Search in sources :

Example 11 with AttributeStatementProvider

use of org.apache.cxf.sts.token.provider.AttributeStatementProvider in project cxf by apache.

the class IssueSamlClaimsUnitTest method addTokenProvider.

/**
 * @param issueOperation
 */
private void addTokenProvider(TokenIssueOperation issueOperation) {
    List<TokenProvider> providerList = new ArrayList<>();
    List<AttributeStatementProvider> customProviderList = new ArrayList<>();
    customProviderList.add(new CustomAttributeProvider());
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    samlTokenProvider.setAttributeStatementProviders(customProviderList);
    providerList.add(samlTokenProvider);
    issueOperation.setTokenProviders(providerList);
}
Also used : TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) ArrayList(java.util.ArrayList) CustomAttributeProvider(org.apache.cxf.sts.common.CustomAttributeProvider) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider)

Example 12 with AttributeStatementProvider

use of org.apache.cxf.sts.token.provider.AttributeStatementProvider in project cxf by apache.

the class ValidateTokenTransformationUnitTest method runUsernameTokenTransformationClaims.

/**
 * Test to successfully validate a UsernameToken and transform it into a SAML Assertion with claims.
 */
private void runUsernameTokenTransformationClaims(boolean useSecondaryParameters) throws Exception {
    TokenValidateOperation validateOperation = new TokenValidateOperation();
    // Add Token Validator
    List<TokenValidator> validatorList = new ArrayList<>();
    validatorList.add(new UsernameTokenValidator());
    validateOperation.setTokenValidators(validatorList);
    // Add Token Provider
    List<TokenProvider> providerList = new ArrayList<>();
    List<AttributeStatementProvider> customProviderList = new ArrayList<>();
    customProviderList.add(new CustomAttributeProvider());
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    samlTokenProvider.setAttributeStatementProviders(customProviderList);
    providerList.add(samlTokenProvider);
    validateOperation.setTokenProviders(providerList);
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    validateOperation.setStsProperties(stsProperties);
    // Set the ClaimsManager
    ClaimsManager claimsManager = new ClaimsManager();
    ClaimsHandler claimsHandler = new CustomClaimsHandler();
    claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
    validateOperation.setClaimsManager(claimsManager);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    Object claims = useSecondaryParameters ? createClaimsElementInSecondaryParameters() : createClaimsElement();
    request.getAny().add(claims);
    // Create a UsernameToken
    JAXBElement<UsernameTokenType> usernameTokenType = createUsernameToken("alice", "clarinet");
    ValidateTargetType validateTarget = new ValidateTargetType();
    validateTarget.setAny(usernameTokenType);
    JAXBElement<ValidateTargetType> validateTargetType = new JAXBElement<ValidateTargetType>(QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget);
    request.getAny().add(validateTargetType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("ted");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Validate a token
    RequestSecurityTokenResponseType response = validateOperation.validate(request, principal, msgCtx);
    assertTrue(validateResponse(response));
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : response.getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
    assertTrue(tokenString.contains(ClaimTypes.LASTNAME.toString()));
}
Also used : RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) CustomAttributeProvider(org.apache.cxf.sts.common.CustomAttributeProvider) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) PasswordString(org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString) AttributedString(org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) UsernameTokenValidator(org.apache.cxf.sts.token.validator.UsernameTokenValidator) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) SAMLTokenValidator(org.apache.cxf.sts.token.validator.SAMLTokenValidator) UsernameTokenValidator(org.apache.cxf.sts.token.validator.UsernameTokenValidator) ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SecurityContext(org.apache.cxf.security.SecurityContext) ValidateTargetType(org.apache.cxf.ws.security.sts.provider.model.ValidateTargetType) MessageImpl(org.apache.cxf.message.MessageImpl) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Example 13 with AttributeStatementProvider

use of org.apache.cxf.sts.token.provider.AttributeStatementProvider in project cxf by apache.

the class ValidateTokenTransformationUnitTest method testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims.

/**
 * Test to successfully validate a SAML 2 Token issued by realm "A" and
 * transform it into a SAML 2 token (realm "B")
 * The relationship type between realm A and B is: FederateClaims
 */
@org.junit.Test
public void testValidateSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims() throws Exception {
    TokenValidateOperation validateOperation = new TokenValidateOperation();
    Map<String, RealmProperties> realms = createSamlRealms();
    // Add Token Provider
    List<TokenProvider> providerList = new ArrayList<>();
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    samlTokenProvider.setRealmMap(realms);
    List<AttributeStatementProvider> customProviderList = new ArrayList<>();
    customProviderList.add(new ClaimsAttributeStatementProvider());
    samlTokenProvider.setAttributeStatementProviders(customProviderList);
    providerList.add(samlTokenProvider);
    validateOperation.setTokenProviders(providerList);
    // Add Token Validator
    List<TokenValidator> validatorList = new ArrayList<>();
    SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator();
    samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec());
    validatorList.add(samlTokenValidator);
    validateOperation.setTokenValidators(validatorList);
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    validateOperation.setServices(Collections.singletonList(service));
    // Add Relationship list
    List<Relationship> relationshipList = new ArrayList<>();
    Relationship rs = createRelationship();
    relationshipList.add(rs);
    // Add STSProperties object
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    STSPropertiesMBean stsProperties = createSTSPropertiesMBean(crypto);
    stsProperties.setRealmParser(new CustomRealmParser());
    stsProperties.setIdentityMapper(new CustomIdentityMapper());
    stsProperties.setRelationships(relationshipList);
    validateOperation.setStsProperties(stsProperties);
    // Set the ClaimsManager
    ClaimsManager claimsManager = new ClaimsManager();
    claimsManager.setClaimHandlers(Collections.singletonList((ClaimsHandler) new CustomClaimsHandler()));
    validateOperation.setClaimsManager(claimsManager);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    // Add a ClaimsType
    ClaimsType claimsType = new ClaimsType();
    claimsType.setDialect(STSConstants.IDT_NS_05_05);
    Document doc = DOMUtils.createDocument();
    Element claimType = createClaimsType(doc);
    claimsType.getAny().add(claimType);
    JAXBElement<ClaimsType> claimsTypeJaxb = new JAXBElement<ClaimsType>(QNameConstants.CLAIMS, ClaimsType.class, claimsType);
    request.getAny().add(claimsTypeJaxb);
    // request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
    // create a SAML Token via the SAMLTokenProvider which contains claims
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, realms);
    Document docToken = samlToken.getOwnerDocument();
    samlToken = (Element) docToken.appendChild(samlToken);
    String samlString = DOM2Writer.nodeToString(samlToken);
    assertTrue(samlString.contains("AttributeStatement"));
    assertTrue(samlString.contains("alice"));
    assertTrue(samlString.contains("doe"));
    assertTrue(samlString.contains(SAML2Constants.CONF_BEARER));
    // Add SAML token as ValidateTarget element
    ValidateTargetType validateTarget = new ValidateTargetType();
    validateTarget.setAny(samlToken);
    JAXBElement<ValidateTargetType> validateTargetType = new JAXBElement<ValidateTargetType>(QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget);
    request.getAny().add(validateTargetType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    msgCtx.put("url", "https");
    // Validate a token
    RequestSecurityTokenResponseType response = validateOperation.validate(request, null, msgCtx);
    assertTrue(validateResponse(response));
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : response.getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    // subject unchanged
    assertTrue(tokenString.contains("alice"));
    // claim changed (to uppercase)
    assertTrue(tokenString.contains("DOE"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
}
Also used : CallbackHandler(javax.security.auth.callback.CallbackHandler) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) PasswordString(org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString) AttributedString(org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) StaticService(org.apache.cxf.sts.service.StaticService) Document(org.w3c.dom.Document) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) TokenProvider(org.apache.cxf.sts.token.provider.TokenProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) UsernameTokenValidator(org.apache.cxf.sts.token.validator.UsernameTokenValidator) TokenValidator(org.apache.cxf.sts.token.validator.TokenValidator) SAMLTokenValidator(org.apache.cxf.sts.token.validator.SAMLTokenValidator) IssuerSAMLRealmCodec(org.apache.cxf.sts.token.validator.IssuerSAMLRealmCodec) ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) ClaimsType(org.apache.cxf.ws.security.sts.provider.model.ClaimsType) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) Relationship(org.apache.cxf.sts.token.realm.Relationship) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SAMLTokenValidator(org.apache.cxf.sts.token.validator.SAMLTokenValidator) ValidateTargetType(org.apache.cxf.ws.security.sts.provider.model.ValidateTargetType) MessageImpl(org.apache.cxf.message.MessageImpl)

Example 14 with AttributeStatementProvider

use of org.apache.cxf.sts.token.provider.AttributeStatementProvider in project cxf by apache.

the class SAMLTokenValidatorTest method createSAMLAssertionWithClaimsProvider.

private Element createSAMLAssertionWithClaimsProvider(String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler) throws WSSecurityException {
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    AttributeStatementProvider statementProvider = new ClaimsAttributeStatementProvider();
    samlTokenProvider.setAttributeStatementProviders(Collections.singletonList(statementProvider));
    TokenProviderParameters providerParameters = createProviderParameters("alice", tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler);
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertTrue(providerResponse != null);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    return (Element) providerResponse.getToken();
}
Also used : ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) Element(org.w3c.dom.Element) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 15 with AttributeStatementProvider

use of org.apache.cxf.sts.token.provider.AttributeStatementProvider in project cxf by apache.

the class SCTSAMLTokenProvider method createCallbackHandler.

public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenParameters, byte[] secret, Document doc) throws Exception {
    // Parse the AttributeStatements
    List<AttributeStatementBean> attrBeanList = null;
    if (attributeStatementProviders != null && !attributeStatementProviders.isEmpty()) {
        attrBeanList = new ArrayList<>();
        for (AttributeStatementProvider statementProvider : attributeStatementProviders) {
            AttributeStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                LOG.fine("AttributeStatements" + statementBean.toString() + "returned by AttributeStatementProvider " + statementProvider.getClass().getName());
                attrBeanList.add(statementBean);
            }
        }
    }
    // If no statements, then default to the DefaultAttributeStatementProvider
    if (attrBeanList == null || attrBeanList.isEmpty()) {
        attrBeanList = new ArrayList<>();
        AttributeStatementProvider attributeProvider = new DefaultAttributeStatementProvider();
        AttributeStatementBean attributeBean = attributeProvider.getStatement(tokenParameters);
        attrBeanList.add(attributeBean);
    }
    // Get the Subject and Conditions
    SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
    subjectProviderParameters.setProviderParameters(tokenParameters);
    subjectProviderParameters.setDoc(doc);
    subjectProviderParameters.setSecret(secret);
    subjectProviderParameters.setAttrBeanList(attrBeanList);
    SubjectBean subjectBean = subjectProvider.getSubject(subjectProviderParameters);
    ConditionsBean conditionsBean = conditionsProvider.getConditions(tokenParameters);
    // Set all of the beans on the SamlCallbackHandler
    SamlCallbackHandler handler = new SamlCallbackHandler();
    handler.setTokenProviderParameters(tokenParameters);
    handler.setSubjectBean(subjectBean);
    handler.setConditionsBean(conditionsBean);
    handler.setAttributeBeans(attrBeanList);
    return handler;
}
Also used : SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean) SamlCallbackHandler(org.apache.cxf.sts.token.provider.SamlCallbackHandler) AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) DefaultAttributeStatementProvider(org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider) AttributeStatementProvider(org.apache.cxf.sts.token.provider.AttributeStatementProvider) DefaultAttributeStatementProvider(org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider) SubjectProviderParameters(org.apache.cxf.sts.token.provider.SubjectProviderParameters)

Aggregations

AttributeStatementProvider (org.apache.cxf.sts.token.provider.AttributeStatementProvider)15 ClaimsAttributeStatementProvider (org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider)14 SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)14 ArrayList (java.util.ArrayList)13 Element (org.w3c.dom.Element)13 JAXBElement (javax.xml.bind.JAXBElement)12 ClaimsHandler (org.apache.cxf.sts.claims.ClaimsHandler)12 ClaimsManager (org.apache.cxf.sts.claims.ClaimsManager)12 CustomClaimsHandler (org.apache.cxf.sts.common.CustomClaimsHandler)11 TokenProvider (org.apache.cxf.sts.token.provider.TokenProvider)8 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)7 MessageImpl (org.apache.cxf.message.MessageImpl)7 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)7 SAMLTokenValidator (org.apache.cxf.sts.token.validator.SAMLTokenValidator)7 TokenValidator (org.apache.cxf.sts.token.validator.TokenValidator)7 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)7 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)7 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)7 Crypto (org.apache.wss4j.common.crypto.Crypto)7 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)6