Search in sources :

Example 21 with SAMLTokenProvider

use of org.apache.cxf.sts.token.provider.SAMLTokenProvider in project cxf by apache.

the class IssueSamlUnitTest method testIssueSaml1Token.

/**
 * Test to successfully issue a Saml 1.1 token.
 */
@org.junit.Test
public void testIssueSaml1Token() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    // Add Token Provider
    issueOperation.setTokenProviders(Collections.singletonList(new SAMLTokenProvider()));
    // Add Service
    ServiceMBean service = new StaticService();
    service.setEndpoints(Collections.singletonList("http://dummy-service.com/dummy"));
    issueOperation.setServices(Collections.singletonList(service));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    issueOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML_TOKEN_TYPE);
    request.getAny().add(tokenType);
    request.getAny().add(createAppliesToElement("http://dummy-service.com/dummy"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Issue a token
    RequestSecurityTokenResponseCollectionType response = issueOperation.issue(request, principal, msgCtx);
    List<RequestSecurityTokenResponseType> securityTokenResponse = response.getRequestSecurityTokenResponse();
    assertFalse(securityTokenResponse.isEmpty());
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : securityTokenResponse.get(0).getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML1Constants.CONF_BEARER));
}
Also used : ServiceMBean(org.apache.cxf.sts.service.ServiceMBean) RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) JAXBElement(javax.xml.bind.JAXBElement) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) StaticService(org.apache.cxf.sts.service.StaticService) RequestSecurityTokenResponseCollectionType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SecurityContext(org.apache.cxf.security.SecurityContext) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) MessageImpl(org.apache.cxf.message.MessageImpl) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Example 22 with SAMLTokenProvider

use of org.apache.cxf.sts.token.provider.SAMLTokenProvider in project cxf by apache.

the class JexlIssueSamlClaimsTest method testIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims.

/**
 * Test to successfully issue a SAML 2 token (realm "B") on-behalf-of a SAML 2 token which was issued by
 * realm "A". The relationship type between realm A and B is: FederateClaims
 */
@org.junit.Test
public void testIssueSaml2TokenOnBehalfOfSaml2DifferentRealmFederateClaims() throws Exception {
    TokenIssueOperation issueOperation = new TokenIssueOperation();
    Map<String, RealmProperties> realms = createSamlRealms();
    // Add Token Provider
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    samlTokenProvider.setRealmMap(realms);
    samlTokenProvider.setAttributeStatementProviders(Collections.singletonList(new ClaimsAttributeStatementProvider()));
    issueOperation.setTokenProviders(Collections.singletonList(samlTokenProvider));
    TokenDelegationHandler delegationHandler = new SAMLDelegationHandler();
    issueOperation.setDelegationHandlers(Collections.singletonList(delegationHandler));
    // Add Token Validator
    SAMLTokenValidator samlTokenValidator = new SAMLTokenValidator();
    samlTokenValidator.setSamlRealmCodec(new IssuerSAMLRealmCodec());
    issueOperation.setTokenValidators(Collections.singletonList(samlTokenValidator));
    addService(issueOperation);
    // Add Relationship list
    Relationship rs = createRelationship();
    // Add STSProperties object
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    STSPropertiesMBean stsProperties = createSTSPropertiesMBean(crypto);
    stsProperties.setRealmParser(new CustomRealmParser());
    stsProperties.setRelationships(Collections.singletonList(rs));
    issueOperation.setStsProperties(stsProperties);
    // Set the ClaimsManager
    ClaimsManager claimsManager = new ClaimsManager();
    ClaimsHandler claimsHandler = new CustomClaimsHandler();
    claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
    issueOperation.setClaimsManager(claimsManager);
    // Mock up a request
    RequestSecurityTokenType request = createRequest(realms, crypto);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    msgCtx.put("url", "https");
    List<RequestSecurityTokenResponseType> securityTokenResponseList = issueToken(issueOperation, request, null, msgCtx);
    RequestSecurityTokenResponseType securityTokenResponse = securityTokenResponseList.get(0);
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : securityTokenResponse.getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    // subject unchanged
    assertTrue(tokenString.contains("alice"));
    // transformed claim (to uppercase)
    assertTrue(tokenString.contains("DOE"));
    assertTrue(tokenString.contains(ROLE_CLAIM.toString()));
    // mapped role from admin to administrator
    assertTrue(tokenString.contains("administrator"));
    assertTrue(tokenString.contains("manager"));
    assertFalse(tokenString.contains("user"));
    assertFalse(tokenString.contains(ClaimTypes.EMAILADDRESS.toString()));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
}
Also used : RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) IssuerSAMLRealmCodec(org.apache.cxf.sts.token.validator.IssuerSAMLRealmCodec) ClaimsManager(org.apache.cxf.sts.claims.ClaimsManager) TokenDelegationHandler(org.apache.cxf.sts.token.delegation.TokenDelegationHandler) RealmProperties(org.apache.cxf.sts.token.realm.RealmProperties) CustomRealmParser(org.apache.cxf.sts.operation.CustomRealmParser) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) ClaimsHandler(org.apache.cxf.sts.claims.ClaimsHandler) CustomClaimsHandler(org.apache.cxf.sts.common.CustomClaimsHandler) SAMLDelegationHandler(org.apache.cxf.sts.token.delegation.SAMLDelegationHandler) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) TokenIssueOperation(org.apache.cxf.sts.operation.TokenIssueOperation) Relationship(org.apache.cxf.sts.token.realm.Relationship) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SAMLTokenValidator(org.apache.cxf.sts.token.validator.SAMLTokenValidator) MessageImpl(org.apache.cxf.message.MessageImpl)

Example 23 with SAMLTokenProvider

use of org.apache.cxf.sts.token.provider.SAMLTokenProvider in project cxf by apache.

the class SAMLTokenRenewerTest method createSAMLAssertion.

private Element createSAMLAssertion(String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing, boolean allowRenewingAfterExpiry) throws WSSecurityException {
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
    conditionsProvider.setAcceptClientLifetime(true);
    samlTokenProvider.setConditionsProvider(conditionsProvider);
    TokenProviderParameters providerParameters = createProviderParameters(tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler);
    Renewing renewing = new Renewing();
    renewing.setAllowRenewing(allowRenewing);
    renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
    providerParameters.getTokenRequirements().setRenewing(renewing);
    if (ttlMs != 0) {
        Lifetime lifetime = new Lifetime();
        Instant creationTime = Instant.now();
        Instant expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
        providerParameters.getTokenRequirements().setLifetime(lifetime);
    }
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    return (Element) providerResponse.getToken();
}
Also used : Lifetime(org.apache.cxf.sts.request.Lifetime) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) Renewing(org.apache.cxf.sts.request.Renewing) Instant(java.time.Instant) Element(org.w3c.dom.Element) DefaultConditionsProvider(org.apache.cxf.sts.token.provider.DefaultConditionsProvider) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 24 with SAMLTokenProvider

use of org.apache.cxf.sts.token.provider.SAMLTokenProvider in project cxf by apache.

the class SAMLTokenRenewerPOPTest method createSAMLAssertion.

private Element createSAMLAssertion(String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler, long ttlMs, boolean allowRenewing, boolean allowRenewingAfterExpiry) throws WSSecurityException {
    SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
    DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
    conditionsProvider.setAcceptClientLifetime(true);
    samlTokenProvider.setConditionsProvider(conditionsProvider);
    TokenProviderParameters providerParameters = createProviderParameters(tokenType, STSConstants.PUBLIC_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler);
    Renewing renewing = new Renewing();
    renewing.setAllowRenewing(allowRenewing);
    renewing.setAllowRenewingAfterExpiry(allowRenewingAfterExpiry);
    providerParameters.getTokenRequirements().setRenewing(renewing);
    if (ttlMs != 0) {
        Lifetime lifetime = new Lifetime();
        Instant creationTime = Instant.now();
        Instant expirationTime = creationTime.plusNanos(ttlMs * 1000000L);
        lifetime.setCreated(creationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
        lifetime.setExpires(expirationTime.atZone(ZoneOffset.UTC).format(DateUtil.getDateTimeFormatter(true)));
        providerParameters.getTokenRequirements().setLifetime(lifetime);
    }
    TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
    assertNotNull(providerResponse);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
    return (Element) providerResponse.getToken();
}
Also used : Lifetime(org.apache.cxf.sts.request.Lifetime) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) Renewing(org.apache.cxf.sts.request.Renewing) Instant(java.time.Instant) Element(org.w3c.dom.Element) DefaultConditionsProvider(org.apache.cxf.sts.token.provider.DefaultConditionsProvider) TokenProviderResponse(org.apache.cxf.sts.token.provider.TokenProviderResponse) TokenProviderParameters(org.apache.cxf.sts.token.provider.TokenProviderParameters)

Example 25 with SAMLTokenProvider

use of org.apache.cxf.sts.token.provider.SAMLTokenProvider in project cxf by apache.

the class ValidateTokenTransformationUnitTest method testUsernameTokenTransformation.

/**
 * Test to successfully validate a UsernameToken and transform it into a SAML Assertion.
 */
@org.junit.Test
public void testUsernameTokenTransformation() throws Exception {
    TokenValidateOperation validateOperation = new TokenValidateOperation();
    // Add Token Validator
    validateOperation.setTokenValidators(Collections.singletonList(new UsernameTokenValidator()));
    // Add Token Provider
    validateOperation.setTokenProviders(Collections.singletonList(new SAMLTokenProvider()));
    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    validateOperation.setStsProperties(stsProperties);
    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType = new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, WSS4JConstants.WSS_SAML2_TOKEN_TYPE);
    request.getAny().add(tokenType);
    // Create a UsernameToken
    JAXBElement<UsernameTokenType> usernameTokenType = createUsernameToken("alice", "clarinet");
    ValidateTargetType validateTarget = new ValidateTargetType();
    validateTarget.setAny(usernameTokenType);
    JAXBElement<ValidateTargetType> validateTargetType = new JAXBElement<ValidateTargetType>(QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget);
    request.getAny().add(validateTargetType);
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
    // Validate a token
    RequestSecurityTokenResponseType response = validateOperation.validate(request, principal, msgCtx);
    assertTrue(validateResponse(response));
    // Test the generated token.
    Element assertion = null;
    for (Object tokenObject : response.getAny()) {
        if (tokenObject instanceof JAXBElement<?> && REQUESTED_SECURITY_TOKEN.equals(((JAXBElement<?>) tokenObject).getName())) {
            RequestedSecurityTokenType rstType = (RequestedSecurityTokenType) ((JAXBElement<?>) tokenObject).getValue();
            assertion = (Element) rstType.getAny();
            break;
        }
    }
    assertNotNull(assertion);
    String tokenString = DOM2Writer.nodeToString(assertion);
    assertTrue(tokenString.contains("AttributeStatement"));
    assertTrue(tokenString.contains("alice"));
    assertTrue(tokenString.contains(SAML2Constants.CONF_BEARER));
}
Also used : RequestSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType) JAXBElement(javax.xml.bind.JAXBElement) Element(org.w3c.dom.Element) RequestSecurityTokenResponseType(org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType) StaticSTSProperties(org.apache.cxf.sts.StaticSTSProperties) PasswordString(org.apache.cxf.ws.security.sts.provider.model.secext.PasswordString) AttributedString(org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString) RequestedSecurityTokenType(org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) UsernameTokenValidator(org.apache.cxf.sts.token.validator.UsernameTokenValidator) PasswordCallbackHandler(org.apache.cxf.sts.common.PasswordCallbackHandler) UsernameTokenType(org.apache.cxf.ws.security.sts.provider.model.secext.UsernameTokenType) JAXBElement(javax.xml.bind.JAXBElement) Crypto(org.apache.wss4j.common.crypto.Crypto) SAMLTokenProvider(org.apache.cxf.sts.token.provider.SAMLTokenProvider) STSPropertiesMBean(org.apache.cxf.sts.STSPropertiesMBean) WrappedMessageContext(org.apache.cxf.jaxws.context.WrappedMessageContext) SecurityContext(org.apache.cxf.security.SecurityContext) ValidateTargetType(org.apache.cxf.ws.security.sts.provider.model.ValidateTargetType) MessageImpl(org.apache.cxf.message.MessageImpl) CustomTokenPrincipal(org.apache.wss4j.common.principal.CustomTokenPrincipal) Principal(java.security.Principal)

Aggregations

SAMLTokenProvider (org.apache.cxf.sts.token.provider.SAMLTokenProvider)68 Element (org.w3c.dom.Element)62 JAXBElement (javax.xml.bind.JAXBElement)52 STSPropertiesMBean (org.apache.cxf.sts.STSPropertiesMBean)44 WrappedMessageContext (org.apache.cxf.jaxws.context.WrappedMessageContext)43 MessageImpl (org.apache.cxf.message.MessageImpl)43 RequestSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType)43 Crypto (org.apache.wss4j.common.crypto.Crypto)43 PasswordCallbackHandler (org.apache.cxf.sts.common.PasswordCallbackHandler)42 RequestSecurityTokenResponseType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType)40 StaticSTSProperties (org.apache.cxf.sts.StaticSTSProperties)38 ServiceMBean (org.apache.cxf.sts.service.ServiceMBean)35 StaticService (org.apache.cxf.sts.service.StaticService)35 RequestedSecurityTokenType (org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType)32 RequestSecurityTokenResponseCollectionType (org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType)30 Principal (java.security.Principal)27 SecurityContext (org.apache.cxf.security.SecurityContext)27 CustomTokenPrincipal (org.apache.wss4j.common.principal.CustomTokenPrincipal)27 TokenProviderResponse (org.apache.cxf.sts.token.provider.TokenProviderResponse)24 TokenProviderParameters (org.apache.cxf.sts.token.provider.TokenProviderParameters)21