use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class SAMLTokenRenewerPOPTest method renewValidSAML1AssertionWrongPOP.
/**
* Renew a valid SAML1 Assertion
*/
@org.junit.Test
public void renewValidSAML1AssertionWrongPOP() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
renewerParameters.setStsProperties(validatorParameters.getStsProperties());
renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
renewerParameters.setMessageContext(validatorParameters.getMessageContext());
renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
renewerParameters.setTokenStore(validatorParameters.getTokenStore());
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
try {
samlTokenRenewer.renewToken(renewerParameters);
fail("Expected failure on lack of proof of possession");
} catch (Exception ex) {
// expected
}
List<WSSecurityEngineResult> signedResults = new ArrayList<>();
WSSecurityEngineResult signedResult = new WSSecurityEngineResult(WSConstants.SIGN);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myservicekey");
signedResult.put(WSSecurityEngineResult.TAG_X509_CERTIFICATES, crypto.getX509Certificates(cryptoType));
signedResults.add(signedResult);
List<WSHandlerResult> handlerResults = new ArrayList<>();
WSHandlerResult handlerResult = new WSHandlerResult(null, signedResults, Collections.singletonMap(WSConstants.SIGN, signedResults));
handlerResults.add(handlerResult);
Map<String, Object> messageContext = validatorParameters.getMessageContext();
messageContext.put(WSHandlerConstants.RECV_RESULTS, handlerResults);
try {
samlTokenRenewer.renewToken(renewerParameters);
fail("Expected failure on wrong signature key");
} catch (Exception ex) {
// expected
}
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class SAMLTokenRenewerTest method renewExpiredSAML2Assertion.
/**
* Renew an expired SAML2 Assertion
*/
@org.junit.Test
public void renewExpiredSAML2Assertion() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50, true, true);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
// Sleep to expire the token
Thread.sleep(100);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.EXPIRED);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy");
renewerParameters.setStsProperties(validatorParameters.getStsProperties());
renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
renewerParameters.setMessageContext(validatorParameters.getMessageContext());
renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
renewerParameters.setTokenStore(validatorParameters.getTokenStore());
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
try {
samlTokenRenewer.renewToken(renewerParameters);
fail("Failure expected on an expired token, which is not allowed by default");
} catch (Exception ex) {
// expected
}
samlTokenRenewer.setAllowRenewalAfterExpiry(true);
TokenRenewerResponse renewerResponse = samlTokenRenewer.renewToken(renewerParameters);
assertTrue(renewerResponse != null);
assertTrue(renewerResponse.getToken() != null);
String oldId = new SamlAssertionWrapper(samlToken).getId();
String newId = new SamlAssertionWrapper(renewerResponse.getToken()).getId();
assertFalse(oldId.equals(newId));
// Now validate it again
validateTarget = new ReceivedToken(renewerResponse.getToken());
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class SAMLTokenRenewerTest method renewSAML1AssertionDifferentAppliesTo.
/**
* Renew a valid SAML1 Assertion but sending a different AppliesTo address.
*/
@org.junit.Test
public void renewSAML1AssertionDifferentAppliesTo() throws Exception {
// Create the Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken = createSAMLAssertion(WSS4JConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler, 50000, true, false);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
// Validate the Assertion
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
// Renew the Assertion
TokenRenewerParameters renewerParameters = new TokenRenewerParameters();
renewerParameters.setAppliesToAddress("http://dummy-service.com/dummy2");
renewerParameters.setStsProperties(validatorParameters.getStsProperties());
renewerParameters.setPrincipal(new CustomTokenPrincipal("alice"));
renewerParameters.setMessageContext(validatorParameters.getMessageContext());
renewerParameters.setKeyRequirements(validatorParameters.getKeyRequirements());
renewerParameters.setTokenRequirements(validatorParameters.getTokenRequirements());
renewerParameters.setTokenStore(validatorParameters.getTokenStore());
renewerParameters.setToken(validatorResponse.getToken());
TokenRenewer samlTokenRenewer = new SAMLTokenRenewer();
samlTokenRenewer.setVerifyProofOfPossession(false);
assertTrue(samlTokenRenewer.canHandleToken(validatorResponse.getToken()));
try {
samlTokenRenewer.renewToken(renewerParameters);
fail("Failure expected on sending a different AppliesTo address");
} catch (Exception ex) {
// expected
}
}
use of org.apache.cxf.sts.token.validator.TokenValidatorResponse in project cxf by apache.
the class UsernameTokenValidator method validateToken.
/**
* Validate a Token using the given TokenValidatorParameters.
*/
public TokenValidatorResponse validateToken(TokenValidatorParameters tokenParameters) {
TokenValidatorResponse response = new TokenValidatorResponse();
ReceivedToken validateTarget = tokenParameters.getToken();
validateTarget.setState(STATE.INVALID);
response.setToken(validateTarget);
UsernameTokenType usernameTokenType = (UsernameTokenType) validateTarget.getToken();
// Ignore the fact that no password is provided
// Some other requirements must be met to issue a token onbehalfof a subject
// whose authentication is not proved
validateTarget.setState(STATE.VALID);
response.setPrincipal(new CustomTokenPrincipal(usernameTokenType.getUsername().getValue()));
return response;
}
Aggregations