use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.
the class TestPepInterceptorActions method testMessageWithDefaultUriAction.
/**
 * Checks the action string the PEP interceptor places in the {@link CollectionPermission} it
 * submits for authorization when the binding operation has no {@code SoapOperationInfo}
 * extensor (stubbed to {@code null} below).
 *
 * <p>The expected value is {@code urn:catalog:query:query-port:searchRequest}; it appears to be
 * assembled from the WSDL port and operation QNames stubbed on the message (confirm against the
 * interceptor).
 *
 * <p>NOTE(review): the action is asserted inside the {@code isPermitted} answer, so it is only
 * checked if the interceptor actually calls {@code isPermitted}; nothing in this method
 * verifies that the call took place.
 */
@Test
public void testMessageWithDefaultUriAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor pep = new PEPAuthorizingInterceptor();
    SecurityManager securityManager = mock(SecurityManager.class);
    pep.setSecurityManager(securityManager);

    // Collaborators: the inbound message, its assertion/token, and the resolved subject.
    Message request = mock(Message.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = mock(SecurityToken.class);
    Subject subject = mock(Subject.class);
    assertNotNull(assertion);

    // Static lookups are mocked so the interceptor finds the assertion for this message.
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(request)).thenReturn(assertion);
    // SecurityLogger is already stubbed out

    // Assertion -> token -> subject; the token carries no element (getToken() is null).
    when(assertion.getSecurityToken()).thenReturn(token);
    when(token.getToken()).thenReturn(null);
    when(securityManager.getSubject(token)).thenReturn(subject);

    // No SOAP action is available from the binding operation.
    Exchange exchange = mock(Exchange.class);
    BindingOperationInfo bindingOperation = mock(BindingOperationInfo.class);
    when(request.getExchange()).thenReturn(exchange);
    when(exchange.get(BindingOperationInfo.class)).thenReturn(bindingOperation);
    when(bindingOperation.getExtensor(SoapOperationInfo.class)).thenReturn(null);

    // WSDL operation and port are the only action-related data on the message.
    QName wsdlOperation = new QName("urn:catalog:query", "search", "ns1");
    QName wsdlPort = new QName("urn:catalog:query", "query-port", "ns1");
    when(request.get(MessageContext.WSDL_OPERATION)).thenReturn(wsdlOperation);
    when(request.get(MessageContext.WSDL_PORT)).thenReturn(wsdlPort);

    // Inspect the permission the interceptor asks about, then grant it.
    doAnswer(new Answer<Boolean>() {
        @Override
        public Boolean answer(InvocationOnMock call) throws Throwable {
            CollectionPermission requested = (CollectionPermission) call.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:searchRequest", requested.getAction());
            return true;
        }
    }).when(subject).isPermitted(isA(CollectionPermission.class));

    // This should work.
    pep.handleMessage(request);
    // NOTE(review): no static call follows verifyStatic(), so this looks like it verifies
    // no interaction — confirm against the PowerMock version in use.
    PowerMockito.verifyStatic();
}
use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.
the class TestPepInterceptorValidSubject method testMessageValidSecurityAssertionToken.
/**
 * Happy path: the subject resolved from the message's security token is permitted, so
 * {@code handleMessage} is expected to return without throwing.
 *
 * <p>The only pass criterion visible here is the absence of an exception; the test does not
 * check which permission was requested or that {@code isPermitted} was consulted at all.
 */
@Test
public void testMessageValidSecurityAssertionToken() throws SecurityServiceException {
    PEPAuthorizingInterceptor pep = new PEPAuthorizingInterceptor();
    SecurityManager securityManager = mock(SecurityManager.class);
    pep.setSecurityManager(securityManager);

    // Collaborators: the inbound message, its assertion/token, and the resolved subject.
    Message request = mock(Message.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = mock(SecurityToken.class);
    Subject subject = mock(Subject.class);
    assertNotNull(assertion);

    // Static lookups are mocked so the interceptor finds the assertion for this message.
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(request)).thenReturn(assertion);
    // SecurityLogger is already stubbed out

    // Assertion -> token -> subject; the token carries no element (getToken() is null).
    when(assertion.getSecurityToken()).thenReturn(token);
    when(token.getToken()).thenReturn(null);
    when(securityManager.getSubject(token)).thenReturn(subject);

    // No SOAP action is available from the binding operation.
    Exchange exchange = mock(Exchange.class);
    BindingOperationInfo bindingOperation = mock(BindingOperationInfo.class);
    when(request.getExchange()).thenReturn(exchange);
    when(exchange.get(BindingOperationInfo.class)).thenReturn(bindingOperation);
    when(bindingOperation.getExtensor(SoapOperationInfo.class)).thenReturn(null);

    // WSDL operation and port, keyed by the literal JAX-WS property names.
    QName wsdlOperation = new QName("urn:catalog:query", "search", "ns1");
    QName wsdlPort = new QName("urn:catalog:query", "query-port", "ns1");
    when(request.get("javax.xml.ws.wsdl.operation")).thenReturn(wsdlOperation);
    when(request.get("javax.xml.ws.wsdl.port")).thenReturn(wsdlPort);

    // The authorization decision under test: permit.
    when(subject.isPermitted(isA(CollectionPermission.class))).thenReturn(true);

    // This should work.
    pep.handleMessage(request);
    // NOTE(review): no static call follows verifyStatic(), so this looks like it verifies
    // no interaction — confirm against the PowerMock version in use.
    PowerMockito.verifyStatic();
}
use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.
the class TestPepInterceptorActions method testMessageWithNoAction.
/**
 * Expects {@link AccessDeniedException} for a message that carries no action information: no
 * WSDL operation or port is stubbed on the message and the binding operation has no
 * {@code SoapOperationInfo} extensor.
 *
 * <p>NOTE(review): {@code isPermitted} is also stubbed to return {@code false}, so the test
 * passes whether the denial comes from the missing action or from the permission check. It
 * therefore does not, on its own, show that a missing action is rejected.
 */
@Test(expected = AccessDeniedException.class)
public void testMessageWithNoAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor pep = new PEPAuthorizingInterceptor();
    SecurityManager securityManager = mock(SecurityManager.class);
    pep.setSecurityManager(securityManager);

    // Collaborators: the inbound message, its assertion/token, and the resolved subject.
    Message request = mock(Message.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = mock(SecurityToken.class);
    Subject subject = mock(Subject.class);
    assertNotNull(assertion);

    // Static lookups are mocked so the interceptor finds the assertion for this message.
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(request)).thenReturn(assertion);
    // SecurityLogger is already stubbed out

    // Assertion -> token -> subject; the token carries no element (getToken() is null).
    when(assertion.getSecurityToken()).thenReturn(token);
    when(token.getToken()).thenReturn(null);
    when(securityManager.getSubject(token)).thenReturn(subject);

    // Binding operation is present but offers no SOAP action.
    Exchange exchange = mock(Exchange.class);
    BindingOperationInfo bindingOperation = mock(BindingOperationInfo.class);
    when(request.getExchange()).thenReturn(exchange);
    when(exchange.get(BindingOperationInfo.class)).thenReturn(bindingOperation);
    when(bindingOperation.getExtensor(SoapOperationInfo.class)).thenReturn(null);

    // Any permission that is asked about is refused.
    when(subject.isPermitted(isA(CollectionPermission.class))).thenReturn(false);

    // This should throw an exception.
    pep.handleMessage(request);
    // Not reached when handleMessage throws as expected.
    PowerMockito.verifyStatic();
}
use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.
the class TestPepInterceptorInvalidSubject method testMessageInvalidSecurityAssertionToken.
// CHECKSTYLE.ON: VisibilityModifier
/**
 * Denial path: the subject resolved from the message's security token is refused the requested
 * permission, and {@code handleMessage} is expected to fail with an
 * {@link AccessDeniedException} whose message contains {@code "Unauthorized"}.
 *
 * <p>The expectation is registered on the {@code expectedExForInvalidSubject} rule, which is
 * declared outside this method.
 */
@Test
public void testMessageInvalidSecurityAssertionToken() throws SecurityServiceException {
    PEPAuthorizingInterceptor pep = new PEPAuthorizingInterceptor();
    SecurityManager securityManager = mock(SecurityManager.class);
    pep.setSecurityManager(securityManager);

    // Collaborators: the inbound message, its assertion/token, and the resolved subject.
    Message request = mock(Message.class);
    SecurityAssertion assertion = mock(SecurityAssertion.class);
    SecurityToken token = mock(SecurityToken.class);
    Subject subject = mock(Subject.class);
    assertNotNull(assertion);

    // Static lookups are mocked so the interceptor finds the assertion for this message.
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(request)).thenReturn(assertion);
    // SecurityLogger is already stubbed out

    // Assertion -> token -> subject; the token carries no element (getToken() is null).
    when(assertion.getSecurityToken()).thenReturn(token);
    when(token.getToken()).thenReturn(null);
    when(securityManager.getSubject(token)).thenReturn(subject);

    // No SOAP action is available from the binding operation.
    Exchange exchange = mock(Exchange.class);
    BindingOperationInfo bindingOperation = mock(BindingOperationInfo.class);
    when(request.getExchange()).thenReturn(exchange);
    when(exchange.get(BindingOperationInfo.class)).thenReturn(bindingOperation);
    when(bindingOperation.getExtensor(SoapOperationInfo.class)).thenReturn(null);

    // WSDL operation and port, keyed by the literal JAX-WS property names.
    QName wsdlOperation = new QName("urn:catalog:query", "search", "ns1");
    QName wsdlPort = new QName("urn:catalog:query", "query-port", "ns1");
    when(request.get("javax.xml.ws.wsdl.operation")).thenReturn(wsdlOperation);
    when(request.get("javax.xml.ws.wsdl.port")).thenReturn(wsdlPort);

    // The authorization decision under test: deny.
    when(subject.isPermitted(isA(CollectionPermission.class))).thenReturn(false);

    // Both the exception type and the message fragment must match for the test to pass.
    expectedExForInvalidSubject.expect(AccessDeniedException.class);
    expectedExForInvalidSubject.expectMessage("Unauthorized");

    // This should throw
    pep.handleMessage(request);
    // Not reached when handleMessage throws as expected.
    PowerMockito.verifyStatic();
}
use of org.apache.cxf.ws.security.tokenstore.SecurityToken in project ddf by codice.
the class LogoutService method getActionProviders.
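/**
 * Returns the logout actions that apply to the caller's session as a JSON array.
 *
 * <p>Each realm token held in the session is resolved to a subject. Every configured logout
 * action provider is then asked for an action, and an entry is emitted only when the action's
 * realm (the part of the action id after the last {@code '.'}) has a token in the session and
 * the subject's display name is neither {@code null} nor the guest display name. Each entry
 * has the keys {@code title}, {@code realm}, {@code auth}, {@code description} and
 * {@code url}.
 *
 * <p>A session with no {@link SecurityTokenHolder} under {@code SAML_ASSERTION}, or a holder
 * with no realm token map, is treated as having no realm tokens; the result is then an empty
 * list instead of a failure from dereferencing a missing session attribute.
 *
 * @param request the incoming servlet request, used to obtain (or create) the HTTP session
 * @return a 200 response whose entity is the UTF-8 encoded JSON list of action properties
 * @throws SecurityServiceException if a subject cannot be obtained for a realm token
 */
@GET
@Path("/actions")
public Response getActionProviders(@Context HttpServletRequest request) throws SecurityServiceException {
    HttpSession session = httpSessionFactory.getOrCreateSession(request);

    // The session may have just been created, so do not assume the token holder is present.
    Object holder = session.getAttribute(SecurityConstants.SAML_ASSERTION);
    Map<String, SecurityToken> realmTokenMap = null;
    if (holder instanceof SecurityTokenHolder) {
        realmTokenMap = ((SecurityTokenHolder) holder).getRealmTokenMap();
    }
    if (realmTokenMap == null) {
        realmTokenMap = new HashMap<>();
    }

    // Resolve every realm token to the subject the action providers work with.
    Map<String, Subject> realmSubjectMap = new HashMap<>();
    for (Map.Entry<String, SecurityToken> entry : realmTokenMap.entrySet()) {
        realmSubjectMap.put(entry.getKey(), securityManager.getSubject(entry.getValue()));
    }

    List<Map<String, String>> realmToPropMaps = new ArrayList<>();
    for (ActionProvider actionProvider : logoutActionProviders) {
        Action action = actionProvider.getAction(realmSubjectMap);
        if (action == null) {
            continue;
        }
        String realm = StringUtils.substringAfterLast(action.getId(), ".");
        // Only realms the session holds a token for are candidates for a logout entry.
        if (realmTokenMap.get(realm) == null) {
            continue;
        }
        String displayName = SubjectUtils.getName(realmSubjectMap.get(realm), "", true);
        // if the user is logged in and isn't a guest, add them
        if (displayName != null && !displayName.equals(SubjectUtils.GUEST_DISPLAY_NAME)) {
            Map<String, String> actionProperties = new HashMap<>();
            actionProperties.put("title", action.getTitle());
            actionProperties.put("realm", realm);
            actionProperties.put("auth", displayName);
            actionProperties.put("description", action.getDescription());
            actionProperties.put("url", action.getUrl().toString());
            realmToPropMaps.add(actionProperties);
        }
    }
    return Response.ok(new ByteArrayInputStream(toJson(realmToPropMaps).getBytes(StandardCharsets.UTF_8))).build();
}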
Aggregations