Example 11 with AudienceRestrictionBean
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenURI.
@Test
public void testUnsignedSAML2AudienceRestrictionTokenURI() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
HelloWorldService service = new HelloWorldService(wsdl, serviceName);
String response = new String("Bonjour");
HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setSignAssertion(true);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
List<String> audiences = new ArrayList<>();
audiences.add("jms:jndi:dynamicQueues/test.jmstransport.text");
AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
audienceRestrictionBean.setAudienceURIs(audiences);
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
callbackHandler.setConditions(conditions);
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
Client client = ClientProxy.getClient(greeter);
client.getOutInterceptors().add(outInterceptor);
String reply = greeter.sayHi();
assertNotNull("no response received from service", reply);
assertEquals(response, reply);
((java.io.Closeable) greeter).close();
}
Also used :
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
HashMap(java.util.HashMap)
QName(javax.xml.namespace.QName)
HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType)
URL(java.net.URL)
WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)
Client(org.apache.cxf.endpoint.Client)
Test(org.junit.Test)
Example 12 with AudienceRestrictionBean
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenBadServiceName.
@Test
public void testUnsignedSAML2AudienceRestrictionTokenBadServiceName() throws Exception {
QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
HelloWorldService service = new HelloWorldService(wsdl, serviceName);
HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setSignAssertion(true);
callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
ConditionsBean conditions = new ConditionsBean();
conditions.setTokenPeriodMinutes(5);
List<String> audiences = new ArrayList<>();
audiences.add("{http://cxf.apache.org/hello_world_jms}BadHelloWorldService");
AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
audienceRestrictionBean.setAudienceURIs(audiences);
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
callbackHandler.setConditions(conditions);
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
Client client = ClientProxy.getClient(greeter);
client.getOutInterceptors().add(outInterceptor);
try {
greeter.sayHi();
fail("Failure expected on a bad audience restriction");
} catch (SOAPFaultException ex) {
// expected
}
((java.io.Closeable) greeter).close();
}
Also used :
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
HashMap(java.util.HashMap)
QName(javax.xml.namespace.QName)
HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType)
SOAPFaultException(javax.xml.ws.soap.SOAPFaultException)
URL(java.net.URL)
WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)
Client(org.apache.cxf.endpoint.Client)
Test(org.junit.Test)
Example 13 with AudienceRestrictionBean
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class SamlTokenTest method testAudienceRestriction.
@org.junit.Test
public void testAudienceRestriction() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = SamlTokenTest.class.getResource("client.xml");
Bus bus = bf.createBus(busFile.toString());
BusFactory.setDefaultBus(bus);
BusFactory.setThreadDefaultBus(bus);
URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
String portNumber = PORT2;
if (STAX_PORT.equals(test.getPort())) {
portNumber = STAX_PORT2;
}
updateAddressPort(saml2Port, portNumber);
// Create a SAML Token with an AudienceRestrictionCondition
ConditionsBean conditions = new ConditionsBean();
List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2"));
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setConditions(conditions);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
saml2Port.doubleIt(25);
try {
// Now use an "unknown" audience restriction
audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2unknown"));
audienceRestrictions.clear();
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
callbackHandler.setConditions(conditions);
saml2Port.doubleIt(25);
fail("Failure expected on unknown AudienceRestriction");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
// expected
}
}
Also used :
Bus(org.apache.cxf.Bus)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
QName(javax.xml.namespace.QName)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
ArrayList(java.util.ArrayList)
Service(javax.xml.ws.Service)
URL(java.net.URL)
SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler)
SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory)
DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)
Example 14 with AudienceRestrictionBean
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project syncope by apache.
the class SAML2ITCase method createResponse.
private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
response.setDestination("http://recipient.apache.org");
// Create an AuthenticationAssertion
SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
callbackHandler.setIssuer(issuer);
callbackHandler.setSubjectName("puccini");
callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
subjectConfirmationData.setAddress("http://apache.org");
subjectConfirmationData.setInResponseTo(inResponseTo);
subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
ConditionsBean conditions = new ConditionsBean();
conditions.setNotBefore(new DateTime());
conditions.setNotAfter(new DateTime().plusMinutes(5));
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
callbackHandler.setConditions(conditions);
SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
if (signAssertion) {
Crypto issuerCrypto = new Merlin();
KeyStore keyStore = KeyStore.getInstance("JKS");
InputStream input = Files.newInputStream(keystorePath);
keyStore.load(input, "security".toCharArray());
((Merlin) issuerCrypto).setKeyStore(keyStore);
assertion.signAssertion("subject", "security", issuerCrypto, false);
}
response.getAssertions().add(assertion.getSaml2());
return response;
}
Also used :
Status(org.opensaml.saml.saml2.core.Status)
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
InputStream(java.io.InputStream)
ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean)
SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Crypto(org.apache.wss4j.common.crypto.Crypto)
SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)
SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback)
Merlin(org.apache.wss4j.common.crypto.Merlin)
Example 15 with AudienceRestrictionBean
use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.
the class DefaultConditionsProvider method createAudienceRestrictions.
/**
* Create a list of AudienceRestrictions to be added to the Conditions Element of the
* issued Assertion. The default behaviour is to add a single Audience URI per
* AudienceRestriction Element. The Audience URIs are from an AppliesTo address, and
* the wst:Participants (if either exist).
*/
protected List<AudienceRestrictionBean> createAudienceRestrictions(TokenProviderParameters providerParameters) {
List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
String appliesToAddress = providerParameters.getAppliesToAddress();
if (appliesToAddress != null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(appliesToAddress));
audienceRestrictions.add(audienceRestriction);
}
Participants participants = providerParameters.getTokenRequirements().getParticipants();
if (participants != null) {
String address = extractAddressFromParticipantsEPR(participants.getPrimaryParticipant());
if (address != null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(address));
audienceRestrictions.add(audienceRestriction);
}
if (participants.getParticipants() != null) {
for (Object participant : participants.getParticipants()) {
if (participant != null) {
address = extractAddressFromParticipantsEPR(participant);
if (address != null) {
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(address));
audienceRestrictions.add(audienceRestriction);
}
}
}
}
}
return audienceRestrictions;
}
Also used :
AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)
ArrayList(java.util.ArrayList)
Participants(org.apache.cxf.sts.request.Participants)
Aggregations
AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)25
ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20
DateTime (org.joda.time.DateTime)14
ArrayList (java.util.ArrayList)12
SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)11
Response (org.opensaml.saml.saml2.core.Response)11
SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)9
WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8
URL (java.net.URL)7
QName (javax.xml.namespace.QName)7
SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)7
Crypto (org.apache.wss4j.common.crypto.Crypto)6
Status (org.opensaml.saml.saml2.core.Status)5
HashMap (java.util.HashMap)4
Client (org.apache.cxf.endpoint.Client)4
HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4
HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4
WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4
InputStream (java.io.InputStream)3
KeyStore (java.security.KeyStore)3
