Search in sources :

Example 11 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenURI.

@Test
public void testUnsignedSAML2AudienceRestrictionTokenURI() throws Exception {
    QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
    QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
    URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
    HelloWorldService service = new HelloWorldService(wsdl, serviceName);
    String response = new String("Bonjour");
    HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setSignAssertion(true);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);
    List<String> audiences = new ArrayList<>();
    audiences.add("jms:jndi:dynamicQueues/test.jmstransport.text");
    AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
    audienceRestrictionBean.setAudienceURIs(audiences);
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
    callbackHandler.setConditions(conditions);
    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
    WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
    Client client = ClientProxy.getClient(greeter);
    client.getOutInterceptors().add(outInterceptor);
    String reply = greeter.sayHi();
    assertNotNull("no response received from service", reply);
    assertEquals(response, reply);
    ((java.io.Closeable) greeter).close();
}
Also used : AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) HashMap(java.util.HashMap) QName(javax.xml.namespace.QName) HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType) URL(java.net.URL) WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor) Client(org.apache.cxf.endpoint.Client) Test(org.junit.Test)

Example 12 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class JMSWSSecurityTest method testUnsignedSAML2AudienceRestrictionTokenBadServiceName.

@Test
public void testUnsignedSAML2AudienceRestrictionTokenBadServiceName() throws Exception {
    QName serviceName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldService");
    QName portName = new QName("http://cxf.apache.org/hello_world_jms", "HelloWorldPort");
    URL wsdl = getWSDLURL("/wsdl/jms_test.wsdl");
    HelloWorldService service = new HelloWorldService(wsdl, serviceName);
    HelloWorldPortType greeter = service.getPort(portName, HelloWorldPortType.class);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setSignAssertion(true);
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setTokenPeriodMinutes(5);
    List<String> audiences = new ArrayList<>();
    audiences.add("{http://cxf.apache.org/hello_world_jms}BadHelloWorldService");
    AudienceRestrictionBean audienceRestrictionBean = new AudienceRestrictionBean();
    audienceRestrictionBean.setAudienceURIs(audiences);
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestrictionBean));
    callbackHandler.setConditions(conditions);
    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);
    WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor(outProperties);
    Client client = ClientProxy.getClient(greeter);
    client.getOutInterceptors().add(outInterceptor);
    try {
        greeter.sayHi();
        fail("Failure expected on a bad audience restriction");
    } catch (SOAPFaultException ex) {
    // expected
    }
    ((java.io.Closeable) greeter).close();
}
Also used : AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) HashMap(java.util.HashMap) QName(javax.xml.namespace.QName) HelloWorldService(org.apache.cxf.hello_world_jms.HelloWorldService) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) HelloWorldPortType(org.apache.cxf.hello_world_jms.HelloWorldPortType) SOAPFaultException(javax.xml.ws.soap.SOAPFaultException) URL(java.net.URL) WSS4JOutInterceptor(org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor) Client(org.apache.cxf.endpoint.Client) Test(org.junit.Test)

Example 13 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class SamlTokenTest method testAudienceRestriction.

@org.junit.Test
public void testAudienceRestriction() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SamlTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
    DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
    String portNumber = PORT2;
    if (STAX_PORT.equals(test.getPort())) {
        portNumber = STAX_PORT2;
    }
    updateAddressPort(saml2Port, portNumber);
    // Create a SAML Token with an AudienceRestrictionCondition
    ConditionsBean conditions = new ConditionsBean();
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2"));
    audienceRestrictions.add(audienceRestriction);
    conditions.setAudienceRestrictions(audienceRestrictions);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setConditions(conditions);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
    try {
        // Now use an "unknown" audience restriction
        audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2unknown"));
        audienceRestrictions.clear();
        audienceRestrictions.add(audienceRestriction);
        conditions.setAudienceRestrictions(audienceRestrictions);
        callbackHandler.setConditions(conditions);
        saml2Port.doubleIt(25);
        fail("Failure expected on unknown AudienceRestriction");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    // expected
    }
}
Also used : Bus(org.apache.cxf.Bus) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) QName(javax.xml.namespace.QName) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) Service(javax.xml.ws.Service) URL(java.net.URL) SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 14 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project syncope by apache.

the class SAML2ITCase method createResponse.

private org.opensaml.saml.saml2.core.Response createResponse(final String inResponseTo, final boolean signAssertion, final String subjectConfMethod, final String issuer) throws Exception {
    Status status = SAML2PResponseComponentBuilder.createStatus(SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null);
    org.opensaml.saml.saml2.core.Response response = SAML2PResponseComponentBuilder.createSAMLResponse(inResponseTo, issuer, status);
    response.setDestination("http://recipient.apache.org");
    // Create an AuthenticationAssertion
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setIssuer(issuer);
    callbackHandler.setSubjectName("puccini");
    callbackHandler.setSubjectConfirmationMethod(subjectConfMethod);
    SubjectConfirmationDataBean subjectConfirmationData = new SubjectConfirmationDataBean();
    subjectConfirmationData.setAddress("http://apache.org");
    subjectConfirmationData.setInResponseTo(inResponseTo);
    subjectConfirmationData.setNotAfter(new DateTime().plusMinutes(5));
    subjectConfirmationData.setRecipient("http://recipient.apache.org/saml2sp/assertion-consumer");
    callbackHandler.setSubjectConfirmationData(subjectConfirmationData);
    ConditionsBean conditions = new ConditionsBean();
    conditions.setNotBefore(new DateTime());
    conditions.setNotAfter(new DateTime().plusMinutes(5));
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("http://recipient.apache.org/"));
    conditions.setAudienceRestrictions(Collections.singletonList(audienceRestriction));
    callbackHandler.setConditions(conditions);
    SAMLCallback samlCallback = new SAMLCallback();
    SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
    SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
    if (signAssertion) {
        Crypto issuerCrypto = new Merlin();
        KeyStore keyStore = KeyStore.getInstance("JKS");
        InputStream input = Files.newInputStream(keystorePath);
        keyStore.load(input, "security".toCharArray());
        ((Merlin) issuerCrypto).setKeyStore(keyStore);
        assertion.signAssertion("subject", "security", issuerCrypto, false);
    }
    response.getAssertions().add(assertion.getSaml2());
    return response;
}
Also used : Status(org.opensaml.saml.saml2.core.Status) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) InputStream(java.io.InputStream) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) KeyStore(java.security.KeyStore) DateTime(org.joda.time.DateTime) Crypto(org.apache.wss4j.common.crypto.Crypto) SubjectConfirmationDataBean(org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean) SAMLCallback(org.apache.wss4j.common.saml.SAMLCallback) Merlin(org.apache.wss4j.common.crypto.Merlin)

Example 15 with AudienceRestrictionBean

use of org.apache.wss4j.common.saml.bean.AudienceRestrictionBean in project cxf by apache.

the class DefaultConditionsProvider method createAudienceRestrictions.

/**
 * Create a list of AudienceRestrictions to be added to the Conditions Element of the
 * issued Assertion. The default behaviour is to add a single Audience URI per
 * AudienceRestriction Element. The Audience URIs are from an AppliesTo address, and
 * the wst:Participants (if either exist).
 */
protected List<AudienceRestrictionBean> createAudienceRestrictions(TokenProviderParameters providerParameters) {
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    String appliesToAddress = providerParameters.getAppliesToAddress();
    if (appliesToAddress != null) {
        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList(appliesToAddress));
        audienceRestrictions.add(audienceRestriction);
    }
    Participants participants = providerParameters.getTokenRequirements().getParticipants();
    if (participants != null) {
        String address = extractAddressFromParticipantsEPR(participants.getPrimaryParticipant());
        if (address != null) {
            AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
            audienceRestriction.setAudienceURIs(Collections.singletonList(address));
            audienceRestrictions.add(audienceRestriction);
        }
        if (participants.getParticipants() != null) {
            for (Object participant : participants.getParticipants()) {
                if (participant != null) {
                    address = extractAddressFromParticipantsEPR(participant);
                    if (address != null) {
                        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
                        audienceRestriction.setAudienceURIs(Collections.singletonList(address));
                        audienceRestrictions.add(audienceRestriction);
                    }
                }
            }
        }
    }
    return audienceRestrictions;
}
Also used : AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) ArrayList(java.util.ArrayList) Participants(org.apache.cxf.sts.request.Participants)

Aggregations

AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)25 ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20 DateTime (org.joda.time.DateTime)14 ArrayList (java.util.ArrayList)12 SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)11 Response (org.opensaml.saml.saml2.core.Response)11 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)9 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)8 URL (java.net.URL)7 QName (javax.xml.namespace.QName)7 SamlAssertionWrapper (org.apache.wss4j.common.saml.SamlAssertionWrapper)7 Crypto (org.apache.wss4j.common.crypto.Crypto)6 Status (org.opensaml.saml.saml2.core.Status)5 HashMap (java.util.HashMap)4 Client (org.apache.cxf.endpoint.Client)4 HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4 HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4 WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4 InputStream (java.io.InputStream)3 KeyStore (java.security.KeyStore)3