Search in sources :

Example 11 with ConditionsBean

use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.

the class SamlTokenTest method testAudienceRestriction.

@org.junit.Test
public void testAudienceRestriction() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SamlTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
    DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
    String portNumber = PORT2;
    if (STAX_PORT.equals(test.getPort())) {
        portNumber = STAX_PORT2;
    }
    updateAddressPort(saml2Port, portNumber);
    // Create a SAML Token with an AudienceRestrictionCondition
    ConditionsBean conditions = new ConditionsBean();
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2"));
    audienceRestrictions.add(audienceRestriction);
    conditions.setAudienceRestrictions(audienceRestrictions);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setConditions(conditions);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
    try {
        // Now use an "unknown" audience restriction
        audienceRestriction = new AudienceRestrictionBean();
        audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2unknown"));
        audienceRestrictions.clear();
        audienceRestrictions.add(audienceRestriction);
        conditions.setAudienceRestrictions(audienceRestrictions);
        callbackHandler.setConditions(conditions);
        saml2Port.doubleIt(25);
        fail("Failure expected on unknown AudienceRestriction");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    // expected
    }
}
Also used : Bus(org.apache.cxf.Bus) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) QName(javax.xml.namespace.QName) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) Service(javax.xml.ws.Service) URL(java.net.URL) SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 12 with ConditionsBean

use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.

the class SamlTokenTest method testDisableAudienceRestrictionValidation.

@org.junit.Test
public void testDisableAudienceRestrictionValidation() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SamlTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
    DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
    String portNumber = PORT2;
    if (STAX_PORT.equals(test.getPort())) {
        portNumber = STAX_PORT2;
    }
    updateAddressPort(saml2Port, portNumber);
    // Create a SAML Token with an AudienceRestrictionCondition
    ConditionsBean conditions = new ConditionsBean();
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList(service.getServiceName().toString() + ".xyz"));
    audienceRestrictions.add(audienceRestriction);
    conditions.setAudienceRestrictions(audienceRestrictions);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setConditions(conditions);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    // It should fail with validation enabled
    try {
        saml2Port.doubleIt(25);
        fail("Failure expected on unknown AudienceRestriction");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
    // expected
    }
    // It should pass with validation disabled
    portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
    saml2Port = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(saml2Port, portNumber);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
    // It should pass because we explicitly allow the given audience restriction
    portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort4");
    saml2Port = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(saml2Port, portNumber);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
}
Also used : Bus(org.apache.cxf.Bus) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) QName(javax.xml.namespace.QName) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) Service(javax.xml.ws.Service) URL(java.net.URL) SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 13 with ConditionsBean

use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.

the class SamlTokenTest method testAudienceRestrictionServiceName.

@org.junit.Test
public void testAudienceRestrictionServiceName() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SamlTokenTest.class.getResource("client.xml");
    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);
    URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
    DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
    String portNumber = PORT2;
    if (STAX_PORT.equals(test.getPort())) {
        portNumber = STAX_PORT2;
    }
    updateAddressPort(saml2Port, portNumber);
    // Create a SAML Token with an AudienceRestrictionCondition
    ConditionsBean conditions = new ConditionsBean();
    List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
    AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
    audienceRestriction.setAudienceURIs(Collections.singletonList(service.getServiceName().toString()));
    audienceRestrictions.add(audienceRestriction);
    conditions.setAudienceRestrictions(audienceRestrictions);
    SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
    callbackHandler.setConditions(conditions);
    ((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
    saml2Port.doubleIt(25);
}
Also used : Bus(org.apache.cxf.Bus) SamlCallbackHandler(org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) AudienceRestrictionBean(org.apache.wss4j.common.saml.bean.AudienceRestrictionBean) QName(javax.xml.namespace.QName) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ArrayList(java.util.ArrayList) Service(javax.xml.ws.Service) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType) URL(java.net.URL)

Example 14 with ConditionsBean

use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.

the class SAMLTokenProvider method createCallbackHandler.

public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenParameters, byte[] secret, RealmProperties samlRealm, Document doc) throws Exception {
    boolean statementAdded = false;
    // Parse the AttributeStatements
    List<AttributeStatementBean> attrBeanList = null;
    if (attributeStatementProviders != null && !attributeStatementProviders.isEmpty()) {
        attrBeanList = new ArrayList<>();
        for (AttributeStatementProvider statementProvider : attributeStatementProviders) {
            AttributeStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("AttributeStatements " + statementBean.toString() + " returned by AttributeStatementProvider " + statementProvider.getClass().getName());
                }
                attrBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Parse the AuthenticationStatements
    List<AuthenticationStatementBean> authBeanList = null;
    if (authenticationStatementProviders != null && !authenticationStatementProviders.isEmpty()) {
        authBeanList = new ArrayList<>();
        for (AuthenticationStatementProvider statementProvider : authenticationStatementProviders) {
            AuthenticationStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("AuthenticationStatement " + statementBean.toString() + " returned by AuthenticationStatementProvider " + statementProvider.getClass().getName());
                }
                authBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Parse the AuthDecisionStatements
    List<AuthDecisionStatementBean> authDecisionBeanList = null;
    if (authDecisionStatementProviders != null && !authDecisionStatementProviders.isEmpty()) {
        authDecisionBeanList = new ArrayList<>();
        for (AuthDecisionStatementProvider statementProvider : authDecisionStatementProviders) {
            AuthDecisionStatementBean statementBean = statementProvider.getStatement(tokenParameters);
            if (statementBean != null) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("AuthDecisionStatement " + statementBean.toString() + " returned by AuthDecisionStatementProvider " + statementProvider.getClass().getName());
                }
                authDecisionBeanList.add(statementBean);
                statementAdded = true;
            }
        }
    }
    // Also handle "ActAs" via the ActAsAttributeStatementProvider
    if (!statementAdded) {
        attrBeanList = new ArrayList<>();
        AttributeStatementProvider attributeProvider = new ClaimsAttributeStatementProvider();
        AttributeStatementBean attributeBean = attributeProvider.getStatement(tokenParameters);
        if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
            attrBeanList.add(attributeBean);
        } else {
            attributeProvider = new DefaultAttributeStatementProvider();
            attributeBean = attributeProvider.getStatement(tokenParameters);
            attrBeanList.add(attributeBean);
        }
        attributeProvider = new ActAsAttributeStatementProvider();
        attributeBean = attributeProvider.getStatement(tokenParameters);
        if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
            attrBeanList.add(attributeBean);
        }
    }
    // Get the Subject and Conditions
    SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
    subjectProviderParameters.setProviderParameters(tokenParameters);
    subjectProviderParameters.setDoc(doc);
    subjectProviderParameters.setSecret(secret);
    subjectProviderParameters.setAttrBeanList(attrBeanList);
    subjectProviderParameters.setAuthBeanList(authBeanList);
    subjectProviderParameters.setAuthDecisionBeanList(authDecisionBeanList);
    SubjectBean subjectBean = subjectProvider.getSubject(subjectProviderParameters);
    ConditionsBean conditionsBean = conditionsProvider.getConditions(tokenParameters);
    // Set all of the beans on the SamlCallbackHandler
    SamlCallbackHandler handler = new SamlCallbackHandler();
    handler.setTokenProviderParameters(tokenParameters);
    handler.setSubjectBean(subjectBean);
    handler.setConditionsBean(conditionsBean);
    handler.setAttributeBeans(attrBeanList);
    handler.setAuthenticationBeans(authBeanList);
    handler.setAuthDecisionStatementBeans(authDecisionBeanList);
    if (samlRealm != null) {
        handler.setIssuer(samlRealm.getIssuer());
    }
    return handler;
}
Also used : ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) AttributeStatementBean(org.apache.wss4j.common.saml.bean.AttributeStatementBean) AuthenticationStatementBean(org.apache.wss4j.common.saml.bean.AuthenticationStatementBean) ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) ClaimsAttributeStatementProvider(org.apache.cxf.sts.claims.ClaimsAttributeStatementProvider) SubjectBean(org.apache.wss4j.common.saml.bean.SubjectBean) AuthDecisionStatementBean(org.apache.wss4j.common.saml.bean.AuthDecisionStatementBean)

Example 15 with ConditionsBean

use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.

the class SAMLTokenRenewer method createNewConditions.

private void createNewConditions(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters) {
    ConditionsBean conditions = conditionsProvider.getConditions(convertToProviderParameters(tokenParameters));
    if (assertion.getSaml1() != null) {
        org.opensaml.saml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
        saml1Assertion.setIssueInstant(new DateTime());
        org.opensaml.saml.saml1.core.Conditions saml1Conditions = SAML1ComponentBuilder.createSamlv1Conditions(conditions);
        saml1Assertion.setConditions(saml1Conditions);
    } else {
        org.opensaml.saml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
        saml2Assertion.setIssueInstant(new DateTime());
        org.opensaml.saml.saml2.core.Conditions saml2Conditions = SAML2ComponentBuilder.createConditions(conditions);
        saml2Assertion.setConditions(saml2Conditions);
    }
}
Also used : ConditionsBean(org.apache.wss4j.common.saml.bean.ConditionsBean) DateTime(org.joda.time.DateTime)

Aggregations

ConditionsBean (org.apache.wss4j.common.saml.bean.ConditionsBean)20 AudienceRestrictionBean (org.apache.wss4j.common.saml.bean.AudienceRestrictionBean)16 ArrayList (java.util.ArrayList)9 DateTime (org.joda.time.DateTime)9 URL (java.net.URL)8 QName (javax.xml.namespace.QName)8 Response (org.opensaml.saml.saml2.core.Response)6 Client (org.apache.cxf.endpoint.Client)5 WSSecurityException (org.apache.wss4j.common.ext.WSSecurityException)5 SAMLCallback (org.apache.wss4j.common.saml.SAMLCallback)5 SubjectConfirmationDataBean (org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean)5 HashMap (java.util.HashMap)4 Service (javax.xml.ws.Service)4 Bus (org.apache.cxf.Bus)4 SpringBusFactory (org.apache.cxf.bus.spring.SpringBusFactory)4 HelloWorldPortType (org.apache.cxf.hello_world_jms.HelloWorldPortType)4 HelloWorldService (org.apache.cxf.hello_world_jms.HelloWorldService)4 SamlCallbackHandler (org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler)4 WSS4JOutInterceptor (org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor)4 Crypto (org.apache.wss4j.common.crypto.Crypto)4