use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SamlTokenTest method testAudienceRestriction.
@org.junit.Test
public void testAudienceRestriction() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = SamlTokenTest.class.getResource("client.xml");
Bus bus = bf.createBus(busFile.toString());
BusFactory.setDefaultBus(bus);
BusFactory.setThreadDefaultBus(bus);
URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
String portNumber = PORT2;
if (STAX_PORT.equals(test.getPort())) {
portNumber = STAX_PORT2;
}
updateAddressPort(saml2Port, portNumber);
// Create a SAML Token with an AudienceRestrictionCondition
ConditionsBean conditions = new ConditionsBean();
List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2"));
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setConditions(conditions);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
saml2Port.doubleIt(25);
try {
// Now use an "unknown" audience restriction
audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList("https://localhost:" + portNumber + "/DoubleItSaml2Transport2unknown"));
audienceRestrictions.clear();
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
callbackHandler.setConditions(conditions);
saml2Port.doubleIt(25);
fail("Failure expected on unknown AudienceRestriction");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
// expected
}
}
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SamlTokenTest method testDisableAudienceRestrictionValidation.
@org.junit.Test
public void testDisableAudienceRestrictionValidation() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = SamlTokenTest.class.getResource("client.xml");
Bus bus = bf.createBus(busFile.toString());
BusFactory.setDefaultBus(bus);
BusFactory.setThreadDefaultBus(bus);
URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
String portNumber = PORT2;
if (STAX_PORT.equals(test.getPort())) {
portNumber = STAX_PORT2;
}
updateAddressPort(saml2Port, portNumber);
// Create a SAML Token with an AudienceRestrictionCondition
ConditionsBean conditions = new ConditionsBean();
List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(service.getServiceName().toString() + ".xyz"));
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setConditions(conditions);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
// It should fail with validation enabled
try {
saml2Port.doubleIt(25);
fail("Failure expected on unknown AudienceRestriction");
} catch (javax.xml.ws.soap.SOAPFaultException ex) {
// expected
}
// It should pass with validation disabled
portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
saml2Port = service.getPort(portQName, DoubleItPortType.class);
updateAddressPort(saml2Port, portNumber);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
saml2Port.doubleIt(25);
// It should pass because we explicitly allow the given audience restriction
portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort4");
saml2Port = service.getPort(portQName, DoubleItPortType.class);
updateAddressPort(saml2Port, portNumber);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
saml2Port.doubleIt(25);
}
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SamlTokenTest method testAudienceRestrictionServiceName.
@org.junit.Test
public void testAudienceRestrictionServiceName() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = SamlTokenTest.class.getResource("client.xml");
Bus bus = bf.createBus(busFile.toString());
BusFactory.setDefaultBus(bus);
BusFactory.setThreadDefaultBus(bus);
URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class);
String portNumber = PORT2;
if (STAX_PORT.equals(test.getPort())) {
portNumber = STAX_PORT2;
}
updateAddressPort(saml2Port, portNumber);
// Create a SAML Token with an AudienceRestrictionCondition
ConditionsBean conditions = new ConditionsBean();
List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<>();
AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
audienceRestriction.setAudienceURIs(Collections.singletonList(service.getServiceName().toString()));
audienceRestrictions.add(audienceRestriction);
conditions.setAudienceRestrictions(audienceRestrictions);
SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
callbackHandler.setConditions(conditions);
((BindingProvider) saml2Port).getRequestContext().put(SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler);
saml2Port.doubleIt(25);
}
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SAMLTokenProvider method createCallbackHandler.
public SamlCallbackHandler createCallbackHandler(TokenProviderParameters tokenParameters, byte[] secret, RealmProperties samlRealm, Document doc) throws Exception {
boolean statementAdded = false;
// Parse the AttributeStatements
List<AttributeStatementBean> attrBeanList = null;
if (attributeStatementProviders != null && !attributeStatementProviders.isEmpty()) {
attrBeanList = new ArrayList<>();
for (AttributeStatementProvider statementProvider : attributeStatementProviders) {
AttributeStatementBean statementBean = statementProvider.getStatement(tokenParameters);
if (statementBean != null) {
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("AttributeStatements " + statementBean.toString() + " returned by AttributeStatementProvider " + statementProvider.getClass().getName());
}
attrBeanList.add(statementBean);
statementAdded = true;
}
}
}
// Parse the AuthenticationStatements
List<AuthenticationStatementBean> authBeanList = null;
if (authenticationStatementProviders != null && !authenticationStatementProviders.isEmpty()) {
authBeanList = new ArrayList<>();
for (AuthenticationStatementProvider statementProvider : authenticationStatementProviders) {
AuthenticationStatementBean statementBean = statementProvider.getStatement(tokenParameters);
if (statementBean != null) {
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("AuthenticationStatement " + statementBean.toString() + " returned by AuthenticationStatementProvider " + statementProvider.getClass().getName());
}
authBeanList.add(statementBean);
statementAdded = true;
}
}
}
// Parse the AuthDecisionStatements
List<AuthDecisionStatementBean> authDecisionBeanList = null;
if (authDecisionStatementProviders != null && !authDecisionStatementProviders.isEmpty()) {
authDecisionBeanList = new ArrayList<>();
for (AuthDecisionStatementProvider statementProvider : authDecisionStatementProviders) {
AuthDecisionStatementBean statementBean = statementProvider.getStatement(tokenParameters);
if (statementBean != null) {
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("AuthDecisionStatement " + statementBean.toString() + " returned by AuthDecisionStatementProvider " + statementProvider.getClass().getName());
}
authDecisionBeanList.add(statementBean);
statementAdded = true;
}
}
}
// Also handle "ActAs" via the ActAsAttributeStatementProvider
if (!statementAdded) {
attrBeanList = new ArrayList<>();
AttributeStatementProvider attributeProvider = new ClaimsAttributeStatementProvider();
AttributeStatementBean attributeBean = attributeProvider.getStatement(tokenParameters);
if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
attrBeanList.add(attributeBean);
} else {
attributeProvider = new DefaultAttributeStatementProvider();
attributeBean = attributeProvider.getStatement(tokenParameters);
attrBeanList.add(attributeBean);
}
attributeProvider = new ActAsAttributeStatementProvider();
attributeBean = attributeProvider.getStatement(tokenParameters);
if (attributeBean != null && attributeBean.getSamlAttributes() != null && !attributeBean.getSamlAttributes().isEmpty()) {
attrBeanList.add(attributeBean);
}
}
// Get the Subject and Conditions
SubjectProviderParameters subjectProviderParameters = new SubjectProviderParameters();
subjectProviderParameters.setProviderParameters(tokenParameters);
subjectProviderParameters.setDoc(doc);
subjectProviderParameters.setSecret(secret);
subjectProviderParameters.setAttrBeanList(attrBeanList);
subjectProviderParameters.setAuthBeanList(authBeanList);
subjectProviderParameters.setAuthDecisionBeanList(authDecisionBeanList);
SubjectBean subjectBean = subjectProvider.getSubject(subjectProviderParameters);
ConditionsBean conditionsBean = conditionsProvider.getConditions(tokenParameters);
// Set all of the beans on the SamlCallbackHandler
SamlCallbackHandler handler = new SamlCallbackHandler();
handler.setTokenProviderParameters(tokenParameters);
handler.setSubjectBean(subjectBean);
handler.setConditionsBean(conditionsBean);
handler.setAttributeBeans(attrBeanList);
handler.setAuthenticationBeans(authBeanList);
handler.setAuthDecisionStatementBeans(authDecisionBeanList);
if (samlRealm != null) {
handler.setIssuer(samlRealm.getIssuer());
}
return handler;
}
use of org.apache.wss4j.common.saml.bean.ConditionsBean in project cxf by apache.
the class SAMLTokenRenewer method createNewConditions.
private void createNewConditions(SamlAssertionWrapper assertion, TokenRenewerParameters tokenParameters) {
ConditionsBean conditions = conditionsProvider.getConditions(convertToProviderParameters(tokenParameters));
if (assertion.getSaml1() != null) {
org.opensaml.saml.saml1.core.Assertion saml1Assertion = assertion.getSaml1();
saml1Assertion.setIssueInstant(new DateTime());
org.opensaml.saml.saml1.core.Conditions saml1Conditions = SAML1ComponentBuilder.createSamlv1Conditions(conditions);
saml1Assertion.setConditions(saml1Conditions);
} else {
org.opensaml.saml.saml2.core.Assertion saml2Assertion = assertion.getSaml2();
saml2Assertion.setIssueInstant(new DateTime());
org.opensaml.saml.saml2.core.Conditions saml2Conditions = SAML2ComponentBuilder.createConditions(conditions);
saml2Assertion.setConditions(saml2Conditions);
}
}
Aggregations