use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.
the class SamlTokenTest method testSaml1TokenHOK.
/**
 * Sends a signed, holder-of-key SAML 1.1 assertion in the security header and checks that the
 * provider accepts it only after the custom validator stops demanding sender-vouches.
 * The first invocation is expected to be rejected by {@link CustomSamlValidator}; the second
 * must succeed and expose both a signed SAML token result and a signature result.
 */
@Test
public void testSaml1TokenHOK() throws Exception {
    // Outbound side: the callback handler produces a self-signed holder-of-key assertion.
    SAML1CallbackHandler samlHandler = new SAML1CallbackHandler();
    samlHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
    samlHandler.setSignAssertion(true);

    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED);
    outProperties.put(ConfigurationConstants.USER, "alice");
    outProperties.put("password", "password");
    outProperties.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
    outProperties.put(ConfigurationConstants.SIG_PROP_FILE, "alice.properties");
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, samlHandler);

    // Inbound side: verify the signature and route both SAML token versions to one validator.
    CustomSamlValidator samlValidator = new CustomSamlValidator();
    final Map<QName, Object> validators = new HashMap<>();
    validators.put(WSConstants.SAML_TOKEN, samlValidator);
    validators.put(WSConstants.SAML2_TOKEN, samlValidator);

    Map<String, Object> inProperties = new HashMap<>();
    inProperties.put(ConfigurationConstants.ACTION,
        ConfigurationConstants.SAML_TOKEN_SIGNED + " " + ConfigurationConstants.SIGNATURE);
    inProperties.put(ConfigurationConstants.SIG_VER_PROP_FILE, "insecurity.properties");
    inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);

    List<String> expectedXPaths =
        Arrays.asList("//wsse:Security", "//wsse:Security/saml1:Assertion");

    // With the validator's default settings the holder-of-key assertion must be rejected.
    try {
        makeInvocation(outProperties, expectedXPaths, inProperties, Collections.emptyMap());
        fail("Failure expected in SAML Validator");
    } catch (Fault ex) {
        // expected
    }

    // Relax the sender-vouches requirement; the same message must now be accepted.
    samlValidator.setRequireSenderVouches(false);
    Message message =
        makeInvocation(outProperties, expectedXPaths, inProperties, Collections.emptyMap());

    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    WSHandlerResult firstResult = handlerResults.get(0);

    // The received token must be a signed SAML 1.1 assertion ...
    WSSecurityEngineResult tokenResult =
        firstResult.getActionResults().get(WSConstants.ST_SIGNED).get(0);
    SamlAssertionWrapper receivedAssertion =
        (SamlAssertionWrapper) tokenResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    assertNotNull(receivedAssertion);
    assertNotNull(receivedAssertion.getSaml1());
    assertTrue(receivedAssertion.isSigned());

    // ... and the message signature itself must have been processed.
    WSSecurityEngineResult signatureResult =
        firstResult.getActionResults().get(WSConstants.SIGN).get(0);
    assertNotNull(signatureResult);
}
use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.
the class SamlTokenTest method testSaml2TokenWithRolesSingleValue.
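/**
 * Sends a self-signed SAML 2.0 bearer assertion carrying one attribute per role (several
 * attributes sharing the same name) and checks that the roles are exposed through the
 * {@link SecurityContext} on the receiving side.
 */
@Test
public void testSaml2TokenWithRolesSingleValue() throws Exception {
    // Outbound side. The assertion is signed by the callback handler itself; the outbound
    // action is SAML_TOKEN_UNSIGNED, i.e. no additional message-level signature is added.
    // NOTE(review): the meaning of the boolean constructor argument is not visible in this
    // file -- confirm against SAML2CallbackHandler.
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(false);
    callbackHandler.setSignAssertion(true);
    callbackHandler.setStatement(Statement.ATTR);
    // Bearer is the only confirmation method this test exercises. An earlier call setting
    // holder-of-key was immediately overwritten by this one and has been removed so the
    // code no longer suggests a holder-of-key scenario.
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);

    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_UNSIGNED);
    outProperties.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
    outProperties.put(ConfigurationConstants.USER, "alice");
    outProperties.put("password", "password");
    outProperties.put(ConfigurationConstants.SIG_PROP_FILE, "alice.properties");
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, callbackHandler);

    // Inbound side: accept a signed SAML 2.0 bearer assertion via the custom validator.
    CustomSamlValidator validator = new CustomSamlValidator();
    validator.setRequireSAML1Assertion(false);
    validator.setRequireSenderVouches(false);
    validator.setRequireBearer(true);
    final Map<QName, Object> customMap = new HashMap<>();
    customMap.put(WSConstants.SAML_TOKEN, validator);
    customMap.put(WSConstants.SAML2_TOKEN, validator);

    Map<String, Object> inProperties = new HashMap<>();
    inProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED);
    inProperties.put(ConfigurationConstants.SIG_VER_PROP_FILE, "insecurity.properties");
    inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);

    List<String> xpaths = Arrays.asList("//wsse:Security", "//wsse:Security/saml2:Assertion");

    // Subject-confirmation validation of the bearer assertion is switched off on the inbound
    // message; the test is about role extraction, not confirmation-method enforcement.
    Map<String, String> inMessageProperties = new HashMap<>();
    inMessageProperties.put(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, "false");

    Message message = makeInvocation(outProperties, xpaths, inProperties, inMessageProperties);
    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));

    // Roles carried as attributes must be visible through the SecurityContext.
    SecurityContext sc = message.get(SecurityContext.class);
    assertNotNull(sc);
    assertTrue(sc.isUserInRole("user"));
    assertTrue(sc.isUserInRole("admin"));

    // The received token must be a signed SAML 2.0 assertion.
    WSSecurityEngineResult actionResult =
        handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
    SamlAssertionWrapper receivedAssertion =
        (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
    assertTrue(receivedAssertion.isSigned());
}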
use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.
the class SamlTokenTest method testSaml1TokenSignedSenderVouches.
/**
 * Sends a SAML 1.1 assertion produced by a default {@link SAML1CallbackHandler} inside a
 * signed message and checks that the provider accepts it with the custom validator's
 * default settings. The assertion itself is expected to be unsigned: it is the message
 * signature, not the token, that covers it.
 */
@Test
public void testSaml1TokenSignedSenderVouches() throws Exception {
    // Outbound side: message signature plus a SAML1 assertion from a default handler.
    Map<String, Object> senderProperties = new HashMap<>();
    senderProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED);
    senderProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler());
    senderProperties.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
    senderProperties.put(ConfigurationConstants.USER, "alice");
    senderProperties.put("password", "password");
    senderProperties.put(ConfigurationConstants.SIG_PROP_FILE, "alice.properties");

    // Inbound side: an unsigned SAML token is expected, together with a message signature.
    CustomSamlValidator samlValidator = new CustomSamlValidator();
    final Map<QName, Object> validators = new HashMap<>();
    validators.put(WSConstants.SAML_TOKEN, samlValidator);
    validators.put(WSConstants.SAML2_TOKEN, samlValidator);

    Map<String, Object> receiverProperties = new HashMap<>();
    receiverProperties.put(ConfigurationConstants.ACTION,
        ConfigurationConstants.SAML_TOKEN_UNSIGNED + " " + ConfigurationConstants.SIGNATURE);
    receiverProperties.put(ConfigurationConstants.SIG_VER_PROP_FILE, "insecurity.properties");
    receiverProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);

    List<String> expectedXPaths =
        Arrays.asList("//wsse:Security", "//wsse:Security/saml1:Assertion");
    Map<String, String> noMessageProperties = new HashMap<>();

    Message message =
        makeInvocation(senderProperties, expectedXPaths, receiverProperties, noMessageProperties);
    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));

    // The token shows up under the "unsigned SAML token" action and is a SAML 1.1 assertion
    // that carries no signature of its own.
    WSSecurityEngineResult tokenResult =
        handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
    SamlAssertionWrapper receivedAssertion =
        (SamlAssertionWrapper) tokenResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    assertNotNull(receivedAssertion);
    assertNotNull(receivedAssertion.getSaml1());
    assertFalse(receivedAssertion.isSigned());
}
use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.
the class SamlTokenTest method testSaml2TokenHOK.
/**
 * Sends a signed, holder-of-key SAML 2.0 assertion in the security header and checks that the
 * provider rejects it while the custom validator still demands sender-vouches or a SAML 1.1
 * token, and accepts it once both requirements are dropped. The successful invocation must
 * expose a signed SAML token result and a signature result.
 */
@Test
public void testSaml2TokenHOK() throws Exception {
    // Outbound side: the callback handler produces a self-signed holder-of-key assertion.
    SAML2CallbackHandler samlHandler = new SAML2CallbackHandler();
    samlHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
    samlHandler.setSignAssertion(true);

    Map<String, Object> outProperties = new HashMap<>();
    outProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.SAML_TOKEN_SIGNED);
    outProperties.put(ConfigurationConstants.USER, "alice");
    outProperties.put("password", "password");
    outProperties.put(ConfigurationConstants.SIG_KEY_ID, "DirectReference");
    outProperties.put(ConfigurationConstants.SIG_PROP_FILE, "alice.properties");
    outProperties.put(ConfigurationConstants.SAML_CALLBACK_REF, samlHandler);

    // Inbound side: verify the signature and route both SAML token versions to one validator.
    CustomSamlValidator samlValidator = new CustomSamlValidator();
    final Map<QName, Object> validators = new HashMap<>();
    validators.put(WSConstants.SAML_TOKEN, samlValidator);
    validators.put(WSConstants.SAML2_TOKEN, samlValidator);

    Map<String, Object> inProperties = new HashMap<>();
    inProperties.put(ConfigurationConstants.ACTION,
        ConfigurationConstants.SAML_TOKEN_SIGNED + " " + ConfigurationConstants.SIGNATURE);
    inProperties.put(ConfigurationConstants.SIG_VER_PROP_FILE, "insecurity.properties");
    inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, validators);

    List<String> expectedXPaths =
        Arrays.asList("//wsse:Security", "//wsse:Security/saml2:Assertion");

    // Default validator settings: rejected.
    invokeExpectingSaml2HokRejection(outProperties, expectedXPaths, inProperties);

    // Sender-vouches no longer required, but a SAML 1.1 token still is: rejected.
    samlValidator.setRequireSenderVouches(false);
    invokeExpectingSaml2HokRejection(outProperties, expectedXPaths, inProperties);

    // Both requirements dropped: the holder-of-key SAML 2.0 assertion is accepted.
    samlValidator.setRequireSAML1Assertion(false);
    Message message =
        makeInvocation(outProperties, expectedXPaths, inProperties, Collections.emptyMap());

    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    WSHandlerResult firstResult = handlerResults.get(0);

    // The received token must be a signed SAML 2.0 assertion ...
    WSSecurityEngineResult tokenResult =
        firstResult.getActionResults().get(WSConstants.ST_SIGNED).get(0);
    SamlAssertionWrapper receivedAssertion =
        (SamlAssertionWrapper) tokenResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
    assertNotNull(receivedAssertion);
    assertNotNull(receivedAssertion.getSaml2());
    assertTrue(receivedAssertion.isSigned());

    // ... and the message signature itself must have been processed.
    WSSecurityEngineResult signatureResult =
        firstResult.getActionResults().get(WSConstants.SIGN).get(0);
    assertNotNull(signatureResult);
}

/**
 * Invokes the provider with the given configuration and fails the test unless the
 * invocation is rejected with a {@link Fault}, which is what {@link CustomSamlValidator}
 * raises when the SAML token does not meet its requirements.
 */
private void invokeExpectingSaml2HokRejection(Map<String, Object> outProperties,
                                              List<String> xpaths,
                                              Map<String, Object> inProperties) throws Exception {
    try {
        makeInvocation(outProperties, xpaths, inProperties, Collections.emptyMap());
        fail("Failure expected in SAML Validator");
    } catch (Fault ex) {
        // expected
    }
}
use of org.apache.wss4j.dom.engine.WSSecurityEngineResult in project cxf by apache.
the class CryptoCoverageChecker method handleMessage.
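/**
 * Checks that the WSS4J results refer to the required signed/encrypted
 * elements as defined by the XPath expressions in {@link #xPaths}.
 *
 * @param message
 *            the SOAP message containing the signature
 *
 * @throws SoapFault
 *             if there is an error evaluating an XPath or an element is not
 *             covered by the required cryptographic operation
 * @throws IllegalStateException
 *             if an XPath expression carries an unknown crypto type
 */
public void handleMessage(SoapMessage message) throws Fault {
    if (this.xPaths == null || this.xPaths.isEmpty()) {
        // Intentionally no early return (it appears to have been disabled on purpose): an
        // empty list simply checks nothing below, and a null list fails at the iteration
        // further down instead of silently letting the message through.
        // NOTE(review): confirm that failing closed on a null xPaths list is the intended
        // behaviour for a mis-configured checker.
    }
    if (message.getContent(SOAPMessage.class) == null) {
        throw new SoapFault("Error obtaining SOAP document", Fault.FAULT_CODE_CLIENT);
    }
    final Element documentElement;
    try {
        SOAPMessage saajDoc = message.getContent(SOAPMessage.class);
        SOAPEnvelope envelope = saajDoc.getSOAPPart().getEnvelope();
        if (!checkFaults && envelope.getBody().hasFault()) {
            // Fault bodies are only checked when explicitly configured via checkFaults.
            return;
        }
        documentElement = (Element) DOMUtils.getDomElement(envelope);
    } catch (SOAPException e) {
        // Keep the cause attached so the failure can be diagnosed server-side.
        throw new SoapFault("Error obtaining SOAP document", e, Fault.FAULT_CODE_CLIENT);
    }

    // Collect every reference that WSS4J reports as signed or encrypted.
    final Collection<WSDataRef> signed = new HashSet<>();
    final Collection<WSDataRef> encrypted = new HashSet<>();
    List<WSHandlerResult> results =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (results != null) {
        for (WSHandlerResult wshr : results) {
            collectDataRefs(wshr.getActionResults().get(WSConstants.SIGN), signed, true);
            collectDataRefs(wshr.getActionResults().get(WSConstants.ENCR), encrypted, false);
        }
    }
    CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);

    // XPathFactory and XPath are not thread-safe, so fresh instances are built per request.
    final XPathFactory factory = XPathFactory.newInstance();
    try {
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
    } catch (javax.xml.xpath.XPathFactoryConfigurationException ex) {
        // Best effort: the installed factory does not support the feature. The expressions
        // evaluated here come from this interceptor's own configuration, so the check still
        // proceeds without it.
    }
    final XPath xpath = factory.newXPath();
    if (this.prefixMap != null) {
        xpath.setNamespaceContext(new MapNamespaceContext(this.prefixMap));
    }

    // Every configured expression must be matched by a reference of the matching kind.
    for (XPathExpression xPathExpression : this.xPaths) {
        final Collection<WSDataRef> refsToCheck;
        switch (xPathExpression.getType()) {
        case SIGNED:
            refsToCheck = signed;
            break;
        case ENCRYPTED:
            refsToCheck = encrypted;
            break;
        default:
            throw new IllegalStateException("Unexpected crypto type: " + xPathExpression.getType());
        }
        try {
            CryptoCoverageUtil.checkCoverage(documentElement, refsToCheck, xpath,
                Arrays.asList(xPathExpression.getXPath()), xPathExpression.getType(),
                xPathExpression.getScope());
        } catch (WSSecurityException e) {
            // Keep the cause attached; the client-facing message names only the expression.
            throw new SoapFault("No " + xPathExpression.getType() + " element found matching XPath "
                + xPathExpression.getXPath(), e, Fault.FAULT_CODE_CLIENT);
        }
    }
}

/**
 * Adds the data references of every result in {@code actionResults} to {@code target}.
 *
 * @param actionResults
 *            the results recorded for one WSS4J action; may be {@code null}
 * @param target
 *            the collection receiving the references
 * @param skipEndorsingSignatures
 *            when {@code true}, a result whose only reference is the {@code ds:Signature}
 *            element (i.e. an endorsing signature) is not added, since it covers another
 *            signature rather than message content
 */
private static void collectDataRefs(List<WSSecurityEngineResult> actionResults,
                                    Collection<WSDataRef> target,
                                    boolean skipEndorsingSignatures) {
    if (actionResults == null) {
        return;
    }
    final QName signatureName = new QName(WSS4JConstants.SIG_NS, WSS4JConstants.SIG_LN);
    for (WSSecurityEngineResult result : actionResults) {
        List<WSDataRef> refs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue;
        }
        if (skipEndorsingSignatures && refs.size() == 1
            && refs.get(0).getName().equals(signatureName)) {
            // Endorsing the signature only; it does not cover any payload element.
            continue;
        }
        target.addAll(refs);
    }
}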