Adding support for sending Claims via the Validate binding + a test
git-svn-id: https://svn.apache.org/repos/asf/cxf/trunk@1565326 13f79535-47bb-0310-9956-ffa450edef68
coheigea committed Feb 6, 2014
1 parent aacf5fc commit 5b82381fb9958c43c7b196d514abd3cc3f40a15e
Showing 7 changed files with 77 additions and 4 deletions.
@@ -1056,6 +1056,8 @@ protected STSResponse validate(SecurityToken tok, String tokentype)
writer.writeStartElement("wst", "TokenType", namespace);
writer.writeCharacters(tokentype);
writer.writeEndElement();

addClaims(writer);

writer.writeStartElement("wst", "ValidateTarget", namespace);

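Review bot: `addClaims(writer);` is now called unconditionally inside validate(), and the hunk does not show how addClaims behaves when no claims callback handler or claims are configured; if it emits an empty wst:Claims element, every existing Validate request changes shape, not only the transformation case this commit targets. Confirm that it is a no-op in that situation and record the intent at the call site, e.g. `// Claims matter when the STS transforms the validated token (e.g. UT -> SAML); addClaims() is a no-op when no claims are configured` (adjusting the second clause to whatever addClaims actually does). validate() starts and ends outside this hunk.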
@@ -45,7 +45,6 @@

import org.w3c.dom.Element;
import org.w3c.dom.Node;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
@@ -75,6 +74,7 @@
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSSConfig;
import org.apache.wss4j.dom.WSSecurityEngine;
@@ -539,16 +539,18 @@ protected void doResults(
if (!utWithCallbacks) {
WSS4JTokenConverter.convertToken(msg, p);
}
Object receivedAssertion = null;
Object receivedAssertion = o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
if (receivedAssertion == null) {
receivedAssertion = o.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
}

List<String> roles = null;
if (o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null) {
if (receivedAssertion instanceof SamlAssertionWrapper) {
String roleAttributeName = (String)msg.getContextualProperty(
SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
if (roleAttributeName == null || roleAttributeName.length() == 0) {
roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
}
receivedAssertion = o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
roles = SAMLUtils.parseRolesInAssertion(receivedAssertion, roleAttributeName);
SAMLSecurityContext context = createSecurityContext(p, roles);
context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
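Review bot: The fallback to TAG_TRANSFORMED_TOKEN on the line after `Object receivedAssertion = o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);` silently widens what feeds the SAMLSecurityContext: roles and issuer may now be taken from whatever sits under that tag — presumably the token the STS returned while validating the presented one — rather than only from the assertion the client sent, and nothing in the hunk records that this is intended. Add a comment at the fallback, e.g. `// A token the STS produced while validating the received one is trusted for roles/issuer exactly like a directly received SAML assertion`. Note also that `if (receivedAssertion instanceof SamlAssertionWrapper)` replaces the old null check, so a value under either tag that is not a SamlAssertionWrapper is now skipped without any security context being built; if that is deliberate, a one-line comment there would stop a later "fix" from reintroducing a cast. doResults starts and ends outside this hunk.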
@@ -37,6 +37,9 @@
* The provider dispatches the Username Token to an STS for validation (via TLS), and also
* send a TokenType corresponding to a SAML2 Assertion. The STS will create the requested
* SAML Assertion after validation and return it to the provider.
*
* In the second test, the service will also send some claims to the STS for inclusion in the
* SAML Token, and validate the result.
*/
public class TransformationTest extends AbstractBusClientServerTestBase {

@@ -92,6 +95,29 @@ public void testTokenTransformation() throws Exception {
bus.shutdown(true);
}

@org.junit.Test
public void testTokenTransformationClaims() throws Exception {

SpringBusFactory bf = new SpringBusFactory();
URL busFile = TransformationTest.class.getResource("cxf-client.xml");

Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
SpringBusFactory.setThreadDefaultBus(bus);

URL wsdl = TransformationTest.class.getResource("DoubleIt.wsdl");
Service service = Service.create(wsdl, SERVICE_QNAME);
QName portQName = new QName(NAMESPACE, "DoubleItTransportUTClaimsPort");
DoubleItPortType transportUTPort =
service.getPort(portQName, DoubleItPortType.class);
updateAddressPort(transportUTPort, PORT);

doubleIt(transportUTPort, 25);

((java.io.Closeable)transportUTPort).close();
bus.shutdown(true);
}

private static void doubleIt(DoubleItPortType port, int numToDouble) {
int resp = port.doubleIt(numToDouble);
assertEquals(numToDouble * 2 , resp);
@@ -41,6 +41,7 @@
<property name="tokenProviders" ref="transportTokenProviders"/>
<property name="tokenValidators" ref="transportTokenValidators"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="claimsManager" ref="claimsManager"/>
<property name="tokenStore" ref="defaultTokenStore"/>
</bean>
<bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
@@ -38,6 +38,9 @@
<wsdl:port name="DoubleItTransportUTPort" binding="tns:DoubleItTransportUTBinding">
<soap:address location="https://localhost:8081/doubleit/services/doubleittransportut"/>
</wsdl:port>
<wsdl:port name="DoubleItTransportUTClaimsPort" binding="tns:DoubleItTransportUTBinding">
<soap:address location="https://localhost:8081/doubleit/services/doubleittransportutclaims"/>
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingTransportUTPolicy">
<wsp:ExactlyOne>
@@ -29,6 +29,12 @@
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
</jaxws:properties>
</jaxws:client>
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportUTClaimsPort" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.username" value="alice"/>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
</jaxws:properties>
</jaxws:client>
<http:conduit name="https://localhost:.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
@@ -41,6 +41,39 @@
</entry>
</jaxws:properties>
</jaxws:endpoint>

<bean id="authzInterceptor" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
<property name="methodRolesMap">
<map>
<entry key="doubleIt" value="admin-user"/>
</map>
</property>
</bean>

<bean id="roleClaimsCallbackHandler" class="org.apache.cxf.systest.sts.claims.ClaimsCallbackHandler"/>

<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportutclaims" implementor="org.apache.cxf.systest.sts.transformation.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportUTClaimsPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportutclaims" wsdlLocation="org/apache/cxf/systest/sts/transformation/DoubleIt.wsdl">
<jaxws:properties>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
<entry key="ws-security.ut.validator">
<bean class="org.apache.cxf.ws.security.trust.STSTokenValidator"/>
</entry>
<entry key="ws-security.sts.client">
<bean class="org.apache.cxf.ws.security.trust.STSClient">
<constructor-arg ref="cxf"/>
<property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport?wsdl"/>
<property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
<property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"/>
<property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
<property name="claimsCallbackHandler" ref="roleClaimsCallbackHandler"/>
</bean>
</entry>
</jaxws:properties>
<jaxws:inInterceptors>
<ref bean="authzInterceptor"/>
</jaxws:inInterceptors>
</jaxws:endpoint>

<httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
<httpj:engine port="${testutil.ports.Server}">
<httpj:tlsServerParameters>

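Review bot: The role check that gives testTokenTransformationClaims its meaning is split between `authzInterceptor` (doubleIt requires `admin-user`) and `roleClaimsCallbackHandler`, with nothing in the file tying them together; a reader cannot tell that the interceptor exists to prove the claim requested through `claimsCallbackHandler` came back in the STS-issued token. Add an XML comment above the authzInterceptor bean, e.g. `<!-- doubleIt is authorized only for admin-user, a role expected to arrive as a claim in the SAML token the STS issues (see roleClaimsCallbackHandler) -->`. The methodRolesMap lists only doubleIt; how SimpleAuthorizingInterceptor treats operations absent from the map is not visible here, so that default should be checked if the service ever gains another operation.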