/** Test a valid SAML 1.1 Assertion */
@org.junit.Test
public void testValidSAML1Assertion() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
Principal principal = validatorResponse.getPrincipal();
assertTrue(principal != null && principal.getName() != null);
}
/** Test a SAML 2 Assertion with an invalid signature */
@org.junit.Test
public void testInvalidSignatureSAML2Assertion() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
CallbackHandler callbackHandler = new EveCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "eve", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
// Set tokenstore to null so that issued token is not found in the cache
validatorParameters.setTokenStore(null);
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** Test a valid certificate */
@org.junit.Test
public void testValidCertificate() throws Exception {
TokenValidator x509TokenValidator = new X509TokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of an X509Certificate
BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
JAXBElement<BinarySecurityTokenType> tokenType =
new JAXBElement<BinarySecurityTokenType>(
QNameConstants.BINARY_SECURITY_TOKEN,
BinarySecurityTokenType.class,
binarySecurityToken);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
Crypto crypto = validatorParameters.getStsProperties().getSignatureCrypto();
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertTrue(certs != null && certs.length > 0);
binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
// It can't handle the token as the value type is not set
assertFalse(x509TokenValidator.canHandleToken(validateTarget));
binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
assertTrue(x509TokenValidator.canHandleToken(validateTarget));
// This will fail as the encoding type is not set
TokenValidatorResponse validatorResponse = null;
validatorResponse = x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
validatorResponse = x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
Principal principal = validatorResponse.getPrincipal();
assertTrue(principal != null && principal.getName() != null);
}
/** Test an invalid UsernameToken with password text */
@org.junit.Test
public void testInvalidUsernameTokenText() throws Exception {
TokenValidator usernameTokenValidator = new UsernameTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a UsernameToken
UsernameTokenType usernameToken = new UsernameTokenType();
AttributedString username = new AttributedString();
username.setValue("eve");
usernameToken.setUsername(username);
JAXBElement<UsernameTokenType> tokenType =
new JAXBElement<UsernameTokenType>(
QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);
// Add a password
PasswordString password = new PasswordString();
password.setValue("clarinet");
password.setType(WSConstants.PASSWORD_TEXT);
JAXBElement<PasswordString> passwordType =
new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password);
usernameToken.getAny().add(passwordType);
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(usernameTokenValidator.canHandleToken(validateTarget));
// This will fail as the username is bad
TokenValidatorResponse validatorResponse =
usernameTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
// This will fail as the password is bad
username.setValue("alice");
password.setValue("badpassword");
validatorResponse = usernameTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** Test a SAML 1.1 Assertion using Certificate Constraints */
@org.junit.Test
public void testSAML1AssertionCertConstraints() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
validatorParameters.setTokenStore(null);
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
List<String> certConstraints = new ArrayList<String>();
certConstraints.add("XYZ");
certConstraints.add(".*CN=www.sts.com.*");
((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
certConstraints.clear();
certConstraints.add("XYZ");
((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);
validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** Test an invalid certificate */
@org.junit.Test
public void testInvalidCertificate() throws Exception {
TokenValidator x509TokenValidator = new X509TokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of an X509Certificate
BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
JAXBElement<BinarySecurityTokenType> tokenType =
new JAXBElement<BinarySecurityTokenType>(
QNameConstants.BINARY_SECURITY_TOKEN,
BinarySecurityTokenType.class,
binarySecurityToken);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("eve");
Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertTrue(certs != null && certs.length > 0);
binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(x509TokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse =
x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** Test a valid UsernameToken with password digest */
@org.junit.Test
public void testValidUsernameTokenDigest() throws Exception {
TokenValidator usernameTokenValidator = new UsernameTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a UsernameToken
UsernameTokenType usernameToken = new UsernameTokenType();
AttributedString username = new AttributedString();
username.setValue("alice");
usernameToken.setUsername(username);
JAXBElement<UsernameTokenType> tokenType =
new JAXBElement<UsernameTokenType>(
QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);
// Create a WSS4J UsernameToken
Document doc = DOMUtils.createDocument();
UsernameToken ut = new UsernameToken(true, doc, WSConstants.PASSWORD_DIGEST);
ut.setName("alice");
ut.setPassword("clarinet");
ut.addNonce(doc);
ut.addCreated(true, doc);
// Add a password
PasswordString password = new PasswordString();
password.setValue(ut.getPassword());
password.setType(WSConstants.PASSWORD_DIGEST);
JAXBElement<PasswordString> passwordType =
new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password);
usernameToken.getAny().add(passwordType);
// Add a nonce
EncodedString nonce = new EncodedString();
nonce.setValue(ut.getNonce());
nonce.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
JAXBElement<EncodedString> nonceType =
new JAXBElement<EncodedString>(QNameConstants.NONCE, EncodedString.class, nonce);
usernameToken.getAny().add(nonceType);
// Add Created value
String created = ut.getCreated();
Element createdElement = doc.createElementNS(WSConstants.WSU_NS, "Created");
createdElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", WSConstants.WSU_NS);
createdElement.setTextContent(created);
usernameToken.getAny().add(createdElement);
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(usernameTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse =
usernameTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
Principal principal = validatorResponse.getPrincipal();
assertTrue(principal != null && principal.getName() != null);
// Expected failure on a bad password
password.setValue("badpassword");
validatorResponse = usernameTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
private User fromToken(String token) throws UnauthorizedException, ConflictException {
if (token == null) {
throw new UnauthorizedException("Missed token parameter");
}
return new User().withEmail(tokenValidator.validateToken(token));
}
