@Override
public void afterPropertiesSet() throws Exception {
if (!configuration.containsKey(CRYPTO_PROVIDER_PROPERTY)) {
configuration.setProperty(CRYPTO_PROVIDER_PROPERTY, Merlin.class.getName());
}
this.crypto = CryptoFactory.getInstance(configuration, classLoader);
}
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
TokenValidatorParameters parameters = new TokenValidatorParameters();
TokenRequirements tokenRequirements = new TokenRequirements();
tokenRequirements.setTokenType(STSConstants.STATUS);
parameters.setTokenRequirements(tokenRequirements);
KeyRequirements keyRequirements = new KeyRequirements();
parameters.setKeyRequirements(keyRequirements);
parameters.setPrincipal(new CustomTokenPrincipal("alice"));
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
parameters.setWebServiceContext(webServiceContext);
// Add STSProperties object
StaticSTSProperties stsProperties = new StaticSTSProperties();
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(crypto);
stsProperties.setSignatureCrypto(crypto);
stsProperties.setEncryptionUsername("myservicekey");
stsProperties.setSignatureUsername("mystskey");
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
stsProperties.setIssuer("STS");
parameters.setStsProperties(stsProperties);
return parameters;
}
/** Test a valid SAML 1.1 Assertion */
@org.junit.Test
public void testValidSAML1Assertion() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
Principal principal = validatorResponse.getPrincipal();
assertTrue(principal != null && principal.getName() != null);
}
/** Test a SAML 2 Assertion with an invalid signature */
@org.junit.Test
public void testInvalidSignatureSAML2Assertion() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
CallbackHandler callbackHandler = new EveCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "eve", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
// Set tokenstore to null so that issued token is not found in the cache
validatorParameters.setTokenStore(null);
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** Test a SAML 1.1 Assertion using Certificate Constraints */
@org.junit.Test
public void testSAML1AssertionCertConstraints() throws Exception {
TokenValidator samlTokenValidator = new SAMLTokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
validatorParameters.setTokenStore(null);
// Create a ValidateTarget consisting of a SAML Assertion
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new PasswordCallbackHandler();
Element samlToken =
createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
Document doc = samlToken.getOwnerDocument();
samlToken = (Element) doc.appendChild(samlToken);
ReceivedToken validateTarget = new ReceivedToken(samlToken);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(samlTokenValidator.canHandleToken(validateTarget));
List<String> certConstraints = new ArrayList<String>();
certConstraints.add("XYZ");
certConstraints.add(".*CN=www.sts.com.*");
((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);
TokenValidatorResponse validatorResponse =
samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
certConstraints.clear();
certConstraints.add("XYZ");
((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);
validatorResponse = samlTokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
/** * WS-Security Test Case for using the ThumbprintSHA1 key identifier for signature and encryption, * and the EncryptedKeySHA1 key identifier for encryption. * * <p> * * @author Davanum Srinivas ([email protected]) */ public class TestWSSecurityNew14 extends TestCase implements CallbackHandler { private static final Log LOG = LogFactory.getLog(TestWSSecurityNew14.class); private static final String SOAPMSG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + "<SOAP-ENV:Envelope " + "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" " + "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" " + "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" + "<SOAP-ENV:Body>" + "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">" + "<value xmlns=\"\">15</value>" + "</add>" + "</SOAP-ENV:Body>" + "</SOAP-ENV:Envelope>"; private WSSecurityEngine secEngine = new WSSecurityEngine(); private Crypto crypto = CryptoFactory.getInstance(); private MessageContext msgContext; private SOAPEnvelope unsignedEnvelope; private byte[] keyData; private SecretKey key; /** * TestWSSecurity constructor * * <p> * * @param name name of the test */ public TestWSSecurityNew14(String name) { super(name); } /** * JUnit suite * * <p> * * @return a junit test suite */ public static Test suite() { return new TestSuite(TestWSSecurityNew14.class); } /** * Setup method * * <p> * * @throws java.lang.Exception Thrown when there is a problem in setup */ protected void setUp() throws Exception { AxisClient tmpEngine = new AxisClient(new NullProvider()); msgContext = new MessageContext(tmpEngine); unsignedEnvelope = getSOAPEnvelope(); KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(128); key = keyGen.generateKey(); keyData = key.getEncoded(); } /** * Constructs a soap envelope * * <p> * * @return soap envelope * @throws java.lang.Exception if there is any problem constructing the soap envelope */ protected SOAPEnvelope getSOAPEnvelope() throws Exception { InputStream in = new ByteArrayInputStream(SOAPMSG.getBytes()); Message msg = new Message(in); msg.setMessageContext(msgContext); return msg.getSOAPEnvelope(); } /** * Test that signs and verifies a WS-Security envelope. The test uses the ThumbprintSHA1 key * identifier type. * * <p> * * @throws java.lang.Exception Thrown when there is any problem in signing or verification */ public void testX509SignatureThumb() throws Exception { WSSecSignature builder = new WSSecSignature(); builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); builder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); // builder.setUserInfo("john", "keypass"); LOG.info("Before Signing ThumbprintSHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document signedDoc = builder.build(doc, crypto, secHeader); if (LOG.isDebugEnabled()) { LOG.debug("Signed message with ThumbprintSHA1 key identifier:"); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc); LOG.debug(outputString); } LOG.info("After Signing ThumbprintSHA1...."); verify(signedDoc); } /** * Test that signs (twice) and verifies a WS-Security envelope. The test uses the ThumbprintSHA1 * key identifier type. * * <p> * * @throws java.lang.Exception Thrown when there is any problem in signing or verification */ public void testDoubleX509SignatureThumb() throws Exception { WSSecSignature builder = new WSSecSignature(); builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); // builder.setUserInfo("john", "keypass"); builder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document signedDoc = builder.build(doc, crypto, secHeader); Document signedDoc1 = builder.build(signedDoc, crypto, secHeader); verify(signedDoc1); } /** * Test that encrypts and decrypts a WS-Security envelope. The test uses the ThumbprintSHA1 key * identifier type. * * <p> * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testX509EncryptionThumb() throws Exception { WSSecEncrypt builder = new WSSecEncrypt(); builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); builder.setKeyIdentifierType(WSConstants.THUMBPRINT_IDENTIFIER); LOG.info("Before Encrypting ThumbprintSHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document encryptedDoc = builder.build(doc, crypto, secHeader); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); if (LOG.isDebugEnabled()) { LOG.debug("Encrypted message with THUMBPRINT_IDENTIFIER:"); LOG.debug(outputString); } assertTrue(outputString.indexOf("#ThumbprintSHA1") != -1); LOG.info("After Encrypting ThumbprintSHA1...."); verify(encryptedDoc); } /** * Test that encrypts and decrypts a WS-Security envelope. The test uses the EncryptedKeySHA1 key * identifier type. * * <p> * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testX509EncryptionSHA1() throws Exception { WSSecEncrypt builder = new WSSecEncrypt(); builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); builder.setUseKeyIdentifier(true); LOG.info("Before Encrypting EncryptedKeySHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document encryptedDoc = builder.build(doc, crypto, secHeader); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); if (LOG.isDebugEnabled()) { LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:"); LOG.debug(outputString); } assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1); LOG.info("After Encrypting EncryptedKeySHA1...."); verify(encryptedDoc); } /** * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key, rather than a * generated session key which is then encrypted using a public key. * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testEncryptionSHA1Symmetric() throws Exception { WSSecEncrypt builder = new WSSecEncrypt(); builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); builder.setSymmetricKey(key); builder.setEncryptSymmKey(false); builder.setUseKeyIdentifier(true); LOG.info("Before Encrypting EncryptedKeySHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document encryptedDoc = builder.build(doc, crypto, secHeader); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); if (LOG.isDebugEnabled()) { LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:"); LOG.debug(outputString); } assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1); LOG.info("After Encrypting EncryptedKeySHA1...."); verify(encryptedDoc); } /** * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key (bytes), rather than a * generated session key which is then encrypted using a public key. * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testEncryptionSHA1SymmetricBytes() throws Exception { WSSecEncrypt builder = new WSSecEncrypt(); builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); builder.setEphemeralKey(keyData); builder.setEncryptSymmKey(false); builder.setUseKeyIdentifier(true); LOG.info("Before Encrypting EncryptedKeySHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document encryptedDoc = builder.build(doc, crypto, secHeader); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); if (LOG.isDebugEnabled()) { LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:"); LOG.debug(outputString); } assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1); LOG.info("After Encrypting EncryptedKeySHA1...."); verify(encryptedDoc); } /** * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key, rather than a * generated session key which is then encrypted using a public key. The request is generated * using WSHandler, instead of coding it. * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testEncryptionSHA1SymmetricBytesHandler() throws Exception { final WSSConfig cfg = WSSConfig.getNewInstance(); final RequestData reqData = new RequestData(); reqData.setWssConfig(cfg); java.util.Map messageContext = new java.util.TreeMap(); messageContext.put(WSHandlerConstants.ENC_SYM_ENC_KEY, "false"); messageContext.put(WSHandlerConstants.ENC_KEY_ID, "EncryptedKeySHA1"); messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, this); reqData.setMsgContext(messageContext); reqData.setUsername(""); final java.util.Vector actions = new java.util.Vector(); actions.add(new Integer(WSConstants.ENCR)); Document doc = unsignedEnvelope.getAsDocument(); MyHandler handler = new MyHandler(); handler.send(WSConstants.ENCR, doc, reqData, actions, true); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc); if (LOG.isDebugEnabled()) { LOG.debug(outputString); } verify(doc); } /** * Verifies the soap envelope. This method verifies all the signature generated. * * @param env soap envelope * @throws java.lang.Exception Thrown when there is a problem in verification */ private void verify(Document doc) throws Exception { secEngine.processSecurityHeader(doc, null, this, crypto); } public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof WSPasswordCallback) { WSPasswordCallback pc = (WSPasswordCallback) callbacks[i]; /* * here call a function/method to lookup the password for * the given identifier (e.g. a user name or keystore alias) * e.g.: pc.setPassword(passStore.getPassword(pc.getIdentfifier)) * for Testing we supply a fixed name here. */ pc.setPassword("security"); pc.setKey(keyData); } else { throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); } } } }
/**
* Test signature created using an encrypted key SOAP Body is signed and encrypted. In the
* encryption, The ReferencesList element is put into the Encrypted Key, as a child of the
* EncryptedKey. Signature is created using the encrypted key.
*/
public class TestWSSecurityNew16 extends TestCase implements CallbackHandler {
private static final Log LOG = LogFactory.getLog(TestWSSecurityNew16.class);
private static final String SOAPMSG =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<SOAP-ENV:Envelope "
+ "xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" "
+ "xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" "
+ "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+ "<SOAP-ENV:Body>"
+ "<add xmlns=\"http://ws.apache.org/counter/counter_port_type\">"
+ "<value xmlns=\"\">15</value>"
+ "</add>"
+ "</SOAP-ENV:Body>"
+ "</SOAP-ENV:Envelope>";
private WSSecurityEngine secEngine = new WSSecurityEngine();
private Crypto crypto = CryptoFactory.getInstance();
private MessageContext msgContext;
private Message message;
/**
* TestWSSecurity constructor
*
* <p>
*
* @param name name of the test
*/
public TestWSSecurityNew16(String name) {
super(name);
}
/**
* JUnit suite
*
* <p>
*
* @return a junit test suite
*/
public static Test suite() {
return new TestSuite(TestWSSecurityNew16.class);
}
/**
* Setup method
*
* <p>
*
* @throws Exception Thrown when there is a problem in setup
*/
protected void setUp() throws Exception {
AxisClient tmpEngine = new AxisClient(new NullProvider());
msgContext = new MessageContext(tmpEngine);
message = getSOAPMessage();
}
/**
* Constructs a soap envelope
*
* <p>
*
* @return soap envelope
* @throws Exception if there is any problem constructing the soap envelope
*/
protected Message getSOAPMessage() throws Exception {
InputStream in = new ByteArrayInputStream(SOAPMSG.getBytes());
Message msg = new Message(in);
msg.setMessageContext(msgContext);
return msg;
}
/**
* Test that first signs, then encrypts a WS-Security envelope.
*
* <p>
*
* @throws Exception Thrown when there is any problem in signing, encryption, decryption, or
* verification
*/
public void testEncryptedKeySignature() throws Exception {
SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
LOG.info("Before Sign/Encryption....");
Document doc = unsignedEnvelope.getAsDocument();
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
encrKey.setKeySize(192);
encrKey.prepare(doc, crypto);
WSSecEncrypt encrypt = new WSSecEncrypt();
encrypt.setEncKeyId(encrKey.getId());
encrypt.setEphemeralKey(encrKey.getEphemeralKey());
encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
encrypt.setEncryptSymmKey(false);
encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());
WSSecSignature sign = new WSSecSignature();
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setCustomTokenId(encrKey.getId());
sign.setSecretKey(encrKey.getEphemeralKey());
sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
Document signedDoc = sign.build(doc, crypto, secHeader);
Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
if (LOG.isDebugEnabled()) {
LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
LOG.debug(outputString);
}
LOG.info("After Sign/Encryption....");
verify(encryptedSignedDoc);
}
/**
* Verifies the soap envelope
*
* <p>
*
* @param doc
* @throws Exception Thrown when there is a problem in verification
*/
private void verify(Document doc) throws Exception {
secEngine.processSecurityHeader(doc, null, this, crypto);
if (LOG.isDebugEnabled()) {
LOG.debug("Verfied and decrypted message:");
String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
LOG.debug(outputString);
}
}
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof WSPasswordCallback) {
WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
/*
* here call a function/method to lookup the password for
* the given identifier (e.g. a user name or keystore alias)
* e.g.: pc.setPassword(passStore.getPassword(pc.getIdentfifier))
* for Testing we supply a fixed name here.
*/
pc.setPassword("security");
} else {
throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
}
}
}
}