/** Test a valid SAML 1.1 Assertion */
  @org.junit.Test
  public void testValidSAML1Assertion() throws Exception {
    TokenValidator samlTokenValidator = new SAMLTokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of a SAML Assertion
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken =
        createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);

    ReceivedToken validateTarget = new ReceivedToken(samlToken);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(samlTokenValidator.canHandleToken(validateTarget));

    TokenValidatorResponse validatorResponse =
        samlTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.VALID);

    Principal principal = validatorResponse.getPrincipal();
    assertTrue(principal != null && principal.getName() != null);
  }
  /** Test a SAML 2 Assertion with an invalid signature */
  @org.junit.Test
  public void testInvalidSignatureSAML2Assertion() throws Exception {
    TokenValidator samlTokenValidator = new SAMLTokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of a SAML Assertion
    Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
    CallbackHandler callbackHandler = new EveCallbackHandler();
    Element samlToken =
        createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "eve", callbackHandler);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);

    ReceivedToken validateTarget = new ReceivedToken(samlToken);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(samlTokenValidator.canHandleToken(validateTarget));

    // Set tokenstore to null so that issued token is not found in the cache
    validatorParameters.setTokenStore(null);

    TokenValidatorResponse validatorResponse =
        samlTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }
예제 #3
0
  /** Test a valid certificate */
  @org.junit.Test
  public void testValidCertificate() throws Exception {
    TokenValidator x509TokenValidator = new X509TokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of an X509Certificate
    BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
    JAXBElement<BinarySecurityTokenType> tokenType =
        new JAXBElement<BinarySecurityTokenType>(
            QNameConstants.BINARY_SECURITY_TOKEN,
            BinarySecurityTokenType.class,
            binarySecurityToken);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    Crypto crypto = validatorParameters.getStsProperties().getSignatureCrypto();
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    assertTrue(certs != null && certs.length > 0);
    binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    // It can't handle the token as the value type is not set
    assertFalse(x509TokenValidator.canHandleToken(validateTarget));

    binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
    assertTrue(x509TokenValidator.canHandleToken(validateTarget));

    // This will fail as the encoding type is not set
    TokenValidatorResponse validatorResponse = null;
    validatorResponse = x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);

    binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");

    validatorResponse = x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.VALID);

    Principal principal = validatorResponse.getPrincipal();
    assertTrue(principal != null && principal.getName() != null);
  }
  private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
    TokenValidatorParameters parameters = new TokenValidatorParameters();

    TokenRequirements tokenRequirements = new TokenRequirements();
    tokenRequirements.setTokenType(STSConstants.STATUS);
    parameters.setTokenRequirements(tokenRequirements);

    KeyRequirements keyRequirements = new KeyRequirements();
    parameters.setKeyRequirements(keyRequirements);

    parameters.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
    parameters.setWebServiceContext(webServiceContext);

    // Add STSProperties object
    StaticSTSProperties stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    parameters.setStsProperties(stsProperties);
    parameters.setTokenStore(tokenStore);

    return parameters;
  }
  /** Test an invalid UsernameToken with password text */
  @org.junit.Test
  public void testInvalidUsernameTokenText() throws Exception {
    TokenValidator usernameTokenValidator = new UsernameTokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of a UsernameToken
    UsernameTokenType usernameToken = new UsernameTokenType();
    AttributedString username = new AttributedString();
    username.setValue("eve");
    usernameToken.setUsername(username);
    JAXBElement<UsernameTokenType> tokenType =
        new JAXBElement<UsernameTokenType>(
            QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);

    // Add a password
    PasswordString password = new PasswordString();
    password.setValue("clarinet");
    password.setType(WSConstants.PASSWORD_TEXT);
    JAXBElement<PasswordString> passwordType =
        new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password);
    usernameToken.getAny().add(passwordType);

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(usernameTokenValidator.canHandleToken(validateTarget));

    // This will fail as the username is bad
    TokenValidatorResponse validatorResponse =
        usernameTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);

    // This will fail as the password is bad
    username.setValue("alice");
    password.setValue("badpassword");
    validatorResponse = usernameTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }
  /** Test a SAML 1.1 Assertion using Certificate Constraints */
  @org.junit.Test
  public void testSAML1AssertionCertConstraints() throws Exception {
    TokenValidator samlTokenValidator = new SAMLTokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
    validatorParameters.setTokenStore(null);

    // Create a ValidateTarget consisting of a SAML Assertion
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    CallbackHandler callbackHandler = new PasswordCallbackHandler();
    Element samlToken =
        createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler);
    Document doc = samlToken.getOwnerDocument();
    samlToken = (Element) doc.appendChild(samlToken);

    ReceivedToken validateTarget = new ReceivedToken(samlToken);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(samlTokenValidator.canHandleToken(validateTarget));
    List<String> certConstraints = new ArrayList<String>();
    certConstraints.add("XYZ");
    certConstraints.add(".*CN=www.sts.com.*");
    ((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);

    TokenValidatorResponse validatorResponse =
        samlTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.VALID);

    certConstraints.clear();
    certConstraints.add("XYZ");
    ((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints);
    validatorResponse = samlTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }
예제 #7
0
  /** Test an invalid certificate */
  @org.junit.Test
  public void testInvalidCertificate() throws Exception {
    TokenValidator x509TokenValidator = new X509TokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of an X509Certificate
    BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
    JAXBElement<BinarySecurityTokenType> tokenType =
        new JAXBElement<BinarySecurityTokenType>(
            QNameConstants.BINARY_SECURITY_TOKEN,
            BinarySecurityTokenType.class,
            binarySecurityToken);

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("eve");
    Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    assertTrue(certs != null && certs.length > 0);

    binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
    binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
    binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(x509TokenValidator.canHandleToken(validateTarget));

    TokenValidatorResponse validatorResponse =
        x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }
  /** Test a valid UsernameToken with password digest */
  @org.junit.Test
  public void testValidUsernameTokenDigest() throws Exception {
    TokenValidator usernameTokenValidator = new UsernameTokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of a UsernameToken
    UsernameTokenType usernameToken = new UsernameTokenType();
    AttributedString username = new AttributedString();
    username.setValue("alice");
    usernameToken.setUsername(username);
    JAXBElement<UsernameTokenType> tokenType =
        new JAXBElement<UsernameTokenType>(
            QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken);

    // Create a WSS4J UsernameToken
    Document doc = DOMUtils.createDocument();
    UsernameToken ut = new UsernameToken(true, doc, WSConstants.PASSWORD_DIGEST);
    ut.setName("alice");
    ut.setPassword("clarinet");
    ut.addNonce(doc);
    ut.addCreated(true, doc);

    // Add a password
    PasswordString password = new PasswordString();
    password.setValue(ut.getPassword());
    password.setType(WSConstants.PASSWORD_DIGEST);
    JAXBElement<PasswordString> passwordType =
        new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password);
    usernameToken.getAny().add(passwordType);

    // Add a nonce
    EncodedString nonce = new EncodedString();
    nonce.setValue(ut.getNonce());
    nonce.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
    JAXBElement<EncodedString> nonceType =
        new JAXBElement<EncodedString>(QNameConstants.NONCE, EncodedString.class, nonce);
    usernameToken.getAny().add(nonceType);

    // Add Created value
    String created = ut.getCreated();
    Element createdElement = doc.createElementNS(WSConstants.WSU_NS, "Created");
    createdElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", WSConstants.WSU_NS);
    createdElement.setTextContent(created);
    usernameToken.getAny().add(createdElement);

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(usernameTokenValidator.canHandleToken(validateTarget));

    TokenValidatorResponse validatorResponse =
        usernameTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.VALID);

    Principal principal = validatorResponse.getPrincipal();
    assertTrue(principal != null && principal.getName() != null);

    // Expected failure on a bad password
    password.setValue("badpassword");
    validatorResponse = usernameTokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }