/** Test a valid SAML 1.1 Assertion */ @org.junit.Test public void testValidSAML1Assertion() throws Exception { TokenValidator samlTokenValidator = new SAMLTokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of a SAML Assertion Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); CallbackHandler callbackHandler = new PasswordCallbackHandler(); Element samlToken = createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler); Document doc = samlToken.getOwnerDocument(); samlToken = (Element) doc.appendChild(samlToken); ReceivedToken validateTarget = new ReceivedToken(samlToken); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(samlTokenValidator.canHandleToken(validateTarget)); TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.VALID); Principal principal = validatorResponse.getPrincipal(); assertTrue(principal != null && principal.getName() != null); }
/** Test a SAML 2 Assertion with an invalid signature */ @org.junit.Test public void testInvalidSignatureSAML2Assertion() throws Exception { TokenValidator samlTokenValidator = new SAMLTokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of a SAML Assertion Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties()); CallbackHandler callbackHandler = new EveCallbackHandler(); Element samlToken = createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "eve", callbackHandler); Document doc = samlToken.getOwnerDocument(); samlToken = (Element) doc.appendChild(samlToken); ReceivedToken validateTarget = new ReceivedToken(samlToken); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(samlTokenValidator.canHandleToken(validateTarget)); // Set tokenstore to null so that issued token is not found in the cache validatorParameters.setTokenStore(null); TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); }
/** Test a valid certificate */ @org.junit.Test public void testValidCertificate() throws Exception { TokenValidator x509TokenValidator = new X509TokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of an X509Certificate BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType(); JAXBElement<BinarySecurityTokenType> tokenType = new JAXBElement<BinarySecurityTokenType>( QNameConstants.BINARY_SECURITY_TOKEN, BinarySecurityTokenType.class, binarySecurityToken); CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); cryptoType.setAlias("myclientkey"); Crypto crypto = validatorParameters.getStsProperties().getSignatureCrypto(); X509Certificate[] certs = crypto.getX509Certificates(cryptoType); assertTrue(certs != null && certs.length > 0); binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded())); ReceivedToken validateTarget = new ReceivedToken(tokenType); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); // It can't handle the token as the value type is not set assertFalse(x509TokenValidator.canHandleToken(validateTarget)); binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE); assertTrue(x509TokenValidator.canHandleToken(validateTarget)); // This will fail as the encoding type is not set TokenValidatorResponse validatorResponse = null; validatorResponse = x509TokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary"); validatorResponse = x509TokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.VALID); Principal principal = validatorResponse.getPrincipal(); assertTrue(principal != null && principal.getName() != null); }
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException { TokenValidatorParameters parameters = new TokenValidatorParameters(); TokenRequirements tokenRequirements = new TokenRequirements(); tokenRequirements.setTokenType(STSConstants.STATUS); parameters.setTokenRequirements(tokenRequirements); KeyRequirements keyRequirements = new KeyRequirements(); parameters.setKeyRequirements(keyRequirements); parameters.setPrincipal(new CustomTokenPrincipal("alice")); // Mock up message context MessageImpl msg = new MessageImpl(); WrappedMessageContext msgCtx = new WrappedMessageContext(msg); WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); parameters.setWebServiceContext(webServiceContext); // Add STSProperties object StaticSTSProperties stsProperties = new StaticSTSProperties(); Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); stsProperties.setEncryptionCrypto(crypto); stsProperties.setSignatureCrypto(crypto); stsProperties.setEncryptionUsername("myservicekey"); stsProperties.setSignatureUsername("mystskey"); stsProperties.setCallbackHandler(new PasswordCallbackHandler()); stsProperties.setIssuer("STS"); parameters.setStsProperties(stsProperties); parameters.setTokenStore(tokenStore); return parameters; }
/** Test an invalid UsernameToken with password text */ @org.junit.Test public void testInvalidUsernameTokenText() throws Exception { TokenValidator usernameTokenValidator = new UsernameTokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of a UsernameToken UsernameTokenType usernameToken = new UsernameTokenType(); AttributedString username = new AttributedString(); username.setValue("eve"); usernameToken.setUsername(username); JAXBElement<UsernameTokenType> tokenType = new JAXBElement<UsernameTokenType>( QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken); // Add a password PasswordString password = new PasswordString(); password.setValue("clarinet"); password.setType(WSConstants.PASSWORD_TEXT); JAXBElement<PasswordString> passwordType = new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password); usernameToken.getAny().add(passwordType); ReceivedToken validateTarget = new ReceivedToken(tokenType); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(usernameTokenValidator.canHandleToken(validateTarget)); // This will fail as the username is bad TokenValidatorResponse validatorResponse = usernameTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); // This will fail as the password is bad username.setValue("alice"); password.setValue("badpassword"); validatorResponse = usernameTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); }
/** Test a SAML 1.1 Assertion using Certificate Constraints */ @org.junit.Test public void testSAML1AssertionCertConstraints() throws Exception { TokenValidator samlTokenValidator = new SAMLTokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); validatorParameters.setTokenStore(null); // Create a ValidateTarget consisting of a SAML Assertion Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); CallbackHandler callbackHandler = new PasswordCallbackHandler(); Element samlToken = createSAMLAssertion(WSConstants.WSS_SAML_TOKEN_TYPE, crypto, "mystskey", callbackHandler); Document doc = samlToken.getOwnerDocument(); samlToken = (Element) doc.appendChild(samlToken); ReceivedToken validateTarget = new ReceivedToken(samlToken); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(samlTokenValidator.canHandleToken(validateTarget)); List<String> certConstraints = new ArrayList<String>(); certConstraints.add("XYZ"); certConstraints.add(".*CN=www.sts.com.*"); ((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints); TokenValidatorResponse validatorResponse = samlTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.VALID); certConstraints.clear(); certConstraints.add("XYZ"); ((SAMLTokenValidator) samlTokenValidator).setSubjectConstraints(certConstraints); validatorResponse = samlTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); }
/** Test an invalid certificate */ @org.junit.Test public void testInvalidCertificate() throws Exception { TokenValidator x509TokenValidator = new X509TokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of an X509Certificate BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType(); JAXBElement<BinarySecurityTokenType> tokenType = new JAXBElement<BinarySecurityTokenType>( QNameConstants.BINARY_SECURITY_TOKEN, BinarySecurityTokenType.class, binarySecurityToken); CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); cryptoType.setAlias("eve"); Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties()); X509Certificate[] certs = crypto.getX509Certificates(cryptoType); assertTrue(certs != null && certs.length > 0); binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded())); binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE); binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary"); ReceivedToken validateTarget = new ReceivedToken(tokenType); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(x509TokenValidator.canHandleToken(validateTarget)); TokenValidatorResponse validatorResponse = x509TokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); }
/** Test a valid UsernameToken with password digest */ @org.junit.Test public void testValidUsernameTokenDigest() throws Exception { TokenValidator usernameTokenValidator = new UsernameTokenValidator(); TokenValidatorParameters validatorParameters = createValidatorParameters(); TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements(); // Create a ValidateTarget consisting of a UsernameToken UsernameTokenType usernameToken = new UsernameTokenType(); AttributedString username = new AttributedString(); username.setValue("alice"); usernameToken.setUsername(username); JAXBElement<UsernameTokenType> tokenType = new JAXBElement<UsernameTokenType>( QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken); // Create a WSS4J UsernameToken Document doc = DOMUtils.createDocument(); UsernameToken ut = new UsernameToken(true, doc, WSConstants.PASSWORD_DIGEST); ut.setName("alice"); ut.setPassword("clarinet"); ut.addNonce(doc); ut.addCreated(true, doc); // Add a password PasswordString password = new PasswordString(); password.setValue(ut.getPassword()); password.setType(WSConstants.PASSWORD_DIGEST); JAXBElement<PasswordString> passwordType = new JAXBElement<PasswordString>(QNameConstants.PASSWORD, PasswordString.class, password); usernameToken.getAny().add(passwordType); // Add a nonce EncodedString nonce = new EncodedString(); nonce.setValue(ut.getNonce()); nonce.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary"); JAXBElement<EncodedString> nonceType = new JAXBElement<EncodedString>(QNameConstants.NONCE, EncodedString.class, nonce); usernameToken.getAny().add(nonceType); // Add Created value String created = ut.getCreated(); Element createdElement = doc.createElementNS(WSConstants.WSU_NS, "Created"); createdElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns", WSConstants.WSU_NS); createdElement.setTextContent(created); usernameToken.getAny().add(createdElement); ReceivedToken validateTarget = new ReceivedToken(tokenType); tokenRequirements.setValidateTarget(validateTarget); validatorParameters.setToken(validateTarget); assertTrue(usernameTokenValidator.canHandleToken(validateTarget)); TokenValidatorResponse validatorResponse = usernameTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.VALID); Principal principal = validatorResponse.getPrincipal(); assertTrue(principal != null && principal.getName() != null); // Expected failure on a bad password password.setValue("badpassword"); validatorResponse = usernameTokenValidator.validateToken(validatorParameters); assertTrue(validatorResponse != null); assertTrue(validatorResponse.getToken() != null); assertTrue(validatorResponse.getToken().getState() == STATE.INVALID); }