@org.junit.Test
public void testCreateUnsignedJWT() throws Exception {
TokenProvider jwtTokenProvider = new JWTTokenProvider();
((JWTTokenProvider) jwtTokenProvider).setSignToken(false);
TokenProviderParameters providerParameters = createProviderParameters();
assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
String token = (String) providerResponse.getToken();
assertNotNull(token);
assertTrue(token.split("\\.").length == 2);
// Validate the token
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
JwtToken jwt = jwtConsumer.getJwtToken();
Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
Assert.assertEquals(
providerResponse.getCreated().getTime() / 1000L,
jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
Assert.assertEquals(
providerResponse.getExpires().getTime() / 1000L, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
}
/** Issue SAML 2 token with a valid requested lifetime */
@org.junit.Test
public void testSaml2ValidLifetime() throws Exception {
int requestedLifetime = 60;
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenProvider.setConditionsProvider(conditionsProvider);
TokenProviderParameters providerParameters =
createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
// Set expected lifetime to 1 minute
Date creationTime = new Date();
Date expirationTime = new Date();
expirationTime.setTime(creationTime.getTime() + (requestedLifetime * 1000L));
Lifetime lifetime = new Lifetime();
XmlSchemaDateFormat fmt = new XmlSchemaDateFormat();
lifetime.setCreated(fmt.format(creationTime));
lifetime.setExpires(fmt.format(expirationTime));
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
assertEquals(
requestedLifetime * 1000L,
providerResponse.getExpires().getTime() - providerResponse.getCreated().getTime());
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
}
/**
* Issue SAML 2 token with a future Created Lifetime. This should fail as we only allow a future
* dated Lifetime up to 60 seconds to avoid clock skew problems.
*/
@org.junit.Test
public void testSaml2FarFutureCreatedLifetime() throws Exception {
int requestedLifetime = 60;
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setAcceptClientLifetime(true);
samlTokenProvider.setConditionsProvider(conditionsProvider);
TokenProviderParameters providerParameters =
createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
// Set expected lifetime to 1 minute
Date creationTime = new Date();
creationTime.setTime(creationTime.getTime() + (60L * 2L * 1000L));
Date expirationTime = new Date();
expirationTime.setTime(creationTime.getTime() + (requestedLifetime * 1000L));
Lifetime lifetime = new Lifetime();
XmlSchemaDateFormat fmt = new XmlSchemaDateFormat();
lifetime.setCreated(fmt.format(creationTime));
lifetime.setExpires(fmt.format(expirationTime));
providerParameters.getTokenRequirements().setLifetime(lifetime);
assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
try {
samlTokenProvider.createToken(providerParameters);
fail("Failure expected on a Created Element too far in the future");
} catch (STSException ex) {
// expected
}
// Now allow this sort of Created Element
conditionsProvider.setFutureTimeToLive(60L * 60L);
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
}
/**
* Issue SAML 2 token with a lifetime configured in SAMLTokenProvider No specific lifetime
* requested
*/
@org.junit.Test
public void testSaml2ProviderLifetime() throws Exception {
long providerLifetime = 10 * 600L;
SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
DefaultConditionsProvider conditionsProvider = new DefaultConditionsProvider();
conditionsProvider.setLifetime(providerLifetime);
samlTokenProvider.setConditionsProvider(conditionsProvider);
TokenProviderParameters providerParameters =
createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE));
TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
assertEquals(
providerLifetime * 1000L,
providerResponse.getExpires().getTime() - providerResponse.getCreated().getTime());
Element token = (Element) providerResponse.getToken();
String tokenString = DOM2Writer.nodeToString(token);
assertTrue(tokenString.contains(providerResponse.getTokenId()));
}
@org.junit.Test
public void testCreateSignedJWT() throws Exception {
TokenProvider jwtTokenProvider = new JWTTokenProvider();
((JWTTokenProvider) jwtTokenProvider).setSignToken(true);
TokenProviderParameters providerParameters = createProviderParameters();
assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
String token = (String) providerResponse.getToken();
assertNotNull(token);
assertTrue(token.split("\\.").length == 3);
// Validate the token
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
JwtToken jwt = jwtConsumer.getJwtToken();
Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
Assert.assertEquals(
providerResponse.getCreated().getTime() / 1000L,
jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
Assert.assertEquals(
providerResponse.getExpires().getTime() / 1000L, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
// Verify Signature
Crypto crypto = providerParameters.getStsProperties().getSignatureCrypto();
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(providerParameters.getStsProperties().getSignatureUsername());
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertNotNull(certs);
assertTrue(jwtConsumer.verifySignatureWith(certs[0], SignatureAlgorithm.RS256));
}
