private List<WSSecurityEngineResult> processToken(SecurityToken token) throws Exception {
RequestData requestData = new RequestData();
requestData.setDisableBSPEnforcement(true);
CallbackHandler callbackHandler = new org.apache.cxf.systest.sts.common.CommonCallbackHandler();
requestData.setCallbackHandler(callbackHandler);
Crypto crypto = CryptoFactory.getInstance("serviceKeystore.properties");
requestData.setDecCrypto(crypto);
requestData.setSigVerCrypto(crypto);
Processor processor = new SAMLTokenProcessor();
return processor.handleToken(
token.getToken(), requestData, new WSDocInfo(token.getToken().getOwnerDocument()));
}
/** Test the Bearer SAML1 case with a Lifetime element */
@org.junit.Test
public void testBearerSaml1Lifetime() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
SpringBusFactory.setThreadDefaultBus(bus);
// Get a token
SecurityToken token =
requestSecurityTokenTTL(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS);
assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
assertTrue(token.getToken() != null);
// Process the token
List<WSSecurityEngineResult> results = processToken(token);
assertTrue(results != null && results.size() == 1);
SamlAssertionWrapper assertion =
(SamlAssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(assertion != null);
assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
assertTrue(assertion.isSigned());
List<String> methods = assertion.getConfirmationMethods();
String confirmMethod = null;
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
assertTrue(confirmMethod.contains("bearer"));
bus.shutdown(true);
}
/**
* Returns the SAML token as a DOM Element.
*
* @return the SAML token as a DOM element or null if it doesn't exist
*/
public Element getSAMLTokenAsElement() {
if (reference) {
LOGGER.warn("Attempting to return a SAML token without converting from a reference.");
return null;
}
SecurityToken token = (SecurityToken) getCredentials();
if (token != null) {
return token.getToken();
}
return null;
}
/** Test the Symmetric Key SAML1 case */
@org.junit.Test
public void testSymmetricKeySaml1() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
SpringBusFactory.setThreadDefaultBus(bus);
// Get a token
SecurityToken token =
requestSecurityToken(SAML1_TOKEN_TYPE, SYMMETRIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS);
assertTrue(token.getSecret() != null && token.getSecret().length > 0);
assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
assertTrue(token.getToken() != null);
// Process the token
List<WSSecurityEngineResult> results = processToken(token);
assertTrue(results != null && results.size() == 1);
SamlAssertionWrapper assertion =
(SamlAssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(assertion != null);
assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
assertTrue(assertion.isSigned());
List<String> methods = assertion.getConfirmationMethods();
String confirmMethod = null;
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
assertTrue(subjectKeyInfo.getSecret() != null);
bus.shutdown(true);
}
public Credential validateWithSTS(Credential credential, Message message)
throws WSSecurityException {
try {
SecurityToken token = new SecurityToken();
Element tokenElement = null;
int hash = 0;
if (credential.getSamlAssertion() != null) {
SamlAssertionWrapper assertion = credential.getSamlAssertion();
byte[] signatureValue = assertion.getSignatureValue();
if (signatureValue != null && signatureValue.length > 0) {
hash = Arrays.hashCode(signatureValue);
}
tokenElement = credential.getSamlAssertion().getElement();
} else if (credential.getUsernametoken() != null) {
tokenElement = credential.getUsernametoken().getElement();
hash = credential.getUsernametoken().hashCode();
} else if (credential.getBinarySecurityToken() != null) {
tokenElement = credential.getBinarySecurityToken().getElement();
hash = credential.getBinarySecurityToken().hashCode();
} else if (credential.getSecurityContextToken() != null) {
tokenElement = credential.getSecurityContextToken().getElement();
hash = credential.getSecurityContextToken().hashCode();
}
token.setToken(tokenElement);
TokenStore ts = null;
if (!disableCaching) {
ts = getTokenStore(message);
if (ts == null) {
ts = tokenStore;
}
if (ts != null && hash != 0) {
SecurityToken transformedToken = getTransformedToken(ts, hash);
if (transformedToken != null && !transformedToken.isExpired()) {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
credential.setTransformedToken(assertion);
return credential;
}
}
}
token.setTokenHash(hash);
STSClient c = stsClient;
if (c == null) {
c = STSUtils.getClient(message, "sts");
}
synchronized (c) {
System.setProperty("noprint", "true");
SecurityToken returnedToken = null;
if (useIssueBinding && useOnBehalfOf) {
ElementCallbackHandler callbackHandler = new ElementCallbackHandler(tokenElement);
c.setOnBehalfOf(callbackHandler);
returnedToken = c.requestSecurityToken();
c.setOnBehalfOf(null);
} else if (useIssueBinding && !useOnBehalfOf && credential.getUsernametoken() != null) {
c.getProperties()
.put(SecurityConstants.USERNAME, credential.getUsernametoken().getName());
c.getProperties()
.put(SecurityConstants.PASSWORD, credential.getUsernametoken().getPassword());
returnedToken = c.requestSecurityToken();
c.getProperties().remove(SecurityConstants.USERNAME);
c.getProperties().remove(SecurityConstants.PASSWORD);
} else {
List<SecurityToken> tokens = c.validateSecurityToken(token);
returnedToken = tokens.get(0);
}
if (returnedToken != token) {
SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
credential.setTransformedToken(assertion);
credential.setPrincipal(new SAMLTokenPrincipalImpl(assertion));
if (!disableCaching && hash != 0 && ts != null) {
ts.add(returnedToken);
token.setTransformedTokenIdentifier(returnedToken.getId());
ts.add(Integer.toString(hash), token);
}
}
return credential;
}
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, e, "invalidSAMLsecurity");
}
}
private void doSignBeforeEncrypt() {
TokenWrapper sigTokenWrapper = getSignatureToken();
Token sigToken = sigTokenWrapper.getToken();
String sigTokId = null;
Element sigTokElem = null;
try {
SecurityToken sigTok = null;
if (sigToken != null) {
if (sigToken instanceof SecureConversationToken
|| sigToken instanceof SecurityContextToken
|| sigToken instanceof IssuedToken
|| sigToken instanceof KerberosToken
|| sigToken instanceof SpnegoContextToken) {
sigTok = getSecurityToken();
} else if (sigToken instanceof X509Token) {
if (isRequestor()) {
sigTokId = setupEncryptedKey(sigTokenWrapper, sigToken);
} else {
sigTokId = getEncryptedKey();
}
} else if (sigToken instanceof UsernameToken) {
if (isRequestor()) {
sigTokId = setupUTDerivedKey((UsernameToken) sigToken);
} else {
sigTokId = getUTDerivedKey();
}
}
} else {
policyNotAsserted(sbinding, "No signature token");
return;
}
if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
policyNotAsserted(sigTokenWrapper, "No signature token id");
return;
} else {
policyAsserted(sigTokenWrapper);
}
if (sigTok == null) {
sigTok = tokenStore.getToken(sigTokId);
}
// if (sigTok == null) {
// REVISIT - no token?
// }
boolean tokIncluded = true;
if (includeToken(sigToken.getInclusion())) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else if (isRequestor() && sigToken instanceof X509Token) {
Element el = sigTok.getToken();
sigTokElem = cloneElement(el);
this.addEncryptedKeyElement(sigTokElem);
} else {
tokIncluded = false;
}
// Add timestamp
List<WSEncryptionPart> sigs = getSignedParts();
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigs.add(timestampPart);
}
if (isRequestor()) {
addSupportingTokens(sigs);
if (!sigs.isEmpty()) {
signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded));
}
doEndorse();
} else {
// confirm sig
assertSupportingTokens(sigs);
addSignatureConfirmation(sigs);
if (!sigs.isEmpty()) {
doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded);
}
}
// Encryption
TokenWrapper encrTokenWrapper = getEncryptionToken();
Token encrToken = encrTokenWrapper.getToken();
SecurityToken encrTok = null;
if (sigToken.equals(encrToken)) {
// Use the same token
encrTok = sigTok;
} else {
policyNotAsserted(sbinding, "Encryption token does not equal signature token");
return;
}
List<WSEncryptionPart> enc = getEncryptedParts();
// Check for signature protection
if (sbinding.isSignatureProtection()) {
if (mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
sigPart.setElement(bottomUpElement);
enc.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
enc.addAll(sigConfList);
}
}
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
doEncryption(encrTokenWrapper, encrTok, tokIncluded, enc, false);
} catch (Exception e) {
throw new Fault(e);
}
}
private void doEncryptBeforeSign() {
try {
TokenWrapper encryptionWrapper = getEncryptionToken();
Token encryptionToken = encryptionWrapper.getToken();
List<WSEncryptionPart> encrParts = getEncryptedParts();
List<WSEncryptionPart> sigParts = getSignedParts();
// if (encryptionToken == null && encrParts.size() > 0) {
// REVISIT - nothing to encrypt?
// }
if (encryptionToken != null && encrParts.size() > 0) {
// The encryption token can be an IssuedToken or a
// SecureConversationToken
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof IssuedToken
|| encryptionToken instanceof KerberosToken
|| encryptionToken instanceof SecureConversationToken
|| encryptionToken instanceof SecurityContextToken
|| encryptionToken instanceof SpnegoContextToken) {
tok = getSecurityToken();
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
} else {
tokenId = getEncryptedKey();
}
} else if (encryptionToken instanceof UsernameToken) {
if (isRequestor()) {
tokenId = setupUTDerivedKey((UsernameToken) encryptionToken);
} else {
tokenId = getUTDerivedKey();
}
}
if (tok == null) {
// if (tokenId == null || tokenId.length() == 0) {
// REVISIT - no tokenId? Exception?
// }
if (tokenId != null && tokenId.startsWith("#")) {
tokenId = tokenId.substring(1);
}
/*
* Get hold of the token from the token storage
*/
tok = tokenStore.getToken(tokenId);
}
boolean attached = false;
if (includeToken(encryptionToken.getInclusion())) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
} else if (encryptionToken instanceof X509Token && isRequestor()) {
Element el = tok.getToken();
this.addEncryptedKeyElement(cloneElement(el));
attached = true;
}
WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
handleEncryptedSignedHeaders(encrParts, sigParts);
if (timestampEl != null) {
WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
sigParts.add(timestampPart);
}
if (isRequestor()) {
this.addSupportingTokens(sigParts);
} else {
addSignatureConfirmation(sigParts);
}
// Sign the message
// We should use the same key in the case of EncryptBeforeSig
if (sigParts.size() > 0) {
signatures.add(
this.doSignature(sigParts, encryptionWrapper, encryptionToken, tok, attached));
}
if (isRequestor()) {
this.doEndorse();
}
// Check for signature protection and encryption of UsernameToken
if (sbinding.isSignatureProtection() || encryptedTokensList.size() > 0 && isRequestor()) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
// Now encrypt the signature using the above token
if (sbinding.isSignatureProtection()) {
if (this.mainSigId != null) {
WSEncryptionPart sigPart = new WSEncryptionPart(this.mainSigId, "Element");
sigPart.setElement(bottomUpElement);
secondEncrParts.add(sigPart);
}
if (sigConfList != null && !sigConfList.isEmpty()) {
secondEncrParts.addAll(sigConfList);
}
}
if (isRequestor()) {
secondEncrParts.addAll(encryptedTokensList);
}
Element secondRefList = null;
if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) {
secondRefList = ((WSSecDKEncrypt) encr).encryptForExternalRef(null, secondEncrParts);
this.addDerivedKeyElement(secondRefList);
} else if (!secondEncrParts.isEmpty()) {
// Encrypt, get hold of the ref list and add it
secondRefList = ((WSSecEncrypt) encr).encryptForRef(null, encrParts);
this.addDerivedKeyElement(secondRefList);
}
}
}
} catch (RuntimeException ex) {
throw ex;
} catch (Exception ex) {
throw new Fault(ex);
}
}
public static void logSecurityAssertionInfo(SecurityToken token) {
if (SECURITY_LOGGER.isDebugEnabled() && token != null) {
SECURITY_LOGGER.debug(getFormattedXml(token.getToken()));
}
}
/**
* Parses the SecurityToken by wrapping within an AssertionWrapper.
*
* @param securityToken SecurityToken
*/
private void parseToken(SecurityToken securityToken) {
XMLStreamReader xmlStreamReader = StaxUtils.createXMLStreamReader(securityToken.getToken());
try {
AttrStatement attributeStatement = null;
AuthenticationStatement authenticationStatement = null;
Attr attribute = null;
int attrs = 0;
while (xmlStreamReader.hasNext()) {
int event = xmlStreamReader.next();
switch (event) {
case XMLStreamConstants.START_ELEMENT:
{
String localName = xmlStreamReader.getLocalName();
switch (localName) {
case NameID.DEFAULT_ELEMENT_LOCAL_NAME:
name = xmlStreamReader.getElementText();
for (int i = 0; i < xmlStreamReader.getAttributeCount(); i++) {
if (xmlStreamReader
.getAttributeLocalName(i)
.equals(NameID.FORMAT_ATTRIB_NAME)) {
nameIDFormat = xmlStreamReader.getAttributeValue(i);
break;
}
}
break;
case AttributeStatement.DEFAULT_ELEMENT_LOCAL_NAME:
attributeStatement = new AttrStatement();
attributeStatements.add(attributeStatement);
break;
case AuthnStatement.DEFAULT_ELEMENT_LOCAL_NAME:
authenticationStatement = new AuthenticationStatement();
authenticationStatements.add(authenticationStatement);
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (AuthnStatement.AUTHN_INSTANT_ATTRIB_NAME.equals(name)) {
authenticationStatement.setAuthnInstant(DateTime.parse(value));
}
}
break;
case AuthnContextClassRef.DEFAULT_ELEMENT_LOCAL_NAME:
if (authenticationStatement != null) {
String classValue = xmlStreamReader.getText();
classValue = classValue.trim();
AuthenticationContextClassRef authenticationContextClassRef =
new AuthenticationContextClassRef();
authenticationContextClassRef.setAuthnContextClassRef(classValue);
AuthenticationContext authenticationContext = new AuthenticationContext();
authenticationContext.setAuthnContextClassRef(authenticationContextClassRef);
authenticationStatement.setAuthnContext(authenticationContext);
}
break;
case Attribute.DEFAULT_ELEMENT_LOCAL_NAME:
attribute = new Attr();
if (attributeStatement != null) {
attributeStatement.addAttribute(attribute);
}
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (Attribute.NAME_ATTTRIB_NAME.equals(name)) {
attribute.setName(value);
} else if (Attribute.NAME_FORMAT_ATTRIB_NAME.equals(name)) {
attribute.setNameFormat(value);
}
}
break;
case AttributeValue.DEFAULT_ELEMENT_LOCAL_NAME:
XSString xsString = new XMLString();
xsString.setValue(xmlStreamReader.getElementText());
if (attribute != null) {
attribute.addAttributeValue(xsString);
}
break;
case Issuer.DEFAULT_ELEMENT_LOCAL_NAME:
issuer = xmlStreamReader.getElementText();
break;
case Conditions.DEFAULT_ELEMENT_LOCAL_NAME:
attrs = xmlStreamReader.getAttributeCount();
for (int i = 0; i < attrs; i++) {
String name = xmlStreamReader.getAttributeLocalName(i);
String value = xmlStreamReader.getAttributeValue(i);
if (Conditions.NOT_BEFORE_ATTRIB_NAME.equals(name)) {
notBefore = DatatypeConverter.parseDateTime(value).getTime();
} else if (Conditions.NOT_ON_OR_AFTER_ATTRIB_NAME.equals(name)) {
notOnOrAfter = DatatypeConverter.parseDateTime(value).getTime();
}
}
break;
}
break;
}
case XMLStreamConstants.END_ELEMENT:
{
String localName = xmlStreamReader.getLocalName();
switch (localName) {
case AttributeStatement.DEFAULT_ELEMENT_LOCAL_NAME:
attributeStatement = null;
break;
case Attribute.DEFAULT_ELEMENT_LOCAL_NAME:
attribute = null;
break;
}
break;
}
}
}
} catch (XMLStreamException e) {
LOGGER.error("Unable to parse security token.", e);
} finally {
try {
xmlStreamReader.close();
} catch (XMLStreamException ignore) {
// ignore
}
}
}
// CHECKSTYLE:OFF
@org.junit.Test
public void testSAMLinWSSecToOtherRealm() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
Bus bus = bf.createBus(busFile.toString());
SpringBusFactory.setDefaultBus(bus);
SpringBusFactory.setThreadDefaultBus(bus);
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
CallbackHandler callbackHandler = new CommonCallbackHandler();
// Create SAML token
Element samlToken =
createSAMLAssertion(
WSConstants.WSS_SAML2_TOKEN_TYPE,
crypto,
"mystskey",
callbackHandler,
null,
"alice",
"a-issuer");
String id = null;
QName elName = DOMUtils.getElementQName(samlToken);
if (elName.equals(new QName(WSConstants.SAML_NS, "Assertion"))
&& samlToken.hasAttributeNS(null, "AssertionID")) {
id = samlToken.getAttributeNS(null, "AssertionID");
} else if (elName.equals(new QName(WSConstants.SAML2_NS, "Assertion"))
&& samlToken.hasAttributeNS(null, "ID")) {
id = samlToken.getAttributeNS(null, "ID");
}
if (id == null) {
id = samlToken.getAttributeNS(WSConstants.WSU_NS, "Id");
}
SecurityToken wstoken = new SecurityToken(id, samlToken, null, null);
Map<String, Object> properties = new HashMap<String, Object>();
properties.put(SecurityConstants.TOKEN, wstoken);
properties.put(SecurityConstants.TOKEN_ID, wstoken.getId());
// Get a token
SecurityToken token =
requestSecurityToken(
SAML2_TOKEN_TYPE,
BEARER_KEYTYPE,
null,
bus,
DEFAULT_ADDRESS,
null,
properties,
"b-issuer",
"Transport_SAML_Port");
/*
SecurityToken token =
requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null,
bus, DEFAULT_ADDRESS, null, properties, "b-issuer", null);
*/
assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
assertTrue(token.getToken() != null);
List<WSSecurityEngineResult> results = processToken(token);
assertTrue(results != null && results.size() == 1);
SamlAssertionWrapper assertion =
(SamlAssertionWrapper) results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
assertTrue(assertion != null);
assertTrue(assertion.isSigned());
List<String> methods = assertion.getConfirmationMethods();
String confirmMethod = null;
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
assertTrue(confirmMethod.contains("bearer"));
assertTrue("b-issuer".equals(assertion.getIssuerString()));
String subjectName = assertion.getSaml2().getSubject().getNameID().getValue();
assertTrue("Subject must be ALICE instead of " + subjectName, "ALICE".equals(subjectName));
}