Adding Jetty ClientCertificate tests
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/9ca20024 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/9ca20024 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/9ca20024 Branch: refs/heads/master Commit: 9ca20024cf317396c3a44a50dfa83d3bc05dca41 Parents: 6415da2 Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Apr 23 16:55:07 2015 +0100 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Apr 23 17:01:46 2015 +0100 ---------------------------------------------------------------------- systests/jetty8/pom.xml | 8 +- .../ClientCertificatePreAuthSpringTest.java | 79 ++++++++++++++++++ .../integrationtests/ClientCertificateTest.java | 79 ++++++++++++++++++ .../integrationtests/HOKCallbackHandler.java | 48 +++++++++++ .../cxf/fediz/integrationtests/JettyUtils.java | 6 +- .../jetty8/src/test/resources/alice_client.jks | Bin 0 -> 1277 bytes .../test/resources/fediz_config_client_cert.xml | 44 ++++++++++ .../test/resources/rp-client-cert-server.xml | 81 +++++++++++++++++++ systests/jetty8/src/test/resources/server.jks | Bin 1863 -> 2701 bytes 9 files changed, 340 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/pom.xml ---------------------------------------------------------------------- diff --git a/systests/jetty8/pom.xml b/systests/jetty8/pom.xml index 55fa4c8..305fa70 100644 --- a/systests/jetty8/pom.xml +++ b/systests/jetty8/pom.xml @@ -101,8 +101,8 @@ <filtering>true</filtering> <includes> <include>**/idp-server.xml</include> - <include>**/rp-server.xml</include> - <include>**/fediz_config.xml</include> + <include>**/rp-*server.xml</include> + <include>**/fediz_config*.xml</include> </includes> </testResource> <testResource> 
@@ -110,8 +110,8 @@ <filtering>false</filtering> <excludes> <exclude>**/idp-server.xml</exclude> - <exclude>**/rp-server.xml</exclude> - <exclude>**/fediz_config.xml</exclude> + <exclude>**/rp-*server.xml</exclude> + <exclude>**/fediz_config*.xml</exclude> </excludes> </testResource> </testResources> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificatePreAuthSpringTest.java ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificatePreAuthSpringTest.java b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificatePreAuthSpringTest.java new file mode 100644 index 0000000..0542bd1 --- /dev/null +++ b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificatePreAuthSpringTest.java 
@@ -0,0 +1,79 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a + * username + password, or via Kerberos. 
+ */ +public class ClientCertificatePreAuthSpringTest extends AbstractClientCertTests { + + static String idpHttpsPort; + static String rpHttpsPort; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + JettyUtils.initIdpServer(); + JettyUtils.startIdpServer(); + JettyUtils.initRpServer("rp-client-cert-server.xml"); + JettyUtils.startRpServer(); + } + + @AfterClass + public static void cleanup() { + JettyUtils.stopIdpServer(); + JettyUtils.stopRpServer(); + } + + @Override + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + @Override + public String getRpHttpsPort() { + return rpHttpsPort; + } + + @Override + public String getServletContextName() { + return "fedizspringhelloworld"; + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java 
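Review bot: The class Javadoc states that the IdP is set up to require client authentication, but the only configuration this test changes is on the RP side (`JettyUtils.initRpServer("rp-client-cert-server.xml")`); the IdP is started with the unchanged `initIdpServer()` and the diffstat touches no IdP files, so the client-certificate requirement presumably comes from the `Ssl` authentication type and holder-of-key request in fediz_config_client_cert.xml that the existing IdP already honours — the Javadoc should say so, e.g. `The RP is started with rp-client-cert-server.xml / fediz_config_client_cert.xml, which select the Ssl authentication type and request a holder-of-key token; the IdP configuration is unchanged.` Apart from `getServletContextName()`, this class is line-for-line identical to ClientCertificateTest added in the same commit; the `init()`/`cleanup()` pair and the two port fields could live in AbstractClientCertTests or a shared helper so the two tests cannot drift apart. The logging system properties set in `init()` are never restored, so they leak into any other test class run in the same JVM.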
---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java new file mode 100644 index 0000000..8e7d734 --- /dev/null +++ b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/ClientCertificateTest.java 
@@ -0,0 +1,79 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; + +/** + * In this test-case, the IdP is set up to require client authentication, rather than authenticating using a + * username + password, or via Kerberos. 
+ */ +public class ClientCertificateTest extends AbstractClientCertTests { + + static String idpHttpsPort; + static String rpHttpsPort; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + JettyUtils.initIdpServer(); + JettyUtils.startIdpServer(); + JettyUtils.initRpServer("rp-client-cert-server.xml"); + JettyUtils.startRpServer(); + } + + @AfterClass + public static void cleanup() { + JettyUtils.stopIdpServer(); + JettyUtils.stopRpServer(); + } + + @Override + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + @Override + public String getRpHttpsPort() { + return rpHttpsPort; + } + + @Override + public String getServletContextName() { + return "fedizhelloworld"; + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java 
---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java new file mode 100644 index 0000000..e2f402c --- /dev/null +++ b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/HOKCallbackHandler.java 
@@ -0,0 +1,48 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.integrationtests; + +import java.io.IOException; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; + +import org.apache.cxf.fediz.core.spi.WReqCallback; + +public class HOKCallbackHandler implements CallbackHandler { + + static final String HOK_WREQ = + "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">" + + "<KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</KeyType>" + + "</RequestSecurityToken>"; + + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (int i = 0; i < callbacks.length; i++) { + if (callbacks[i] instanceof WReqCallback) { + WReqCallback callback = (WReqCallback) callbacks[i]; + callback.setWreq(HOK_WREQ); + } else { + throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback"); + } + } + } + +} \ No newline at end of file 
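Review bot: `handle` implements `CallbackHandler.handle` but carries no `@Override`, and the class has no Javadoc explaining what the fixed `HOK_WREQ` fragment asks for; add `@Override` and a class comment such as `Supplies the wreq fragment Fediz sends to the IdP: a WS-Trust RequestSecurityToken with KeyType PublicKey, i.e. a holder-of-key token rather than a bearer token.` Because every callback other than `WReqCallback` is rejected with `UnsupportedCallbackException`, the comment should also note that the handler is single-purpose, so it is not reused where other callbacks are passed. The index loop reads more naturally as `for (Callback callback : callbacks)`, and the file is missing its trailing newline.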
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyUtils.java ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyUtils.java b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyUtils.java index 603fedc..fb6859d 100644 --- a/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyUtils.java +++ b/systests/jetty8/src/test/java/org/apache/cxf/fediz/integrationtests/JettyUtils.java @@ -67,9 +67,13 @@ public final class JettyUtils { } public static void initRpServer() { + initRpServer("rp-server.xml"); + } + + public static void initRpServer(String configurationFile) { if (rpServer == null) { try { - Resource testServerConfig = Resource.newSystemResource("rp-server.xml"); + Resource testServerConfig = Resource.newSystemResource(configurationFile); XmlConfiguration configuration = new XmlConfiguration(testServerConfig.getInputStream()); rpServer = (Server)configuration.configure(); http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/resources/alice_client.jks ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/resources/alice_client.jks b/systests/jetty8/src/test/resources/alice_client.jks new file mode 100644 index 0000000..5e1bdd2 Binary files /dev/null and b/systests/jetty8/src/test/resources/alice_client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/resources/fediz_config_client_cert.xml ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/resources/fediz_config_client_cert.xml b/systests/jetty8/src/test/resources/fediz_config_client_cert.xml new file mode 100644 index 0000000..d0605b8 --- /dev/null 
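Review bot: The new `initRpServer(String configurationFile)` only honours its argument when `rpServer == null`; since `rpServer` is a static field, a later call with a different configuration file silently keeps the server built from the first one, so a test class running after another in the same JVM may exercise the wrong RP configuration unless `stopRpServer()` resets the field, which this hunk does not show. At minimum the Javadoc should state that repeated calls are no-ops and that the argument is ignored once a server exists. `Resource.newSystemResource` appears to return null when the resource is absent, which would surface here as a bare NullPointerException from `getInputStream()`; an explicit check such as `if (testServerConfig == null) { throw new IllegalStateException("RP configuration not found on classpath: " + configurationFile); }` names the missing file instead. The method body continues outside the hunk.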
+++ b/systests/jetty8/src/test/resources/fediz_config_client_cert.xml 
@@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!-- Place in Tomcat conf folder or other location as designated in this sample's webapp/META-INF/context.xml file. + Keystore referenced below must have IDP STS' public cert included in it. This example re-uses the Tomcat SSL + keystore (tomcat-rp.jks) for this task; alternatively you may wish to use a Fediz-specific keystore instead. +--> +<FedizConfig> + <contextConfig name="/fedizhelloworld"> + <audienceUris> + <audienceItem>urn:org:apache:cxf:fediz:fedizhelloworld</audienceItem> + </audienceUris> + <certificateStores> + <trustManager> + <keyStore file="ststrust.jks" password="storepass" type="JKS" /> + </trustManager> + </certificateStores> + <trustedIssuers> + <issuer certificateValidation="PeerTrust" /> + </trustedIssuers> + <maximumClockSkew>1000</maximumClockSkew> + <signingKey keyAlias="mytomidpkey" keyPassword="tompass"> + <keyStore file="test-classes/server.jks" password="tompass" type="JKS" /> + </signingKey> + <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:type="federationProtocolType" version="1.0.0"> + <realm>urn:org:apache:cxf:fediz:fedizhelloworld</realm> + <issuer>https://localhost:${idp.https.port}/fediz-idp/federation</issuer> + <roleDelimiter>,</roleDelimiter> + <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI> + <freshness>10</freshness> + <homeRealm type="String">urn:org:apache:cxf:fediz:idp:realm-A</homeRealm> + <claimTypesRequested> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" optional="false" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" /> + <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" /> + </claimTypesRequested> + 
<authenticationType>http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl</authenticationType> + <request type="Class">org.apache.cxf.fediz.integrationtests.HOKCallbackHandler</request> + </protocol> + <logoutURL>/secure/logout</logoutURL> + <logoutRedirectTo>/index.html</logoutRedirectTo> + </contextConfig> +</FedizConfig> + http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/resources/rp-client-cert-server.xml ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/resources/rp-client-cert-server.xml b/systests/jetty8/src/test/resources/rp-client-cert-server.xml new file mode 100644 index 0000000..187d4cb --- /dev/null +++ b/systests/jetty8/src/test/resources/rp-client-cert-server.xml 
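Review bot: The header comment of fediz_config_client_cert.xml is copied from the Tomcat sample ("Place in Tomcat conf folder", "tomcat-rp.jks") and no longer describes this file, which is loaded by the Jetty FederationAuthenticator from target/test-classes and references server.jks; replace it with something like `<!-- Fediz RP configuration for the Jetty client-certificate systests. The trust store must contain the IdP STS signing certificate; authenticationType Ssl asks the IdP for client-certificate authentication and HOKCallbackHandler requests a holder-of-key token. -->`. The file declares a single `contextConfig name="/fedizhelloworld"`, yet rp-client-cert-server.xml points both the `/fedizhelloworld` and `/fedizspringhelloworld` webapps at it; if the authenticator resolves its context by servlet context path, the spring webapp would find no matching config — confirm against the existing fediz_config.xml, which is not in this diff.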
@@ -0,0 +1,81 @@ +<?xml version="1.0"?> +<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> + +<Configure id="RPServer" class="org.eclipse.jetty.server.Server"> + + <Call class="org.eclipse.jetty.util.log.Log" name="getRootLogger"> + <Call name="setDebugEnabled"> + <Arg type="boolean">true</Arg> + </Call> + </Call> + + <Call name="addConnector"> + <Arg> + <New + class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> + <Arg> + <New class="org.eclipse.jetty.http.ssl.SslContextFactory"> + <Set name="keyStore">./target/test-classes/server.jks + </Set> + <Set name="keyStorePassword">tompass</Set> + <Set name="keyManagerPassword">tompass</Set> + <Set name="trustStore">./target/test-classes/server.jks</Set> + <Set name="trustStorePassword">tompass</Set> + <Set name="wantClientAuth">true</Set> + </New> + </Arg> + <Set name="port">${rp.https.port}</Set> + <Set name="maxIdleTime">30000</Set> + </New> + </Arg> + </Call> + + <Set name="handler"> + <New class="org.eclipse.jetty.server.handler.HandlerList"> + <Set name="handlers"> + <Array type="org.eclipse.jetty.server.Handler"> + <Item> + <New class="org.eclipse.jetty.webapp.WebAppContext"> + <Set name="contextPath">/fedizhelloworld</Set> + <Set name="war">./target/rp/fediz-systests-webapps-simple.war</Set> + <!--Set name="war">./target/jetty/rp/webapps/simpleWebapp</Set>--> + <Set name="throwUnavailableOnStartupException">true</Set> + + <Get name="securityHandler"> + <Set name="authenticator"> + <New class="org.apache.cxf.fediz.jetty.FederationAuthenticator"> + <Set name="configFile">./target/test-classes/fediz_config_client_cert.xml</Set> + </New> + </Set> + </Get> + </New> + </Item> + <Item> + <New class="org.eclipse.jetty.webapp.WebAppContext"> + <Set name="contextPath">/fedizspringhelloworld</Set> + <Set name="war">./target/rp/fediz-systests-webapps-springPreauth.war</Set> + <Set name="throwUnavailableOnStartupException">true</Set> + + <Get name="securityHandler"> + 
<Set name="authenticator"> + <New class="org.apache.cxf.fediz.jetty.FederationAuthenticator"> + <Set name="configFile">./target/test-classes/fediz_config_client_cert.xml</Set> + </New> + </Set> + </Get> + </New> + </Item> + </Array> + </Set> + </New> + </Set> + + <Call name="addBean"> + <Arg> + <New class="org.apache.cxf.fediz.jetty.FederationLoginService"> + <Set name="name">WSFED</Set> + </New> + </Arg> + </Call> + +</Configure> http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/9ca20024/systests/jetty8/src/test/resources/server.jks ---------------------------------------------------------------------- diff --git a/systests/jetty8/src/test/resources/server.jks b/systests/jetty8/src/test/resources/server.jks index 2f0fdf3..a292ec9 100644 Binary files a/systests/jetty8/src/test/resources/server.jks and b/systests/jetty8/src/test/resources/server.jks differ
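Review bot: The SSL connector uses server.jks as both `keyStore` and `trustStore`, so every certificate in the server's own keystore is accepted as a client identity, and `wantClientAuth` only requests a certificate — a client that presents none still completes the handshake, so the holder-of-key binding is presumably enforced by the Fediz authenticator rather than by TLS. That is acceptable for a fixture but should be stated in the file, e.g. `<!-- Test fixture: server.jks doubles as the client trust store; wantClientAuth (not needClientAuth) so that requests without a certificate still reach the Fediz authenticator. -->`. A follow-up test that presents a holder-of-key token without the matching client certificate would confirm that the RP rejects it. The commented-out `<Set name="war">./target/jetty/rp/webapps/simpleWebapp</Set>` line carried over from rp-server.xml can be dropped.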
