Repository: cxf Updated Branches: refs/heads/3.1.x-fixes ac1dbc498 -> b297eed6d
Refactoring how tokens are encrypted in the STS Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fc54f211 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fc54f211 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fc54f211 Branch: refs/heads/3.1.x-fixes Commit: fc54f21168a9294f2900bd6bc30d1b2eb5a172e7 Parents: ac1dbc4 Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Nov 11 15:02:59 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Nov 11 17:19:43 2015 +0000 ---------------------------------------------------------------------- .../cxf/sts/operation/AbstractOperation.java | 125 +---------------- .../cxf/sts/operation/TokenIssueOperation.java | 16 +-- .../cxf/sts/operation/TokenRenewOperation.java | 11 +- .../sts/token/provider/SAMLTokenProvider.java | 11 +- .../cxf/sts/token/provider/SCTProvider.java | 14 +- .../token/provider/TokenProviderParameters.java | 9 ++ .../sts/token/provider/TokenProviderUtils.java | 135 +++++++++++++++++++ .../cxf/sts/operation/DummyTokenProvider.java | 13 ++ 8 files changed, 186 insertions(+), 148 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java index d7c2c45..e47287c 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java 
@@ -21,9 +21,7 @@ package org.apache.cxf.sts.operation; import java.net.URI; import java.security.Principal; -import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.Collections; import java.util.Date; import java.util.List; import java.util.Set; @@ -77,19 +75,12 @@ import org.apache.cxf.ws.security.sts.provider.model.secext.ReferenceType; import org.apache.cxf.ws.security.sts.provider.model.secext.SecurityTokenReferenceType; import org.apache.cxf.ws.security.sts.provider.model.utility.AttributedDateTime; import org.apache.cxf.ws.security.tokenstore.TokenStore; -import org.apache.cxf.ws.security.wss4j.WSS4JUtils; -import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; -import org.apache.wss4j.dom.handler.WSHandlerConstants; -import org.apache.wss4j.dom.handler.WSHandlerResult; -import org.apache.wss4j.dom.message.WSSecEncrypt; import org.apache.wss4j.dom.message.WSSecEncryptedKey; import org.apache.wss4j.dom.util.XmlSchemaDateFormat; -import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; import org.apache.xml.security.exceptions.XMLSecurityException; -import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent; import org.apache.xml.security.stax.securityEvent.SecurityEvent; import org.apache.xml.security.stax.securityEvent.SecurityEventConstants; import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent; 
@@ -312,80 +303,6 @@ public abstract class AbstractOperation { } /** - * Encrypt a Token element using the given arguments. - */ - protected Element encryptToken( - Element element, - String id, - EncryptionProperties encryptionProperties, - KeyRequirements keyRequirements, - WebServiceContext context - ) throws WSSecurityException { - String name = encryptionProperties.getEncryptionName(); - if (name == null) { - name = stsProperties.getEncryptionUsername(); - } - if (name == null) { - LOG.fine("No encryption alias is configured"); - return element; - } - - // Get the encryption algorithm to use - String encryptionAlgorithm = keyRequirements.getEncryptionAlgorithm(); - if (encryptionAlgorithm == null) { - // If none then default to what is configured - encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm(); - } else { - List<String> supportedAlgorithms = - encryptionProperties.getAcceptedEncryptionAlgorithms(); - if (!supportedAlgorithms.contains(encryptionAlgorithm)) { - encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm(); - if (LOG.isLoggable(Level.FINE)) { - LOG.fine("EncryptionAlgorithm not supported, defaulting to: " + encryptionAlgorithm); - } - } - } - // Get the key-wrap algorithm to use - String keyWrapAlgorithm = keyRequirements.getKeywrapAlgorithm(); - if (keyWrapAlgorithm == null) { - // If none then default to what is configured - keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm(); - } else { - List<String> supportedAlgorithms = - encryptionProperties.getAcceptedKeyWrapAlgorithms(); - if (!supportedAlgorithms.contains(keyWrapAlgorithm)) { - keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm(); - if (LOG.isLoggable(Level.FINE)) { - LOG.fine("KeyWrapAlgorithm not supported, defaulting to: " + keyWrapAlgorithm); - } - } - } - - WSSecEncrypt builder = new WSSecEncrypt(); - if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(name)) { - X509Certificate cert = getReqSigCert(context.getMessageContext()); - 
builder.setUseThisCert(cert); - } else { - builder.setUserInfo(name); - } - builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); - builder.setSymmetricEncAlgorithm(encryptionAlgorithm); - builder.setKeyEncAlgo(keyWrapAlgorithm); - builder.setEmbedEncryptedKey(true); - - WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element"); - encryptionPart.setElement(element); - - Document doc = element.getOwnerDocument(); - doc.appendChild(element); - - builder.prepare(element.getOwnerDocument(), stsProperties.getEncryptionCrypto()); - builder.encryptForRef(null, Collections.singletonList(encryptionPart)); - - return doc.getDocumentElement(); - } - - /** * Encrypt a secret using the given arguments producing a DOM EncryptedKey element */ protected Element encryptSecret( @@ -475,6 +392,7 @@ public abstract class AbstractOperation { providerParameters.setPrincipal(context.getUserPrincipal()); providerParameters.setWebServiceContext(context); providerParameters.setTokenStore(getTokenStore()); + providerParameters.setEncryptToken(encryptIssuedToken); KeyRequirements keyRequirements = requestRequirements.getKeyRequirements(); TokenRequirements tokenRequirements = requestRequirements.getTokenRequirements(); 
@@ -542,47 +460,6 @@ public abstract class AbstractOperation { return providerParameters; } - /** - * Get the X509Certificate associated with the signature that was received. This cert is to be used - * for encrypting the issued token. - */ - private X509Certificate getReqSigCert(MessageContext context) { - @SuppressWarnings("unchecked") - List<WSHandlerResult> results = - (List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS); - // DOM - X509Certificate cert = WSS4JUtils.getReqSigCert(results); - if (cert != null) { - return cert; - } - - // Streaming - @SuppressWarnings("unchecked") - final List<SecurityEvent> incomingEventList = - (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in"); - if (incomingEventList != null) { - for (SecurityEvent incomingEvent : incomingEventList) { - if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType() - || WSSecurityEventConstants.SignedElement - == incomingEvent.getSecurityEventType()) { - org.apache.xml.security.stax.securityToken.SecurityToken token = - ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken(); - try { - if (token != null && token.getX509Certificates() != null - && token.getX509Certificates().length > 0) { - return token.getX509Certificates()[0]; - } - } catch (XMLSecurityException ex) { - LOG.log(Level.FINE, ex.getMessage(), ex); - return null; - } - } - } - } - - return null; - } - protected TokenValidatorResponse validateReceivedToken( WebServiceContext context, String realm, TokenRequirements tokenRequirements, ReceivedToken token) { http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java ---------------------------------------------------------------------- 
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java index 39f5b6b..383535e 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java @@ -288,7 +288,10 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType); LOG.fine("Encrypting Issued Token: " + encryptIssuedToken); - if (!encryptIssuedToken) { + if (encryptIssuedToken) { + requestedTokenType.setAny(tokenResponse.getToken()); + response.getAny().add(requestedToken); + } else { if (tokenResponse.getToken() instanceof String) { Document doc = DOMUtils.newDocument(); Element requestedTokenEl = doc.createElementNS(STSConstants.WST_NS_05_12, @@ -299,17 +302,6 @@ public class TokenIssueOperation extends AbstractOperation implements IssueOpera requestedTokenType.setAny(tokenResponse.getToken()); response.getAny().add(requestedToken); } - } else { - if (!(tokenResponse.getToken() instanceof Element)) { - throw new STSException("Error in creating the response", STSException.REQUEST_FAILED); - } - requestedTokenType.setAny( - encryptToken( - (Element)tokenResponse.getToken(), tokenResponse.getTokenId(), - encryptionProperties, keyRequirements, webServiceContext - ) - ); - response.getAny().add(requestedToken); } if (returnReferences) { http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java ---------------------------------------------------------------------- 
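Review bot: The new `if (encryptIssuedToken)` branch adds whatever the provider returned straight to the response, so the `instanceof Element` guard that the removed lines enforced is gone, and a TokenProvider that does not consult `TokenProviderParameters.isEncryptToken()` (any implementation written before this commit) will have its plaintext token issued while the STS is configured to encrypt, with no error and nothing but the FINE log line to show for it. Keeping a guard in that branch, `if (!(tokenResponse.getToken() instanceof Element)) { throw new STSException("Error in creating the response", STSException.REQUEST_FAILED); }`, restores the old failure mode, and additionally checking that the returned element is an EncryptedData in the `WSConstants.ENC_NS` namespace would catch the silent-downgrade case the refactoring introduces. The second hunk in this file is the matching removal and needs nothing further once the guard is back.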
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java index e7cba56..f4815f4 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenRenewOperation.java @@ -225,16 +225,7 @@ public class TokenRenewOperation extends AbstractOperation implements RenewOpera JAXBElement<RequestedSecurityTokenType> requestedToken = QNameConstants.WS_TRUST_FACTORY.createRequestedSecurityToken(requestedTokenType); LOG.fine("Encrypting Issued Token: " + encryptIssuedToken); - if (!encryptIssuedToken) { - requestedTokenType.setAny(tokenRenewerResponse.getToken()); - } else { - requestedTokenType.setAny( - encryptToken( - tokenRenewerResponse.getToken(), tokenRenewerResponse.getTokenId(), - encryptionProperties, keyRequirements, webServiceContext - ) - ); - } + requestedTokenType.setAny(tokenRenewerResponse.getToken()); response.getAny().add(requestedToken); if (returnReferences) { http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java index 3d5d762..ad6b386 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java 
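Review bot: After this hunk the renew path never encrypts: the `encryptToken` call is replaced by a bare `requestedTokenType.setAny(tokenRenewerResponse.getToken())`, and nothing in the commit passes `encryptIssuedToken` to the TokenRenewer the way `TokenProviderParameters.setEncryptToken` now does for providers, so a renewed token is returned in the clear whenever encryption is configured, while the `LOG.fine("Encrypting Issued Token: ...")` line above still suggests otherwise. Since `stsProperties`, `encryptionProperties`, `keyRequirements` and `webServiceContext` were all in scope for the removed call, the operation can encrypt through the new `TokenProviderUtils.encryptToken` as sketched below (imports for `TokenProviderUtils` and `Element` may be needed). The enclosing method starts and ends outside the hunk, so whether its throws clause or catch block still covers the `WSSecurityException` the old call could raise should be confirmed.
```java
            Element renewedToken = tokenRenewerResponse.getToken();
            if (encryptIssuedToken) {
                renewedToken = TokenProviderUtils.encryptToken(
                    renewedToken, tokenRenewerResponse.getTokenId(),
                    stsProperties, encryptionProperties, keyRequirements, webServiceContext
                );
            }
            requestedTokenType.setAny(renewedToken);
            // … unchanged: response.getAny().add(requestedToken) and the returnReferences block …
```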
@@ -137,7 +137,7 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke } TokenProviderResponse response = new TokenProviderResponse(); - response.setToken(token); + String tokenType = tokenRequirements.getTokenType(); if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { @@ -146,6 +146,15 @@ public class SAMLTokenProvider extends AbstractSAMLTokenProvider implements Toke response.setTokenId(token.getAttributeNS(null, "AssertionID")); } + if (tokenParameters.isEncryptToken()) { + token = TokenProviderUtils.encryptToken(token, response.getTokenId(), + tokenParameters.getStsProperties(), + tokenParameters.getEncryptionProperties(), + keyRequirements, + tokenParameters.getWebServiceContext()); + } + response.setToken(token); + DateTime validFrom = null; DateTime validTill = null; if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) { http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java index c00af45..93f3a08 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SCTProvider.java @@ -26,6 +26,8 @@ import java.util.logging.Level; import java.util.logging.Logger; import org.w3c.dom.Document; +import org.w3c.dom.Element; + import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.sts.STSConstants; 
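Review bot: The encryption block added to SAMLTokenProvider is duplicated almost verbatim in SCTProvider and DummyTokenProvider, and the three copies already diverge: this one passes the local `keyRequirements` while the other two pass `tokenParameters.getKeyRequirements()`, which is harmless only as long as the two are always the same object. A single overload in TokenProviderUtils that takes `(Element, String, TokenProviderParameters)` and unpacks the STS properties, encryption properties, key requirements and WebServiceContext itself would keep the six-argument order in one place, and each provider would reduce to `token = TokenProviderUtils.encryptToken(token, response.getTokenId(), tokenParameters);`. The method this hunk sits in continues outside the hunk.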
@@ -123,7 +125,6 @@ public class SCTProvider implements TokenProvider { sct.setID(wssConfig.getIdAllocator().createId("sctId-", sct)); TokenProviderResponse response = new TokenProviderResponse(); - response.setToken(sct.getElement()); response.setTokenId(sct.getIdentifier()); if (returnEntropy) { response.setEntropy(keyHandler.getEntropyBytes()); @@ -173,6 +174,17 @@ public class SCTProvider implements TokenProvider { } tokenParameters.getTokenStore().add(token); + + if (tokenParameters.isEncryptToken()) { + Element el = TokenProviderUtils.encryptToken(sct.getElement(), response.getTokenId(), + tokenParameters.getStsProperties(), + tokenParameters.getEncryptionProperties(), + tokenParameters.getKeyRequirements(), + tokenParameters.getWebServiceContext()); + response.setToken(el); + } else { + response.setToken(sct.getElement()); + } // Create the references TokenReference attachedReference = new TokenReference(); http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java index 35841b6..aeb5798 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderParameters.java @@ -52,6 +52,7 @@ public class TokenProviderParameters { private Map<String, Object> additionalProperties; private TokenStore tokenStore; private String realm; + private boolean encryptToken; public TokenStore getTokenStore() { return tokenStore; 
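Review bot: The encryption in SCTProvider now runs after `tokenParameters.getTokenStore().add(token)`, and the hunk gives no hint whether that ordering is deliberate, which matters because the first hunk moved `response.setToken` from directly after the response was created to this point. If the intent is that the cached token keeps the element as issued and only the returned element is encrypted, a one-line comment above the new `if`, such as `// Encrypt only the element returned to the client; the stored token is unchanged`, would record that; if it is not the intent, the order deserves a second look. The enclosing method starts outside the hunk.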
@@ -156,5 +157,13 @@ public class TokenProviderParameters { public void setRequestedSecondaryClaims(ClaimCollection requestedSecondaryClaims) { this.requestedSecondaryClaims = requestedSecondaryClaims; } + + public boolean isEncryptToken() { + return encryptToken; + } + + public void setEncryptToken(boolean encryptToken) { + this.encryptToken = encryptToken; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java index 406c02e..53ef14b 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java 
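Review bot: `isEncryptToken`/`setEncryptToken` are the only contract a TokenProvider has for honouring the STS's `encryptIssuedToken` setting now that the operation no longer encrypts itself, and neither accessor carries any Javadoc saying so. A short Javadoc on the getter, `/** Whether the TokenProvider is expected to encrypt the issued token itself, e.g. via TokenProviderUtils.encryptToken. */`, tells implementers that ignoring the flag means the token is issued in the clear. Matching wording on the setter, noting that it is populated from the operation's encryptIssuedToken setting, would complete it.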
@@ -18,17 +18,37 @@ */ package org.apache.cxf.sts.token.provider; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.List; +import java.util.logging.Level; import java.util.logging.Logger; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; +import javax.xml.ws.WebServiceContext; +import javax.xml.ws.handler.MessageContext; +import org.w3c.dom.Document; import org.w3c.dom.Element; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.sts.STSConstants; +import org.apache.cxf.sts.STSPropertiesMBean; +import org.apache.cxf.sts.request.KeyRequirements; +import org.apache.cxf.sts.service.EncryptionProperties; import org.apache.cxf.ws.addressing.EndpointReferenceType; +import org.apache.cxf.ws.security.wss4j.WSS4JUtils; +import org.apache.wss4j.common.WSEncryptionPart; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.dom.handler.WSHandlerConstants; +import org.apache.wss4j.dom.handler.WSHandlerResult; +import org.apache.wss4j.dom.message.WSSecEncrypt; +import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent; +import org.apache.xml.security.stax.securityEvent.SecurityEvent; public final class TokenProviderUtils { 
@@ -79,4 +99,119 @@ public final class TokenProviderUtils { return null; } + /** + * Encrypt a Token element using the given arguments. + */ + public static Element encryptToken( + Element element, + String id, + STSPropertiesMBean stsProperties, + EncryptionProperties encryptionProperties, + KeyRequirements keyRequirements, + WebServiceContext context + ) throws WSSecurityException { + String name = encryptionProperties.getEncryptionName(); + if (name == null) { + name = stsProperties.getEncryptionUsername(); + } + if (name == null) { + LOG.fine("No encryption alias is configured"); + return element; + } + + // Get the encryption algorithm to use + String encryptionAlgorithm = keyRequirements.getEncryptionAlgorithm(); + if (encryptionAlgorithm == null) { + // If none then default to what is configured + encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm(); + } else { + List<String> supportedAlgorithms = + encryptionProperties.getAcceptedEncryptionAlgorithms(); + if (!supportedAlgorithms.contains(encryptionAlgorithm)) { + encryptionAlgorithm = encryptionProperties.getEncryptionAlgorithm(); + if (LOG.isLoggable(Level.FINE)) { + LOG.fine("EncryptionAlgorithm not supported, defaulting to: " + encryptionAlgorithm); + } + } + } + // Get the key-wrap algorithm to use + String keyWrapAlgorithm = keyRequirements.getKeywrapAlgorithm(); + if (keyWrapAlgorithm == null) { + // If none then default to what is configured + keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm(); + } else { + List<String> supportedAlgorithms = + encryptionProperties.getAcceptedKeyWrapAlgorithms(); + if (!supportedAlgorithms.contains(keyWrapAlgorithm)) { + keyWrapAlgorithm = encryptionProperties.getKeyWrapAlgorithm(); + if (LOG.isLoggable(Level.FINE)) { + LOG.fine("KeyWrapAlgorithm not supported, defaulting to: " + keyWrapAlgorithm); + } + } + } + + WSSecEncrypt builder = new WSSecEncrypt(); + if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(name)) { + X509Certificate cert = 
getReqSigCert(context.getMessageContext()); + builder.setUseThisCert(cert); + } else { + builder.setUserInfo(name); + } + builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); + builder.setSymmetricEncAlgorithm(encryptionAlgorithm); + builder.setKeyEncAlgo(keyWrapAlgorithm); + builder.setEmbedEncryptedKey(true); + + WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element"); + encryptionPart.setElement(element); + + Document doc = element.getOwnerDocument(); + doc.appendChild(element); + + builder.prepare(element.getOwnerDocument(), stsProperties.getEncryptionCrypto()); + builder.encryptForRef(null, Collections.singletonList(encryptionPart)); + + return doc.getDocumentElement(); + } + + /** + * Get the X509Certificate associated with the signature that was received. This cert is to be used + * for encrypting the issued token. + */ + public static X509Certificate getReqSigCert(MessageContext context) { + @SuppressWarnings("unchecked") + List<WSHandlerResult> results = + (List<WSHandlerResult>) context.get(WSHandlerConstants.RECV_RESULTS); + // DOM + X509Certificate cert = WSS4JUtils.getReqSigCert(results); + if (cert != null) { + return cert; + } + + // Streaming + @SuppressWarnings("unchecked") + final List<SecurityEvent> incomingEventList = + (List<SecurityEvent>) context.get(SecurityEvent.class.getName() + ".in"); + if (incomingEventList != null) { + for (SecurityEvent incomingEvent : incomingEventList) { + if (WSSecurityEventConstants.SignedPart == incomingEvent.getSecurityEventType() + || WSSecurityEventConstants.SignedElement + == incomingEvent.getSecurityEventType()) { + org.apache.xml.security.stax.securityToken.SecurityToken token = + ((AbstractSecuredElementSecurityEvent)incomingEvent).getSecurityToken(); + try { + if (token != null && token.getX509Certificates() != null + && token.getX509Certificates().length > 0) { + return token.getX509Certificates()[0]; + } + } catch (XMLSecurityException ex) { + LOG.log(Level.FINE, 
ex.getMessage(), ex); + return null; + } + } + } + } + + return null; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/fc54f211/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java index 87b7ea3..b8d590f 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/DummyTokenProvider.java @@ -20,10 +20,12 @@ package org.apache.cxf.sts.operation; import org.w3c.dom.Document; +import org.w3c.dom.Element; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.sts.token.provider.TokenProvider; import org.apache.cxf.sts.token.provider.TokenProviderParameters; import org.apache.cxf.sts.token.provider.TokenProviderResponse; +import org.apache.cxf.sts.token.provider.TokenProviderUtils; import org.apache.cxf.ws.security.sts.provider.STSException; import org.apache.wss4j.common.token.BinarySecurity; import org.apache.wss4j.dom.WSConstants; @@ -64,6 +66,17 @@ public class DummyTokenProvider implements TokenProvider { response.setToken(bst.getElement()); response.setTokenId(id); + if (tokenParameters.isEncryptToken()) { + Element el = TokenProviderUtils.encryptToken(bst.getElement(), response.getTokenId(), + tokenParameters.getStsProperties(), + tokenParameters.getEncryptionProperties(), + tokenParameters.getKeyRequirements(), + tokenParameters.getWebServiceContext()); + response.setToken(el); + } else { + response.setToken(bst.getElement()); + } + return response; } catch (Exception e) { throw new STSException("Can't serialize SAML assertion", e, STSException.REQUEST_FAILED);
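Review bot: When neither `encryptionProperties.getEncryptionName()` nor `stsProperties.getEncryptionUsername()` is set, `encryptToken` logs at FINE and returns the element unencrypted, and since this method is now only reached when a provider was told to encrypt, that branch silently issues a plaintext token with no signal above FINE. Failing there, `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);` with a message naming the missing alias, or at least logging at WARNING, would keep the configured encryption honest; the USE_REQ_SIG_CERT branch has the same shape, where a null from `getReqSigCert()` goes straight into `builder.setUseThisCert(cert)` and an explicit `if (cert == null)` check would give a clear error. Both behaviours are carried over from the removed AbstractOperation copy rather than introduced here, but moving the code into a public utility is the moment to fix them, and `getReqSigCert` becoming public static widens the API surface and deserves a Javadoc line stating it returns null when no signing certificate was received.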
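Review bot: In DummyTokenProvider the context line `response.setToken(bst.getElement());` just above the new block is now dead, because both the `if` and the `else` branch set the token again. Dropping that earlier line, or dropping the `else` branch and keeping the earlier call as the default, leaves one obvious place where the token is assigned. The enclosing try block ends outside the hunk.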
