Changing the default to issue tokens rather than WS-Trust responses
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bbe5e870 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bbe5e870 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bbe5e870 Branch: refs/heads/3.1.x-fixes Commit: bbe5e870579720272af49b9cea65b8293d5b1f3c Parents: 194224f Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Feb 5 17:53:25 2016 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Feb 5 20:39:45 2016 +0000 ---------------------------------------------------------------------- .../cxf/sts/rest/RESTSecurityTokenService.java | 8 +++ .../sts/rest/RESTSecurityTokenServiceImpl.java | 61 ++++++++++++----- .../cxf/systest/sts/rest/RESTUnitTest.java | 71 +++++++++++++++----- 3 files changed, 107 insertions(+), 33 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/bbe5e870/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenService.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenService.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenService.java index 04cc0f6..a68194d 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenService.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenService.java 
@@ -63,6 +63,14 @@ public interface RESTSecurityTokenService { }) Response getToken(@PathParam("tokenType") String tokenType, @QueryParam("keyType") String keyType, @QueryParam("claim") List<String> requestedClaims); + + @GET + @Path("ws-trust/{tokenType}") + @Produces({ + MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON + }) + Response getTokenViaWSTrust(@PathParam("tokenType") String tokenType, @QueryParam("keyType") String keyType, + @QueryParam("claim") List<String> requestedClaims); @POST @Produces({ http://git-wip-us.apache.org/repos/asf/cxf/blob/bbe5e870/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java index 393b806..ae454ab 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java @@ -45,6 +45,7 @@ import org.apache.cxf.ws.security.sts.provider.model.ClaimsType; import org.apache.cxf.ws.security.sts.provider.model.ObjectFactory; import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType; import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType; +import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType; import org.apache.cxf.ws.security.trust.STSUtils; import org.apache.wss4j.dom.WSConstants; 
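Review bot: `getTokenViaWSTrust` is added to the public interface without Javadoc, and the existing `getToken` on the `{tokenType}` path has changed its contract from a WS-Trust RequestSecurityTokenResponse to the bare issued token, which callers of this interface need to see documented. Suggest a Javadoc on the new method along the lines of `/** Issue a token of the given type and return it wrapped in a WS-Trust RequestSecurityTokenResponse, as the {tokenType} resource did before this change. */`, plus a sentence on `getToken` stating that it now returns only the issued token element. The interface declaration continues outside the hunk.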
@@ -90,6 +91,36 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple @Override public Response getToken(String tokenType, String keyType, List<String> requestedClaims) { + RequestSecurityTokenResponseType response = + issueToken(tokenType, keyType, requestedClaims); + + RequestedSecurityTokenType requestedToken = getRequestedSecurityToken(response); + + return Response.ok(requestedToken.getAny()).build(); + } + + @Override + public Response getTokenViaWSTrust(String tokenType, String keyType, List<String> requestedClaims) { + return getToken(tokenType, keyType, requestedClaims); + } + + private RequestedSecurityTokenType getRequestedSecurityToken(RequestSecurityTokenResponseType response) { + for (Object obj : response.getAny()) { + if (obj instanceof JAXBElement<?>) { + JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; + if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { + return (RequestedSecurityTokenType)jaxbElement.getValue(); + } + } + } + return null; + } + + private RequestSecurityTokenResponseType issueToken( + String tokenType, + String keyType, + List<String> requestedClaims + ) { if (tokenTypeMap != null && tokenTypeMap.containsKey(tokenType)) { tokenType = tokenTypeMap.get(tokenType); } 
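Review bot: `getTokenViaWSTrust` delegates to the new `getToken`, which unwraps the response and returns only `requestedToken.getAny()`, so as far as this hunk shows the `ws-trust/{tokenType}` resource does not return a WS-Trust RequestSecurityTokenResponse despite its name (the ignored `testIssueSAML2TokenViaWSTrust` reads one). It should build the RSTR the way the POST overload does: `RequestSecurityTokenResponseType response = issueToken(tokenType, keyType, requestedClaims);` followed by `return Response.ok(QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponse(response)).build();`. Separately, `getRequestedSecurityToken` returns null when no RequestedSecurityToken element is present and `getToken` dereferences the result unconditionally, so a response without a token becomes a NullPointerException; a guard such as `if (requestedToken == null || requestedToken.getAny() == null) { return Response.serverError().build(); }` keeps that failure explicit. The cast in `getRequestedSecurityToken` is also unchecked, matching on the local name only, so a `jaxbElement.getValue() instanceof RequestedSecurityTokenType` test before the cast would be safer. The body of `issueToken` continues outside the hunk.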
@@ -141,32 +172,32 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple // } // request.setContext(null); - return getToken(Action.ISSUE, request); + return processRequest(Action.ISSUE, request); } @Override public Response getToken(Action action, RequestSecurityTokenType request) { - RequestSecurityTokenResponseType response; + RequestSecurityTokenResponseType response = processRequest(action, request); + + JAXBElement<RequestSecurityTokenResponseType> jaxbResponse = + QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponse(response); + + return Response.ok(jaxbResponse).build(); + } + + private RequestSecurityTokenResponseType processRequest(Action action, + RequestSecurityTokenType request) { switch (action) { case VALIDATE: - response = validate(request); - break; + return validate(request); case RENEW: - response = renew(request); - break; + return renew(request); case CANCEL: - response = cancel(request); - break; + return cancel(request); case ISSUE: default: - response = issueSingle(request); - break; + return issueSingle(request); } - - JAXBElement<RequestSecurityTokenResponseType> jaxbResponse = - QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponse(response); - - return Response.ok(jaxbResponse).build(); } @Override http://git-wip-us.apache.org/repos/asf/cxf/blob/bbe5e870/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java index 7caf0f2..068b4c3 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/RESTUnitTest.java 
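Review bot: `processRequest` has no documentation, and its `case ISSUE: default:` arm means any action other than VALIDATE, RENEW or CANCEL is treated as ISSUE, which a reader of the POST `getToken` overload should not have to discover from the switch. Suggest a Javadoc such as `/** Dispatch a WS-Trust request to the matching operation; ISSUE is the fallback for any other action. */` on `processRequest`. A null action still raises a NullPointerException from the switch, so either document it with `@throws NullPointerException if action is null` or check it up front. The method whose tail opens the hunk (the `return processRequest(Action.ISSUE, request);` line) starts outside it.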
@@ -25,6 +25,7 @@ import javax.security.auth.callback.CallbackHandler; import javax.ws.rs.core.Response; import javax.xml.bind.JAXBElement; +import org.w3c.dom.Document; import org.w3c.dom.Element; import org.apache.cxf.Bus; @@ -83,23 +84,11 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { client.path("saml2.0"); Response response = client.get(); - RequestSecurityTokenResponseType securityResponse = - response.readEntity(RequestSecurityTokenResponseType.class); - - RequestedSecurityTokenType requestedSecurityToken = null; - for (Object obj : securityResponse.getAny()) { - if (obj instanceof JAXBElement<?>) { - JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; - if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { - requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); - break; - } - } - } - assertNotNull(requestedSecurityToken); + Document assertionDoc = response.readEntity(Document.class); + assertNotNull(assertionDoc); // Process the token - List<WSSecurityEngineResult> results = processToken(requestedSecurityToken); + List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement()); assertTrue(results != null && results.size() == 1); SamlAssertionWrapper assertion = @@ -112,6 +101,7 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { } @org.junit.Test + @org.junit.Ignore public void testIssueJWTToken() throws Exception { SpringBusFactory bf = new SpringBusFactory(); URL busFile = RESTUnitTest.class.getResource("cxf-client.xml"); 
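Review bot: `@org.junit.Ignore` is added to `testIssueJWTToken` with no reason, so nothing records why the JWT case is disabled or when it should be re-enabled; presumably the JWT client code does not yet fit the unwrapped token now returned by `getToken`, but that is not visible here. Use the annotation's value, e.g. `@org.junit.Ignore("TODO: re-enable once the REST issue path returns JWT tokens in the new unwrapped form")`, so the skip is self-explaining in test reports. The same applies to the `@org.junit.Ignore` on `testIssueSAML2TokenViaWSTrust` in the next hunk. The test method body continues outside the hunk.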
@@ -129,7 +119,53 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { client.get(); } - private List<WSSecurityEngineResult> processToken(RequestedSecurityTokenType securityResponse) + @org.junit.Test + @org.junit.Ignore + public void testIssueSAML2TokenViaWSTrust() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = RESTUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token"; + WebClient client = WebClient.create(address, busFile.toString()); + + client.type("application/xml").accept("application/xml"); + client.path("saml2.0"); + + Response response = client.get(); + RequestSecurityTokenResponseType securityResponse = + response.readEntity(RequestSecurityTokenResponseType.class); + + RequestedSecurityTokenType requestedSecurityToken = null; + for (Object obj : securityResponse.getAny()) { + if (obj instanceof JAXBElement<?>) { + JAXBElement<?> jaxbElement = (JAXBElement<?>)obj; + if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) { + requestedSecurityToken = (RequestedSecurityTokenType)jaxbElement.getValue(); + break; + } + } + } + assertNotNull(requestedSecurityToken); + + // Process the token + List<WSSecurityEngineResult> results = + processToken((Element)requestedSecurityToken.getAny()); + + assertTrue(results != null && results.size() == 1); + SamlAssertionWrapper assertion = + (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION); + assertTrue(assertion != null); + assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null); + assertTrue(assertion.isSigned()); + + bus.shutdown(true); + } + + private List<WSSecurityEngineResult> processToken(Element assertionElement) throws Exception { RequestData requestData = new RequestData(); 
requestData.setDisableBSPEnforcement(true); @@ -140,9 +176,8 @@ public class RESTUnitTest extends AbstractBusClientServerTestBase { requestData.setSigVerCrypto(crypto); Processor processor = new SAMLTokenProcessor(); - Element securityTokenElem = (Element)securityResponse.getAny(); return processor.handleToken( - securityTokenElem, requestData, new WSDocInfo(securityTokenElem.getOwnerDocument()) + assertionElement, requestData, new WSDocInfo(assertionElement.getOwnerDocument()) ); }
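Review bot: `testIssueSAML2TokenViaWSTrust` requests `/SecurityTokenService/token` with `client.path("saml2.0")`, the same resource as `testIssueSAML2Token`, so it never exercises the new `ws-trust/{tokenType}` resource it is named for, which may be why it had to be ignored given that resource now returns the unwrapped token. Point it at the new path with `client.path("ws-trust/saml2.0");`. `bus.shutdown(true)` only runs when every assertion passes; wrapping the body in `try { ... } finally { bus.shutdown(true); }` keeps a failing run from leaking the bus into the next test. `processToken` begins in this hunk and its body continues in the `@@ -140` hunk below, which only renames the parameter.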