Adding some negative tests for trust verification for rs-security
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/af69b53d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/af69b53d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/af69b53d Branch: refs/heads/3.1.x-fixes Commit: af69b53d8460c7c80546afb8ae56dd086a807a6f Parents: f05a415 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Mar 28 13:04:16 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Mar 28 13:13:41 2017 +0100
----------------------------------------------------------------------
 .../security/xml/AbstractXmlSecInHandler.java | 6 +-
 .../rs/security/xml/XmlSecInInterceptor.java | 20 ++---
 .../security/saml/KeystorePasswordCallback.java | 4 +
 .../jaxrs/security/xml/JAXRSXmlSecTest.java | 90 ++++++++++++++++++++
 .../systest/jaxrs/security/bethal.properties | 24 ++++++
 .../systest/jaxrs/security/morpit.properties | 21 +++++
 .../jaxrs/security/morpittrust.properties | 23 +++++
 .../cxf/systest/jaxrs/security/xml/server.xml | 32 +++++++
 .../systest/jaxrs/security/xml/stax-server.xml | 34 +++++++-
 9 files changed, 242 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
index 8d79b1c..27bc803 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSecInHandler.java
@@ -96,7 +96,11 @@ public abstract class AbstractXmlSecInHandler {
 }
 protected void throwFault(String error, Exception ex) {
- LOG.warning(error);
+ StringBuilder log = new StringBuilder(error);
+ if (ex != null) {
+ log = log.append(" - ").append(ex.getMessage());
+ }
+ LOG.warning(log.toString());
 Response response = JAXRSUtils.toResponseBuilder(400).entity(error).build();
 throw ExceptionUtils.toBadRequestException(null, response);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 19a7457..3341793 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -106,9 +106,9 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
 message.getInterceptorChain().add( new StaxActionInInterceptor(requireSignature, requireEncryption));
 }
-
+
 private void prepareMessage(Message inMsg) throws Fault {
-
+
 XMLStreamReader originalXmlStreamReader = inMsg.getContent(XMLStreamReader.class);
 if (originalXmlStreamReader == null) {
 InputStream is = inMsg.getContent(InputStream.class);
@@ -147,7 +147,7 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
 return "GET".equals(method) && !MessageUtils.isRequestor(message);
 }
-
+
 private void configureDecryptionKeys(Message message, XMLSecurityProperties properties) throws IOException, UnsupportedCallbackException, WSSecurityException {
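Review bot: The new `LOG.warning(log.toString())` records only `ex.getMessage()`, so the exception's type and stack trace never reach the log, and because the 400 entity is deliberately limited to the generic `error` the log is now the only place an operator can learn why a message was rejected. If `LOG` is a `java.util.logging.Logger`, which the `LOG.warning(...)` call suggests, `LOG.log(Level.WARNING, log.toString(), ex);` keeps the same text and attaches the throwable. The `log = log.append(...)` reassignment is also redundant, since `StringBuilder.append` returns the same instance, so `log.append(" - ").append(ex.getMessage());` is enough. Keeping the detail out of the response body is the right choice, as it stops the verifier from echoing trust-validation internals back to the sender.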
@@ -311,8 +311,8 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
 new TrustValidator().validateTrust(sigCrypto, cert, publicKey, getSubjectContraints(msg));
 } catch (WSSecurityException e) {
- throw new XMLSecurityException("empty", new Object[] {"Error during Signature Trust "
- + "validation: " + e.getMessage()});
+ String error = "Signature validation failed";
+ throw new XMLSecurityException("empty", new Object[] {error});
 }
 if (persistSignature) {
@@ -408,19 +408,19 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
 @Override
 public Object aroundReadFrom(ReaderInterceptorContext ctx) throws IOException, WebApplicationException {
 Message message = ((ReaderInterceptorContextImpl)ctx).getMessage();
-
+
 if (isServerGet(message)) {
- return ctx.proceed();
+ return ctx.proceed();
 } else {
 prepareMessage(message);
 Object object = ctx.proceed();
- new StaxActionInInterceptor(requireSignature,
+ new StaxActionInInterceptor(requireSignature,
 requireEncryption).handleMessage(message);
 return object;
 }
-
+
 }
-
+
 /**
 * This interceptor handles parsing the StaX results (events) + checks to see whether the
 * required (if any) Actions (signature or encryption) were fulfilled.
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
index 3103aad..099bc4e 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/KeystorePasswordCallback.java
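Review bot: The new catch block drops `e` completely: the `WSSecurityException` is neither attached as the cause of the `XMLSecurityException` nor logged, so once the fixed "Signature validation failed" text leaves this method nothing records whether the signer's certificate was untrusted or one of the `getSubjectContraints(msg)` checks failed. A generic message is the right thing to hand back to the caller, but the detail should survive on the server side: `throw new XMLSecurityException(e, "empty", new Object[] {error});` if the Santuario version in use has the constructor that takes an original exception, otherwise a `LOG.fine(e.getMessage())` or similar immediately before the throw. The enclosing method starts and ends outside the hunk.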
@@ -46,6 +46,10 @@ public class KeystorePasswordCallback implements CallbackHandler {
 pc.setPassword("password");
 } else if ("bob".equals(pc.getIdentifier())) {
 pc.setPassword("password");
+ } else if ("morpit".equals(pc.getIdentifier())) {
+ pc.setPassword("password");
+ } else if ("bethal".equals(pc.getIdentifier())) {
+ pc.setPassword("password");
 } else {
 pc.setPassword("abcd!1234");
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
index b1c42d8..94084a6 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
@@ -311,6 +311,96 @@ public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
 }
 @Test
+ public void testSignatureNegativeServer() throws Exception {
+ String address = "https://localhost:" + test.port + "/xmlsignegativeserver/bookstore/books";
+
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ Map<String, Object> properties = new HashMap<>();
+ properties.put("security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("security.signature.username", "bethal");
+ properties.put("security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+ bean.setProperties(properties);
+ if (test.streaming) {
+ XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+ sigOutInterceptor.setSignRequest(true);
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+ sigInInterceptor.setRequireSignature(true);
+ bean.getInInterceptors().add(sigInInterceptor);
+ } else {
+ XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+ bean.getInInterceptors().add(sigInInterceptor);
+ }
+
+ WebClient wc = bean.createWebClient();
+ WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+ try {
+ wc.post(new Book("CXF", 126L), Book.class);
+ fail("Failure expected on signature trust failure");
+ } catch (WebApplicationException ex) {
+ assertTrue(ex.getMessage().contains("400 Bad Request"));
+ }
+ }
+
+ @Test
+ public void testSignatureNegativeClient() throws Exception {
+ String address = "https://localhost:" +
test.port + "/xmlsignegativeclient/bookstore/books";
+
+ JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
+ bean.setAddress(address);
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = JAXRSXmlSecTest.class.getResource("client.xml");
+ Bus springBus = bf.createBus(busFile.toString());
+ bean.setBus(springBus);
+
+ Map<String, Object> properties = new HashMap<>();
+ properties.put("security.callback-handler",
+ "org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback");
+ properties.put("security.signature.username", "bethal");
+ properties.put("security.signature.properties",
+ "org/apache/cxf/systest/jaxrs/security/bethal.properties");
+ bean.setProperties(properties);
+ if (test.streaming) {
+ XmlSecOutInterceptor sigOutInterceptor = new XmlSecOutInterceptor();
+ sigOutInterceptor.setSignRequest(true);
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSecInInterceptor sigInInterceptor = new XmlSecInInterceptor();
+ sigInInterceptor.setRequireSignature(true);
+ bean.getInInterceptors().add(sigInInterceptor);
+ } else {
+ XmlSigOutInterceptor sigOutInterceptor = new XmlSigOutInterceptor();
+ bean.getOutInterceptors().add(sigOutInterceptor);
+
+ XmlSigInInterceptor sigInInterceptor = new XmlSigInInterceptor();
+ bean.getInInterceptors().add(sigInInterceptor);
+ }
+
+ WebClient wc = bean.createWebClient();
+ WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
+ try {
+ wc.post(new Book("CXF", 126L), Book.class);
+ fail("Failure expected on signature trust failure");
+ } catch (ProcessingException ex) {
+ assertTrue(ex.getCause() instanceof BadRequestException);
+ }
+ }
+
+ @Test
 public void testPostEncryptedBook() throws Exception {
 String address = "https://localhost:" + test.port + "/xmlenc/bookstore/books";
 Map<String, Object> properties = new HashMap<String, Object>();
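Review bot: `testSignatureNegativeServer` only checks that `ex.getMessage()` contains "400 Bad Request", and any server-side rejection on this path — a malformed signature, a parse failure, a missing signature — would produce the same status, so the test does not by itself show that it was the trust check that fired; asserting on `ex.getResponse().getStatus()` is at least more robust than matching message text, and the reason the request must fail (the server's `morpit.properties` has no truststore, so Bethal's certificate is presumably not trusted) deserves a comment now that the server returns only a generic error. The two tests are otherwise identical apart from the endpoint path and the exception they expect, roughly forty duplicated lines; pulling the client construction into a helper keeps the negative cases readable and makes it obvious that the only variable is which side lacks the truststore. Both tests also carry `setReceiveTimeout(10000000L)`, which looks like a debugging aid copied from neighbouring tests and should go if it is not needed here. The sketch below assumes `assertEquals` is statically imported alongside `assertTrue` and `fail`.
```java
// Builds a client that signs requests as "bethal" and requires signed responses;
// the interceptor wiring is identical for every negative signature test here.
private WebClient createBethalSignedClient(String path) {
    JAXRSClientFactoryBean bean = new JAXRSClientFactoryBean();
    bean.setAddress("https://localhost:" + test.port + path);
    // … unchanged: bus setup, security.* properties, streaming/DOM interceptor choice …
    WebClient wc = bean.createWebClient();
    WebClient.getConfig(wc).getHttpConduit().getClient().setReceiveTimeout(10000000L);
    return wc;
}

@Test
public void testSignatureNegativeServer() throws Exception {
    // The server endpoint uses morpit.properties, which configures no truststore,
    // so the request signed by "bethal" is expected to fail trust validation.
    WebClient wc = createBethalSignedClient("/xmlsignegativeserver/bookstore/books");
    try {
        wc.post(new Book("CXF", 126L), Book.class);
        fail("Failure expected on signature trust failure");
    } catch (WebApplicationException ex) {
        assertEquals(400, ex.getResponse().getStatus());
    }
}
// … testSignatureNegativeClient: same shape with "/xmlsignegativeclient/bookstore/books",
//    catching ProcessingException and asserting a BadRequestException cause …
```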
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
new file mode 100644
index 0000000..7356fc5
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/bethal.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=bethal
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Bethal.jks
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
new file mode 100644
index 0000000..7cf81d6
--- /dev/null
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpit.properties
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
new file mode 100644
index 0000000..0056c7d
--- /dev/null
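Review bot: `morpit.properties` differs from `morpittrust.properties` only in the absence of the `truststore.file`/`truststore.password` entries, and that omission is exactly what the server-side negative test relies on, yet nothing in the file says so; someone tidying the fixtures could add a truststore and silently turn the negative test into a passing positive one. A one-line comment above the Merlin entries records the intent, e.g. `# Deliberately no truststore: trust is checked against Morpit.jks alone, so a request signed by bethal must be rejected (see testSignatureNegativeServer)`. Whether Merlin falls back to the keystore for trust when no truststore is configured is not visible here, so that assumption is worth confirming against the WSS4J version in use.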
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/morpittrust.properties
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=morpit
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Morpit.jks
+org.apache.wss4j.crypto.merlin.truststore.password=password
+org.apache.wss4j.crypto.merlin.truststore.file=keys/Truststore.jks
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
index d3c70c0..a1aaf40 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/server.xml
@@ -96,6 +96,38 @@ under the License.
 </jaxrs:properties>
 </jaxrs:server>
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeserver">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:providers>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsignegativeclient">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:providers>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:providers>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
 <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsigconstraints">
 <jaxrs:serviceBeans>
 <ref bean="serviceBean"/>
http://git-wip-us.apache.org/repos/asf/cxf/blob/af69b53d/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
index 9ba3bce..2281c60 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
@@ -116,7 +116,39 @@ under the License.
 </jaxrs:properties>
 </jaxrs:server>
- <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeserver">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpit.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsignegativeclient">
+ <jaxrs:serviceBeans>
+ <ref bean="serviceBean"/>
+ </jaxrs:serviceBeans>
+ <jaxrs:inInterceptors>
+ <ref bean="xmlSigInHandler"/>
+ </jaxrs:inInterceptors>
+ <jaxrs:outInterceptors>
+ <ref bean="xmlSigOutHandler"/>
+ </jaxrs:outInterceptors>
+ <jaxrs:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"/>
+ <entry key="security.signature.properties" value="org/apache/cxf/systest/jaxrs/security/morpittrust.properties"/>
+ </jaxrs:properties>
+ </jaxrs:server>
+
+ <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigconstraints">
 <jaxrs:serviceBeans>
 <ref bean="serviceBean"/>
 </jaxrs:serviceBeans>