Adding signature negative tests for WS-Security, client + server side
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8b13c36c Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8b13c36c Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8b13c36c Branch: refs/heads/3.0.x-fixes Commit: 8b13c36c0978164dc24c80cd7c2f046cba2ea4a2 Parents: 657541e Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Mar 28 12:18:54 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Mar 28 14:35:05 2017 +0100 ---------------------------------------------------------------------- .../cxf/systest/ws/action/ActionTest.java | 112 +++++++++++++++++++ .../ws/common/KeystorePasswordCallback.java | 2 + .../src/test/resources/bethal.properties | 24 ++++ .../cxf/systest/ws/action/DoubleItAction.wsdl | 12 ++ .../org/apache/cxf/systest/ws/action/client.xml | 104 +++++++++++++++++ .../org/apache/cxf/systest/ws/action/server.xml | 104 +++++++++++++++++ .../src/test/resources/truststore.properties | 23 ++++ 7 files changed, 381 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
index 2a67c22..9d86f62 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
@@ -291,4 +291,116 @@ public class ActionTest extends AbstractBusClientServerTestBase {
 ((java.io.Closeable)port).close();
 bus.shutdown(true);
 }
+
+ @org.junit.Test
+ public void testSignatureNegativeClient() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignatureNegativeClientPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected as the client doesn't trust the cert of the service");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testSignatureNegativeClientStreaming() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignatureNegativeClientPort2");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected as the client doesn't trust the cert of the service");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testSignatureNegativeServer() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignatureNegativeServerPort");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected as the service doesn't trust the client cert");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testSignatureNegativeServerStreaming() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = ActionTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSignatureNegativeServerPort2");
+ DoubleItPortType port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected as the service doesn't trust the client cert");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/KeystorePasswordCallback.java ----------------------------------------------------------------------
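Review bot: The `catch (javax.xml.ws.soap.SOAPFaultException ex)` blocks in all four new tests accept any SOAP fault, so a test still passes when the call fails for a reason unrelated to certificate trust, such as a keystore that cannot be loaded, an alias missing from the password callback, or a request rejected on the other side before the check under test is reached. Each catch should inspect the fault before treating it as expected, for example `assertTrue(ex.getMessage().contains(EXPECTED_TRUST_FAILURE_TEXT));`, where `EXPECTED_TRUST_FAILURE_TEXT` is a placeholder for the text the interceptors actually report; the server-side cases may only expose a generic security fault, and asserting on that is still tighter than an empty catch. Separately, `((java.io.Closeable)port).close()` and `bus.shutdown(true)` sit after the try block, so an `AssertionError` from `fail(...)` skips them and the bus created for the test is never shut down; moving both calls into a `finally` avoids that.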
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/KeystorePasswordCallback.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/KeystorePasswordCallback.java
index 511155a..e680dce 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/KeystorePasswordCallback.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/KeystorePasswordCallback.java
@@ -46,6 +46,8 @@ public class KeystorePasswordCallback implements CallbackHandler {
 passwords.put("6e0e88f36ebb8744d470f62f604d03ea4ebe5094", "password");
 passwords.put("wss40rev", "security");
 passwords.put("morpit", "password");
+ passwords.put("myclientkey", "ckpass");
+ passwords.put("myservicekey", "skpass");
 }
 /**
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/resources/bethal.properties ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/bethal.properties b/systests/ws-security/src/test/resources/bethal.properties
new file mode 100644
index 0000000..7356fc5
--- /dev/null
+++ b/systests/ws-security/src/test/resources/bethal.properties
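Review bot: The two aliases added here, `myclientkey` and `myservicekey`, are not referenced by any configuration in this commit, while the new client beans in client.xml sign with `signatureUser` set to `bethal` and name this class as `passwordCallbackClass`. An entry for `bethal` is not visible in this hunk; if the map has none, the outbound signature would presumably fail on the client before any trust decision is made, and the negative tests would still pass because they accept any `SOAPFaultException`. It is worth confirming that `bethal` is covered and adding a comment above the new lines, such as `// key aliases from <keystore file>` (placeholder), that says which keystore they belong to. The constructor starts above the hunk.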
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=bethal
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Bethal.jks
+
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
index dcb40d4..eca0182 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
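Review bot: The file gives no hint that the negative tests depend on what `keys/Bethal.jks` leaves out: client.xml names it as `signatureVerificationPropFile` for the negative-client ports, which only works as a test if that keystore does not trust the service's `morpit` certificate. A comment above the properties, e.g. `# Used by the ActionTest signature negative tests; Bethal.jks must not trust the morpit certificate or its issuer`, would record that. truststore.properties, added later in this commit, has the opposite dependency: the negative-client endpoints in server.xml verify the `bethal` signature with it, so `keys/Truststore.jks` presumably has to keep trusting `bethal`, otherwise the request is rejected before the client-side check is ever reached.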
@@ -66,6 +66,18 @@
 <wsdl:port name="DoubleItEncryptionPort" binding="tns:DoubleItNoSecurityBinding">
 <soap:address location="http://localhost:9001/DoubleItEncryption"/>
 </wsdl:port>
+ <wsdl:port name="DoubleItSignatureNegativeClientPort" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignatureNegativeClient"/>
+ </wsdl:port>
+ <wsdl:port name="DoubleItSignatureNegativeClientPort2" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignatureNegativeClient2"/>
+ </wsdl:port>
+ <wsdl:port name="DoubleItSignatureNegativeServerPort" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignatureNegativeServer"/>
+ </wsdl:port>
+ <wsdl:port name="DoubleItSignatureNegativeServerPort2" binding="tns:DoubleItNoSecurityBinding">
+ <soap:address location="http://localhost:9001/DoubleItSignatureNegativeServer2"/>
+ </wsdl:port>
 </wsdl:service>
 </wsdl:definitions>
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
index 298048e..0cb52c1 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
@@ -229,4 +229,108 @@
 </jaxws:inInterceptors>
 </jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignatureNegativeClientPort" createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="bethal"/>
+ <entry key="signaturePropFile" value="bethal.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="bethal.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignatureNegativeClientPort2" createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="bethal"/>
+ <entry key="signaturePropFile" value="bethal.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="bethal.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignatureNegativeServerPort" createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="bethal"/>
+ <entry key="signaturePropFile" value="bethal.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="truststore.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignatureNegativeServerPort2" createdFromAPI="true">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="bethal"/>
+ <entry key="signaturePropFile" value="bethal.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="truststore.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:client>
+
 </beans>
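Review bot: The `DoubleItSignatureNegativeClientPort2` and `DoubleItSignatureNegativeServerPort2` beans are the streaming variants, but that is visible only from the interceptor class names, and the two differ in which side streams: `...ClientPort2` uses `WSS4JStaxOutInterceptor`/`WSS4JStaxInInterceptor` here, whereas `...ServerPort2` keeps the DOM interceptors on the client and the StAX ones appear on the matching endpoint in server.xml. A comment on each bean, such as `<!-- Negative test, streaming: the rejecting side (client) uses the StAX interceptors -->`, would make it clear that the asymmetry is intended and not a copy-paste slip. The same kind of comment would help on the four endpoints added to server.xml.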
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
index 1d45840..cb11d47 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
@@ -169,4 +169,108 @@
 </jaxws:inInterceptors>
 </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignatureNegativeClient" address="http://localhost:${testutil.ports.action.Server}/DoubleItSignatureNegativeClient" serviceName="s:DoubleItService" endpointName="s:DoubleItSignatureNegativeClientPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="morpit"/>
+ <entry key="signaturePropFile" value="morpit.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="truststore.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignatureNegativeClient2" address="http://localhost:${testutil.ports.action.Server}/DoubleItSignatureNegativeClient2" serviceName="s:DoubleItService" endpointName="s:DoubleItSignatureNegativeClientPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="morpit"/>
+ <entry key="signaturePropFile" value="morpit.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="truststore.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignatureNegativeServer" address="http://localhost:${testutil.ports.action.Server}/DoubleItSignatureNegativeServer" serviceName="s:DoubleItService" endpointName="s:DoubleItSignatureNegativeServerPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="morpit"/>
+ <entry key="signaturePropFile" value="morpit.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="morpit.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignatureNegativeServer2" address="http://localhost:${testutil.ports.action.Server}/DoubleItSignatureNegativeServer2" serviceName="s:DoubleItService" endpointName="s:DoubleItSignatureNegativeServerPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItAction.wsdl">
+ <jaxws:outInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureUser" value="morpit"/>
+ <entry key="signaturePropFile" value="morpit.properties"/>
+ <entry key="signatureKeyIdentifier" value="DirectReference"/>
+ <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:outInterceptors>
+ <jaxws:inInterceptors>
+ <bean class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
+ <constructor-arg>
+ <map>
+ <entry key="action" value="Signature"/>
+ <entry key="signatureVerificationPropFile" value="morpit.properties"/>
+ </map>
+ </constructor-arg>
+ </bean>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+
 </beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/8b13c36c/systests/ws-security/src/test/resources/truststore.properties ----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/truststore.properties b/systests/ws-security/src/test/resources/truststore.properties
new file mode 100644
index 0000000..170389a
--- /dev/null
+++ b/systests/ws-security/src/test/resources/truststore.properties
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.file=keys/Truststore.jks
+