Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 4daa8a05d -> 892913e71
Adding Kerberos STS test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1314a594 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1314a594 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1314a594 Branch: refs/heads/3.0.x-fixes Commit: 1314a594481392384c9fbd83040697f3492f05b2 Parents: 4daa8a0 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Wed Dec 3 10:49:29 2014 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Wed Dec 3 11:36:06 2014 +0000 ---------------------------------------------------------------------- systests/kerberos/pom.xml | 5 + .../common/KeystorePasswordCallback.java | 3 + .../kerberos/common/SecurityTestUtil.java | 22 ++ .../wssec/kerberos/KerberosTokenTest.java | 71 ++++- .../systest/kerberos/wssec/sts/STSServer.java | 50 +++ .../kerberos/wssec/sts/StaxSTSServer.java | 50 +++ .../test/resources/clientKeystore.properties | 24 ++ .../kerberos/src/test/resources/clientstore.jks | Bin 0 -> 4436 bytes .../wssec/kerberos/DoubleItKerberos.wsdl | 92 +++++- .../systest/kerberos/wssec/kerberos/server.xml | 24 ++ .../kerberos/wssec/kerberos/sts-client.xml | 71 +++++ .../cxf/systest/kerberos/wssec/sts/cxf-sts.xml | 101 ++++++ .../systest/kerberos/wssec/sts/stax-cxf-sts.xml | 106 ++++++ .../wssec/sts/ws-trust-1.4-service.wsdl | 319 +++++++++++++++++++ .../test/resources/serviceKeystore.properties | 24 ++ .../src/test/resources/servicestore.jks | Bin 0 -> 3350 bytes .../src/test/resources/stsKeystore.properties | 23 ++ .../kerberos/src/test/resources/stsstore.jks | Bin 0 -> 3978 bytes 18 files changed, 983 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/pom.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/pom.xml b/systests/kerberos/pom.xml index e5bc330..622517f 100644 --- a/systests/kerberos/pom.xml +++ b/systests/kerberos/pom.xml @@ -143,6 +143,11 @@ <version>${project.version}</version> </dependency> <dependency> + <groupId>org.apache.cxf.services.sts</groupId> + <artifactId>cxf-services-sts-core</artifactId> + <version>${project.version}</version> + </dependency> + <dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-testutils</artifactId> <version>${project.version}</version> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/KeystorePasswordCallback.java ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/KeystorePasswordCallback.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/KeystorePasswordCallback.java index 0bada6a..3cc798b 100644 --- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/KeystorePasswordCallback.java +++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/KeystorePasswordCallback.java @@ -45,6 +45,9 @@ public class KeystorePasswordCallback implements CallbackHandler { passwords.put("abcd", "dcba"); passwords.put("6e0e88f36ebb8744d470f62f604d03ea4ebe5094", "password"); passwords.put("wss40rev", "security"); + passwords.put("myclientkey", "ckpass"); + passwords.put("myservicekey", "skpass"); + passwords.put("mystskey", "stskpass"); } /** http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/SecurityTestUtil.java ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/SecurityTestUtil.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/SecurityTestUtil.java index d2af280..059d535 100644 --- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/SecurityTestUtil.java +++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/common/SecurityTestUtil.java @@ -26,6 +26,7 @@ import javax.crypto.spec.SecretKeySpec; import javax.xml.ws.BindingProvider; import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.trust.STSClient; import org.example.contract.doubleit.DoubleItPortType; /** @@ -88,4 +89,25 @@ public final class SecurityTestUtil { ); } + public static void updateSTSPort(BindingProvider p, String port) { + STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT); + if (stsClient != null) { + String location = stsClient.getWsdlLocation(); + if (location != null && location.contains("8080")) { + stsClient.setWsdlLocation(location.replace("8080", port)); + } else if (location != null && location.contains("8443")) { + stsClient.setWsdlLocation(location.replace("8443", port)); + } + } + stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct"); + if (stsClient != null) { + String location = stsClient.getWsdlLocation(); + if (location.contains("8080")) { + stsClient.setWsdlLocation(location.replace("8080", port)); + } else if (location.contains("8443")) { + stsClient.setWsdlLocation(location.replace("8443", port)); + } + } + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/kerberos/KerberosTokenTest.java ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/kerberos/KerberosTokenTest.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/kerberos/KerberosTokenTest.java index f7069d7..f9b8468 100644 --- a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/kerberos/KerberosTokenTest.java +++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/kerberos/KerberosTokenTest.java @@ -25,12 +25,15 @@ import java.io.FileOutputStream; import java.net.URL; import javax.xml.namespace.QName; +import javax.xml.ws.BindingProvider; import javax.xml.ws.Service; import org.apache.commons.io.IOUtils; import org.apache.cxf.Bus; import org.apache.cxf.bus.spring.SpringBusFactory; import org.apache.cxf.systest.kerberos.common.SecurityTestUtil; +import org.apache.cxf.systest.kerberos.wssec.sts.STSServer; +import org.apache.cxf.systest.kerberos.wssec.sts.StaxSTSServer; import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; import org.apache.cxf.testutil.common.TestUtil; import org.apache.directory.server.annotations.CreateKdcServer; @@ -98,6 +101,10 @@ public class KerberosTokenTest extends AbstractLdapTestUnit { static final String PORT2 = TestUtil.getPortNumber(Server.class, 2); static final String STAX_PORT2 = TestUtil.getPortNumber(StaxServer.class, 2); + static final String PORT3 = TestUtil.getPortNumber(Server.class, 3); + static final String STSPORT = TestUtil.getPortNumber(STSServer.class); + static final String STAX_STSPORT = TestUtil.getPortNumber(StaxSTSServer.class); + private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); @@ -166,8 +173,22 @@ public class KerberosTokenTest extends AbstractLdapTestUnit { // set this to false to fork AbstractBusClientServerTestBase.launchServer(StaxServer.class, true) ); + + org.junit.Assert.assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + AbstractBusClientServerTestBase.launchServer(STSServer.class, true) + ); + + org.junit.Assert.assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + AbstractBusClientServerTestBase.launchServer(StaxSTSServer.class, true) + ); } - + @org.junit.AfterClass public static void cleanup() throws Exception { SecurityTestUtil.cleanup(); @@ -389,6 +410,24 @@ public class KerberosTokenTest extends AbstractLdapTestUnit { // runKerberosTest(portName, true, STAX_PORT); } + // In this test, a CXF client requests a SAML2 HOK Assertion from the STS, which has a + // policy of requiring a KerberosToken over the TransportBinding. The CXF client + // retrieves a service ticket from the KDC and inserts it into the security header of + // the request. The STS validates the ticket using the KerberosTokenValidator. + @org.junit.Test + public void testWSTrustKerberosToken() throws Exception { + + if (!runTests || !unrestrictedPoliciesInstalled) { + return; + } + + String portName = "DoubleItTransportSAML2Port"; + runKerberosSTSTest(portName, false, PORT3, STSPORT); + runKerberosSTSTest(portName, true, PORT3, STSPORT); + runKerberosSTSTest(portName, false, PORT3, STAX_STSPORT); + runKerberosSTSTest(portName, true, PORT3, STAX_STSPORT); + } + private void runKerberosTest(String portName, boolean streaming, String portNumber) throws Exception { SpringBusFactory bf = new SpringBusFactory(); @@ -416,4 +455,34 @@ public class KerberosTokenTest extends AbstractLdapTestUnit { bus.shutdown(true); } + private void runKerberosSTSTest(String portName, boolean streaming, String portNumber, + String stsPortNumber) throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = KerberosTokenTest.class.getResource("sts-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = KerberosTokenTest.class.getResource("DoubleItKerberos.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, portName); + DoubleItPortType kerberosPort = + service.getPort(portQName, DoubleItPortType.class); + + TestUtil.updateAddressPort(kerberosPort, portNumber); + + SecurityTestUtil.updateSTSPort((BindingProvider)kerberosPort, stsPortNumber); + + if (streaming) { + SecurityTestUtil.enableStreaming(kerberosPort); + } + + kerberosPort.doubleIt(25); + + ((java.io.Closeable)kerberosPort).close(); + bus.shutdown(true); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/STSServer.java ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/STSServer.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/STSServer.java new file mode 100644 index 0000000..f8ddb55 --- /dev/null +++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/STSServer.java @@ -0,0 +1,50 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.kerberos.wssec.sts; + +import java.net.URL; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; + +public class STSServer extends AbstractBusTestServerBase { + + public STSServer() { + + } + + protected void run() { + URL busFile = STSServer.class.getResource("cxf-sts.xml"); + Bus busLocal = new SpringBusFactory().createBus(busFile); + BusFactory.setDefaultBus(busLocal); + setBus(busLocal); + + try { + new STSServer(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void main(String args[]) { + new STSServer().run(); + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/StaxSTSServer.java ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/StaxSTSServer.java b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/StaxSTSServer.java new file mode 100644 index 0000000..9a3a0bc --- /dev/null +++ b/systests/kerberos/src/test/java/org/apache/cxf/systest/kerberos/wssec/sts/StaxSTSServer.java @@ -0,0 +1,50 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.kerberos.wssec.sts; + +import java.net.URL; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; + +public class StaxSTSServer extends AbstractBusTestServerBase { + + public StaxSTSServer() { + + } + + protected void run() { + URL busFile = StaxSTSServer.class.getResource("stax-cxf-sts.xml"); + Bus busLocal = new SpringBusFactory().createBus(busFile); + BusFactory.setDefaultBus(busLocal); + setBus(busLocal); + + try { + new StaxSTSServer(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + public static void main(String args[]) { + new StaxSTSServer().run(); + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/clientKeystore.properties ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/clientKeystore.properties b/systests/kerberos/src/test/resources/clientKeystore.properties new file mode 100644 index 0000000..8ab391e --- /dev/null +++ b/systests/kerberos/src/test/resources/clientKeystore.properties @@ -0,0 +1,24 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.password=cspass +org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey +org.apache.ws.security.crypto.merlin.keystore.file=clientstore.jks + http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/clientstore.jks ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/clientstore.jks b/systests/kerberos/src/test/resources/clientstore.jks new file mode 100644 index 0000000..23168a9 Binary files /dev/null and b/systests/kerberos/src/test/resources/clientstore.jks differ http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl index cd858e4..711c753 100644 --- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl @@ -17,7 +17,7 @@ specific language governing permissions and limitations under the License. --> -<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt"> +<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt"> <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/> <wsdl:binding name="DoubleItKerberosTransportBinding" type="tns:DoubleItPortType"> <wsp:PolicyReference URI="#DoubleItKerberosTransportPolicy"/> @@ -269,6 +269,21 @@ </wsdl:fault> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItTransportSAML2Binding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItBindingTransportSAML2Policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> <wsdl:service name="DoubleItService"> <wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding"> <soap:address location="https://localhost:9009/DoubleItKerberosTransport"/> @@ -316,6 +331,9 @@ binding="tns:DoubleItKerberosSymmetricSecureConversationBinding"> <soap:address location="http://localhost:9001/DoubleItKerberosSymmetricSecureConversation"/> </wsdl:port> + <wsdl:port name="DoubleItTransportSAML2Port" binding="tns:DoubleItTransportSAML2Binding"> + <soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml2"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy"> <wsp:ExactlyOne> @@ -1001,6 +1019,78 @@ </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBindingTransportSAML2Policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsam:Addressing wsp:Optional="false"> + <wsp:Policy/> + </wsam:Addressing> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + </wsp:Policy> + </sp:TransportBinding> + <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <sp:RequestSecurityTokenTemplate> + <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType> + <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType> + </sp:RequestSecurityTokenTemplate> + <wsp:Policy> + <sp:RequireInternalReference/> + </wsp:Policy> + <sp:Issuer> + <wsaw:Address>http://localhost:8080/STS/STSUT</wsaw:Address> + <wsaw:Metadata> + <wsx:Metadata> + <wsx:MetadataSection> + <wsx:MetadataReference> + <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex + </wsaw:Address> + </wsx:MetadataReference> + </wsx:MetadataSection> + </wsx:Metadata> + </wsaw:Metadata> + </sp:Issuer> + </sp:IssuedToken> + </wsp:Policy> + </sp:EndorsingSupportingTokens> + <sp:Wss11> + <wsp:Policy> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> <wsp:ExactlyOne> <wsp:All> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/server.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/server.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/server.xml index a0b94b1..48cf8a2 100644 --- a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/server.xml +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/server.xml @@ -55,6 +55,7 @@ <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator"> <property name="contextName" value="bob"/> <property name="serviceName" value="b...@service.ws.apache.org"/> + <property name="callbackHandler" ref="kerberosCallbackHandler"/> </bean> <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="KerberosOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItKerberosTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItKerberosTransportPort" implementor="org.apache.cxf.systest.kerberos.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl" depends-on="tls-settings"> <jaxws:properties> @@ -178,4 +179,27 @@ <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/> </jaxws:properties> </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2" implementor="org.apache.cxf.systest.kerberos.common.DoubleItImpl" endpointName="s:DoubleItTransportSAML2Port" serviceName="s:DoubleItService" depends-on="STSClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server.3}/doubleit/services/doubleittransportsaml2" wsdlLocation="org/apache/cxf/systest/kerberos/wssec/kerberos/DoubleItKerberos.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.kerberos.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/> + </jaxws:properties> + </jaxws:endpoint> + + <httpj:engine-factory id="STSClientAuthHttpsSettings" bus="cxf"> + <httpj:engine port="${testutil.ports.Server.3}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="skpass"> + <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/> + </sec:keyManagers> + <sec:cipherSuitesFilter> + <sec:include>.*_EXPORT_.*</sec:include> + <sec:include>.*_EXPORT1024_.*</sec:include> + <sec:include>.*_WITH_AES_.*</sec:include> + </sec:cipherSuitesFilter> + <sec:clientAuthentication want="false" required="false"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> </beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/sts-client.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/sts-client.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/sts-client.xml new file mode 100644 index 0000000..31061f6 --- /dev/null +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/kerberos/sts-client.xml @@ -0,0 +1,71 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <bean id="kerberosCallbackHandler" + class="org.apache.cxf.systest.kerberos.common.KerberosClientPasswordCallback"/> + + <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient" id="kerberosClient"> + <constructor-arg ref="cxf"/> + <property name="contextName" value="alice"/> + <property name="serviceName" value="b...@service.ws.apache.org"/> + <property name="callbackHandler" ref="kerberosCallbackHandler"/> + </bean> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2Port" createdFromAPI="true"> + <jaxws:properties> + <entry key="ws-security.username" value="myclientkey"/> + <entry key="ws-security.signature.properties" value="clientKeystore.properties"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.kerberos.common.KeystorePasswordCallback"/> + <entry key="ws-security.sts.client"> + <bean class="org.apache.cxf.ws.security.trust.STSClient"> + <constructor-arg ref="cxf"/> + <property name="wsdlLocation" value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Kerberos?wsdl"/> + <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/> + <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Kerberos_Port"/> + <property name="properties"> + <map> + <entry key="ws-security.username" value="alice"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.kerberos.common.KeystorePasswordCallback"/> + <entry key="ws-security.sts.token.username" value="myclientkey"/> + <entry key="ws-security.sts.token.properties" value="clientKeystore.properties"/> + <entry key="ws-security.sts.token.usecert" value="true"/> + <entry key="ws-security.kerberos.client" value-ref="kerberosClient"/> + </map> + </property> + </bean> + </entry> + </jaxws:properties> + </jaxws:client> + <http:conduit name="https://localhost:.*"> + <http:tlsClientParameters disableCNCheck="true"> + <sec:trustManagers> + <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/> + </sec:trustManagers> + <sec:keyManagers keyPassword="skpass"> + <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/> + </sec:keyManagers> + </http:tlsClientParameters> + </http:conduit> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/cxf-sts.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/cxf-sts.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/cxf-sts.xml new file mode 100644 index 0000000..0953e54 --- /dev/null +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/cxf-sts.xml @@ -0,0 +1,101 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://c xf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <bean id="transportSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> + <property name="issueOperation" ref="transportIssueDelegate"/> + <property name="validateOperation" ref="transportValidateDelegate"/> + </bean> + <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="services" ref="transportService"/> + <property name="stsProperties" ref="transportSTSProperties"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + </bean> + <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <util:list id="transportTokenProviders"> + <ref bean="transportSamlTokenProvider"/> + </util:list> + <util:list id="transportTokenValidators"> + <ref bean="transportSamlTokenValidator"/> + </util:list> + <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> + <!-- <property name="attributeStatementProviders" ref="attributeStatementProvidersList" />--> + </bean> + <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> + </bean> + <bean id="transportService" class="org.apache.cxf.sts.service.StaticService"> + <property name="endpoints" ref="transportEndpoints"/> + </bean> + <util:list id="transportEndpoints"> + <value>https://localhost:(\d)*/doubleit/services/doubleittransport.* + </value> + </util:list> + <bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties"> + <property name="signaturePropertiesFile" value="stsKeystore.properties"/> + <property name="signatureUsername" value="mystskey"/> + <property name="callbackHandlerClass" value="org.apache.cxf.systest.kerberos.common.KeystorePasswordCallback"/> + <property name="encryptionPropertiesFile" value="stsKeystore.properties"/> + <property name="issuer" value="DoubleItSTSIssuer"/> + <property name="encryptionUsername" value="myservicekey"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport" wsdlLocation="src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port"> + </jaxws:endpoint> + + <bean id="kerberosCallbackHandler" + class="org.apache.cxf.systest.kerberos.common.KerberosServicePasswordCallback"/> + <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator"> + <property name="contextName" value="bob"/> + <property name="serviceName" value="b...@service.ws.apache.org"/> + <property name="callbackHandler" ref="kerberosCallbackHandler"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localKerberosSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Kerberos" wsdlLocation="src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Kerberos_Port"> + <jaxws:properties> + <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/> + </jaxws:properties> + </jaxws:endpoint> + <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> + <httpj:engine port="${testutil.ports.STSServer}"> + <httpj:tlsServerParameters> + <sec:trustManagers> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:trustManagers> + <sec:keyManagers keyPassword="stskpass"> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:keyManagers> + <sec:cipherSuitesFilter> + <sec:include>.*_EXPORT_.*</sec:include> + <sec:include>.*_EXPORT1024_.*</sec:include> + <sec:include>.*_WITH_AES_.*</sec:include> + </sec:cipherSuitesFilter> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/stax-cxf-sts.xml ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/stax-cxf-sts.xml b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/stax-cxf-sts.xml new file mode 100644 index 0000000..77b3755 --- /dev/null +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/stax-cxf-sts.xml @@ -0,0 +1,106 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://c xf.apache.org/schemas/configuration/http-jetty.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <bean id="transportSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> + <property name="issueOperation" ref="transportIssueDelegate"/> + <property name="validateOperation" ref="transportValidateDelegate"/> + </bean> + <bean id="utDelegationHandler" class="org.apache.cxf.sts.token.delegation.UsernameTokenDelegationHandler"/> + <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="services" ref="transportService"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <util:list id="transportTokenProviders"> + <ref bean="transportSamlTokenProvider"/> + </util:list> + <util:list id="transportTokenValidators"> + <ref bean="transportSamlTokenValidator"/> + </util:list> + <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> + <!-- <property name="attributeStatementProviders" ref="attributeStatementProvidersList" />--> + </bean> + <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> + </bean> + <bean id="transportService" class="org.apache.cxf.sts.service.StaticService"> + <property name="endpoints" ref="transportEndpoints"/> + </bean> + <util:list id="transportEndpoints"> + <value>https://localhost:(\d)*/doubleit/services/doubleittransport.* + </value> + </util:list> + <bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties"> + <property name="signaturePropertiesFile" value="stsKeystore.properties"/> + <property name="signatureUsername" value="mystskey"/> + <property name="callbackHandlerClass" value="org.apache.cxf.systest.kerberos.common.KeystorePasswordCallback"/> + <property name="encryptionPropertiesFile" value="stsKeystore.properties"/> + <property name="issuer" value="DoubleItSTSIssuer"/> + <property name="encryptionUsername" value="myservicekey"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.StaxSTSServer}/SecurityTokenService/Transport" wsdlLocation="src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port"> + <jaxws:properties> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + + <bean id="kerberosCallbackHandler" + class="org.apache.cxf.systest.kerberos.common.KerberosServicePasswordCallback"/> + + <bean id="kerberosValidator" class="org.apache.wss4j.dom.validate.KerberosTokenValidator"> + <property name="contextName" value="bob"/> + <property name="serviceName" value="b...@service.ws.apache.org"/> + <property name="callbackHandler" ref="kerberosCallbackHandler"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="localKerberosSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.StaxSTSServer}/SecurityTokenService/Kerberos" wsdlLocation="src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl" depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Kerberos_Port"> + <jaxws:properties> + <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> + <httpj:engine port="${testutil.ports.StaxSTSServer}"> + <httpj:tlsServerParameters> + <sec:trustManagers> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:trustManagers> + <sec:keyManagers keyPassword="stskpass"> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:keyManagers> + <sec:cipherSuitesFilter> + <sec:include>.*_EXPORT_.*</sec:include> + <sec:include>.*_EXPORT1024_.*</sec:include> + <sec:include>.*_WITH_AES_.*</sec:include> + </sec:cipherSuitesFilter> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl new file mode 100644 index 0000000..15992eb --- /dev/null +++ b/systests/kerberos/src/test/resources/org/apache/cxf/systest/kerberos/wssec/sts/ws-trust-1.4-service.wsdl @@ -0,0 +1,319 @@ +<?xml version="1.0" encoding="UTF-8"?> +<wsdl:definitions xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"> + <wsdl:types> + <xs:schema elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> + <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/> + <xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/> + <xs:complexType name="AbstractRequestSecurityTokenType"> + <xs:sequence> + <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </xs:sequence> + <xs:attribute name="Context" type="xs:anyURI" use="optional"/> + <xs:anyAttribute namespace="##other" processContents="lax"/> + </xs:complexType> + <xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/> + <xs:complexType name="RequestSecurityTokenCollectionType"> + <xs:sequence> + <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType" minOccurs="2" maxOccurs="unbounded"/> + </xs:sequence> + </xs:complexType> + <xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/> + <xs:complexType name="RequestSecurityTokenResponseCollectionType"> + <xs:sequence> + <xs:element ref="wst:RequestSecurityTokenResponse" minOccurs="1" maxOccurs="unbounded"/> + </xs:sequence> + <xs:anyAttribute namespace="##other" processContents="lax"/> + </xs:complexType> + </xs:schema> + </wsdl:types> + <!-- WS-Trust defines the following GEDs --> + <wsdl:message name="RequestSecurityTokenMsg"> + <wsdl:part name="request" element="wst:RequestSecurityToken"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenResponseMsg"> + <wsdl:part name="response" element="wst:RequestSecurityTokenResponse"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenCollectionMsg"> + <wsdl:part name="requestCollection" element="wst:RequestSecurityTokenCollection"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenResponseCollectionMsg"> + <wsdl:part name="responseCollection" element="wst:RequestSecurityTokenResponseCollection"/> + </wsdl:message> + <!-- This portType an example of a Requestor (or other) endpoint that + Accepts SOAP-based challenges from a Security Token Service --> + <wsdl:portType name="WSSecurityRequestor"> + <wsdl:operation name="Challenge"> + <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/> + <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + <!-- This portType is an example of an STS supporting full protocol --> + <wsdl:portType name="STS"> + <wsdl:operation name="Cancel"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="Issue"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + <wsdl:operation name="Renew"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="Validate"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="KeyExchangeToken"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="RequestCollection"> + <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/> + <wsdl:output message="tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + </wsdl:portType> + <!-- This portType is an example of an endpoint that accepts + Unsolicited RequestSecurityTokenResponse messages --> + <wsdl:portType name="SecurityTokenResponseService"> + <wsdl:operation name="RequestSecurityTokenResponse"> + <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + <wsdl:binding name="Transport_Binding" type="wstrust:STS"> + <wsp:PolicyReference URI="#Transport_policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="Issue"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Validate"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Cancel"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Renew"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="KeyExchangeToken"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="RequestCollection"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:binding name="Transport_Kerberos_Binding" type="wstrust:STS"> + <wsp:PolicyReference URI="#Transport_Kerberos_policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="Issue"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Validate"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:service name="SecurityTokenService"> + <wsdl:port name="Transport_Port" binding="tns:Transport_Binding"> + <soap:address location="https://localhost:8084/SecurityTokenService/Transport"/> + </wsdl:port> + <wsdl:port name="Transport_Kerberos_Port" binding="tns:Transport_Kerberos_Binding"> + <soap:address location="https://localhost:8084/SecurityTokenService/Kerberos"/> + </wsdl:port> + </wsdl:service> + <wsp:Policy wsu:Id="Transport_policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsap10:UsingAddressing/> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy> + <sp:RequireClientCertificate/> + </wsp:Policy> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + </wsp:Policy> + </sp:TransportBinding> + <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Transport_Kerberos_policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsap10:UsingAddressing/> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy> + <sp:RequireClientCertificate/> + </wsp:Policy> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:TripleDes/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + </wsp:Policy> + </sp:TransportBinding> + <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:KerberosToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once"> + <wsp:Policy> + <sp:WssGssKerberosV5ApReqToken11/> + </wsp:Policy> + </sp:KerberosToken> + </wsp:Policy> + </sp:SupportingTokens> + <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Input_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Output_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> +</wsdl:definitions> http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/serviceKeystore.properties ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/serviceKeystore.properties b/systests/kerberos/src/test/resources/serviceKeystore.properties new file mode 100644 index 0000000..7657a5f --- /dev/null +++ b/systests/kerberos/src/test/resources/serviceKeystore.properties @@ -0,0 +1,24 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.password=sspass +org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey +org.apache.ws.security.crypto.merlin.keystore.file=servicestore.jks + http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/servicestore.jks ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/servicestore.jks b/systests/kerberos/src/test/resources/servicestore.jks new file mode 100644 index 0000000..0dfa206 Binary files /dev/null and b/systests/kerberos/src/test/resources/servicestore.jks differ http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/stsKeystore.properties ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/stsKeystore.properties b/systests/kerberos/src/test/resources/stsKeystore.properties new file mode 100644 index 0000000..2f132ea --- /dev/null +++ b/systests/kerberos/src/test/resources/stsKeystore.properties @@ -0,0 +1,23 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.password=stsspass +org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks + http://git-wip-us.apache.org/repos/asf/cxf/blob/1314a594/systests/kerberos/src/test/resources/stsstore.jks ---------------------------------------------------------------------- diff --git a/systests/kerberos/src/test/resources/stsstore.jks b/systests/kerberos/src/test/resources/stsstore.jks new file mode 100644 index 0000000..e805906 Binary files /dev/null and b/systests/kerberos/src/test/resources/stsstore.jks differ