Add the ability to set a custom claim type in the generated token # Conflicts: # services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java # services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java # services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fb414c7a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fb414c7a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fb414c7a Branch: refs/heads/3.1.x-fixes Commit: fb414c7abfb5de8bf95462a9de23335d4320af4e Parents: af13152 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Jul 11 13:11:49 2017 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Jul 11 13:14:05 2017 +0100 ---------------------------------------------------------------------- .../sts/rest/RESTSecurityTokenServiceImpl.java | 1 + .../provider/jwt/DefaultJWTClaimsProvider.java | 29 +++++++- .../cxf/sts/token/provider/JWTClaimsTest.java | 77 +++++++++++++++++++- .../cxf/systest/sts/rest/STSRESTTest.java | 14 ++-- .../cxf/systest/sts/rest/cxf-rest-sts.xml | 7 ++ 5 files changed, 115 insertions(+), 13 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb414c7a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java ----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
index bcc31a4..f3d0719 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/rest/RESTSecurityTokenServiceImpl.java
@@ -77,6 +77,7 @@ public class RESTSecurityTokenServiceImpl extends SecurityTokenServiceImpl imple
 DEFAULT_CLAIM_TYPE_MAP = new HashMap<String, String>();
 DEFAULT_CLAIM_TYPE_MAP.put("emailaddress", CLAIM_TYPE_NS + "/claims/emailaddress");
 DEFAULT_CLAIM_TYPE_MAP.put("role", CLAIM_TYPE_NS + "/claims/role");
+ DEFAULT_CLAIM_TYPE_MAP.put("roles", CLAIM_TYPE_NS + "/claims/role");
 DEFAULT_CLAIM_TYPE_MAP.put("surname", CLAIM_TYPE_NS + "/claims/surname");
 DEFAULT_CLAIM_TYPE_MAP.put("givenname", CLAIM_TYPE_NS + "/claims/givenname");
 DEFAULT_CLAIM_TYPE_MAP.put("name", CLAIM_TYPE_NS + "/claims/name");
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb414c7a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java ----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
index fee93df..6b4ffe0 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/jwt/DefaultJWTClaimsProvider.java
@@ -24,6 +24,7 @@ import java.util.ArrayList;
 import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 import java.util.logging.Logger;
@@ -60,7 +61,8 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
 private boolean failLifetimeExceedance = true;
 private boolean acceptClientLifetime;
 private long futureTimeToLive = 60L;
-
+ private Map<String, String> claimTypeMap;
+
 /**
 * Get a JwtClaims object.
 */
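Review bot: The new `roles` entry resolves to the same URI as the existing `role` entry, and nothing on the line says why a second short name is being accepted; the STSRESTTest and cxf-rest-sts.xml changes in this commit show it is the JWT claim name DefaultJWTClaimsProvider emits for the role URI when a claimTypeMap is configured, so a client can send back the name it sees in the token. A comment above the line would spare the next reader that search: `// "roles": also accept the JWT claim name DefaultJWTClaimsProvider emits for the role URI (see claimTypeMap) as a request alias`. The static initializer this line sits in starts before the hunk.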
@@ -158,7 +160,7 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
 if (claim.getValues().size() == 1) {
 claimValues = claim.getValues().get(0);
 }
- claims.setProperty(claim.getClaimType().toString(), claimValues);
+ claims.setProperty(translateClaim(claim.getClaimType().toString()), claimValues);
 }
 }
 }
@@ -277,7 +279,14 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
 }
 }
 }
-
+
+ private String translateClaim(String claimType) {
+ if (claimTypeMap == null || !claimTypeMap.containsKey(claimType)) {
+ return claimType;
+ }
+ return claimTypeMap.get(claimType);
+ }
+
 public boolean isUseX500CN() {
 return useX500CN;
 }
@@ -366,5 +375,17 @@ public class DefaultJWTClaimsProvider implements JWTClaimsProvider {
 public void setFailLifetimeExceedance(boolean failLifetimeExceedance) {
 this.failLifetimeExceedance = failLifetimeExceedance;
 }
-
+
+ public Map<String, String> getClaimTypeMap() {
+ return claimTypeMap;
+ }
+
+ /**
+ * Specify a way to map ClaimType URIs to custom ClaimTypes
+ * @param claimTypeMap
+ */
+ public void setClaimTypeMap(Map<String, String> claimTypeMap) {
+ this.claimTypeMap = claimTypeMap;
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb414c7a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java ----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
index 6e33ea4..88cb020 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/JWTClaimsTest.java
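Review bot: `translateClaim` in the `@@ -277` hunk accepts any configured string, so a map value equal to a registered claim name such as `sub`, `exp`, `iss` or `aud` makes the `claims.setProperty(translateClaim(...), claimValues)` call in the `@@ -158` hunk write a requested claim over one the provider sets itself; whether that overwrite wins depends on the order in which the registered claims are set on the same JwtClaims, which is outside the hunk. The map is deployment configuration rather than request input, but a check for a mapped name that is already present on `claims` (log and skip, or fail) would make a misconfiguration loud instead of issuing a token with a wrong subject or expiry. The double lookup could also be a single one, `String mapped = claimTypeMap.get(claimType); return mapped != null ? mapped : claimType;`, at the cost of treating an explicit null value as no mapping. A Javadoc line `/** Returns the custom claim name configured for {@code claimType}, or the URI itself when no mapping applies. */` would document the fall-through.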
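Review bot: `setClaimTypeMap` in the `@@ -366` hunk keeps the caller's map and `getClaimTypeMap` returns that same instance, so the translation table can be changed after the provider is wired without going through the setter, and a map shared between two providers propagates edits between them. A copy in the setter, `this.claimTypeMap = claimTypeMap == null ? null : new HashMap<>(claimTypeMap);` (HashMap would need importing next to the new Map import), plus `Collections.unmodifiableMap` in the getter, fixes the configuration once set. The setter's Javadoc has an empty `@param`; `@param claimTypeMap ClaimType URI (as a String) to the claim name to emit in the JwtClaims, or null to emit the URI unchanged` states what translateClaim actually looks up.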
@@ -40,6 +40,7 @@ import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.KeyRequirements;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.jwt.DefaultJWTClaimsProvider;
 import org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
@@ -210,7 +211,81 @@ public class JWTClaimsTest extends org.junit.Assert {
 JwtToken jwt = jwtConsumer.getJwtToken();
 assertEquals(jwt.getClaim(CLAIM_STATIC_COMPANY.toString()), CLAIM_STATIC_COMPANY_VALUE);
 }
-
+
+ @org.junit.Test
+ public void testJWTRoleUsingURI() throws Exception {
+ TokenProvider tokenProvider = new JWTTokenProvider();
+ TokenProviderParameters providerParameters =
+ createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE, null);
+
+ ClaimsManager claimsManager = new ClaimsManager();
+ ClaimsHandler claimsHandler = new CustomClaimsHandler();
+ claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
+ providerParameters.setClaimsManager(claimsManager);
+
+ ClaimCollection claims = new ClaimCollection();
+
+ URI role = URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+
+ Claim claim = new Claim();
+ claim.setClaimType(role);
+ claims.add(claim);
+
+ providerParameters.setRequestedPrimaryClaims(claims);
+
+ assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+ TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+ String token = (String)providerResponse.getToken();
+ assertNotNull(token);
+
+ JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+ JwtToken jwt = jwtConsumer.getJwtToken();
+ assertEquals(jwt.getClaim(role.toString()), "DUMMY");
+ }
+
+ @org.junit.Test
+ public void testJWTRoleUsingCustomReturnType() throws Exception {
+ TokenProvider tokenProvider = new JWTTokenProvider();
+ TokenProviderParameters providerParameters =
+ createProviderParameters(JWTTokenProvider.JWT_TOKEN_TYPE, null);
+
+ ClaimsManager claimsManager = new ClaimsManager();
+ ClaimsHandler claimsHandler = new CustomClaimsHandler();
+ claimsManager.setClaimHandlers(Collections.singletonList(claimsHandler));
+ providerParameters.setClaimsManager(claimsManager);
+
+ ClaimCollection claims = new ClaimCollection();
+
+ URI role = URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");
+
+ Claim claim = new Claim();
+ claim.setClaimType(role);
+ claims.add(claim);
+
+ providerParameters.setRequestedPrimaryClaims(claims);
+
+ Map<String, String> claimTypeMap = new HashMap<>();
+ claimTypeMap.put(role.toString(), "roles");
+ DefaultJWTClaimsProvider claimsProvider = new DefaultJWTClaimsProvider();
+ claimsProvider.setClaimTypeMap(claimTypeMap);
+ ((JWTTokenProvider)tokenProvider).setJwtClaimsProvider(claimsProvider);
+
+ assertTrue(tokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
+ TokenProviderResponse providerResponse = tokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+ String token = (String)providerResponse.getToken();
+ assertNotNull(token);
+
+ JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
+ JwtToken jwt = jwtConsumer.getJwtToken();
+ assertEquals(jwt.getClaim("roles"), "DUMMY");
+ }
+
 private TokenProviderParameters createProviderParameters(
 String tokenType, String appliesTo
 ) throws WSSecurityException {
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb414c7a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java ----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
index 4cc6b66..fbe4b2a 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java
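Review bot: `testJWTRoleUsingCustomReturnType` checks that the token carries `roles` but not that the URI-named claim is absent, so a provider that emitted the claim under both names would still pass; `assertNull(jwt.getClaim(role.toString()));` beside the final assertEquals pins the rename. The two tests repeat about twenty identical lines of setup (provider parameters, claims manager, the role claim); a private helper returning the prepared `TokenProviderParameters` would leave each test with only the part it is about. In both, `assertEquals(jwt.getClaim(...), "DUMMY")` puts the actual value in the expected position, so a failure message would read backwards, and `assertTrue(providerResponse != null)` is `assertNotNull(providerResponse)`.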
@@ -936,13 +936,11 @@ public class STSRESTTest extends AbstractBusClientServerTestBase {
 JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
 JwtToken jwt = jwtConsumer.getJwtToken();
-
- String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
- assertTrue(jwt.getClaim(role) == null);
-
+ assertTrue(jwt.getClaim("roles") == null);
+
 // Now get another token specifying the role
- client.query("claim", role);
-
+ client.query("claim", "roles");
+
 response = client.get();
 token = response.readEntity(String.class);
 assertNotNull(token);
@@ -952,8 +950,8 @@ public class STSRESTTest extends AbstractBusClientServerTestBase {
 jwtConsumer = new JwsJwtCompactConsumer(token);
 jwt = jwtConsumer.getJwtToken();
- assertEquals("ordinary-user", jwt.getClaim(role));
-
+ assertEquals("ordinary-user", jwt.getClaim("roles"));
+
 bus.shutdown(true);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/fb414c7a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml ----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
index 0a6828e..fabb124 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml
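Review bot: The literal `"roles"` now appears three times across both hunks with nothing linking it to its origin: it is the value the `claimTypes` map in cxf-rest-sts.xml assigns to the role URI, and the `client.query("claim", "roles")` request only resolves because RESTSecurityTokenServiceImpl registers `roles` as an alias for that URI in the same commit. A comment at the first use, `// "roles" is the JWT claim name cxf-rest-sts.xml maps the role URI to (claimTypeMap)`, or a named constant, makes that coupling visible. `assertTrue(jwt.getClaim("roles") == null)` reads more directly as `assertNull(jwt.getClaim("roles"))`. The test method begins before the first hunk.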
@@ -77,7 +77,14 @@
 </bean>
 <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
 </bean>
+ <util:map id="claimTypes">
+ <entry key="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" value="roles"/>
+ </util:map>
+ <bean id="customJWTClaimsProvider" class="org.apache.cxf.sts.token.provider.jwt.DefaultJWTClaimsProvider">
+ <property name="claimTypeMap" ref="claimTypes"/>
+ </bean>
 <bean id="transportJWTTokenProvider" class="org.apache.cxf.sts.token.provider.jwt.JWTTokenProvider">
+ <property name="jwtClaimsProvider" ref="customJWTClaimsProvider" />
 </bean>
 <bean id="transportJWTTokenValidator" class="org.apache.cxf.sts.token.validator.jwt.JWTTokenValidator">
 </bean>
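Review bot: The new `claimTypes` map and `customJWTClaimsProvider` bean carry no comment, so a reader has to open DefaultJWTClaimsProvider to learn that the single entry renames the role URI to the bare claim name `roles` in JWTs issued through `transportJWTTokenProvider`, and that STSRESTTest depends on that name. An XML comment above the map, `<!-- Emit the WS-Trust role claim URI as the short JWT claim name "roles"; STSRESTTest requests and reads the claim under this name -->`, records the intent next to the configuration. The map only affects the JWT provider it is wired into; the `transportSamlTokenProvider` bean above is untouched by it.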