[CXF-5697] Some minor updates for WHICH_JAR
[cxf.git] / services / sts / systests / basic / src / test / java / org / apache / cxf / systest / sts / rest / STSRESTTest.java
1 /**
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19 package org.apache.cxf.systest.sts.rest;
20
21 import java.io.IOException;
22 import java.io.InputStream;
23 import java.io.InputStreamReader;
24 import java.net.URL;
25 import java.nio.charset.StandardCharsets;
26 import java.security.KeyStore;
27 import java.security.KeyStoreException;
28 import java.security.NoSuchAlgorithmException;
29 import java.security.cert.Certificate;
30 import java.security.cert.CertificateException;
31 import java.security.cert.X509Certificate;
32 import java.util.List;
33
34 import javax.security.auth.callback.CallbackHandler;
35 import javax.ws.rs.core.Response;
36 import javax.xml.bind.JAXBElement;
37 import javax.xml.transform.dom.DOMSource;
38
39 import org.w3c.dom.Document;
40 import org.w3c.dom.Element;
41
42 import org.apache.cxf.Bus;
43 import org.apache.cxf.bus.spring.SpringBusFactory;
44 import org.apache.cxf.common.util.Base64Utility;
45 import org.apache.cxf.common.util.CompressionUtils;
46 import org.apache.cxf.jaxrs.client.WebClient;
47 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
48 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
49 import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
50 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
51 import org.apache.cxf.rt.security.claims.Claim;
52 import org.apache.cxf.rt.security.claims.ClaimCollection;
53 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
54 import org.apache.cxf.staxutils.StaxUtils;
55 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
56 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
57 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
58 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
59 import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
60 import org.apache.cxf.ws.security.sts.provider.model.StatusType;
61 import org.apache.cxf.ws.security.trust.STSUtils;
62 import org.apache.wss4j.common.crypto.Crypto;
63 import org.apache.wss4j.common.crypto.CryptoFactory;
64 import org.apache.wss4j.common.saml.OpenSAMLUtil;
65 import org.apache.wss4j.common.saml.SAMLKeyInfo;
66 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
67 import org.apache.wss4j.common.util.Loader;
68 import org.apache.wss4j.dom.WSDocInfo;
69 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
70 import org.apache.wss4j.dom.handler.RequestData;
71 import org.apache.wss4j.dom.processor.Processor;
72 import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
73 import org.junit.Assert;
74 import org.junit.BeforeClass;
75
76 /**
77 * Some tests for the REST interface of the CXF STS.
78 */
79 public class STSRESTTest extends AbstractBusClientServerTestBase {
80
81 static final String STSPORT = allocatePort(STSRESTServer.class);
82
83 private static final String SAML1_TOKEN_TYPE =
84 "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
85 private static final String SAML2_TOKEN_TYPE =
86 "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
87 private static final String JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
88 private static final String SYMMETRIC_KEY_KEYTYPE =
89 "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
90 private static final String PUBLIC_KEY_KEYTYPE =
91 "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
92 private static final String BEARER_KEYTYPE =
93 "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
94 private static final String DEFAULT_ADDRESS =
95 "https://localhost:8081/doubleit/services/doubleittransportsaml1";
96
97 @BeforeClass
98 public static void startServers() throws Exception {
99 assertTrue(
100 "Server failed to launch",
101 // run the server in the same process
102 // set this to false to fork
103 launchServer(STSRESTServer.class, true)
104 );
105 }
106
107 @org.junit.AfterClass
108 public static void cleanup() throws Exception {
109 SecurityTestUtil.cleanup();
110 stopAllServers();
111 }
112
113 @org.junit.Test
114 public void testIssueSAML2Token() throws Exception {
115 SpringBusFactory bf = new SpringBusFactory();
116 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
117
118 Bus bus = bf.createBus(busFile.toString());
119 SpringBusFactory.setDefaultBus(bus);
120 SpringBusFactory.setThreadDefaultBus(bus);
121
122 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
123 WebClient client = WebClient.create(address, busFile.toString());
124
125 client.accept("application/xml");
126 client.path("saml2.0");
127
128 Response response = client.get();
129 Document assertionDoc = response.readEntity(Document.class);
130 assertNotNull(assertionDoc);
131
132 // Process the token
133 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
134
135 assertTrue(results != null && results.size() == 1);
136 SamlAssertionWrapper assertion =
137 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
138 assertTrue(assertion != null);
139 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
140 assertTrue(assertion.isSigned());
141
142 bus.shutdown(true);
143 }
144
145 @org.junit.Test
146 public void testIssueSAML1Token() throws Exception {
147 SpringBusFactory bf = new SpringBusFactory();
148 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
149
150 Bus bus = bf.createBus(busFile.toString());
151 SpringBusFactory.setDefaultBus(bus);
152 SpringBusFactory.setThreadDefaultBus(bus);
153
154 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
155 WebClient client = WebClient.create(address, busFile.toString());
156
157 client.accept("application/xml");
158 client.path("saml1.1");
159
160 Response response = client.get();
161 Document assertionDoc = response.readEntity(Document.class);
162 assertNotNull(assertionDoc);
163
164 // Process the token
165 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
166
167 assertTrue(results != null && results.size() == 1);
168 SamlAssertionWrapper assertion =
169 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
170 assertTrue(assertion != null);
171 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
172 assertTrue(assertion.isSigned());
173
174 bus.shutdown(true);
175 }
176
177 @org.junit.Test
178 public void testIssueSymmetricKeySaml1() throws Exception {
179 SpringBusFactory bf = new SpringBusFactory();
180 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
181
182 Bus bus = bf.createBus(busFile.toString());
183 SpringBusFactory.setDefaultBus(bus);
184 SpringBusFactory.setThreadDefaultBus(bus);
185
186 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
187 WebClient client = WebClient.create(address, busFile.toString());
188
189 client.accept("application/xml");
190 client.path("saml1.1");
191 client.query("keyType", SYMMETRIC_KEY_KEYTYPE);
192
193 Response response = client.get();
194 Document assertionDoc = response.readEntity(Document.class);
195 assertNotNull(assertionDoc);
196
197 // Process the token
198 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
199
200 assertTrue(results != null && results.size() == 1);
201 SamlAssertionWrapper assertion =
202 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
203 assertTrue(assertion != null);
204 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
205 assertTrue(assertion.isSigned());
206
207 List<String> methods = assertion.getConfirmationMethods();
208 String confirmMethod = null;
209 if (methods != null && methods.size() > 0) {
210 confirmMethod = methods.get(0);
211 }
212 assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
213 SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
214 assertTrue(subjectKeyInfo.getSecret() != null);
215
216 bus.shutdown(true);
217 }
218
219 @org.junit.Test
220 public void testIssueSymmetricKeySaml1ShortKeyType() throws Exception {
221 SpringBusFactory bf = new SpringBusFactory();
222 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
223
224 Bus bus = bf.createBus(busFile.toString());
225 SpringBusFactory.setDefaultBus(bus);
226 SpringBusFactory.setThreadDefaultBus(bus);
227
228 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
229 WebClient client = WebClient.create(address, busFile.toString());
230
231 client.accept("application/xml");
232 client.path("saml1.1");
233 client.query("keyType", "SymmetricKey");
234
235 Response response = client.get();
236 Document assertionDoc = response.readEntity(Document.class);
237 assertNotNull(assertionDoc);
238
239 // Process the token
240 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
241
242 assertTrue(results != null && results.size() == 1);
243 SamlAssertionWrapper assertion =
244 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
245 assertTrue(assertion != null);
246 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
247 assertTrue(assertion.isSigned());
248
249 List<String> methods = assertion.getConfirmationMethods();
250 String confirmMethod = null;
251 if (methods != null && methods.size() > 0) {
252 confirmMethod = methods.get(0);
253 }
254 assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
255 SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
256 assertTrue(subjectKeyInfo.getSecret() != null);
257
258 bus.shutdown(true);
259 }
260
261 @org.junit.Test
262 public void testIssuePublicKeySAML2Token() throws Exception {
263 SpringBusFactory bf = new SpringBusFactory();
264 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
265
266 Bus bus = bf.createBus(busFile.toString());
267 SpringBusFactory.setDefaultBus(bus);
268 SpringBusFactory.setThreadDefaultBus(bus);
269
270 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
271 WebClient client = WebClient.create(address, busFile.toString());
272
273 client.accept("application/xml");
274 client.path("saml2.0");
275 client.query("keyType", PUBLIC_KEY_KEYTYPE);
276
277 Response response = client.get();
278 Document assertionDoc = response.readEntity(Document.class);
279 assertNotNull(assertionDoc);
280
281 // Process the token
282 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
283
284 assertTrue(results != null && results.size() == 1);
285 SamlAssertionWrapper assertion =
286 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
287 assertTrue(assertion != null);
288 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
289 assertTrue(assertion.isSigned());
290
291 List<String> methods = assertion.getConfirmationMethods();
292 String confirmMethod = null;
293 if (methods != null && methods.size() > 0) {
294 confirmMethod = methods.get(0);
295 }
296 assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
297 SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
298 assertTrue(subjectKeyInfo.getCerts() != null);
299
300 bus.shutdown(true);
301 }
302
303 @org.junit.Test
304 public void testIssuePublicKeySAML2TokenShortKeyType() throws Exception {
305 SpringBusFactory bf = new SpringBusFactory();
306 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
307
308 Bus bus = bf.createBus(busFile.toString());
309 SpringBusFactory.setDefaultBus(bus);
310 SpringBusFactory.setThreadDefaultBus(bus);
311
312 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
313 WebClient client = WebClient.create(address, busFile.toString());
314
315 client.accept("application/xml");
316 client.path("saml2.0");
317 client.query("keyType", "PublicKey");
318
319 Response response = client.get();
320 Document assertionDoc = response.readEntity(Document.class);
321 assertNotNull(assertionDoc);
322
323 // Process the token
324 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
325
326 assertTrue(results != null && results.size() == 1);
327 SamlAssertionWrapper assertion =
328 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
329 assertTrue(assertion != null);
330 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
331 assertTrue(assertion.isSigned());
332
333 List<String> methods = assertion.getConfirmationMethods();
334 String confirmMethod = null;
335 if (methods != null && methods.size() > 0) {
336 confirmMethod = methods.get(0);
337 }
338 assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
339 SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
340 assertTrue(subjectKeyInfo.getCerts() != null);
341
342 bus.shutdown(true);
343 }
344
345 @org.junit.Test
346 public void testIssueBearerSAML1Token() throws Exception {
347 SpringBusFactory bf = new SpringBusFactory();
348 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
349
350 Bus bus = bf.createBus(busFile.toString());
351 SpringBusFactory.setDefaultBus(bus);
352 SpringBusFactory.setThreadDefaultBus(bus);
353
354 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
355 WebClient client = WebClient.create(address, busFile.toString());
356
357 client.accept("application/xml");
358 client.path("saml1.1");
359 client.query("keyType", BEARER_KEYTYPE);
360
361 Response response = client.get();
362 Document assertionDoc = response.readEntity(Document.class);
363 assertNotNull(assertionDoc);
364
365 // Process the token
366 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
367
368 assertTrue(results != null && results.size() == 1);
369 SamlAssertionWrapper assertion =
370 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
371 assertTrue(assertion != null);
372 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
373 assertTrue(assertion.isSigned());
374
375 List<String> methods = assertion.getConfirmationMethods();
376 String confirmMethod = null;
377 if (methods != null && methods.size() > 0) {
378 confirmMethod = methods.get(0);
379 }
380 assertTrue(confirmMethod.contains("bearer"));
381
382 bus.shutdown(true);
383 }
384
385 @org.junit.Test
386 public void testIssueBearerSAML1TokenShorKeyType() throws Exception {
387 SpringBusFactory bf = new SpringBusFactory();
388 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
389
390 Bus bus = bf.createBus(busFile.toString());
391 SpringBusFactory.setDefaultBus(bus);
392 SpringBusFactory.setThreadDefaultBus(bus);
393
394 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
395 WebClient client = WebClient.create(address, busFile.toString());
396
397 client.accept("application/xml");
398 client.path("saml1.1");
399 client.query("keyType", "Bearer");
400
401 Response response = client.get();
402 Document assertionDoc = response.readEntity(Document.class);
403 assertNotNull(assertionDoc);
404
405 // Process the token
406 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
407
408 assertTrue(results != null && results.size() == 1);
409 SamlAssertionWrapper assertion =
410 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
411 assertTrue(assertion != null);
412 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
413 assertTrue(assertion.isSigned());
414
415 List<String> methods = assertion.getConfirmationMethods();
416 String confirmMethod = null;
417 if (methods != null && methods.size() > 0) {
418 confirmMethod = methods.get(0);
419 }
420 assertTrue(confirmMethod.contains("bearer"));
421
422 bus.shutdown(true);
423 }
424
425 @org.junit.Test
426 public void testIssueSAML2TokenAppliesTo() throws Exception {
427 SpringBusFactory bf = new SpringBusFactory();
428 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
429
430 Bus bus = bf.createBus(busFile.toString());
431 SpringBusFactory.setDefaultBus(bus);
432 SpringBusFactory.setThreadDefaultBus(bus);
433
434 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
435 WebClient client = WebClient.create(address, busFile.toString());
436
437 client.accept("application/xml");
438 client.path("saml2.0");
439 client.query("appliesTo", DEFAULT_ADDRESS);
440
441 Response response = client.get();
442 Document assertionDoc = response.readEntity(Document.class);
443 assertNotNull(assertionDoc);
444
445 // Process the token
446 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
447
448 assertTrue(results != null && results.size() == 1);
449 SamlAssertionWrapper assertion =
450 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
451 assertTrue(assertion != null);
452 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
453 assertTrue(assertion.isSigned());
454
455 bus.shutdown(true);
456 }
457
458 @org.junit.Test
459 public void testIssueSAML2TokenUnknownAppliesTo() throws Exception {
460 SpringBusFactory bf = new SpringBusFactory();
461 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
462
463 Bus bus = bf.createBus(busFile.toString());
464 SpringBusFactory.setDefaultBus(bus);
465 SpringBusFactory.setThreadDefaultBus(bus);
466
467 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
468 WebClient client = WebClient.create(address, busFile.toString());
469
470 client.accept("application/xml");
471 client.path("saml2.0");
472 client.query("appliesTo", "https://localhost:8081/tripleit/");
473
474 Response response = client.get();
475 try {
476 response.readEntity(Document.class);
477 fail("Failure expected on an unknown AppliesTo address");
478 } catch (Exception ex) {
479 // expected
480 }
481
482 bus.shutdown(true);
483 }
484
485 @org.junit.Test
486 public void testIssueSAML2TokenClaims() throws Exception {
487 SpringBusFactory bf = new SpringBusFactory();
488 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
489
490 Bus bus = bf.createBus(busFile.toString());
491 SpringBusFactory.setDefaultBus(bus);
492 SpringBusFactory.setThreadDefaultBus(bus);
493
494 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
495 WebClient client = WebClient.create(address, busFile.toString());
496
497 client.accept("application/xml");
498 client.path("saml2.0");
499
500 // First check that the role isn't usually in the generated token
501
502 Response response = client.get();
503 Document assertionDoc = response.readEntity(Document.class);
504 assertNotNull(assertionDoc);
505
506 // Process the token
507 List<WSSecurityEngineResult> results = processToken(assertionDoc.getDocumentElement());
508
509 assertTrue(results != null && results.size() == 1);
510 SamlAssertionWrapper assertion =
511 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
512 assertTrue(assertion != null);
513 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
514 assertTrue(assertion.isSigned());
515
516 ClaimCollection claims = SAMLUtils.getClaims(assertion);
517 assertEquals(1, claims.size());
518 Claim claim = claims.get(0);
519 String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
520 assertNotEquals(claim.getClaimType().toString(), role);
521
522 // Now get another token specifying the role
523 client.query("claim", role);
524 response = client.get();
525 assertionDoc = response.readEntity(Document.class);
526 assertNotNull(assertionDoc);
527
528 // Process the token
529 results = processToken(assertionDoc.getDocumentElement());
530
531 assertTrue(results != null && results.size() == 1);
532 assertion =
533 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
534 assertTrue(assertion != null);
535 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
536 assertTrue(assertion.isSigned());
537
538 claims = SAMLUtils.getClaims(assertion);
539 assertEquals(1, claims.size());
540 claim = claims.get(0);
541 assertEquals(claim.getClaimType().toString(), role);
542 assertEquals("ordinary-user", claim.getValues().get(0));
543
544 bus.shutdown(true);
545 }
546
547 @org.junit.Test
548 public void testIssueSAML2TokenViaWSTrust() throws Exception {
549 SpringBusFactory bf = new SpringBusFactory();
550 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
551
552 Bus bus = bf.createBus(busFile.toString());
553 SpringBusFactory.setDefaultBus(bus);
554 SpringBusFactory.setThreadDefaultBus(bus);
555
556 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
557 WebClient client = WebClient.create(address, busFile.toString());
558
559 client.accept("application/xml");
560 client.path("saml2.0");
561 client.query("wstrustResponse", "true");
562
563 Response response = client.get();
564 RequestSecurityTokenResponseType securityResponse =
565 response.readEntity(RequestSecurityTokenResponseType.class);
566
567 validateSAMLSecurityTokenResponse(securityResponse, true);
568
569 bus.shutdown(true);
570 }
571
572 @org.junit.Test
573 public void testIssueSAML2TokenViaPOST() throws Exception {
574 SpringBusFactory bf = new SpringBusFactory();
575 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
576
577 Bus bus = bf.createBus(busFile.toString());
578 SpringBusFactory.setDefaultBus(bus);
579 SpringBusFactory.setThreadDefaultBus(bus);
580
581 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
582 WebClient client = WebClient.create(address, busFile.toString());
583
584 client.type("application/xml").accept("application/xml");
585
586 // Create RequestSecurityToken
587 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
588 String namespace = STSUtils.WST_NS_05_12;
589 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
590 writer.writeNamespace("wst", namespace);
591
592 writer.writeStartElement("wst", "RequestType", namespace);
593 writer.writeCharacters(namespace + "/Issue");
594 writer.writeEndElement();
595
596 writer.writeStartElement("wst", "TokenType", namespace);
597 writer.writeCharacters(SAML2_TOKEN_TYPE);
598 writer.writeEndElement();
599
600 writer.writeEndElement();
601
602 Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
603
604 RequestSecurityTokenResponseType securityResponse =
605 response.readEntity(RequestSecurityTokenResponseType.class);
606
607 validateSAMLSecurityTokenResponse(securityResponse, true);
608
609 bus.shutdown(true);
610 }
611
612 @org.junit.Test
613 public void testExplicitlyIssueSAML2TokenViaPOST() throws Exception {
614 SpringBusFactory bf = new SpringBusFactory();
615 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
616
617 Bus bus = bf.createBus(busFile.toString());
618 SpringBusFactory.setDefaultBus(bus);
619 SpringBusFactory.setThreadDefaultBus(bus);
620
621 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
622 WebClient client = WebClient.create(address, busFile.toString());
623
624 client.type("application/xml").accept("application/xml");
625 client.query("action", "issue");
626
627 // Create RequestSecurityToken
628 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
629 String namespace = STSUtils.WST_NS_05_12;
630 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
631 writer.writeNamespace("wst", namespace);
632
633 writer.writeStartElement("wst", "RequestType", namespace);
634 writer.writeCharacters(namespace + "/Issue");
635 writer.writeEndElement();
636
637 writer.writeStartElement("wst", "TokenType", namespace);
638 writer.writeCharacters(SAML2_TOKEN_TYPE);
639 writer.writeEndElement();
640
641 writer.writeEndElement();
642
643 Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
644
645 RequestSecurityTokenResponseType securityResponse =
646 response.readEntity(RequestSecurityTokenResponseType.class);
647
648 validateSAMLSecurityTokenResponse(securityResponse, true);
649
650 bus.shutdown(true);
651 }
652
653 @org.junit.Test
654 public void testExplicitlyIssueSAML1TokenViaPOST() throws Exception {
655 SpringBusFactory bf = new SpringBusFactory();
656 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
657
658 Bus bus = bf.createBus(busFile.toString());
659 SpringBusFactory.setDefaultBus(bus);
660 SpringBusFactory.setThreadDefaultBus(bus);
661
662 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
663 WebClient client = WebClient.create(address, busFile.toString());
664
665 client.type("application/xml").accept("application/xml");
666 client.query("action", "issue");
667
668 // Create RequestSecurityToken
669 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
670 String namespace = STSUtils.WST_NS_05_12;
671 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
672 writer.writeNamespace("wst", namespace);
673
674 writer.writeStartElement("wst", "RequestType", namespace);
675 writer.writeCharacters(namespace + "/Issue");
676 writer.writeEndElement();
677
678 writer.writeStartElement("wst", "TokenType", namespace);
679 writer.writeCharacters(SAML1_TOKEN_TYPE);
680 writer.writeEndElement();
681
682 writer.writeEndElement();
683
684 Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
685
686 RequestSecurityTokenResponseType securityResponse =
687 response.readEntity(RequestSecurityTokenResponseType.class);
688
689 validateSAMLSecurityTokenResponse(securityResponse, false);
690
691 bus.shutdown(true);
692 }
693
694 @org.junit.Test
695 public void testValidateSAML2Token() throws Exception {
696 SpringBusFactory bf = new SpringBusFactory();
697 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
698
699 Bus bus = bf.createBus(busFile.toString());
700 SpringBusFactory.setDefaultBus(bus);
701 SpringBusFactory.setThreadDefaultBus(bus);
702
703 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
704 WebClient client = WebClient.create(address, busFile.toString());
705
706 client.type("application/xml").accept("application/xml");
707 client.path("saml2.0");
708
709 // 1. Get a token via GET
710 Response response = client.get();
711 Document assertionDoc = response.readEntity(Document.class);
712 assertNotNull(assertionDoc);
713
714 // 2. Now validate it in the STS using POST
715 client = WebClient.create(address, busFile.toString());
716
717 client.type("application/xml").accept("application/xml");
718 client.query("action", "validate");
719
720 // Create RequestSecurityToken
721 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
722 String namespace = STSUtils.WST_NS_05_12;
723 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
724 writer.writeNamespace("wst", namespace);
725
726 writer.writeStartElement("wst", "RequestType", namespace);
727 writer.writeCharacters(namespace + "/Validate");
728 writer.writeEndElement();
729
730 writer.writeStartElement("wst", "TokenType", namespace);
731 String tokenType = namespace + "/RSTR/Status";
732 writer.writeCharacters(tokenType);
733 writer.writeEndElement();
734
735 writer.writeStartElement("wst", "ValidateTarget", namespace);
736 StaxUtils.copy(assertionDoc.getDocumentElement(), writer);
737 writer.writeEndElement();
738
739 writer.writeEndElement();
740
741 response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
742
743 RequestSecurityTokenResponseType securityResponse =
744 response.readEntity(RequestSecurityTokenResponseType.class);
745
746 StatusType status = null;
747 for (Object obj : securityResponse.getAny()) {
748 if (obj instanceof JAXBElement<?>) {
749 JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
750 if ("Status".equals(jaxbElement.getName().getLocalPart())) {
751 status = (StatusType)jaxbElement.getValue();
752 break;
753 }
754 }
755 }
756 assertNotNull(status);
757
758 // Check the token was valid
759 String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";
760 assertEquals(validCode, status.getCode());
761
762 bus.shutdown(true);
763 }
764
765 @org.junit.Test
766 public void testRenewSAML2Token() throws Exception {
767 SpringBusFactory bf = new SpringBusFactory();
768 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
769
770 Bus bus = bf.createBus(busFile.toString());
771 SpringBusFactory.setDefaultBus(bus);
772 SpringBusFactory.setThreadDefaultBus(bus);
773
774 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
775 WebClient client = WebClient.create(address, busFile.toString());
776
777 client.type("application/xml").accept("application/xml");
778 client.query("action", "issue");
779
780 // 1. Get a token via POST
781
782 // Create RequestSecurityToken
783 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
784 String namespace = STSUtils.WST_NS_05_12;
785 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
786 writer.writeNamespace("wst", namespace);
787
788 writer.writeStartElement("wst", "RequestType", namespace);
789 writer.writeCharacters(namespace + "/Issue");
790 writer.writeEndElement();
791
792 writer.writeStartElement("wst", "TokenType", namespace);
793 writer.writeCharacters(SAML2_TOKEN_TYPE);
794 writer.writeEndElement();
795
796 writer.writeEndElement();
797
798 Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
799
800 RequestSecurityTokenResponseType securityResponse =
801 response.readEntity(RequestSecurityTokenResponseType.class);
802 Element token = validateSAMLSecurityTokenResponse(securityResponse, true);
803
804 // 2. Now validate it in the STS using POST
805 client = WebClient.create(address, busFile.toString());
806
807 client.type("application/xml").accept("application/xml");
808 client.query("action", "renew");
809
810 // Create RequestSecurityToken
811 writer = new W3CDOMStreamWriter();
812 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
813 writer.writeNamespace("wst", namespace);
814
815 writer.writeStartElement("wst", "RequestType", namespace);
816 writer.writeCharacters(namespace + "/Renew");
817 writer.writeEndElement();
818
819 writer.writeStartElement("wst", "RenewTarget", namespace);
820 StaxUtils.copy(token, writer);
821 writer.writeEndElement();
822
823 writer.writeEndElement();
824
825 response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
826
827 securityResponse = response.readEntity(RequestSecurityTokenResponseType.class);
828
829 validateSAMLSecurityTokenResponse(securityResponse, true);
830
831 bus.shutdown(true);
832 }
833
834 @org.junit.Test
835 public void testIssueSAML2TokenPlain() throws Exception {
836 SpringBusFactory bf = new SpringBusFactory();
837 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
838
839 Bus bus = bf.createBus(busFile.toString());
840 SpringBusFactory.setDefaultBus(bus);
841 SpringBusFactory.setThreadDefaultBus(bus);
842
843 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
844 WebClient client = WebClient.create(address, busFile.toString());
845
846 client.accept("text/plain");
847 client.path("saml2.0");
848
849 Response response = client.get();
850 String encodedAssertion = response.readEntity(String.class);
851 assertNotNull(encodedAssertion);
852
853 byte[] deflatedToken = Base64Utility.decode(encodedAssertion);
854 InputStream inputStream = CompressionUtils.inflate(deflatedToken);
855 Document doc =
856 StaxUtils.read(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
857
858 // Process the token
859 List<WSSecurityEngineResult> results = processToken(doc.getDocumentElement());
860
861 assertTrue(results != null && results.size() == 1);
862 SamlAssertionWrapper assertion =
863 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
864 assertTrue(assertion != null);
865 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
866 assertTrue(assertion.isSigned());
867
868 bus.shutdown(true);
869 }
870
871 @org.junit.Test
872 public void testIssueJWTTokenPlain() throws Exception {
873 SpringBusFactory bf = new SpringBusFactory();
874 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
875
876 Bus bus = bf.createBus(busFile.toString());
877 SpringBusFactory.setDefaultBus(bus);
878 SpringBusFactory.setThreadDefaultBus(bus);
879
880 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
881 WebClient client = WebClient.create(address, busFile.toString());
882
883 client.accept("text/plain");
884 client.path("jwt");
885
886 Response response = client.get();
887 String token = response.readEntity(String.class);
888 assertNotNull(token);
889
890 validateJWTToken(token, null);
891 }
892
893 @org.junit.Test
894 public void testIssueJWTTokenAppliesTo() throws Exception {
895 SpringBusFactory bf = new SpringBusFactory();
896 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
897
898 Bus bus = bf.createBus(busFile.toString());
899 SpringBusFactory.setDefaultBus(bus);
900 SpringBusFactory.setThreadDefaultBus(bus);
901
902 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
903 WebClient client = WebClient.create(address, busFile.toString());
904
905 client.accept("text/plain");
906 client.path("jwt");
907 client.query("appliesTo", DEFAULT_ADDRESS);
908
909 Response response = client.get();
910 String token = response.readEntity(String.class);
911 assertNotNull(token);
912
913 validateJWTToken(token, DEFAULT_ADDRESS);
914 }
915
916 @org.junit.Test
917 public void testIssueJWTTokenClaims() throws Exception {
918 SpringBusFactory bf = new SpringBusFactory();
919 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
920
921 Bus bus = bf.createBus(busFile.toString());
922 SpringBusFactory.setDefaultBus(bus);
923 SpringBusFactory.setThreadDefaultBus(bus);
924
925 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
926 WebClient client = WebClient.create(address, busFile.toString());
927
928 client.accept("text/plain");
929 client.path("jwt");
930
931 // First check that the role isn't usually in the generated token
932
933 Response response = client.get();
934 String token = response.readEntity(String.class);
935 assertNotNull(token);
936
937 JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
938 JwtToken jwt = jwtConsumer.getJwtToken();
939
940 String role = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
941 assertTrue(jwt.getClaim(role) == null);
942
943 // Now get another token specifying the role
944 client.query("claim", role);
945
946 response = client.get();
947 token = response.readEntity(String.class);
948 assertNotNull(token);
949
950 // Process the token
951 validateJWTToken(token, null);
952
953 jwtConsumer = new JwsJwtCompactConsumer(token);
954 jwt = jwtConsumer.getJwtToken();
955 assertEquals("ordinary-user", jwt.getClaim(role));
956
957 bus.shutdown(true);
958 }
959
960 @org.junit.Test
961 public void testIssueJWTTokenViaPOST() throws Exception {
962 SpringBusFactory bf = new SpringBusFactory();
963 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
964
965 Bus bus = bf.createBus(busFile.toString());
966 SpringBusFactory.setDefaultBus(bus);
967 SpringBusFactory.setThreadDefaultBus(bus);
968
969 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
970 WebClient client = WebClient.create(address, busFile.toString());
971
972 client.type("application/xml").accept("application/xml");
973
974 // Create RequestSecurityToken
975 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
976 String namespace = STSUtils.WST_NS_05_12;
977 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
978 writer.writeNamespace("wst", namespace);
979
980 writer.writeStartElement("wst", "RequestType", namespace);
981 writer.writeCharacters(namespace + "/Issue");
982 writer.writeEndElement();
983
984 writer.writeStartElement("wst", "TokenType", namespace);
985 writer.writeCharacters(JWT_TOKEN_TYPE);
986 writer.writeEndElement();
987
988 writer.writeEndElement();
989
990 Response response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
991
992 RequestSecurityTokenResponseType securityResponse =
993 response.readEntity(RequestSecurityTokenResponseType.class);
994
995 RequestedSecurityTokenType requestedSecurityToken = getRequestedSecurityToken(securityResponse);
996 assertNotNull(requestedSecurityToken);
997
998 String token = ((Element)requestedSecurityToken.getAny()).getTextContent();
999 assertNotNull(token);
1000
1001 validateJWTToken(token, null);
1002
1003 bus.shutdown(true);
1004 }
1005
1006 @org.junit.Test
1007 public void testValidateSAMLAndIssueJWT() throws Exception {
1008 SpringBusFactory bf = new SpringBusFactory();
1009 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1010
1011 Bus bus = bf.createBus(busFile.toString());
1012 SpringBusFactory.setDefaultBus(bus);
1013 SpringBusFactory.setThreadDefaultBus(bus);
1014
1015 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1016 WebClient client = WebClient.create(address, busFile.toString());
1017
1018 client.accept("application/xml");
1019 client.path("saml2.0");
1020
1021 // 1. Get a token via GET
1022 Response response = client.get();
1023 Document assertionDoc = response.readEntity(Document.class);
1024 assertNotNull(assertionDoc);
1025
1026 // 2. Now validate it in the STS using POST
1027 client = WebClient.create(address, busFile.toString());
1028
1029 client.type("application/xml").accept("application/xml");
1030 client.query("action", "validate");
1031
1032 // Create RequestSecurityToken
1033 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
1034 String namespace = STSUtils.WST_NS_05_12;
1035 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
1036 writer.writeNamespace("wst", namespace);
1037
1038 writer.writeStartElement("wst", "RequestType", namespace);
1039 writer.writeCharacters(namespace + "/Validate");
1040 writer.writeEndElement();
1041
1042 writer.writeStartElement("wst", "TokenType", namespace);
1043 writer.writeCharacters(JWT_TOKEN_TYPE);
1044 writer.writeEndElement();
1045
1046 writer.writeStartElement("wst", "ValidateTarget", namespace);
1047 StaxUtils.copy(assertionDoc.getDocumentElement(), writer);
1048 writer.writeEndElement();
1049
1050 writer.writeEndElement();
1051
1052 response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
1053
1054 RequestSecurityTokenResponseType securityResponse =
1055 response.readEntity(RequestSecurityTokenResponseType.class);
1056
1057 StatusType status = null;
1058 for (Object obj : securityResponse.getAny()) {
1059 if (obj instanceof JAXBElement<?>) {
1060 JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
1061 if ("Status".equals(jaxbElement.getName().getLocalPart())) {
1062 status = (StatusType)jaxbElement.getValue();
1063 break;
1064 }
1065 }
1066 }
1067 assertNotNull(status);
1068
1069 // Check the token was valid
1070 String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";
1071 assertEquals(validCode, status.getCode());
1072
1073 // Check the token
1074 RequestedSecurityTokenType requestedSecurityToken = getRequestedSecurityToken(securityResponse);
1075 assertNotNull(requestedSecurityToken);
1076
1077 String token = ((Element)requestedSecurityToken.getAny()).getTextContent();
1078 assertNotNull(token);
1079
1080 validateJWTToken(token, null);
1081
1082 bus.shutdown(true);
1083 }
1084
1085 @org.junit.Test
1086 public void testValidateJWTAndIssueSAML() throws Exception {
1087 SpringBusFactory bf = new SpringBusFactory();
1088 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1089
1090 Bus bus = bf.createBus(busFile.toString());
1091 SpringBusFactory.setDefaultBus(bus);
1092 SpringBusFactory.setThreadDefaultBus(bus);
1093
1094 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1095 WebClient client = WebClient.create(address, busFile.toString());
1096
1097 client.accept("text/plain");
1098 client.path("jwt");
1099
1100 // 1. Get a token via GET
1101 Response response = client.get();
1102 String token = response.readEntity(String.class);
1103 assertNotNull(token);
1104
1105 // 2. Now validate it in the STS using POST
1106 client = WebClient.create(address, busFile.toString());
1107
1108 client.type("application/xml").accept("application/xml");
1109 client.query("action", "validate");
1110
1111 // Create RequestSecurityToken
1112 W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
1113 String namespace = STSUtils.WST_NS_05_12;
1114 writer.writeStartElement("wst", "RequestSecurityToken", namespace);
1115 writer.writeNamespace("wst", namespace);
1116
1117 writer.writeStartElement("wst", "RequestType", namespace);
1118 writer.writeCharacters(namespace + "/Validate");
1119 writer.writeEndElement();
1120
1121 writer.writeStartElement("wst", "TokenType", namespace);
1122 writer.writeCharacters(SAML2_TOKEN_TYPE);
1123 writer.writeEndElement();
1124
1125 writer.writeStartElement("wst", "ValidateTarget", namespace);
1126 writer.writeStartElement(null, "TokenWrapper", null);
1127 writer.writeCharacters(token);
1128 writer.writeEndElement();
1129 writer.writeEndElement();
1130
1131 writer.writeEndElement();
1132
1133 response = client.post(new DOMSource(writer.getDocument().getDocumentElement()));
1134
1135 RequestSecurityTokenResponseType securityResponse =
1136 response.readEntity(RequestSecurityTokenResponseType.class);
1137
1138 StatusType status = null;
1139 for (Object obj : securityResponse.getAny()) {
1140 if (obj instanceof JAXBElement<?>) {
1141 JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
1142 if ("Status".equals(jaxbElement.getName().getLocalPart())) {
1143 status = (StatusType)jaxbElement.getValue();
1144 break;
1145 }
1146 }
1147 }
1148 assertNotNull(status);
1149
1150 // Check the token was valid
1151 String validCode = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid";
1152 assertEquals(validCode, status.getCode());
1153
1154 // Check the token
1155 validateSAMLSecurityTokenResponse(securityResponse, true);
1156
1157 bus.shutdown(true);
1158 }
1159
1160 @org.junit.Test
1161 public void testIssueJWTTokenXMLWrapper() throws Exception {
1162 SpringBusFactory bf = new SpringBusFactory();
1163 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1164
1165 Bus bus = bf.createBus(busFile.toString());
1166 SpringBusFactory.setDefaultBus(bus);
1167 SpringBusFactory.setThreadDefaultBus(bus);
1168
1169 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1170 WebClient client = WebClient.create(address, busFile.toString());
1171
1172 client.accept("application/xml");
1173 client.path("jwt");
1174
1175 Response response = client.get();
1176 Document assertionDoc = response.readEntity(Document.class);
1177 assertNotNull(assertionDoc);
1178
1179 // Discard XML wrapper
1180 validateJWTToken(assertionDoc.getDocumentElement().getFirstChild().getTextContent(), null);
1181 }
1182
1183 @org.junit.Test
1184 public void testIssueJWTTokenJSONWrapper() throws Exception {
1185 SpringBusFactory bf = new SpringBusFactory();
1186 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1187
1188 Bus bus = bf.createBus(busFile.toString());
1189 SpringBusFactory.setDefaultBus(bus);
1190 SpringBusFactory.setThreadDefaultBus(bus);
1191
1192 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1193 WebClient client = WebClient.create(address, busFile.toString());
1194
1195 client.accept("application/json");
1196 client.path("jwt");
1197
1198 client.get();
1199 }
1200
1201 @org.junit.Test
1202 public void testDefaultSAMLFormat() throws Exception {
1203 SpringBusFactory bf = new SpringBusFactory();
1204 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1205
1206 Bus bus = bf.createBus(busFile.toString());
1207 SpringBusFactory.setDefaultBus(bus);
1208 SpringBusFactory.setThreadDefaultBus(bus);
1209
1210 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1211 WebClient client = WebClient.create(address, busFile.toString());
1212
1213 client.accept("*");
1214 client.path("saml");
1215
1216 Response response = client.get();
1217 // It should be XML
1218 Document doc = response.readEntity(Document.class);
1219 assertNotNull(doc);
1220 }
1221
1222 @org.junit.Test
1223 public void testDefaultJWTFormat() throws Exception {
1224 SpringBusFactory bf = new SpringBusFactory();
1225 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1226
1227 Bus bus = bf.createBus(busFile.toString());
1228 SpringBusFactory.setDefaultBus(bus);
1229 SpringBusFactory.setThreadDefaultBus(bus);
1230
1231 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1232 WebClient client = WebClient.create(address, busFile.toString());
1233
1234 client.accept("*");
1235 client.path("jwt");
1236
1237 Response response = client.get();
1238 // It should be XML
1239 Document doc = response.readEntity(Document.class);
1240 assertNotNull(doc);
1241 }
1242
1243 @org.junit.Test
1244 public void testIssueSAMLTokenWithWrongAcceptType() throws Exception {
1245 SpringBusFactory bf = new SpringBusFactory();
1246 URL busFile = STSRESTTest.class.getResource("cxf-client.xml");
1247
1248 Bus bus = bf.createBus(busFile.toString());
1249 SpringBusFactory.setDefaultBus(bus);
1250 SpringBusFactory.setThreadDefaultBus(bus);
1251
1252 String address = "https://localhost:" + STSPORT + "/SecurityTokenService/token";
1253 WebClient client = WebClient.create(address, busFile.toString());
1254
1255 client.accept("application/json");
1256 client.path("saml2.0");
1257
1258 Response response = client.get();
1259 try {
1260 response.readEntity(Document.class);
1261 fail("Failure expected on an bad accept type");
1262 } catch (Exception ex) {
1263 // expected
1264 }
1265
1266 bus.shutdown(true);
1267 }
1268
1269 private Element validateSAMLSecurityTokenResponse(
1270 RequestSecurityTokenResponseType securityResponse, boolean saml2
1271 ) throws Exception {
1272 RequestedSecurityTokenType requestedSecurityToken = getRequestedSecurityToken(securityResponse);
1273 assertNotNull(requestedSecurityToken);
1274
1275 // Process the token
1276 List<WSSecurityEngineResult> results =
1277 processToken((Element)requestedSecurityToken.getAny());
1278
1279 assertTrue(results != null && results.size() == 1);
1280 SamlAssertionWrapper assertion =
1281 (SamlAssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
1282 assertTrue(assertion != null);
1283 if (saml2) {
1284 assertTrue(assertion.getSaml2() != null && assertion.getSaml1() == null);
1285 } else {
1286 assertTrue(assertion.getSaml2() == null && assertion.getSaml1() != null);
1287 }
1288 assertTrue(assertion.isSigned());
1289
1290 return (Element)results.get(0).get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
1291 }
1292
1293 private RequestedSecurityTokenType getRequestedSecurityToken(RequestSecurityTokenResponseType securityResponse) {
1294 for (Object obj : securityResponse.getAny()) {
1295 if (obj instanceof JAXBElement<?>) {
1296 JAXBElement<?> jaxbElement = (JAXBElement<?>)obj;
1297 if ("RequestedSecurityToken".equals(jaxbElement.getName().getLocalPart())) {
1298 return (RequestedSecurityTokenType)jaxbElement.getValue();
1299 }
1300 }
1301 }
1302 return null;
1303 }
1304
1305 private List<WSSecurityEngineResult> processToken(Element assertionElement)
1306 throws Exception {
1307 RequestData requestData = new RequestData();
1308 requestData.setDisableBSPEnforcement(true);
1309 CallbackHandler callbackHandler = new org.apache.cxf.systest.sts.common.CommonCallbackHandler();
1310 requestData.setCallbackHandler(callbackHandler);
1311 Crypto crypto = CryptoFactory.getInstance("serviceKeystore.properties");
1312 requestData.setDecCrypto(crypto);
1313 requestData.setSigVerCrypto(crypto);
1314
1315 Processor processor = new SAMLTokenProcessor();
1316 return processor.handleToken(
1317 assertionElement, requestData, new WSDocInfo(assertionElement.getOwnerDocument())
1318 );
1319 }
1320
1321 private void validateJWTToken(String token, String audience)
1322 throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
1323 JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
1324 JwtToken jwt = jwtConsumer.getJwtToken();
1325
1326 // Validate claims
1327 Assert.assertEquals("DoubleItSTSIssuer", jwt.getClaim(JwtConstants.CLAIM_ISSUER));
1328 if (audience != null) {
1329 @SuppressWarnings("unchecked")
1330 List<String> audiences = (List<String>)jwt.getClaim(JwtConstants.CLAIM_AUDIENCE);
1331 assertEquals(1, audiences.size());
1332 Assert.assertEquals(audience, audiences.get(0));
1333 }
1334 Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
1335 Assert.assertNotNull(jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
1336
1337 KeyStore keystore = KeyStore.getInstance("JKS");
1338 keystore.load(Loader.getResource("keys/servicestore.jks").openStream(), "sspass".toCharArray());
1339 Certificate cert = keystore.getCertificate("mystskey");
1340 Assert.assertNotNull(cert);
1341
1342 Assert.assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert,
1343 SignatureAlgorithm.RS256));
1344 }
1345
1346 }