[picketlink-commits] Picketlink SVN: r1358 - in product/trunk/picketlink-core/src: main/java/org/picketlink/identity/federation/web/constants and 5 other directories.
picketlink-commits at lists.jboss.org
picketlink-commits at lists.jboss.org
Tue Jan 31 17:13:34 EST 2012
Author: anil.saldhana at jboss.com
Date: 2012-01-31 17:13:31 -0500 (Tue, 31 Jan 2012)
New Revision: 1358
Added:
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/AbstractSAML2RedirectWithSignatureTestCase.java
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutSignatureTomcatWorkflowUnitTestCase.java
Modified:
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/
product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/RedirectBindingSignatureUtil.java
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaRequest.java
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/
product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
Log:
merge changes from -r1328 to 1337
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web:1152-1173,1329-1337
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-01-31 22:12:56 UTC (rev 1357)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -89,6 +89,10 @@
String SAML_REQUEST_KEY = "SAMLRequest";
String SAML_RESPONSE_KEY = "SAMLResponse";
+
+ String SAML_SIG_ALG_REQUEST_KEY = "SigAlg";
+
+ String SAML_SIGNATURE_REQUEST_KEY = "Signature";
String DECRYPTING_KEY = "DECRYPTING_KEY";
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1138-1141,1152-1173
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/constants/GeneralConstants.java:1138-1141,1152-1173,1329-1337
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1147,1152-1173
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2:1144-1147,1152-1173,1329-1337
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1144-1147,1152-1173,1295-1298
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/handlers/saml2/SAML2AuthenticationHandler.java:1144-1147,1152-1173,1295-1298,1329-1337
Property changes on: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1302-1320
+ /federation/trunk/picketlink-bindings/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-bindings-jboss/src/main/java/org/picketlink/identity/federation/web/util:1159-1173,1192-1228
/federation/trunk/picketlink-fed-api/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173,1192-1228
/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1192-1228
/federation/trunk/picketlink-fed-model/src/main/java/org/picketlink/identity/federation/web/util:1152-1154,1159-1173
/federation/trunk/picketlink-web/src/main/java/org/picketlink/identity/federation/web/util:1152-1173,1302-1320,1329-1337
Modified: product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/RedirectBindingSignatureUtil.java
===================================================================
--- product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/RedirectBindingSignatureUtil.java 2012-01-31 22:12:56 UTC (rev 1357)
+++ product/trunk/picketlink-core/src/main/java/org/picketlink/identity/federation/web/util/RedirectBindingSignatureUtil.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -52,6 +52,7 @@
*/
public class RedirectBindingSignatureUtil
{
+
/**
* Get the URL for the SAML request that contains the signature and signature algorithm
* @param authRequest
@@ -69,16 +70,19 @@
// Deal with the original request
StringWriter sw = new StringWriter();
+
saml2Request.marshall(authRequest, sw);
//URL Encode the Request
String urlEncodedRequest = RedirectBindingUtil.deflateBase64URLEncode(sw.toString());
String urlEncodedRelayState = null;
+
if (isNotNull(relayState))
urlEncodedRelayState = URLEncoder.encode(relayState, "UTF-8");
- byte[] sigValue = computeSignature("SAMLRequest=" + urlEncodedRequest, urlEncodedRelayState, signingKey);
+ byte[] sigValue = computeSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+ signingKey);
//Now construct the URL
return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, sigValue,
@@ -110,7 +114,8 @@
if (isNotNull(relayState))
urlEncodedRelayState = URLEncoder.encode(relayState, "UTF-8");
- byte[] sigValue = computeSignature("SAMLResponse=" + urlEncodedResponse, urlEncodedRelayState, signingKey);
+ byte[] sigValue = computeSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+ signingKey);
//Now construct the URL
return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, sigValue,
@@ -129,7 +134,8 @@
public static String getSAMLRequestURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState,
PrivateKey signingKey) throws IOException, GeneralSecurityException
{
- byte[] sigValue = computeSignature("SAMLRequest=" + urlEncodedRequest, urlEncodedRelayState, signingKey);
+ byte[] sigValue = computeSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+ signingKey);
return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, sigValue,
signingKey.getAlgorithm());
}
@@ -146,7 +152,8 @@
public static String getSAMLResponseURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState,
PrivateKey signingKey) throws IOException, GeneralSecurityException
{
- byte[] sigValue = computeSignature("SAMLResponse=" + urlEncodedResponse, urlEncodedRelayState, signingKey);
+ byte[] sigValue = computeSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+ signingKey);
return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, sigValue,
signingKey.getAlgorithm());
}
@@ -163,7 +170,7 @@
public static AuthnRequestType getRequestFromSignedURL(String signedURL) throws ConfigurationException,
ProcessingException, ParsingException, IOException
{
- String samlRequestTokenValue = getTokenValue(signedURL, "SAMLRequest");
+ String samlRequestTokenValue = getTokenValue(signedURL, GeneralConstants.SAML_REQUEST_KEY);
SAML2Request saml2Request = new SAML2Request();
return saml2Request.getAuthnRequestType(RedirectBindingUtil.urlBase64DeflateDecode(samlRequestTokenValue));
@@ -177,7 +184,7 @@
*/
public static byte[] getSignatureValueFromSignedURL(String signedURL) throws IOException
{
- String sigValueTokenValue = getTokenValue(signedURL, "Signature");
+ String sigValueTokenValue = getTokenValue(signedURL, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
if (sigValueTokenValue == null)
throw new IllegalArgumentException(ErrorCodes.NULL_VALUE + "Signature Token is not present");
return RedirectBindingUtil.urlBase64Decode(sigValueTokenValue);
@@ -199,40 +206,58 @@
throws UnsupportedEncodingException, GeneralSecurityException
{
//Construct the url again
- String reqFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SAMLRequest");
+ StringBuilder sb = new StringBuilder();
+
+ if (isRequestQueryString(queryString))
+ {
+ addParameter(sb, GeneralConstants.SAML_REQUEST_KEY,
+ RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY));
+ }
+ else
+ {
+ addParameter(sb, GeneralConstants.SAML_RESPONSE_KEY,
+ RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_RESPONSE_KEY));
+ }
+
String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.RELAY_STATE);
- String sigAlgFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, "SigAlg");
- StringBuilder sb = new StringBuilder();
- sb.append("SAMLRequest=").append(reqFromURL);
-
if (isNotNull(relayStateFromURL))
{
- sb.append("&RelayState=").append(relayStateFromURL);
+ addParameter(sb, GeneralConstants.RELAY_STATE, relayStateFromURL);
}
- sb.append("&SigAlg=").append(sigAlgFromURL);
+ addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY,
+ RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY));
+
return SignatureUtil.validate(sb.toString().getBytes("UTF-8"), sigValue, validatingKey);
}
+ private static boolean isRequestQueryString(String queryString)
+ {
+ return RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY) != null;
+ }
+
//***************** Private Methods **************
- private static byte[] computeSignature(String requestOrResponseKeyValuePair, String urlEncodedRelayState,
+ private static byte[] computeSignature(String samlParameter, String urlEncoded, String urlEncodedRelayState,
PrivateKey signingKey) throws IOException, GeneralSecurityException
{
StringBuilder sb = new StringBuilder();
- sb.append(requestOrResponseKeyValuePair);
+
+ addParameter(sb, samlParameter, urlEncoded);
+
if (isNotNull(urlEncodedRelayState))
{
- sb.append("&RelayState=").append(urlEncodedRelayState);
+ addParameter(sb, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
}
+
//SigAlg
String algo = signingKey.getAlgorithm();
String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
- sb.append("&SigAlg=").append(sigAlg);
+ addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlg);
byte[] sigValue = SignatureUtil.sign(sb.toString(), signingKey);
@@ -242,49 +267,54 @@
private static String getRequestRedirectURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState,
byte[] signature, String sigAlgo) throws IOException
{
+ return getRedirectURLWithSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+ signature, sigAlgo);
+ }
+
+ private static String getResponseRedirectURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState,
+ byte[] signature, String sigAlgo) throws IOException
+ {
+ return getRedirectURLWithSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+ signature, sigAlgo);
+ }
+
+ private static String getRedirectURLWithSignature(String samlParameter, String urlEncoded,
+ String urlEncodedRelayState, byte[] signature, String sigAlgo) throws IOException
+ {
StringBuilder sb = new StringBuilder();
- sb.append("SAMLRequest=").append(urlEncodedRequest);
+
+ addParameter(sb, samlParameter, urlEncoded);
+
if (isNotNull(urlEncodedRelayState))
{
- sb.append("&").append("RelayState=").append(urlEncodedRelayState);
+ addParameter(sb, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
}
+
//SigAlg
String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(sigAlgo);
sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
- sb.append("&").append("SigAlg=").append(sigAlg);
+ addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlg);
//Encode the signature value
String encodedSig = RedirectBindingUtil.base64URLEncode(signature);
- sb.append("&").append("Signature=").append(encodedSig);
+ addParameter(sb, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, encodedSig);
return sb.toString();
}
- private static String getResponseRedirectURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState,
- byte[] signature, String sigAlgo) throws IOException
+ private static void addParameter(StringBuilder queryString, String paramName, String paramValue)
{
- StringBuilder sb = new StringBuilder();
- sb.append("SAMLResponse=").append(urlEncodedResponse);
- if (isNotNull(urlEncodedRelayState))
+ String parameterSeparator = "&";
+
+ if (queryString.length() == 0)
{
- sb.append("&").append("RelayState=").append(urlEncodedRelayState);
+ parameterSeparator = "";
}
- //SigAlg
- String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(sigAlgo);
- sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
-
- sb.append("&").append("SigAlg=").append(sigAlg);
-
- //Encode the signature value
- String encodedSig = RedirectBindingUtil.base64URLEncode(signature);
-
- sb.append("&").append("Signature=").append(encodedSig);
-
- return sb.toString();
+ queryString.append(parameterSeparator).append(paramName).append("=").append(paramValue);
}
private static String getToken(String queryString, String token)
Property changes on: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings
___________________________________________________________________
Added: svn:mergeinfo
+ /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings:1140-1173,1329-1337
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings:1152-1154,1159-1173,1192-1228
Modified: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2012-01-31 22:12:56 UTC (rev 1357)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaContext.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -879,7 +879,7 @@
return null;
}
- public RequestDispatcher getRequestDispatcher(String arg0)
+ public RequestDispatcher getRequestDispatcher(final String path)
{
return new RequestDispatcher()
{
@@ -890,6 +890,11 @@
public void forward(ServletRequest arg0, ServletResponse arg1) throws ServletException, IOException
{
+ if (arg0 instanceof MockCatalinaRequest) {
+ MockCatalinaRequest mockRequest = (MockCatalinaRequest) arg0;
+
+ mockRequest.setForwardPath(path);
+ }
}
};
}
Modified: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaRequest.java
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaRequest.java 2012-01-31 22:12:56 UTC (rev 1357)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/mock/MockCatalinaRequest.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -44,6 +44,7 @@
private String method;
private String remotee;
private String queryString;
+ private String forwardPath;
@Override
@@ -154,4 +155,14 @@
this.params.clear();
this.session = null;
}
+
+ public String getForwardPath()
+ {
+ return this.forwardPath;
+ }
+
+ public void setForwardPath(String path)
+ {
+ this.forwardPath = path;
+ }
}
\ No newline at end of file
Property changes on: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow
___________________________________________________________________
Modified: svn:mergeinfo
- /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1140-1173,1307-1318,1321-1325
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1152-1154,1159-1173,1192-1228
+ /federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1140-1173,1307-1318,1321-1325,1329-1337
/federation/trunk/picketlink-fed-api/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1192-1228
/federation/trunk/picketlink-fed-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow:1152-1154,1159-1173,1192-1228
Copied: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/AbstractSAML2RedirectWithSignatureTestCase.java (from rev 1337, federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/AbstractSAML2RedirectWithSignatureTestCase.java)
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/AbstractSAML2RedirectWithSignatureTestCase.java (rev 0)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/AbstractSAML2RedirectWithSignatureTestCase.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -0,0 +1,288 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2011, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpSession;
+
+import junit.framework.Assert;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Session;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.identity.federation.web.core.IdentityServer;
+import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRealm;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * Abstract class to create SAML2 Redirect Binding testcases using signatures.
+ *
+ * @author Pedro Igor
+ * @since Dec 2, 2011
+ */
+public abstract class AbstractSAML2RedirectWithSignatureTestCase
+{
+ protected static final String BASE_PROFILE = "saml2/redirect";
+
+ private static final String IDP_PROFILE = BASE_PROFILE + "/idp-sig/";
+
+ private MockCatalinaSession idpHttpSession = new MockCatalinaSession();
+
+ protected IDPWebBrowserSSOValve createIdentityProvider()
+ {
+ Thread.currentThread().setContextClassLoader(setupTCL(IDP_PROFILE));
+
+ IDPWebBrowserSSOValve idpWebBrowserSSOValve = new IDPWebBrowserSSOValve();
+
+ MockCatalinaContext catalinaContext = new MockCatalinaContext();
+
+ idpWebBrowserSSOValve.setContainer(catalinaContext);
+
+ catalinaContext.setAttribute("IDENTITY_SERVER", new IdentityServer());
+
+ idpWebBrowserSSOValve.setSignOutgoingMessages(true);
+ idpWebBrowserSSOValve.setIgnoreIncomingSignatures(false);
+ idpWebBrowserSSOValve.setValidatingAliasToTokenIssuer(true);
+
+ try
+ {
+ idpWebBrowserSSOValve.start();
+ }
+ catch (LifecycleException e)
+ {
+ e.printStackTrace();
+ }
+
+ return idpWebBrowserSSOValve;
+ }
+
+ protected void addIdentityServerParticipants(IDPWebBrowserSSOValve idp, String url) {
+ IdentityServer identityServer = getIdentityServer(idp);
+
+ identityServer.stack().register(getIDPHttpSession().getId(), url, false);
+ }
+
+ protected MockCatalinaSession getIDPHttpSession()
+ {
+ return this.idpHttpSession;
+ }
+
+ protected IdentityServer getIdentityServer(IDPWebBrowserSSOValve idp)
+ {
+ return (IdentityServer) ((MockCatalinaContext) idp.getContainer()).getAttribute("IDENTITY_SERVER");
+ }
+
+ protected SPRedirectSignatureFormAuthenticator createServiceProvider(String spProfile)
+ {
+ Thread.currentThread().setContextClassLoader(setupTCL(spProfile));
+
+ SPRedirectSignatureFormAuthenticator sp = new SPRedirectSignatureFormAuthenticator();
+
+ sp.setIdpAddress("192.168.1.1");
+
+ sp.setContainer(new MockCatalinaContext());
+
+ try
+ {
+ sp.testStart();
+ }
+ catch (LifecycleException e)
+ {
+ Assert.fail("Error while creating Employee SP.");
+ }
+
+ return sp;
+ }
+
+ protected void setQueryStringFromResponse(MockCatalinaResponse idpLogoutEmployeeResponse,
+ MockCatalinaRequest idpLogoutResponseRequest) throws IOException
+ {
+ String samlParameter = null;
+ String samlParameterValue = null;
+
+ if (idpLogoutEmployeeResponse.redirectString.contains(GeneralConstants.SAML_REQUEST_KEY + "="))
+ {
+ samlParameter = GeneralConstants.SAML_REQUEST_KEY;
+ samlParameterValue = getSAMLRequest(idpLogoutEmployeeResponse);
+ }
+ else
+ {
+ samlParameter = GeneralConstants.SAML_RESPONSE_KEY;
+ samlParameterValue = getSAMLResponse(idpLogoutEmployeeResponse);
+ }
+
+ idpLogoutResponseRequest.setParameter(samlParameter, RedirectBindingUtil.urlDecode(samlParameterValue));
+
+ boolean hasRelayState = idpLogoutEmployeeResponse.redirectString.indexOf("&RelayState") != -1;
+
+ if (hasRelayState)
+ {
+ idpLogoutResponseRequest.setParameter(GeneralConstants.RELAY_STATE,
+ RedirectBindingUtil.urlDecode(getSAMLRelayState(idpLogoutEmployeeResponse)));
+ }
+
+ idpLogoutResponseRequest.setParameter(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY,
+ RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpLogoutEmployeeResponse)));
+ idpLogoutResponseRequest.setParameter(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY,
+ RedirectBindingUtil.urlDecode(getSAMLSignature(idpLogoutEmployeeResponse)));
+
+ StringBuffer queryString = new StringBuffer();
+
+ queryString.append(samlParameter + "=" + samlParameterValue);
+
+ if (hasRelayState)
+ {
+ queryString.append("&").append(GeneralConstants.RELAY_STATE).append("=")
+ .append(getSAMLRelayState(idpLogoutEmployeeResponse));
+ }
+
+ queryString.append("&").append(GeneralConstants.SAML_SIG_ALG_REQUEST_KEY).append("=")
+ .append(getSAMLSigAlg(idpLogoutEmployeeResponse));
+ queryString.append("&").append(GeneralConstants.SAML_SIGNATURE_REQUEST_KEY).append("=")
+ .append(getSAMLSignature(idpLogoutEmployeeResponse));
+
+ idpLogoutResponseRequest.setQueryString(queryString.toString());
+ }
+
+ protected String getSAMLResponse(MockCatalinaResponse response)
+ {
+ int endIndex = response.redirectString.indexOf("&SigAlg=");
+
+ if (response.redirectString.contains("&RelayState="))
+ {
+ endIndex = response.redirectString.indexOf("&RelayState=");
+ }
+
+ return response.redirectString.substring(
+ response.redirectString.indexOf(GeneralConstants.SAML_RESPONSE_KEY + "=")
+ + (GeneralConstants.SAML_RESPONSE_KEY + "=").length(), endIndex);
+ }
+
+ protected String getSAMLSignature(MockCatalinaResponse response)
+ {
+ return response.redirectString.substring(response.redirectString.indexOf("&Signature=") + "&Signature=".length());
+ }
+
+ protected String getSAMLRelayState(MockCatalinaResponse response)
+ {
+ return response.redirectString.substring(
+ response.redirectString.indexOf("&RelayState=") + "&RelayState=".length(),
+ response.redirectString.lastIndexOf("&SigAlg="));
+ }
+
+ protected String getSAMLSigAlg(MockCatalinaResponse response)
+ {
+ return response.redirectString.substring(response.redirectString.indexOf("&SigAlg=") + "&SigAlg=".length(),
+ response.redirectString.lastIndexOf("&Signature="));
+ }
+
+ protected String getSAMLRequest(MockCatalinaResponse response)
+ {
+ int endIndex = response.redirectString.indexOf("&SigAlg=");
+
+ if (response.redirectString.contains("&RelayState="))
+ {
+ endIndex = response.redirectString.indexOf("&RelayState=");
+ }
+
+ return response.redirectString.substring(response.redirectString.indexOf(GeneralConstants.SAML_REQUEST_KEY + "=")
+ + (GeneralConstants.SAML_REQUEST_KEY + "=").length(), endIndex);
+ }
+
+ protected MockCatalinaRequest createRequest(HttpSession httpSession, boolean withUserPrincipal)
+ {
+ MockCatalinaRequest request = createRequest("192.168.1.3", withUserPrincipal);
+
+ request.setSession((Session) httpSession);
+
+ return request;
+ }
+
+ protected MockCatalinaRequest createRequest(String userAddress, boolean withUserPrincipal)
+ {
+ MockCatalinaRequest request = new MockCatalinaRequest();
+
+ request = new MockCatalinaRequest();
+ request.setMethod("GET");
+ request.setRemoteAddr(userAddress);
+ request.setSession(new MockCatalinaSession());
+ request.setContext(new MockCatalinaContext());
+
+ if (withUserPrincipal) {
+ request.setUserPrincipal(createPrincipal());
+ }
+
+ return request;
+ }
+
+ protected MockCatalinaRequest createIDPRequest(boolean withUserPrincipal)
+ {
+ return createRequest(this.getIDPHttpSession(), withUserPrincipal);
+ }
+
+ protected GenericPrincipal createPrincipal()
+ {
+ MockCatalinaRealm realm = new MockCatalinaRealm("user", "user", new Principal()
+ {
+ public String getName()
+ {
+ return "user";
+ }
+ });
+ List<String> roles = new ArrayList<String>();
+ roles.add("manager");
+ roles.add("employee");
+
+ List<String> rolesList = new ArrayList<String>();
+ rolesList.add("manager");
+
+ return new GenericPrincipal(realm, "user", "user", roles);
+ }
+
+ protected MockCatalinaContextClassLoader setupTCL(String resource)
+ {
+ URL[] urls = new URL[]
+
+ {Thread.currentThread().getContextClassLoader().getResource(resource)};
+
+ MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
+
+ mcl.setDelegate(Thread.currentThread().getContextClassLoader());
+ mcl.setProfile(resource);
+
+ return mcl;
+ }
+
+}
Copied: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutSignatureTomcatWorkflowUnitTestCase.java (from rev 1337, federation/trunk/picketlink-bindings/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutSignatureTomcatWorkflowUnitTestCase.java)
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutSignatureTomcatWorkflowUnitTestCase.java (rev 0)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2LogoutSignatureTomcatWorkflowUnitTestCase.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -0,0 +1,191 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.picketlink.test.identity.federation.bindings.workflow;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+
+import javax.servlet.ServletException;
+
+import junit.framework.Assert;
+
+import org.apache.catalina.LifecycleException;
+import org.junit.Test;
+import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
+import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
+import org.picketlink.identity.federation.web.constants.GeneralConstants;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaLoginConfig;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
+import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
+
+/**
+ * <p>Unit test the SAML2 Logout Mechanism for Tomcat bindings with token signature.</>
+ * <p>This test uses a scenario where there are two SPs (Employee e Sales) pointing to the same IDP. When the user sends a GLO logout request to the Employee SP
+ * Picketlink will start the logout process and invalidate the user in both SPs.</p>
+ *
+ * @author <a href="mailto:psilva at redhat.com">Pedro Igor</a>
+ * @since Dec 1, 2011
+ */
+ at SuppressWarnings("unused")
+public class SAML2LogoutSignatureTomcatWorkflowUnitTestCase extends AbstractSAML2RedirectWithSignatureTestCase
+{
+ private static final String SP_SALES_URL = "http://192.168.1.4:8080/sales/";
+
+ private static final String SP_SALES_PROFILE = BASE_PROFILE + "/sp/sales-sig";
+
+ private static final String SP_EMPLOYEE_URL = "http://192.168.1.2:8080/employee/";
+
+ private static final String SP_EMPLOYEE_PROFILE = BASE_PROFILE + "/sp/employee-sig";
+
+ private IDPWebBrowserSSOValve idpWebBrowserSSOValve;
+
+ private MockCatalinaSession employeeHttpSession = new MockCatalinaSession();
+
+ private MockCatalinaSession salesHttpSession = new MockCatalinaSession();
+
+ private SPRedirectSignatureFormAuthenticator salesServiceProvider;
+
+ private SPRedirectSignatureFormAuthenticator employeeServiceProvider;
+
+ /**
+ * Tests the GLO logout mechanism.
+ *
+ * @throws LifecycleException
+ * @throws IOException
+ * @throws ServletException
+ */
+ @Test
+ public void testSAML2LogOutFromSP() throws LifecycleException, IOException, ServletException
+ {
+
+ // requests a GLO logout to the Employee SP
+ MockCatalinaRequest originalEmployeeLogoutRequest = createRequest(employeeHttpSession, true);
+
+ originalEmployeeLogoutRequest.setParameter(GeneralConstants.GLOBAL_LOGOUT, "true");
+
+ MockCatalinaResponse originalEmployeeLogoutResponse = sendSPRequest(originalEmployeeLogoutRequest,
+ getEmployeeServiceProvider());
+
+ // sends the LogoutRequest to the IDP
+ MockCatalinaRequest idpLogoutRequest = createIDPRequest(true);
+
+ setQueryStringFromResponse(originalEmployeeLogoutResponse, idpLogoutRequest);
+
+ MockCatalinaResponse idpLogoutResponse = sendIDPRequest(idpLogoutRequest);
+
+ // The IDP responds with a LogoutRequest. Send it to the Sales SP with the RelayState pointing to the Employee SP
+ MockCatalinaRequest salesLogoutRequest = createRequest(salesHttpSession, true);
+
+ setQueryStringFromResponse(idpLogoutResponse, salesLogoutRequest);
+
+ MockCatalinaResponse salesLogoutResponse = sendSPRequest(salesLogoutRequest, getSalesServiceProvider());
+
+ // At this moment the user is not logged in Sales SP anymore.
+ assertTrue(this.salesHttpSession.isInvalidated());
+
+ // sends the StatusResponse to the IDP to continue the logout process.
+ MockCatalinaRequest processSalesStatusResponse = createIDPRequest(true);
+
+ setQueryStringFromResponse(salesLogoutResponse, processSalesStatusResponse);
+
+ MockCatalinaResponse salesStatusResponse = sendIDPRequest(processSalesStatusResponse);
+
+ // The IDP responds with a LogoutRequest. Send it to the Employee SP.
+ MockCatalinaRequest employeeLogoutRequest = createRequest(employeeHttpSession, true);
+
+ setQueryStringFromResponse(salesStatusResponse, employeeLogoutRequest);
+
+ MockCatalinaResponse employeeLogoutResponse = sendSPRequest(employeeLogoutRequest, getEmployeeServiceProvider());
+
+ // At this moment the user is not logged in Employee SP anymore.
+ assertTrue(this.employeeHttpSession.isInvalidated());
+
+ Assert.assertNotNull(employeeLogoutRequest.getForwardPath());
+ Assert.assertEquals(employeeLogoutRequest.getForwardPath(), GeneralConstants.LOGOUT_PAGE_NAME);
+ assertEquals(0, getIdentityServer(getIDPWebBrowserSSOValve()).stack().getParticipants(getIDPHttpSession().getId()));
+ assertEquals(0, getIdentityServer(getIDPWebBrowserSSOValve()).stack().getNumOfParticipantsInTransit(getIDPHttpSession().getId()));
+
+ //Finally the session should be invalidated
+ assertTrue(getIDPHttpSession().isInvalidated());
+ }
+
+ private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, SPRedirectSignatureFormAuthenticator sp) throws LifecycleException,
+ IOException, ServletException
+ {
+ MockCatalinaResponse response = new MockCatalinaResponse();
+
+ sp.authenticate(request, response, new MockCatalinaLoginConfig());
+
+ return response;
+ }
+
+ private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request) throws LifecycleException, IOException,
+ ServletException
+ {
+ IDPWebBrowserSSOValve idp = getIDPWebBrowserSSOValve();
+
+ MockCatalinaResponse response = new MockCatalinaResponse();
+
+ response.setWriter(new PrintWriter(new ByteArrayOutputStream()));
+
+ idp.invoke(request, response);
+
+ ((MockCatalinaSession) request.getSession()).clear();
+
+ return response;
+ }
+
+ private IDPWebBrowserSSOValve getIDPWebBrowserSSOValve() throws LifecycleException
+ {
+ if (this.idpWebBrowserSSOValve == null)
+ {
+ this.idpWebBrowserSSOValve = createIdentityProvider();
+ addIdentityServerParticipants(this.idpWebBrowserSSOValve, SP_EMPLOYEE_URL);
+ addIdentityServerParticipants(this.idpWebBrowserSSOValve, SP_SALES_URL);
+ }
+
+ return this.idpWebBrowserSSOValve;
+ }
+
+ public SPRedirectSignatureFormAuthenticator getEmployeeServiceProvider() {
+ if (this.employeeServiceProvider == null)
+ {
+ this.employeeServiceProvider = createServiceProvider(SP_EMPLOYEE_PROFILE);
+ }
+
+ return this.employeeServiceProvider;
+ }
+
+ public SPRedirectSignatureFormAuthenticator getSalesServiceProvider() {
+ if (this.salesServiceProvider == null)
+ {
+ this.salesServiceProvider = createServiceProvider(SP_SALES_PROFILE);
+ }
+
+ return this.salesServiceProvider;
+ }
+}
\ No newline at end of file
Modified: product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java
===================================================================
--- product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java 2012-01-31 22:12:56 UTC (rev 1357)
+++ product/trunk/picketlink-core/src/test/java/org/picketlink/test/identity/federation/bindings/workflow/SAML2RedirectSignatureTomcatWorkflowUnitTestCase.java 2012-01-31 22:13:31 UTC (rev 1358)
@@ -21,68 +21,55 @@
*/
package org.picketlink.test.identity.federation.bindings.workflow;
-
import static org.junit.Assert.assertNotNull;
import java.io.IOException;
-import java.net.URL;
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
import javax.servlet.ServletException;
import junit.framework.Assert;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.realm.GenericPrincipal;
import org.junit.Test;
import org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve;
import org.picketlink.identity.federation.bindings.tomcat.sp.SPRedirectSignatureFormAuthenticator;
-import org.picketlink.identity.federation.web.constants.GeneralConstants;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
-import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContext;
-import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaContextClassLoader;
import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaLoginConfig;
-import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRealm;
import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaRequest;
import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaResponse;
-import org.picketlink.test.identity.federation.bindings.mock.MockCatalinaSession;
/**
* <p>
* This {@code TestCase} tests the interaction between the SP and the IDP in a scenario where token signature is used.
* </p>
* <p>
- * This class also tests the use of the {@code SPRedirectSignatureFormAuthenticator.idpAddress} and the {@code IDPWebBrowserSSOValve.validatingAliasToTokenIssuer} properties.
- * <br/>
+ * This class also tests the use of the {@code SPRedirectSignatureFormAuthenticator.idpAddress} and the {@code IDPWebBrowserSSOValve.validatingAliasToTokenIssuer} properties
+ * during the token's signature validation process.
+ * </p>
+ * <p>
* The objective is test the following scenarios:
- * <br/><br/>
- * 1) User's machine is the same of the SP and the IDP. (testSAML2RedirectWithSameConsumerAndProvider)
- * <br/>
- * 2) User's machine is different of the SP and the IDP. (testSAML2RedirectWithSifferentConsumerAndProvider)
+ * <ul>
+ * <li>User's machine is the same of the SP and the IDP. (testSAML2RedirectWithSameConsumerAndProvider)</li>
+ * <li> User's machine is different of the SP and the IDP. (testSAML2RedirectWithSifferentConsumerAndProvider)
+ * <br/>
* 192.168.1.1 -> IDP Address (IDP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ * <br/>
* 192.168.1.2 -> SP Address (SP_PROFILE/WEB-INF/picketlink-idfed.xml)
+ * <br/>
* 192.168.1.3 -> End User Address
+ * </li>
+ * <ul>
* </p>
*
* @author <a href="mailto:psilva at redhat.com">Pedro Igor</a>
* @since Nov 14, 2011
*/
-public class SAML2RedirectSignatureTomcatWorkflowUnitTestCase
+public class SAML2RedirectSignatureTomcatWorkflowUnitTestCase extends AbstractSAML2RedirectWithSignatureTestCase
{
- private static final String profile = "saml2/redirect";
- private static final String IDP_PROFILE = profile + "/idp-sig/";
+ private static final String SP_EMPLOYEE_PROFILE = BASE_PROFILE + "/sp/employee-sig";
- private static final String SP_PROFILE = profile + "/sp/employee-sig";
+ private SPRedirectSignatureFormAuthenticator employeeServiceProvider;
- private final ClassLoader tcl = Thread.currentThread().getContextClassLoader();
-
- private String SAML_REQUEST_KEY = "SAMLRequest=";
-
- private String SAML_RESPONSE_KEY = "SAMLResponse=";
-
/**
* Tests the token's signatures validations when the requester and the SP/IDP as on the same host.
* The keyprovider is configured with the same ValidatingAlias for all of them.
@@ -92,168 +79,94 @@
@Test
public void testSAML2RedirectWithSameConsumerAndProvider() throws Exception
{
- testWorkflow("192.168.1.1", "192.168.1.1", false);
+ testWorkflow("192.168.1.1", "192.168.1.1");
}
-
+
/**
* Tests the token's signatures validations when the requester is in a differente host than the SP and IDP.
- * The keyprovider is configured with a ValidatingAlias for specific for the SP (192.168.1.2) that is different from the IDP (localhost) and the user (192.168.1.1).
+ * <br/>
+ * The keyprovider is configured with a ValidatingAlias for a specific SP (192.168.1.2) that is different from the IDP (192.168.1.1) and the user (192.168.1.3).
+ * <br/>
+ * Test fails if:
+ * <ul>
+ * <li>If you change the IDP address the test will fail because the SP's keystore and SPRedirectSignatureFormAuthenticator.idpAddress is configured to use a validating alias with value 192.168.1.1.</li>
+ * <li>If you change the SP address (SP_PROFILE/WEB-INF/picketlink-idfed.xml) the test will fail because the IDP's keystore is only configured to use a validating alias with value 192.168.1.2.</li>
+ * <li>If you ommit the SPRedirectSignatureFormAuthenticator.idpAddress because the user's address will be used to validate the token. His address is not in the keystore.</li>
+ * <li>If you ommit the IDPWebBrowserSSOValve.validatingAliasToTokenIssuer because the user's address will be used to validate the token. His address is not in the keystore.</li>
+ * </ul>
*/
@Test
- public void testSAML2RedirectWithSifferentConsumerAndProvider() throws Exception
+ public void testSAML2RedirectWithDifferentConsumerAndProvider() throws Exception
{
- testWorkflow("192.168.1.3", "192.168.1.1", true);
+ testWorkflow("192.168.1.3", "192.168.1.1");
}
- private void testWorkflow(String userAddress, String idpAddress, boolean validatingAliasToTokenIssuer) throws LifecycleException, IOException, ServletException
+ private void testWorkflow(String userAddress, String idpAddress)
+ throws LifecycleException, IOException, ServletException
{
- MockCatalinaRequest request = createRequest(userAddress);
-
+ MockCatalinaRequest request = createRequest(userAddress, false);
+
// Sends a initial request to the SP. Requesting a resource ...
MockCatalinaResponse idpAuthRequest = sendSPRequest(request, false, idpAddress);
-
+
assertNotNull("Redirect String can not be null.", idpAuthRequest.redirectString);
-
+
// Sends a auth request to the IDP
- request = createRequest(userAddress);
-
- request.setParameter("SAMLRequest", RedirectBindingUtil.urlDecode(getSAMLRequest(idpAuthRequest)));
- request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthRequest)));
- request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthRequest)));
- request.setQueryString(SAML_REQUEST_KEY + getSAMLRequest(idpAuthRequest) + "&SigAlg=" + getSAMLSigAlg(idpAuthRequest) + "&Signature=" + getSAMLSignature(idpAuthRequest));
-
- request.setUserPrincipal(new GenericPrincipal(createRealm(), "user", "user", getRoles()) );
-
- MockCatalinaResponse idpAuthResponse = sendIDPRequest(request, validatingAliasToTokenIssuer);
-
+ request = createRequest(userAddress, true);
+
+ setQueryStringFromResponse(idpAuthRequest, request);
+
+ MockCatalinaResponse idpAuthResponse = sendIDPRequest(request);
+
assertNotNull("Redirect String can not be null.", idpAuthResponse.redirectString);
-
+
// Sends the IDP response to the SP. Now the user is succesfully authenticated and access for the requested resource is granted...
- request = createRequest(userAddress);
- request.getContext().setRealm(createRealm());
-
- request.setParameter("SAMLResponse", RedirectBindingUtil.urlDecode(getSAMLResponse(idpAuthResponse)));
- request.setParameter("SigAlg", RedirectBindingUtil.urlDecode(getSAMLSigAlg(idpAuthResponse)));
- request.setParameter("Signature", RedirectBindingUtil.urlDecode(getSAMLSignature(idpAuthResponse)));
- request.setQueryString(SAML_RESPONSE_KEY + getSAMLResponse(idpAuthResponse) + "&SigAlg=" + getSAMLSigAlg(idpAuthResponse) + "&Signature=" + getSAMLSignature(idpAuthResponse));
-
+ request = createRequest(userAddress, false);
+
+ setQueryStringFromResponse(idpAuthResponse, request);
+
sendSPRequest(request, true, idpAddress);
}
- private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request, boolean validatingAliasToTokenIssuer)
+ private MockCatalinaResponse sendIDPRequest(MockCatalinaRequest request)
throws LifecycleException, IOException, ServletException
{
- MockCatalinaContextClassLoader mclIDP = setupTCL(IDP_PROFILE);
- Thread.currentThread().setContextClassLoader(mclIDP);
+ IDPWebBrowserSSOValve idp = createIdentityProvider();
- IDPWebBrowserSSOValve idp = new IDPWebBrowserSSOValve();
-
- idp.setSignOutgoingMessages(true);
- idp.setIgnoreIncomingSignatures(false);
- idp.setValidatingAliasToTokenIssuer(validatingAliasToTokenIssuer);
-
- idp.setContainer(request.getContext());
- idp.start();
-
MockCatalinaResponse response = new MockCatalinaResponse();
-
+
idp.invoke(request, response);
-
- return response;
- }
- private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, boolean validateAuthentication, String idpAddress)
- throws LifecycleException, IOException
- {
- MockCatalinaContextClassLoader mclSPEmp = setupTCL(SP_PROFILE);
- Thread.currentThread().setContextClassLoader(mclSPEmp);
-
- SPRedirectSignatureFormAuthenticator sp = new SPRedirectSignatureFormAuthenticator();
-
- sp.setIdpAddress(idpAddress);
-
- request.setParameter(GeneralConstants.RELAY_STATE, null);
-
- MockCatalinaLoginConfig loginConfig = new MockCatalinaLoginConfig();
-
- sp.setContainer(request.getContext());
- sp.testStart();
-
- MockCatalinaResponse response = new MockCatalinaResponse();
-
- if (validateAuthentication) {
- Assert.assertTrue("Employee app succesfully authenticated.", sp.authenticate(request, response, loginConfig));
- } else {
- sp.authenticate(request, response, loginConfig);
- }
-
return response;
}
-
- private MockCatalinaRequest createRequest(String userAddress)
- {
- MockCatalinaRequest request = new MockCatalinaRequest();
-
- request = new MockCatalinaRequest();
- request.setMethod("GET");
- request.setRemoteAddr(userAddress);
- request.setSession(new MockCatalinaSession());
- request.setContext(new MockCatalinaContext());
-
- return request;
- }
- private String getSAMLResponse(MockCatalinaResponse response)
+ private MockCatalinaResponse sendSPRequest(MockCatalinaRequest request, boolean validateAuthentication,
+ String idpAddress) throws LifecycleException, IOException
{
- return response.redirectString.substring(response.redirectString.indexOf(SAML_RESPONSE_KEY) +
- SAML_RESPONSE_KEY.length(), response.redirectString.indexOf("&SigAlg="));
- }
- private String getSAMLSignature(MockCatalinaResponse response)
- {
- return response.redirectString.substring(response.redirectString.indexOf("&Signature=") +
- "&Signature=".length());
- }
+ MockCatalinaResponse response = new MockCatalinaResponse();
- private String getSAMLSigAlg(MockCatalinaResponse response)
- {
- return response.redirectString.substring(response.redirectString.indexOf("&SigAlg=") +
- "&SigAlg=".length(), response.redirectString.lastIndexOf("&Signature="));
- }
+ if (validateAuthentication)
+ {
+ Assert.assertTrue("Employee app succesfully authenticated.",
+ getEmployeeServiceProvider().authenticate(request, response, new MockCatalinaLoginConfig()));
+ }
+ else
+ {
+ getEmployeeServiceProvider().authenticate(request, response, new MockCatalinaLoginConfig());
+ }
- private String getSAMLRequest(MockCatalinaResponse response)
- {
- return response.redirectString.substring(response.redirectString.indexOf(SAML_REQUEST_KEY) +
- SAML_REQUEST_KEY.length(), response.redirectString.indexOf("&SigAlg="));
+ return response;
}
- private List<String> getRoles()
+ public SPRedirectSignatureFormAuthenticator getEmployeeServiceProvider()
{
- List<String> roles = new ArrayList<String>();
- roles.add("manager");
- roles.add("employee");
- return roles;
- }
+ if (this.employeeServiceProvider == null)
+ {
+ this.employeeServiceProvider = createServiceProvider(SP_EMPLOYEE_PROFILE);
+ }
- private MockCatalinaRealm createRealm()
- {
- return new MockCatalinaRealm("user", "user", new Principal()
- {
- public String getName()
- {
- return "user";
- }
- });
+ return this.employeeServiceProvider;
}
-
- private MockCatalinaContextClassLoader setupTCL(String resource)
- {
- URL[] urls = new URL[] {tcl.getResource(resource)};
-
- MockCatalinaContextClassLoader mcl = new MockCatalinaContextClassLoader(urls);
- mcl.setDelegate(tcl);
- mcl.setProfile(resource);
- return mcl;
- }
-
+
}
More information about the picketlink-commits
mailing list