Author: alessio.soldano(a)jboss.com Date: 2012-05-08 09:39:31 -0400 (Tue, 08 May 2012) New Revision: 16237 Added: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/stsKeystore.properties Removed: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/web.xml Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/scripts/cxf-samples-jars-jaxws.xml stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/SampleSTS.java stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/PicketLinkSTService.java stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/WSTrustPicketLinkTestCase.java stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/jboss-web.xml stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/picketlink-sts.xml stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/wsdl/PicketLinkSTS.wsdl Log: [JBWS-3493] Use WS-Security UsernameToken profile to authenticate to STS (instead of http basic auth) + enable full WS-Security communication (encrypt & sign). Also cleanup the testcase a bit. Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/scripts/cxf-samples-jars-jaxws.xml =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/scripts/cxf-samples-jars-jaxws.xml 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/scripts/cxf-samples-jars-jaxws.xml 2012-05-08 13:39:31 UTC (rev 16237) @@ -256,21 +256,22 @@ <!-- jaxws-samples-wsse-policy-trustPicketLink-sts --> <war - warfile="${tests.output.dir}/test-libs/jaxws-samples-wsse-policy-trustPicketLink-sts.war" - webxml="${tests.output.dir}/test-resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/web.xml"> + warfile="${tests.output.dir}/test-libs/jaxws-samples-wsse-policy-trustPicketLink-sts.war" needxmlfile='false'> <classes dir="${tests.output.dir}/test-classes"> <include name="org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/PicketLinkSTService.class"/> + <include name="org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/STSCallbackHandler.class"/> </classes> <webinf dir="${tests.output.dir}/test-resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF"> <include name="wsdl/PicketLinkSTS.wsdl"/> - <include name="jboss-web.xml"/> <!-- workaround --> + <include name="jboss-web.xml"/> </webinf> <zipfileset dir="${tests.output.dir}/test-resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF" prefix="WEB-INF/classes"> <include name="stsstore.jks" /> <include name="picketlink-sts.xml" /> + <include name="stsKeystore.properties" /> </zipfileset> <manifest> - <attribute name="Dependencies" value="org.picketlink"/> + <attribute name="Dependencies" value="org.apache.ws.security,org.apache.cxf,org.picketlink"/> </manifest> </war> Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/SampleSTS.java =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/SampleSTS.java 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trust/SampleSTS.java 2012-05-08 13:39:31 UTC (rev 16237) @@ -43,6 +43,7 @@ portName = "UT_Port", targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/", wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl") +//be sure to have dependency on org.apache.cxf module when on AS7, otherwise Apache CXF annotations are ignored @EndpointProperties(value = { @EndpointProperty(key = "ws-security.signature.username", value = "mystskey"), @EndpointProperty(key = "ws-security.signature.properties", value = "stsKeystore.properties"), Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/PicketLinkSTService.java =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/PicketLinkSTService.java 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/PicketLinkSTService.java 2012-05-08 13:39:31 UTC (rev 16237) @@ -27,6 +27,9 @@ import javax.xml.ws.WebServiceContext; import javax.xml.ws.WebServiceProvider; +import org.apache.cxf.annotations.EndpointProperties; +import org.apache.cxf.annotations.EndpointProperty; +import org.apache.cxf.interceptor.InInterceptors; import org.picketlink.identity.federation.core.wstrust.PicketLinkSTS; /** @@ -38,6 +41,13 @@ */ @WebServiceProvider(serviceName = "PicketLinkSTS", portName = "PicketLinkSTSPort", targetNamespace = "urn:picketlink:identity-federation:sts", wsdlLocation = "WEB-INF/wsdl/PicketLinkSTS.wsdl") @ServiceMode(value = Service.Mode.MESSAGE) +//be sure to have dependency on org.apache.cxf module when on AS7, otherwise Apache CXF annotations are ignored +@EndpointProperties(value = { + @EndpointProperty(key = "ws-security.signature.username", value = "mystskey"), + @EndpointProperty(key = "ws-security.signature.properties", value = "stsKeystore.properties"), + @EndpointProperty(key = "ws-security.callback-handler", value = "org.jboss.test.ws.jaxws.samples.wsse.policy.trustPicketLink.STSCallbackHandler") +}) +@InInterceptors(interceptors = {"org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"}) public class PicketLinkSTService extends PicketLinkSTS { @Resource Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/WSTrustPicketLinkTestCase.java =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/WSTrustPicketLinkTestCase.java 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/java/org/jboss/test/ws/jaxws/samples/wsse/policy/trustPicketLink/WSTrustPicketLinkTestCase.java 2012-05-08 13:39:31 UTC (rev 16237) @@ -33,8 +33,6 @@ import org.apache.cxf.Bus; import org.apache.cxf.BusFactory; -import org.apache.cxf.configuration.security.AuthorizationPolicy; -import org.apache.cxf.transport.http.HTTPConduit; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.trust.STSClient; import org.jboss.wsf.test.JBossWSCXFTestSetup; @@ -62,7 +60,7 @@ authenticationOptions.put("rolesProperties", getResourceFile("jaxws/samples/wsse/policy/trust/WEB-INF/jbossws-roles.properties").getAbsolutePath()); authenticationOptions.put("unauthenticatedIdentity", "anonymous"); - testSetup.addSecurityDomainRequirement("JBossWS-trustPicketLink-sts", authenticationOptions); + testSetup.addSecurityDomainRequirement("JBossWS-trust-sts", authenticationOptions); return testSetup; } @@ -95,27 +93,21 @@ ctx.put(SecurityConstants.SIGNATURE_USERNAME, "myclientkey"); ctx.put(SecurityConstants.ENCRYPT_USERNAME, "myservicekey"); STSClient stsClient = new STSClient(bus); + //override STS location from service WSDL contract, as the same endpoint is used for the WSTrustTestCase too (which uses Apache CXF STS impl) stsClient.setWsdlLocation(stsURL + "?wsdl"); stsClient.setServiceQName(new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTS")); stsClient.setEndpointQName(new QName("urn:picketlink:identity-federation:sts", "PicketLinkSTSPort")); Map<String, Object> props = stsClient.getProperties(); -// props.put(SecurityConstants.USERNAME, "alice"); -// props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler()); -// props.put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties")); -// props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + + props.put(SecurityConstants.USERNAME, "alice"); + props.put(SecurityConstants.CALLBACK_HANDLER, new ClientCallbackHandler()); + props.put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties")); + props.put(SecurityConstants.ENCRYPT_USERNAME, "mystskey"); + props.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey"); props.put(SecurityConstants.STS_TOKEN_PROPERTIES, Thread.currentThread().getContextClassLoader().getResource("META-INF/clientKeystore.properties")); props.put(SecurityConstants.STS_TOKEN_USE_CERT_FOR_KEYINFO, "true"); - //set http basic auth to workaround PicketLink STS requiring username to be set in context; this needs to be performed in a CXF specific way, - //as the CXF STSClient does not support setting up basic auth by simple BindingProvider.USERNAME_PROPERTY/USERNAME_PASSWORD setup - HTTPConduit conduit = (HTTPConduit)stsClient.getClient().getConduit(); - AuthorizationPolicy authPolicy = new AuthorizationPolicy(); - authPolicy.setAuthorizationType("BASIC"); - authPolicy.setUserName("alice"); - authPolicy.setPassword("clarinet"); - conduit.setAuthorization(authPolicy); - ctx.put(SecurityConstants.STS_CLIENT, stsClient); } } Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/jboss-web.xml =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/jboss-web.xml 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/jboss-web.xml 2012-05-08 13:39:31 UTC (rev 16237) @@ -3,5 +3,5 @@ <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_0.dtd"> <jboss-web> - <security-domain>java:/jaas/JBossWS-trustPicketLink-sts</security-domain> + <security-domain>java:/jaas/JBossWS-trust-sts</security-domain> </jboss-web> Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/picketlink-sts.xml =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/picketlink-sts.xml 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/picketlink-sts.xml 2012-05-08 13:39:31 UTC (rev 16237) @@ -17,8 +17,4 @@ TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion"/> </TokenProviders> - <ServiceProviders> - <ServiceProvider Endpoint="http://services.testcorp.org/provider1" TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profi... - TruststoreAlias="service1"/> - </ServiceProviders> </PicketLinkSTS> Added: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/stsKeystore.properties =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/stsKeystore.properties (rev 0) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/stsKeystore.properties 2012-05-08 13:39:31 UTC (rev 16237) @@ -0,0 +1,23 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin +org.apache.ws.security.crypto.merlin.keystore.type=jks +org.apache.ws.security.crypto.merlin.keystore.password=stsspass +org.apache.ws.security.crypto.merlin.keystore.file=stsstore.jks + Deleted: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/web.xml =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/web.xml 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/web.xml 2012-05-08 13:39:31 UTC (rev 16237) @@ -1,38 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<web-app - version="3.0" - xmlns="http://java.sun.com/xml/ns/javaee" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"> - - <servlet> - <servlet-name>PicketLinkSTS</servlet-name> - <servlet-class>org.jboss.test.ws.jaxws.samples.wsse.policy.trustPicketLink.PicketLinkSTService</servlet-class> - </servlet> - <servlet-mapping> - <servlet-name>PicketLinkSTS</servlet-name> - <url-pattern>/*</url-pattern> - </servlet-mapping> - - <security-constraint> - <web-resource-collection> - <web-resource-name>PicketLinkSTSService</web-resource-name> - <url-pattern>/*</url-pattern> - <http-method>POST</http-method> - </web-resource-collection> - <auth-constraint> - <role-name>friend</role-name> - </auth-constraint> - <user-data-constraint> - <transport-guarantee>NONE</transport-guarantee> - </user-data-constraint> - </security-constraint> - <login-config> - <auth-method>BASIC</auth-method> - <realm-name>Security Realm</realm-name> - </login-config> - <security-role> - <role-name>friend</role-name> - </security-role> - -</web-app> \ No newline at end of file Modified: stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/wsdl/PicketLinkSTS.wsdl =================================================================== --- stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/wsdl/PicketLinkSTS.wsdl 2012-05-08 10:48:49 UTC (rev 16236) +++ stack/cxf/trunk/modules/testsuite/cxf-tests/src/test/resources/jaxws/samples/wsse/policy/trustPicketLink/WEB-INF/wsdl/PicketLinkSTS.wsdl 2012-05-08 13:39:31 UTC (rev 16237) @@ -4,6 +4,8 @@ xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl" + xmlns:wsp="http://www.w3.org/ns/ws-policy" + xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"> <wsdl:types> <xs:schema targetNamespace="urn:picketlink:identity-federation:sts" @@ -32,13 +34,16 @@ </wsdl:operation> </wsdl:portType> <wsdl:binding name="STSBinding" type="tns:SecureTokenService"> + <wsp:PolicyReference URI="#UT_policy" /> <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="IssueToken"> <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Iss... style="document"/> <wsdl:input> + <wsp:PolicyReference URI="#Input_policy" /> <soap12:body use="literal"/> </wsdl:input> <wsdl:output> + <wsp:PolicyReference URI="#Output_policy" /> <soap12:body use="literal"/> </wsdl:output> </wsdl:operation> @@ -48,4 +53,129 @@ <soap12:address location="http://localhost:8080/picketlink-sts/PicketLinkSTS"/> </wsdl:port> </wsdl:service> + + <wsp:Policy wsu:Id="UT_policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsap10:UsingAddressing/> + <sp:SymmetricBinding + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <wsp:Policy> + <sp:ProtectionToken> + <wsp:Policy> + <sp:X509Token + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/... + <wsp:Policy> + <sp:RequireDerivedKeys /> + <sp:RequireThumbprintReference /> + <sp:WssX509V3Token10 /> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:ProtectionToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic256 /> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax /> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp /> + <sp:EncryptSignature /> + <sp:OnlySignEntireHeadersAndBody /> + </wsp:Policy> + </sp:SymmetricBinding> + <sp:SignedSupportingTokens + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <wsp:Policy> + <sp:UsernameToken + sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/... + <wsp:Policy> + <sp:WssUsernameToken10 /> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:SignedSupportingTokens> + <sp:Wss11 + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier /> + <sp:MustSupportRefIssuerSerial /> + <sp:MustSupportRefThumbprint /> + <sp:MustSupportRefEncryptedKey /> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <wsp:Policy> + <sp:MustSupportIssuedTokens /> + <sp:RequireClientEntropy /> + <sp:RequireServerEntropy /> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id="Input_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <sp:Body /> + <sp:Header Name="To" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="From" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="FaultTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="ReplyTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="MessageID" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="RelatesTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="Action" + Namespace="http://www.w3.org/2005/08/addressing" /> + </sp:SignedParts> + <sp:EncryptedParts + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <sp:Body /> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + + <wsp:Policy wsu:Id="Output_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <sp:Body /> + <sp:Header Name="To" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="From" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="FaultTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="ReplyTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="MessageID" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="RelatesTo" + Namespace="http://www.w3.org/2005/08/addressing" /> + <sp:Header Name="Action" + Namespace="http://www.w3.org/2005/08/addressing" /> + </sp:SignedParts> + <sp:EncryptedParts + xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702&... + <sp:Body /> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + </wsdl:definitions>