| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.wss4j.stax.test.saml; |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.ByteArrayOutputStream; |
| import java.io.InputStream; |
| import java.nio.charset.StandardCharsets; |
| import java.security.KeyStore; |
| import java.util.ArrayList; |
| import java.util.List; |
| import java.util.Properties; |
| |
| import javax.crypto.KeyGenerator; |
| import javax.crypto.SecretKey; |
| import javax.xml.stream.XMLStreamReader; |
| import javax.xml.stream.XMLStreamWriter; |
| import javax.xml.transform.dom.DOMSource; |
| import javax.xml.transform.stream.StreamResult; |
| |
| import org.apache.wss4j.common.WSEncryptionPart; |
| import org.apache.wss4j.common.crypto.Crypto; |
| import org.apache.wss4j.common.crypto.CryptoFactory; |
| import org.apache.wss4j.common.crypto.CryptoType; |
| import org.apache.wss4j.common.crypto.Merlin; |
| import org.apache.wss4j.common.saml.SAMLCallback; |
| import org.apache.wss4j.common.saml.SAMLUtil; |
| import org.apache.wss4j.common.saml.SamlAssertionWrapper; |
| import org.apache.wss4j.common.saml.bean.Version; |
| import org.apache.wss4j.common.saml.builder.SAML1Constants; |
| import org.apache.wss4j.common.saml.builder.SAML2Constants; |
| import org.apache.wss4j.common.util.KeyUtils; |
| import org.apache.wss4j.dom.WSConstants; |
| import org.apache.wss4j.dom.handler.WSHandlerConstants; |
| import org.apache.wss4j.dom.message.WSSecEncrypt; |
| import org.apache.wss4j.dom.message.WSSecHeader; |
| import org.apache.wss4j.dom.saml.WSSecSignatureSAML; |
| import org.apache.wss4j.stax.ext.WSSConstants; |
| import org.apache.wss4j.stax.ext.WSSSecurityProperties; |
| import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; |
| import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants; |
| import org.apache.wss4j.stax.setup.InboundWSSec; |
| import org.apache.wss4j.stax.setup.OutboundWSSec; |
| import org.apache.wss4j.stax.setup.WSSec; |
| import org.apache.wss4j.stax.test.AbstractTestBase; |
| import org.apache.wss4j.stax.test.CallbackHandlerImpl; |
| import org.apache.wss4j.stax.test.utils.SOAPUtil; |
| import org.apache.wss4j.stax.test.utils.StAX2DOM; |
| import org.apache.wss4j.stax.test.utils.XmlReaderToWriter; |
| import org.apache.xml.security.stax.securityEvent.SecurityEvent; |
| import org.junit.jupiter.api.Test; |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Element; |
| import org.w3c.dom.Node; |
| import org.w3c.dom.NodeList; |
| |
| import static org.junit.jupiter.api.Assertions.assertEquals; |
| |
| public class SAMLTokenReferenceTest extends AbstractTestBase { |
| |
| @Test |
| public void testSAML1SVKeyIdentifierOutbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.SAML_TOKEN_SIGNED); |
| securityProperties.setActions(actions); |
| SAMLCallbackHandlerImpl callbackHandler = new SAMLCallbackHandlerImpl(); |
| callbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_SENDER_VOUCHES); |
| callbackHandler.setIssuer("www.example.com"); |
| callbackHandler.setSignAssertion(false); |
| securityProperties.setSamlCallbackHandler(callbackHandler); |
| securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setSignatureUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"); |
| assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.SAML_TOKEN_UNSIGNED; |
| Properties properties = new Properties(); |
| doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false); |
| } |
| } |
| |
| @Test |
| public void testSAML1SVKeyIdentifierInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler(); |
| callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_SENDER_VOUCHES); |
| callbackHandler.setIssuer("www.example.com"); |
| callbackHandler.setSignAssertion(false); |
| |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler); |
| properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier"); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"); |
| assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.X509Token, |
| WSSecurityEventConstants.SignatureValue, |
| WSSecurityEventConstants.SignedElement, |
| WSSecurityEventConstants.SIGNED_PART, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| } |
| } |
| |
| @Test |
| public void testSAML1HOKKeyIdentifierOutbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.SAML_TOKEN_SIGNED); |
| securityProperties.setActions(actions); |
| SAMLCallbackHandlerImpl callbackHandler = new SAMLCallbackHandlerImpl(); |
| callbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| KeyStore keyStore = KeyStore.getInstance("jks"); |
| keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray()); |
| Merlin crypto = new Merlin(); |
| crypto.setKeyStore(keyStore); |
| CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); |
| cryptoType.setAlias("transmitter"); |
| callbackHandler.setCerts(crypto.getX509Certificates(cryptoType)); |
| securityProperties.setSamlCallbackHandler(callbackHandler); |
| securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setSignatureUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false); |
| } |
| } |
| |
| @Test |
| public void testSAML1HOKKeyIdentifierInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler(); |
| callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.SignatureValue, |
| WSSecurityEventConstants.SIGNED_PART, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| } |
| } |
| |
| /* todo doesn't work atm |
| @Test |
| public void testAssertionBelowSTRInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler(); |
| callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler); |
| properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| Element securityHeader = (Element) nodeList.item(1).getParentNode(); |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_SAML_ASSERTION.getNamespaceURI(), WSSConstants.TAG_saml_Assertion.getLocalPart()); |
| Node assertionNode = nodeList.item(0); |
| securityHeader.removeChild(assertionNode); |
| securityHeader.appendChild(assertionNode); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(System.out)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| } |
| } |
| */ |
| |
| @Test |
| public void testSAML1HOKEKKeyIdentifierInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler(); |
| //we set here the receiver's certificate just to test EncryptedKey references. |
| //in real life this wont work that way. |
| CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); |
| cryptoType.setAlias("receiver"); |
| callbackHandler.setCerts(CryptoFactory.getInstance("transmitter-crypto.properties").getX509Certificates(cryptoType)); |
| callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| SAMLCallback samlCallback = new SAMLCallback(); |
| SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); |
| SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback); |
| |
| Crypto issuerCrypto = CryptoFactory.getInstance("saml/samlissuer.properties"); |
| samlAssertion.signAssertion("samlissuer", "default", issuerCrypto, false); |
| |
| Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG); |
| WSSecHeader secHeader = new WSSecHeader(doc); |
| Node assertionNode = samlAssertion.toDOM(doc); |
| secHeader.insertSecurityHeader(); |
| secHeader.getSecurityHeaderElement().appendChild(assertionNode); |
| |
| // Encrypt the SOAP body |
| WSSecEncrypt builder = new WSSecEncrypt(secHeader); |
| builder.setUserInfo("receiver"); |
| builder.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES); |
| builder.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); |
| builder.setCustomEKTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); |
| builder.setCustomEKTokenId(samlAssertion.getId()); |
| |
| Crypto userCrypto = CryptoFactory.getInstance("receiver-crypto.properties"); |
| KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.TRIPLE_DES); |
| SecretKey symmetricKey = keyGen.generateKey(); |
| builder.prepare(userCrypto, symmetricKey); |
| |
| List<WSEncryptionPart> parts = new ArrayList<>(); |
| WSEncryptionPart encP = |
| new WSEncryptionPart( |
| "add", "http://ws.apache.org/counter/counter_port_type", "Element" |
| ); |
| parts.add(encP); |
| Element refElement = builder.encryptForRef(null, parts, symmetricKey); |
| builder.addInternalRefElement(refElement); |
| builder.appendToHeader(); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(doc), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setValidateSamlSubjectConfirmation(false); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl(); |
| securityProperties.setCallbackHandler(callbackHandler); |
| |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.EncryptedElement, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| } |
| } |
| |
| @Test |
| public void testSAML1HOKEKDirectReferenceInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler(); |
| //we set here the receiver's certificate just to test EncryptedKey references. |
| //in real life this wont work that way. |
| CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); |
| cryptoType.setAlias("receiver"); |
| callbackHandler.setCerts(CryptoFactory.getInstance("transmitter-crypto.properties").getX509Certificates(cryptoType)); |
| callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| SAMLCallback samlCallback = new SAMLCallback(); |
| SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); |
| SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback); |
| |
| Crypto issuerCrypto = CryptoFactory.getInstance("saml/samlissuer.properties"); |
| samlAssertion.signAssertion("samlissuer", "default", issuerCrypto, false); |
| |
| Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG); |
| WSSecHeader secHeader = new WSSecHeader(doc); |
| Node assertionNode = samlAssertion.toDOM(doc); |
| secHeader.insertSecurityHeader(); |
| secHeader.getSecurityHeaderElement().appendChild(assertionNode); |
| |
| // Encrypt the SOAP body |
| WSSecEncrypt builder = new WSSecEncrypt(secHeader); |
| builder.setUserInfo("receiver"); |
| builder.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES); |
| builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); |
| builder.setCustomEKTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); |
| builder.setCustomEKTokenId(samlAssertion.getId()); |
| |
| Crypto userCrypto = CryptoFactory.getInstance("receiver-crypto.properties"); |
| KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.TRIPLE_DES); |
| SecretKey symmetricKey = keyGen.generateKey(); |
| builder.prepare(userCrypto, symmetricKey); |
| |
| List<WSEncryptionPart> parts = new ArrayList<>(); |
| WSEncryptionPart encP = |
| new WSEncryptionPart( |
| "add", "http://ws.apache.org/counter/counter_port_type", "Element" |
| ); |
| parts.add(encP); |
| Element refElement = builder.encryptForRef(null, parts, symmetricKey); |
| builder.addInternalRefElement(refElement); |
| builder.appendToHeader(); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(doc), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setValidateSamlSubjectConfirmation(false); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl(); |
| securityProperties.setCallbackHandler(callbackHandler); |
| |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.EncryptedElement, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| } |
| } |
| |
| @Test |
| public void testSAML2SVKeyIdentifierOutbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.SAML_TOKEN_SIGNED); |
| securityProperties.setActions(actions); |
| SAMLCallbackHandlerImpl callbackHandler = new SAMLCallbackHandlerImpl(); |
| callbackHandler.setSamlVersion(Version.SAML_20); |
| callbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES); |
| callbackHandler.setIssuer("www.example.com"); |
| callbackHandler.setSignAssertion(false); |
| KeyStore keyStore = KeyStore.getInstance("jks"); |
| keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray()); |
| Merlin crypto = new Merlin(); |
| crypto.setKeyStore(keyStore); |
| CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); |
| cryptoType.setAlias("transmitter"); |
| callbackHandler.setCerts(crypto.getX509Certificates(cryptoType)); |
| securityProperties.setSamlCallbackHandler(callbackHandler); |
| securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setSignatureUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"); |
| assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.SAML_TOKEN_UNSIGNED; |
| Properties properties = new Properties(); |
| doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false); |
| } |
| } |
| |
| @Test |
| public void testSAML2SVKeyIdentifierInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); |
| callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES); |
| callbackHandler.setIssuer("www.example.com"); |
| callbackHandler.setSignAssertion(false); |
| |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler); |
| properties.setProperty(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier"); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"); |
| assertEquals(((Element) nodeList.item(1)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.X509Token, |
| WSSecurityEventConstants.SignatureValue, |
| WSSecurityEventConstants.SignedElement, |
| WSSecurityEventConstants.SIGNED_PART, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| } |
| } |
| |
| @Test |
| public void testSAML2HOKKeyIdentifierOutbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.SAML_TOKEN_SIGNED); |
| securityProperties.setActions(actions); |
| SAMLCallbackHandlerImpl callbackHandler = new SAMLCallbackHandlerImpl(); |
| callbackHandler.setSamlVersion(Version.SAML_20); |
| callbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| KeyStore keyStore = KeyStore.getInstance("jks"); |
| keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray()); |
| Merlin crypto = new Merlin(); |
| crypto.setKeyStore(keyStore); |
| CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); |
| cryptoType.setAlias("transmitter"); |
| callbackHandler.setCerts(crypto.getX509Certificates(cryptoType)); |
| securityProperties.setSamlCallbackHandler(callbackHandler); |
| securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setSignatureUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, properties, false); |
| } |
| } |
| |
| @Test |
| public void testSAML2HOKKeyIdentifierInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); |
| callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "KeyIdentifier"); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, "ValueType"), "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.SignatureValue, |
| WSSecurityEventConstants.SIGNED_PART, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| /* not implemented! |
| @Test |
| public void testSAML2HOKDirectReferenceOutbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.SAML_TOKEN_SIGNED}; |
| securityProperties.setActions(actions); |
| SAMLCallbackHandlerImpl callbackHandler = new SAMLCallbackHandlerImpl(); |
| callbackHandler.setSamlVersion(Version.SAML_20); |
| callbackHandler.setStatement(SAMLCallbackHandlerImpl.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| KeyStore keyStore = KeyStore.getInstance("jks"); |
| keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray()); |
| Merlin crypto = new Merlin(); |
| crypto.setKeyStore(keyStore); |
| callbackHandler.setCerts(crypto.getCertificates("transmitter")); |
| securityProperties.setSamlCallbackHandler(callbackHandler); |
| securityProperties.setSignatureKeyIdentifierType(WSSConstants.WSSKeyIdentifierType.SECURITY_TOKEN_DIRECT_REFERENCE); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setSignatureUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| String action = WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.SAML_TOKEN_SIGNED; |
| Properties properties = new Properties(); |
| properties.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "true"); |
| doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action, SOAPConstants.SOAP_1_1_PROTOCOL, properties, false); |
| } |
| } |
| */ |
| |
| @Test |
| public void testSAML2HOKDirectReferenceInbound() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); |
| callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN); |
| callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY); |
| callbackHandler.setIssuer("www.example.com"); |
| |
| SAMLCallback samlCallback = new SAMLCallback(); |
| SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); |
| SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback); |
| |
| Crypto issuerCrypto = CryptoFactory.getInstance("saml/samlissuer.properties"); |
| samlAssertion.signAssertion("samlissuer", "default", issuerCrypto, false); |
| |
| Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG); |
| WSSecHeader secHeader = new WSSecHeader(doc); |
| secHeader.insertSecurityHeader(); |
| |
| WSSecSignatureSAML wsSign = new WSSecSignatureSAML(secHeader); |
| wsSign.setUserInfo("transmitter", "default"); |
| wsSign.setUseDirectReferenceToAssertion(true); |
| wsSign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); |
| |
| Crypto userCrypto = CryptoFactory.getInstance("transmitter-crypto.properties"); |
| Document securedDocument = wsSign.build(userCrypto, samlAssertion, null, null, null); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_SAML_ASSERTION.getLocalPart()); |
| assertEquals(nodeList.item(1).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS( |
| "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "SecurityTokenReference"); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals( |
| ((Element) nodeList.item(0)). |
| getAttributeNS("http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd", "TokenType"), |
| "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done signature; now test sig-verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.AlgorithmSuite, |
| WSSecurityEventConstants.SAML_TOKEN, |
| WSSecurityEventConstants.SignatureValue, |
| WSSecurityEventConstants.SIGNED_PART, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.getLength(), 2); |
| } |
| } |
| } |
