Google Git
Sign in
apache / ws-wss4j / cdb67628499e7c83b3f74bbafbeae15ca60ed535 / . / ws-security-stax / src / test / java / org / apache / wss4j / stax / test / UsernameTokenTest.java
blob: 253e1e08c92a399b33aa1d119a750ec1ce8381c4 [file] [log] [blame]
/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.wss4j.stax.test;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.cache.EHCacheReplayCache;
import org.apache.wss4j.common.cache.ReplayCache;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.DateUtil;
import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
import org.apache.wss4j.stax.setup.ConfigurationConverter;
import org.apache.wss4j.stax.setup.InboundWSSec;
import org.apache.wss4j.stax.setup.OutboundWSSec;
import org.apache.wss4j.stax.setup.WSSec;
import org.apache.wss4j.stax.test.utils.StAX2DOM;
import org.apache.wss4j.stax.test.utils.XmlReaderToWriter;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
import org.apache.xml.security.utils.XMLUtils;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
public class UsernameTokenTest extends AbstractTestBase {
@Test
public void testDefaultConfigurationInbound() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{
WSSecurityEventConstants.USERNAME_TOKEN,
WSSecurityEventConstants.OPERATION,
};
final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener);
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
securityEventListener.compare();
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
@Test
public void testWrongUsername() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl("wrongUsername"));
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
try {
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertNotNull(e.getCause());
assertTrue(e.getCause() instanceof WSSecurityException);
assertEquals(e.getCause().getMessage(), "The security token could not be authenticated or authorized");
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION);
}
}
}
//Username can't be checked in swssf, it must be done via SecurityEvent
@Test
public void testInboundPW_TEXT() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl("username"));
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
SecurityEventListener securityEventListener = new SecurityEventListener() {
@Override
public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
if (securityEvent instanceof UsernameTokenSecurityEvent) {
UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) securityEvent;
if (!"username".equals(usernameTokenSecurityEvent.getSecurityToken().getPrincipal().getName())) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
new Object[] {"Wrong username"});
}
}
}
};
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), new ArrayList<SecurityEvent>(), securityEventListener);
try {
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION);
}
}
}
//wss4j bug. PWNONE throws an NPE...
/*@Test
public void testInboundPWNONE() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_NONE);
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
//securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
*/
@Test
public void testReusedNonce(@TempDir Path tempDir) throws Exception {
ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC);
String createdString = DateUtil.getDateTimeFormatter(true).format(created);
String digest =
UsernameTokenUtil.doPasswordDigest(
XMLUtils.decode("Ex2YESUvsa1qne1m6TM8XA=="), createdString, "default"
);
String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
" <env:Header>" +
" <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" +
" <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" +
" <wsse:Username>transmitter</wsse:Username>" +
" <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" +
" <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YESUvsa1qne1m6TM8XA==</wsse:Nonce>" +
" <wsu:Created>" + createdString + "</wsu:Created>" +
" </wsse:UsernameToken>" +
" </wsse:Security>\n" +
" </env:Header>\n" +
" <env:Body>\n" +
" </env:Body>\n" +
"</env:Envelope>";
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
ReplayCache replayCache = createCache("wss4j.nonce.cache", tempDir);
securityProperties.setNonceReplayCache(replayCache);
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
try {
xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION);
}
replayCache.close();
}
/**
* This is a test for processing an "old" UsernameToken, i.e. one with a "Created" element that is
* out of date
*/
@Test
public void testOldUsernameToken() throws Exception {
ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).minusSeconds(301L);
String createdString = DateUtil.getDateTimeFormatter(true).format(created);
String digest =
UsernameTokenUtil.doPasswordDigest(
XMLUtils.decode("Ex2YEKVvsa1qne1m6TM8XA=="), createdString, "default"
);
String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
" <env:Header>" +
" <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" +
" <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" +
" <wsse:Username>transmitter</wsse:Username>" +
" <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" +
" <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvsa1qne1m6TM8XA==</wsse:Nonce>" +
" <wsu:Created>" + createdString + "</wsu:Created>" +
" </wsse:UsernameToken>" +
" </wsse:Security>\n" +
" </env:Header>\n" +
" <env:Body>\n" +
" </env:Body>\n" +
"</env:Envelope>";
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
try {
XMLStreamReader xmlStreamReader =
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.MESSAGE_EXPIRED);
}
}
/**
* This is a test for processing a UsernameToken where the "Created" element is in the (near)
* future. It should be accepted by default when it is created 30 seconds in the future.
*/
@Test
public void testNearFutureCreated() throws Exception {
ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(30L);
String createdString = DateUtil.getDateTimeFormatter(true).format(created);
String digest =
UsernameTokenUtil.doPasswordDigest(
XMLUtils.decode("Ex2YEKVvSa1qne1m6TM8XA=="), createdString, "default"
);
String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
" <env:Header>" +
" <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" +
" <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" +
" <wsse:Username>transmitter</wsse:Username>" +
" <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" +
" <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvSa1qne1m6TM8XA==</wsse:Nonce>" +
" <wsu:Created>" + createdString + "</wsu:Created>" +
" </wsse:UsernameToken>" +
" </wsse:Security>\n" +
" </env:Header>\n" +
" <env:Body>\n" +
" </env:Body>\n" +
"</env:Envelope>";
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
}
/**
* This is a test for processing a UsernameToken where the "Created" element is in the future.
* A UsernameToken that is 120 seconds in the future should be rejected by default.
*/
@Test
public void testFutureCreated() throws Exception {
ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L);
String createdString = DateUtil.getDateTimeFormatter(true).format(created);
String digest =
UsernameTokenUtil.doPasswordDigest(
XMLUtils.decode("Ex2YEKVvsa1Qne1m6TM8XA=="), createdString, "default"
);
String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
" <env:Header>" +
" <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" +
" <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" +
" <wsse:Username>transmitter</wsse:Username>" +
" <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" +
" <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvsa1Qne1m6TM8XA==</wsse:Nonce>" +
" <wsu:Created>" + createdString + "</wsu:Created>" +
" </wsse:UsernameToken>" +
" </wsse:Security>\n" +
" </env:Header>\n" +
" <env:Body>\n" +
" </env:Body>\n" +
"</env:Envelope>";
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
try {
XMLStreamReader xmlStreamReader =
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.MESSAGE_EXPIRED);
}
}
@Test
public void testDefaultConfigurationOutbound() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
}
}
@Test
public void testOutboundPW_NONE() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 0);
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
Properties properties = new Properties();
properties.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
doInboundSecurityWithWSS4J_1(document, action, properties, false);
}
}
@Test
public void testOutboundPW_TEXT() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
}
}
@ParameterizedTest
@ValueSource(strings = { "transmitter", "sender", "randomUsername" })
public void testOutboundPW_TEXT_withEmptyPassword(String transmitter) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.setTokenUser(transmitter);
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
securityProperties.setCallbackHandler(x -> {});
try {
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
fail("Expecting an XMLStreamException");
} catch (XMLStreamException e) {
assertNotNull(e.getCause());
assertTrue(WSSecurityException.class.isAssignableFrom(e.getCause().getClass()), "Cause should be a WSSecurityException");
WSSecurityException root = (WSSecurityException)e.getCause();
assertEquals(root.getErrorCode(), WSSecurityException.ErrorCode.FAILURE);
assertEquals("noPassword", root.getMsgID());
assertTrue(root.getMessage().contains(transmitter), () -> "Message string: <" + root.getMessage() + "> to include <" + transmitter + '>');
}
}
}
@Test
public void testOutboundSign() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN_SIGNED);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 0);
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart());
assertEquals(nodeList.getLength(), 1);
nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN);
assertEquals(nodeList.getLength(), 1);
String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart());
assertNotNull(idAttrValue);
assertTrue(idAttrValue.length() > 0);
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN_SIGNATURE;
doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
}
}
@Test
public void testInboundSign() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN_SIGNATURE;
Properties properties = new Properties();
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 0);
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
securityProperties.setAllowUsernameTokenNoPassword(true);
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader =
wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null);
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
@Test
public void testInboundOutboundPW_NONE() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE);
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document securedDocument = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 0);
}
//done UsernameToken; now verification:
// Failure expected on no password
try {
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
fail("Expected XMLStreamException");
} catch (XMLStreamException e) {
assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION);
}
// Now set the appropriate boolean and it should pass
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setAllowUsernameTokenNoPassword(true);
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
@Test
public void testInboundTextNonceCreated() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
properties.setProperty(WSHandlerConstants.ADD_USERNAMETOKEN_NONCE, "true");
properties.setProperty(WSHandlerConstants.ADD_USERNAMETOKEN_CREATED, "true");
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null);
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
@Test
public void testOutboundTextNonceCreated() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
List<WSSConstants.Action> actions = new ArrayList<>();
actions.add(WSSConstants.USERNAMETOKEN);
securityProperties.setActions(actions);
securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
securityProperties.setTokenUser("transmitter");
securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
securityProperties.setAddUsernameTokenNonce(true);
securityProperties.setAddUsernameTokenCreated(true);
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
}
}
@Test
public void testPropertiesOutbound() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
Map<String, Object> config = new HashMap<>();
config.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
config.put(ConfigurationConstants.USER, "transmitter");
config.put(ConfigurationConstants.PW_CALLBACK_REF, new CallbackHandlerImpl());
WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config);
OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>());
XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
xmlStreamWriter.close();
Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
}
//done UsernameToken; now verification:
{
String action = WSHandlerConstants.USERNAME_TOKEN;
doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
}
}
@Test
public void testPropertiesInbound() throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
{
InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
String action = WSHandlerConstants.USERNAME_TOKEN;
Properties properties = new Properties();
Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
//some test that we can really sure we get what we want from WSS4J
NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
}
//done UsernameToken; now verification:
{
Map<String, Object> config = new HashMap<>();
config.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN);
config.put(ConfigurationConstants.PW_CALLBACK_REF, new CallbackHandlerImpl());
WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config);
InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{
WSSecurityEventConstants.USERNAME_TOKEN,
WSSecurityEventConstants.OPERATION,
};
final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents);
XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener);
Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
securityEventListener.compare();
//header element must still be there
NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
assertEquals(nodeList.getLength(), 1);
assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
}
}
private ReplayCache createCache(String key, Path tempDir) throws WSSecurityException {
try {
return new EHCacheReplayCache(key, tempDir);
} catch (XMLSecurityException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
}
}