| /** |
| * Licensed to the Apache Software Foundation (ASF) under one |
| * or more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information |
| * regarding copyright ownership. The ASF licenses this file |
| * to you under the Apache License, Version 2.0 (the |
| * "License"); you may not use this file except in compliance |
| * with the License. You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, |
| * software distributed under the License is distributed on an |
| * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| * KIND, either express or implied. See the License for the |
| * specific language governing permissions and limitations |
| * under the License. |
| */ |
| package org.apache.wss4j.stax.test; |
| |
| import java.io.ByteArrayInputStream; |
| import java.io.ByteArrayOutputStream; |
| import java.io.InputStream; |
| import java.nio.charset.StandardCharsets; |
| import java.nio.file.Path; |
| import java.time.ZoneOffset; |
| import java.time.ZonedDateTime; |
| import java.util.ArrayList; |
| import java.util.HashMap; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Properties; |
| |
| import javax.xml.stream.XMLStreamException; |
| import javax.xml.stream.XMLStreamReader; |
| import javax.xml.stream.XMLStreamWriter; |
| import javax.xml.transform.dom.DOMSource; |
| import javax.xml.transform.stream.StreamResult; |
| |
| import org.apache.wss4j.common.ConfigurationConstants; |
| import org.apache.wss4j.common.cache.EHCacheReplayCache; |
| import org.apache.wss4j.common.cache.ReplayCache; |
| import org.apache.wss4j.common.ext.WSSecurityException; |
| import org.apache.wss4j.common.util.DateUtil; |
| import org.apache.wss4j.common.util.UsernameTokenUtil; |
| import org.apache.wss4j.dom.WSConstants; |
| import org.apache.wss4j.dom.handler.WSHandlerConstants; |
| import org.apache.wss4j.stax.ext.WSSConstants; |
| import org.apache.wss4j.stax.ext.WSSSecurityProperties; |
| import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent; |
| import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; |
| import org.apache.wss4j.stax.setup.ConfigurationConverter; |
| import org.apache.wss4j.stax.setup.InboundWSSec; |
| import org.apache.wss4j.stax.setup.OutboundWSSec; |
| import org.apache.wss4j.stax.setup.WSSec; |
| import org.apache.wss4j.stax.test.utils.StAX2DOM; |
| import org.apache.wss4j.stax.test.utils.XmlReaderToWriter; |
| import org.apache.xml.security.exceptions.XMLSecurityException; |
| import org.apache.xml.security.stax.securityEvent.SecurityEvent; |
| import org.apache.xml.security.stax.securityEvent.SecurityEventListener; |
| import org.apache.xml.security.utils.XMLUtils; |
| import org.junit.jupiter.api.Test; |
| import org.junit.jupiter.api.io.TempDir; |
| import org.junit.jupiter.params.ParameterizedTest; |
| import org.junit.jupiter.params.provider.ValueSource; |
| import org.w3c.dom.Document; |
| import org.w3c.dom.Element; |
| import org.w3c.dom.NodeList; |
| |
| import static org.junit.jupiter.api.Assertions.assertEquals; |
| import static org.junit.jupiter.api.Assertions.assertNotNull; |
| import static org.junit.jupiter.api.Assertions.assertTrue; |
| import static org.junit.jupiter.api.Assertions.fail; |
| |
| public class UsernameTokenTest extends AbstractTestBase { |
| |
| @Test |
| public void testDefaultConfigurationInbound() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.USERNAME_TOKEN, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| @Test |
| public void testWrongUsername() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl("wrongUsername")); |
| //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| |
| try { |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertNotNull(e.getCause()); |
| assertTrue(e.getCause() instanceof WSSecurityException); |
| assertEquals(e.getCause().getMessage(), "The security token could not be authenticated or authorized"); |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION); |
| } |
| } |
| } |
| |
| //Username can't be checked in swssf, it must be done via SecurityEvent |
| @Test |
| public void testInboundPW_TEXT() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl("username")); |
| //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| |
| SecurityEventListener securityEventListener = new SecurityEventListener() { |
| @Override |
| public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException { |
| if (securityEvent instanceof UsernameTokenSecurityEvent) { |
| UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) securityEvent; |
| if (!"username".equals(usernameTokenSecurityEvent.getSecurityToken().getPrincipal().getName())) { |
| throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", |
| new Object[] {"Wrong username"}); |
| } |
| } |
| } |
| }; |
| |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), new ArrayList<SecurityEvent>(), securityEventListener); |
| |
| try { |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION); |
| } |
| } |
| } |
| |
| //wss4j bug. PWNONE throws an NPE... |
| /*@Test |
| public void testInboundPWNONE() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_NONE); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| */ |
| |
| @Test |
| public void testReusedNonce(@TempDir Path tempDir) throws Exception { |
| |
| ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC); |
| String createdString = DateUtil.getDateTimeFormatter(true).format(created); |
| String digest = |
| UsernameTokenUtil.doPasswordDigest( |
| XMLUtils.decode("Ex2YESUvsa1qne1m6TM8XA=="), createdString, "default" |
| ); |
| |
| String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + |
| "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" + |
| " <env:Header>" + |
| " <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" + |
| " <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" + |
| " <wsse:Username>transmitter</wsse:Username>" + |
| " <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" + |
| " <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YESUvsa1qne1m6TM8XA==</wsse:Nonce>" + |
| " <wsu:Created>" + createdString + "</wsu:Created>" + |
| " </wsse:UsernameToken>" + |
| " </wsse:Security>\n" + |
| " </env:Header>\n" + |
| " <env:Body>\n" + |
| " </env:Body>\n" + |
| "</env:Envelope>"; |
| |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| ReplayCache replayCache = createCache("wss4j.nonce.cache", tempDir); |
| securityProperties.setNonceReplayCache(replayCache); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| try { |
| xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION); |
| } |
| |
| replayCache.close(); |
| } |
| |
| /** |
| * This is a test for processing an "old" UsernameToken, i.e. one with a "Created" element that is |
| * out of date |
| */ |
| @Test |
| public void testOldUsernameToken() throws Exception { |
| |
| ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).minusSeconds(301L); |
| String createdString = DateUtil.getDateTimeFormatter(true).format(created); |
| |
| String digest = |
| UsernameTokenUtil.doPasswordDigest( |
| XMLUtils.decode("Ex2YEKVvsa1qne1m6TM8XA=="), createdString, "default" |
| ); |
| |
| String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + |
| "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" + |
| " <env:Header>" + |
| " <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" + |
| " <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" + |
| " <wsse:Username>transmitter</wsse:Username>" + |
| " <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" + |
| " <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvsa1qne1m6TM8XA==</wsse:Nonce>" + |
| " <wsu:Created>" + createdString + "</wsu:Created>" + |
| " </wsse:UsernameToken>" + |
| " </wsse:Security>\n" + |
| " </env:Header>\n" + |
| " <env:Body>\n" + |
| " </env:Body>\n" + |
| "</env:Envelope>"; |
| |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| |
| try { |
| XMLStreamReader xmlStreamReader = |
| wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.MESSAGE_EXPIRED); |
| } |
| } |
| |
| /** |
| * This is a test for processing a UsernameToken where the "Created" element is in the (near) |
| * future. It should be accepted by default when it is created 30 seconds in the future. |
| */ |
| @Test |
| public void testNearFutureCreated() throws Exception { |
| ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(30L); |
| String createdString = DateUtil.getDateTimeFormatter(true).format(created); |
| |
| String digest = |
| UsernameTokenUtil.doPasswordDigest( |
| XMLUtils.decode("Ex2YEKVvSa1qne1m6TM8XA=="), createdString, "default" |
| ); |
| |
| String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + |
| "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" + |
| " <env:Header>" + |
| " <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" + |
| " <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" + |
| " <wsse:Username>transmitter</wsse:Username>" + |
| " <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" + |
| " <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvSa1qne1m6TM8XA==</wsse:Nonce>" + |
| " <wsu:Created>" + createdString + "</wsu:Created>" + |
| " </wsse:UsernameToken>" + |
| " </wsse:Security>\n" + |
| " </env:Header>\n" + |
| " <env:Body>\n" + |
| " </env:Body>\n" + |
| "</env:Envelope>"; |
| |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| } |
| |
| /** |
| * This is a test for processing a UsernameToken where the "Created" element is in the future. |
| * A UsernameToken that is 120 seconds in the future should be rejected by default. |
| */ |
| @Test |
| public void testFutureCreated() throws Exception { |
| ZonedDateTime created = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(120L); |
| String createdString = DateUtil.getDateTimeFormatter(true).format(created); |
| |
| String digest = |
| UsernameTokenUtil.doPasswordDigest( |
| XMLUtils.decode("Ex2YEKVvsa1Qne1m6TM8XA=="), createdString, "default" |
| ); |
| |
| String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" + |
| "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" + |
| " <env:Header>" + |
| " <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" + |
| " <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" + |
| " <wsse:Username>transmitter</wsse:Username>" + |
| " <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">" + digest + "</wsse:Password>" + |
| " <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YEKVvsa1Qne1m6TM8XA==</wsse:Nonce>" + |
| " <wsu:Created>" + createdString + "</wsu:Created>" + |
| " </wsse:UsernameToken>" + |
| " </wsse:Security>\n" + |
| " </env:Header>\n" + |
| " <env:Body>\n" + |
| " </env:Body>\n" + |
| "</env:Envelope>"; |
| |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| |
| try { |
| XMLStreamReader xmlStreamReader = |
| wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.MESSAGE_EXPIRED); |
| } |
| } |
| |
| @Test |
| public void testDefaultConfigurationOutbound() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace()); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action); |
| } |
| } |
| |
| @Test |
| public void testOutboundPW_NONE() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 0); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| Properties properties = new Properties(); |
| properties.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true"); |
| doInboundSecurityWithWSS4J_1(document, action, properties, false); |
| } |
| } |
| |
| @Test |
| public void testOutboundPW_TEXT() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace()); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action); |
| } |
| } |
| |
| @ParameterizedTest |
| @ValueSource(strings = { "transmitter", "sender", "randomUsername" }) |
| public void testOutboundPW_TEXT_withEmptyPassword(String transmitter) throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.setTokenUser(transmitter); |
| securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT); |
| securityProperties.setCallbackHandler(x -> {}); |
| |
| try { |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| fail("Expecting an XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertNotNull(e.getCause()); |
| assertTrue(WSSecurityException.class.isAssignableFrom(e.getCause().getClass()), "Cause should be a WSSecurityException"); |
| WSSecurityException root = (WSSecurityException)e.getCause(); |
| assertEquals(root.getErrorCode(), WSSecurityException.ErrorCode.FAILURE); |
| assertEquals("noPassword", root.getMsgID()); |
| assertTrue(root.getMessage().contains(transmitter), () -> "Message string: <" + root.getMessage() + "> to include <" + transmitter + '>'); |
| } |
| } |
| } |
| |
| @Test |
| public void testOutboundSign() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN_SIGNED); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 0); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Reference.getNamespaceURI(), WSSConstants.TAG_dsig_Reference.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.NS_SOAP11, WSSConstants.TAG_SOAP_BODY_LN); |
| assertEquals(nodeList.getLength(), 1); |
| String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(WSSConstants.ATT_WSU_ID.getNamespaceURI(), WSSConstants.ATT_WSU_ID.getLocalPart()); |
| assertNotNull(idAttrValue); |
| assertTrue(idAttrValue.length() > 0); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN_SIGNATURE; |
| doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action); |
| } |
| } |
| |
| @Test |
| public void testInboundSign() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN_SIGNATURE; |
| Properties properties = new Properties(); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 0); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray()); |
| securityProperties.setAllowUsernameTokenNoPassword(true); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| XMLStreamReader xmlStreamReader = |
| wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| @Test |
| public void testInboundOutboundPW_NONE() throws Exception { |
| |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document securedDocument = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 0); |
| } |
| |
| //done UsernameToken; now verification: |
| |
| // Failure expected on no password |
| try { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties, false, true); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| |
| xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| fail("Expected XMLStreamException"); |
| } catch (XMLStreamException e) { |
| assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_AUTHENTICATION); |
| } |
| |
| // Now set the appropriate boolean and it should pass |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setAllowUsernameTokenNoPassword(true); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray()))); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| @Test |
| public void testInboundTextNonceCreated() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT); |
| properties.setProperty(WSHandlerConstants.ADD_USERNAMETOKEN_NONCE, "true"); |
| properties.setProperty(WSHandlerConstants.ADD_USERNAMETOKEN_CREATED, "true"); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| @Test |
| public void testOutboundTextNonceCreated() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| WSSSecurityProperties securityProperties = new WSSSecurityProperties(); |
| List<WSSConstants.Action> actions = new ArrayList<>(); |
| actions.add(WSSConstants.USERNAMETOKEN); |
| securityProperties.setActions(actions); |
| securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray()); |
| securityProperties.setTokenUser("transmitter"); |
| securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT); |
| securityProperties.setCallbackHandler(new CallbackHandlerImpl()); |
| securityProperties.setAddUsernameTokenNonce(true); |
| securityProperties.setAddUsernameTokenCreated(true); |
| |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace()); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action); |
| } |
| } |
| |
| @Test |
| public void testPropertiesOutbound() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| |
| { |
| Map<String, Object> config = new HashMap<>(); |
| config.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN); |
| config.put(ConfigurationConstants.USER, "transmitter"); |
| config.put(ConfigurationConstants.PW_CALLBACK_REF, new CallbackHandlerImpl()); |
| |
| WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config); |
| OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties); |
| XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, StandardCharsets.UTF_8.name(), new ArrayList<SecurityEvent>()); |
| XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml")); |
| XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter); |
| xmlStreamWriter.close(); |
| |
| Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())); |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace()); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action); |
| } |
| } |
| |
| @Test |
| public void testPropertiesInbound() throws Exception { |
| ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| { |
| InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"); |
| String action = WSHandlerConstants.USERNAME_TOKEN; |
| Properties properties = new Properties(); |
| Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties); |
| |
| //some test that we can really sure we get what we want from WSS4J |
| NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| |
| nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(), WSSConstants.TAG_WSSE_PASSWORD.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace()); |
| |
| javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer(); |
| transformer.transform(new DOMSource(securedDocument), new StreamResult(baos)); |
| } |
| |
| //done UsernameToken; now verification: |
| { |
| Map<String, Object> config = new HashMap<>(); |
| config.put(ConfigurationConstants.ACTION, ConfigurationConstants.USERNAME_TOKEN); |
| config.put(ConfigurationConstants.PW_CALLBACK_REF, new CallbackHandlerImpl()); |
| WSSSecurityProperties securityProperties = ConfigurationConverter.convert(config); |
| InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties); |
| |
| WSSecurityEventConstants.Event[] expectedSecurityEvents = new WSSecurityEventConstants.Event[]{ |
| WSSecurityEventConstants.USERNAME_TOKEN, |
| WSSecurityEventConstants.OPERATION, |
| }; |
| final TestSecurityEventListener securityEventListener = new TestSecurityEventListener(expectedSecurityEvents); |
| XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), null, securityEventListener); |
| |
| Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader); |
| |
| securityEventListener.compare(); |
| |
| //header element must still be there |
| NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(), WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart()); |
| assertEquals(nodeList.getLength(), 1); |
| assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart()); |
| } |
| } |
| |
| private ReplayCache createCache(String key, Path tempDir) throws WSSecurityException { |
| try { |
| return new EHCacheReplayCache(key, tempDir); |
| } catch (XMLSecurityException e) { |
| throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e); |
| } |
| } |
| } |