20 package org.apache.wss4j.policy.stax.test;
21
22 import java.util.ArrayList;
23 import java.util.LinkedList;
24 import java.util.List;
25
26 import javax.xml.namespace.QName;
27
28 import org.apache.wss4j.common.ext.WSSecurityException;
29 import org.apache.wss4j.common.saml.SAMLCallback;
30 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
31 import org.apache.wss4j.common.saml.bean.AttributeBean;
32 import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
33 import org.apache.wss4j.common.saml.bean.SubjectBean;
34 import org.apache.wss4j.common.saml.bean.Version;
35 import org.apache.wss4j.policy.stax.PolicyViolationException;
36 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
37 import org.apache.wss4j.stax.ext.WSSConstants;
38 import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
39 import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
40 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
41 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
42 import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
43 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
44 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
45 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
46 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
47 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
48 import org.junit.jupiter.api.Test;
49
50 import static org.junit.jupiter.api.Assertions.assertEquals;
51 import static org.junit.jupiter.api.Assertions.assertTrue;
52 import static org.junit.jupiter.api.Assertions.fail;
53
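/**
 * Policy-enforcement tests for {@code sp:IssuedToken} assertions in an asymmetric binding.
 *
 * <p>Each test drives a {@link PolicyEnforcer} with the security events a StAX inbound run
 * would emit (initiator token, recipient token, signed body, encrypted body, operation) and
 * checks that the enforcer either accepts the message or raises the expected
 * {@link PolicyViolationException}. The fixture-building steps shared by every test live in
 * the private helpers at the bottom of the class.
 */
public class IssuedTokenTest extends AbstractPolicyTestBase {

    private static final String INITIATOR_ISSUER = "http://initiatorTokenIssuer.com";
    private static final String RECIPIENT_ISSUER = "http://recipientTokenIssuer.com";

    private static final String EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email";
    private static final String SURNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";

    // Kerberos token-type URIs spelled exactly as in KERBEROS_POLICY below; the policy value and
    // the token value must agree byte-for-byte for the token-type check to pass.
    private static final String KERBEROS_APREQ_SHA1 =
        "http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1";
    private static final String KERBEROS_GSS_APREQ =
        "http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#GSS_Kerberosv5_AP_REQ";

    /** Policy requiring SAML 2.0 issued tokens (public key, email + surname claims) on both sides. */
    private static final String SAML_POLICY =
        "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:IssuedToken>\n" +
        " <sp:IssuerName>http://initiatorTokenIssuer.com</sp:IssuerName>\n" +
        " <sp:RequestSecurityTokenTemplate xmlns:t=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\n" +
        " <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>\n" +
        " <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>\n" +
        " <t:Claims Dialect=\"http://schemas.xmlsoap.org/ws/2005/05/identity\"\n" +
        " xmlns:ic=\"http://schemas.xmlsoap.org/ws/2005/05/identity\">\n" +
        " <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email\"/>\n" +
        " <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"/>\n" +
        " <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phone\" Optional=\"true\"/>\n" +
        " </t:Claims>\n" +
        " </sp:RequestSecurityTokenTemplate>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:IssuedToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:InitiatorToken>\n" +
        "<sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:IssuedToken>\n" +
        " <sp:IssuerName>http://recipientTokenIssuer.com</sp:IssuerName>\n" +
        " <sp:RequestSecurityTokenTemplate/>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:IssuedToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:AsymmetricBinding>";

    /** Policy requiring a Kerberos AP-REQ/SHA1 issued token for the initiator. */
    private static final String KERBEROS_POLICY =
        "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        "<sp:InitiatorToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:IssuedToken>\n" +
        " <sp:IssuerName>http://initiatorTokenIssuer.com</sp:IssuerName>\n" +
        " <sp:RequestSecurityTokenTemplate xmlns:t=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\n" +
        " <t:TokenType>http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1</t:TokenType>\n" +
        " </sp:RequestSecurityTokenTemplate>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:IssuedToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:InitiatorToken>\n" +
        "<sp:RecipientToken>\n" +
        " <wsp:Policy>\n" +
        " <sp:IssuedToken>\n" +
        " <sp:IssuerName>http://recipientTokenIssuer.com</sp:IssuerName>\n" +
        " <sp:RequestSecurityTokenTemplate/>\n" +
        " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
        " <sp:RequireExternalReference/>\n" +
        " </wsp:Policy>\n" +
        " </sp:IssuedToken>\n" +
        " </wsp:Policy>\n" +
        "</sp:RecipientToken>\n" +
        " <sp:AlgorithmSuite>\n" +
        " <wsp:Policy>\n" +
        " <sp:Basic256/>\n" +
        " </wsp:Policy>\n" +
        " </sp:AlgorithmSuite>\n" +
        "</wsp:Policy>\n" +
        "</sp:AsymmetricBinding>";

    /** Two SAML 2.0 tokens from the expected issuers carrying the required claims are accepted. */
    @Test
    public void testPolicyWithSAMLToken() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SAML_POLICY);

        SamlSecurityTokenImpl initiatorToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, INITIATOR_ISSUER, true)));
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, RECIPIENT_ISSUER, true)));
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientToken);
        policyEnforcer.registerSecurityEvent(operationEvent());

        policyEnforcer.doFinal();
    }

    /**
     * The recipient token is built from the initiator's assertion, so its issuer does not match
     * the {@code sp:IssuerName} of the recipient policy and the enforcer must reject the message.
     */
    @Test
    public void testPolicyWithSAMLTokenWrongIssuer() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SAML_POLICY);

        SamlAssertionWrapper initiatorAssertion =
            createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, INITIATOR_ISSUER, true));

        SamlSecurityTokenImpl initiatorToken = newSamlToken(initiatorAssertion);
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        // Deliberately the wrong assertion: issued by INITIATOR_ISSUER, used as the recipient token.
        SamlSecurityTokenImpl recipientToken = newSamlToken(initiatorAssertion);
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientToken);

        assertPolicyViolation(policyEnforcer,
            "IssuerName in Policy (" + RECIPIENT_ISSUER + ") didn't match with the one in the IssuedToken ("
                + INITIATOR_ISSUER + ")");
    }

    /** SAML 1.1 assertions are rejected by a policy whose token template demands SAML 2.0. */
    @Test
    public void testPolicyWithSAMLTokenWrongTokenType() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SAML_POLICY);

        SamlSecurityTokenImpl initiatorToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_11, INITIATOR_ISSUER, true)));
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_11, RECIPIENT_ISSUER, true)));
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientToken);

        assertPolicyViolation(policyEnforcer, "Policy enforces SAML V2.0 token but got 1.1");
    }

    /**
     * With the token template switched to {@code SymmetricKey}, a holder-of-key token backed by an
     * X.509 (public) key no longer satisfies the policy.
     */
    @Test
    public void testPolicyWithSAMLTokenWrongKeyType() throws Exception {
        PolicyEnforcer policyEnforcer =
            buildAndStartPolicyEngine(SAML_POLICY.replaceFirst("PublicKey", "SymmetricKey"));

        SamlSecurityTokenImpl initiatorToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, INITIATOR_ISSUER, true)));
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, RECIPIENT_ISSUER, true)));
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientToken);

        assertPolicyViolation(policyEnforcer, "Policy enforces SAML token with a symmetric key");
    }

    /**
     * An assertion that carries only the email claim is rejected because the policy's
     * {@code ic:Claims} list marks surname as required (only phone is {@code Optional}).
     */
    @Test
    public void testPolicyWithSAMLTokenMissingClaimType() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SAML_POLICY);

        SamlSecurityTokenImpl initiatorToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, INITIATOR_ISSUER, false)));
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken =
            newSamlToken(createSamlAssertionWrapper(newSamlCallback(Version.SAML_20, RECIPIENT_ISSUER, false)));
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientToken);

        assertPolicyViolation(policyEnforcer,
            "Attribute " + SURNAME_CLAIM + " not found in the SAMLAssertion");
    }

    /** Kerberos AP-REQ/SHA1 tokens from the expected issuers are accepted. */
    @Test
    public void testPolicyWithKerberosToken() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(KERBEROS_POLICY);

        KerberosServiceSecurityTokenImpl initiatorToken = newKerberosToken(KERBEROS_APREQ_SHA1);
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        policyEnforcer.registerSecurityEvent(kerberosTokenEvent(INITIATOR_ISSUER, initiatorToken));

        KerberosServiceSecurityTokenImpl recipientToken = newKerberosToken(KERBEROS_APREQ_SHA1);
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(kerberosTokenEvent(RECIPIENT_ISSUER, recipientToken));

        registerProtectedBody(policyEnforcer, recipientToken);
        policyEnforcer.registerSecurityEvent(operationEvent());

        policyEnforcer.doFinal();
    }

    /** An initiator token of the GSS AP-REQ type is rejected by a policy that asks for AP-REQ/SHA1. */
    @Test
    public void testPolicyWithKerberosTokenWrongTokenType() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(KERBEROS_POLICY);

        KerberosServiceSecurityTokenImpl initiatorToken = newKerberosToken(KERBEROS_GSS_APREQ);
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        policyEnforcer.registerSecurityEvent(kerberosTokenEvent(INITIATOR_ISSUER, initiatorToken));

        KerberosServiceSecurityTokenImpl recipientToken = newKerberosToken(KERBEROS_APREQ_SHA1);
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        policyEnforcer.registerSecurityEvent(kerberosTokenEvent(RECIPIENT_ISSUER, recipientToken));

        registerProtectedBody(policyEnforcer, recipientToken);

        assertPolicyViolation(policyEnforcer,
            "Policy enforces Kerberos token of type " + KERBEROS_APREQ_SHA1 + " but got " + KERBEROS_GSS_APREQ);
    }

    // ---------------------------------------------------------------------------------------
    // Fixture helpers
    // ---------------------------------------------------------------------------------------

    /**
     * Builds a SAML callback with a fresh subject and a single attribute statement.
     *
     * @param version     SAML version to request
     * @param issuer      issuer placed in the assertion (compared against the policy's IssuerName)
     * @param withSurname whether the surname claim is included next to the always-present email claim
     * @return the populated callback, ready for {@code createSamlAssertionWrapper}
     */
    private static SAMLCallback newSamlCallback(Version version, String issuer, boolean withSurname) {
        SAMLCallback samlCallback = new SAMLCallback();
        samlCallback.setSamlVersion(version);
        samlCallback.setIssuer(issuer);
        SubjectBean subjectBean = new SubjectBean();
        samlCallback.setSubject(subjectBean);

        List<AttributeBean> attributeBeans = new ArrayList<>();
        attributeBeans.add(newClaim("email", EMAIL_CLAIM, "test@example.com"));
        if (withSurname) {
            attributeBeans.add(newClaim("surname", SURNAME_CLAIM, "Proper"));
        }

        List<AttributeStatementBean> attributeStatementBeans = new ArrayList<>();
        attributeStatementBeans.add(new AttributeStatementBean(subjectBean, attributeBeans));
        samlCallback.setAttributeStatementData(attributeStatementBeans);
        return samlCallback;
    }

    /**
     * Creates a single-valued attribute claim.
     *
     * <p>Each claim gets its own value list. The previous version of this fixture reused one
     * list and {@code clear()}ed it between claims; if {@link AttributeBean} keeps the list
     * reference rather than copying it, that left every claim with the last value added.
     */
    private static AttributeBean newClaim(String simpleName, String qualifiedName, Object value) {
        List<Object> attributeValues = new ArrayList<>();
        attributeValues.add(value);
        return new AttributeBean(simpleName, qualifiedName, attributeValues);
    }

    /**
     * Wraps an assertion in an inbound SAML token keyed by the base class's X.509 v3 test token
     * and referenced directly (no KeyIdentifier/Thumbprint indirection).
     */
    private SamlSecurityTokenImpl newSamlToken(SamlAssertionWrapper samlAssertionWrapper) throws Exception {
        return new SamlSecurityTokenImpl(
            samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
    }

    /** Registers {@code token} with the enforcer as a {@link SamlTokenSecurityEvent}. */
    private static void registerSamlToken(PolicyEnforcer policyEnforcer, SamlSecurityTokenImpl token)
        throws Exception {
        SamlTokenSecurityEvent samlTokenSecurityEvent = new SamlTokenSecurityEvent();
        samlTokenSecurityEvent.setSecurityToken(token);
        policyEnforcer.registerSecurityEvent(samlTokenSecurityEvent);
    }

    /**
     * Creates an inbound Kerberos service token of the given type with no security context,
     * callback handler or binary content (the policy checks exercised here need none of them).
     */
    private static KerberosServiceSecurityTokenImpl newKerberosToken(String kerberosTokenValueType) throws Exception {
        return new KerberosServiceSecurityTokenImpl(
            null, null, null, kerberosTokenValueType,
            "1", WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
    }

    /** Builds the {@link KerberosTokenSecurityEvent} the policy layer sees for {@code token}. */
    private static KerberosTokenSecurityEvent kerberosTokenEvent(String issuerName,
                                                                 KerberosServiceSecurityTokenImpl token) {
        KerberosTokenSecurityEvent kerberosTokenSecurityEvent = new KerberosTokenSecurityEvent();
        kerberosTokenSecurityEvent.setIssuerName(issuerName);
        kerberosTokenSecurityEvent.setSecurityToken(token);
        return kerberosTokenSecurityEvent;
    }

    /**
     * Registers a signed-then-encrypted SOAP 1.1 Body, both protected by {@code token},
     * so that the binding's signed/encrypted-parts requirements are satisfied.
     */
    private static void registerProtectedBody(PolicyEnforcer policyEnforcer, InboundSecurityToken token)
        throws Exception {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(token, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(token, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /** The operation event that triggers policy evaluation for the "definitions" operation. */
    private static OperationSecurityEvent operationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * Registers the operation event and asserts that the enforcer rejects it with a
     * {@link WSSecurityException} whose cause is a {@link PolicyViolationException} carrying
     * {@code expectedMessage}.
     *
     * <p>Arguments to {@code assertEquals} are (expected, actual); the earlier version had them
     * swapped, which produced misleading failure output.
     */
    private static void assertPolicyViolation(PolicyEnforcer policyEnforcer, String expectedMessage)
        throws Exception {
        try {
            policyEnforcer.registerSecurityEvent(operationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            assertEquals(expectedMessage, e.getCause().getMessage());
        }
    }
}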