19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.ext.WSSecurityException;
27 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
28 import org.apache.wss4j.stax.ext.WSSConstants;
29 import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
30 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
31 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
33 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
34 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
35 import org.apache.xml.security.stax.impl.util.IDGenerator;
36 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
37 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
38 import org.junit.jupiter.api.Test;
39
40 import static org.junit.jupiter.api.Assertions.assertEquals;
41 import static org.junit.jupiter.api.Assertions.fail;
42
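/**
 * Policy-enforcement tests for {@code sp:KerberosToken} assertions inside a
 * {@code sp:SymmetricBinding}.
 *
 * <p>The positive test feeds the {@link PolicyEnforcer} a set of security events that
 * satisfies the policy; the negative test presents a signature token whose value type does
 * not match the asserted {@code WssKerberosV5ApReqToken11} profile and checks that the
 * enforcer rejects the operation (fails closed) instead of accepting it.
 */
public class KerberosTokenTest extends AbstractPolicyTestBase {

    /** Issuer name used both in the policy and on the token events. */
    private static final String ISSUER_NAME = "xs:anyURI";

    /** Message the enforcer reports when the Kerberos token profile assertion is violated. */
    private static final String EXPECTED_VIOLATION_MESSAGE = "Policy enforces WssKerberosV5ApReqToken11";

    /**
     * Builds a SymmetricBinding policy whose signature and encryption tokens are both Kerberos
     * tokens asserting {@code WssKerberosV5ApReqToken11} with a {@code Basic256} algorithm suite.
     *
     * @param requireKeyIdentifierReference whether to add {@code sp:RequireKeyIdentifierReference}
     *        to both token assertions
     * @return the policy document as a string
     */
    private static String buildKerberosPolicy(boolean requireKeyIdentifierReference) {
        // The same token assertion is used for the encryption and the signature token.
        String kerberosToken =
            "<sp:KerberosToken>\n"
            + "  <sp:IssuerName>" + ISSUER_NAME + "</sp:IssuerName>\n"
            + "  <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + (requireKeyIdentifierReference ? "    <sp:RequireKeyIdentifierReference/>\n" : "")
            + "    <sp:WssKerberosV5ApReqToken11/>\n"
            + "  </wsp:Policy>\n"
            + "</sp:KerberosToken>\n";

        return "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\""
            + " xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
            + "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + "<sp:EncryptionToken>\n"
            + "  <wsp:Policy>\n"
            + kerberosToken
            + "  </wsp:Policy>\n"
            + "</sp:EncryptionToken>\n"
            + "<sp:SignatureToken>\n"
            + "  <wsp:Policy>\n"
            + kerberosToken
            + "  </wsp:Policy>\n"
            + "</sp:SignatureToken>\n"
            + "<sp:AlgorithmSuite>\n"
            + "  <wsp:Policy>\n"
            + "    <sp:Basic256/>\n"
            + "  </wsp:Policy>\n"
            + "</sp:AlgorithmSuite>\n"
            + "</wsp:Policy>\n"
            + "</sp:SymmetricBinding>";
    }

    /**
     * Wraps {@code token} in a {@link KerberosTokenSecurityEvent} carrying {@link #ISSUER_NAME}
     * and registers it with the enforcer.
     *
     * @param policyEnforcer the enforcer under test
     * @param token the Kerberos token to announce
     * @return the registered event, so callers can retrieve the token it carries
     * @throws WSSecurityException if the enforcer rejects the event
     */
    private static KerberosTokenSecurityEvent registerKerberosToken(
            PolicyEnforcer policyEnforcer, KerberosServiceSecurityTokenImpl token) throws WSSecurityException {
        KerberosTokenSecurityEvent tokenEvent = new KerberosTokenSecurityEvent();
        tokenEvent.setIssuerName(ISSUER_NAME);
        tokenEvent.setSecurityToken(token);
        policyEnforcer.registerSecurityEvent(tokenEvent);
        return tokenEvent;
    }

    /**
     * Registers the events describing a SOAP 1.1 body that was signed and then content-encrypted
     * with {@code token}, in that protection order.
     *
     * @param policyEnforcer the enforcer under test
     * @param token the token that protected the body
     * @throws WSSecurityException if the enforcer rejects one of the events
     */
    private static void registerProtectedBodyEvents(PolicyEnforcer policyEnforcer, InboundSecurityToken token)
            throws WSSecurityException {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(token, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(token, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /**
     * Creates the operation event whose registration triggers the policy evaluation in the
     * negative test.
     *
     * @return an operation event for the {@code definitions} operation
     */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * A signature and an encryption token that both use the plain AP-REQ value type and an
     * embedded key-identifier reference satisfy a policy asserting
     * {@code RequireKeyIdentifierReference} and {@code WssKerberosV5ApReqToken11}.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(buildKerberosPolicy(true));

        KerberosServiceSecurityTokenImpl signatureToken =
            new KerberosServiceSecurityTokenImpl(null, null, null, WSSConstants.NS_KERBEROS5_AP_REQ,
                IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
        signatureToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerKerberosToken(policyEnforcer, signatureToken);

        KerberosServiceSecurityTokenImpl encryptionToken =
            new KerberosServiceSecurityTokenImpl(null, null, null, WSSConstants.NS_KERBEROS5_AP_REQ,
                IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
        encryptionToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        KerberosTokenSecurityEvent recipientTokenSecurityEvent = registerKerberosToken(policyEnforcer, encryptionToken);

        registerProtectedBodyEvents(
            policyEnforcer, (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());
        policyEnforcer.registerSecurityEvent(newOperationEvent());

        policyEnforcer.doFinal();
    }

    /**
     * The signature token carries the GSS AP-REQ value type while the policy asserts
     * {@code WssKerberosV5ApReqToken11}; the enforcer must reject the operation with a
     * {@link WSSecurityException} rather than let a token of the wrong profile through.
     * The policy does not assert {@code RequireKeyIdentifierReference}, so the thumbprint
     * references on the tokens are not what is being rejected here (see the expected message).
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(buildKerberosPolicy(false));

        KerberosServiceSecurityTokenImpl signatureToken =
            new KerberosServiceSecurityTokenImpl(null, null, null, WSSConstants.NS_GSS_KERBEROS5_AP_REQ,
                IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER);
        signatureToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerKerberosToken(policyEnforcer, signatureToken);

        KerberosServiceSecurityTokenImpl encryptionToken =
            new KerberosServiceSecurityTokenImpl(null, null, null, WSSConstants.NS_KERBEROS5_AP_REQ,
                IDGenerator.generateID(null), WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER);
        encryptionToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        KerberosTokenSecurityEvent recipientTokenSecurityEvent = registerKerberosToken(policyEnforcer, encryptionToken);

        registerProtectedBodyEvents(
            policyEnforcer, (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());

        // The violation surfaces when the operation event is registered, before doFinal().
        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // assertEquals takes (expected, actual); the original had them swapped, which
            // produces a misleading "expected X but was Y" report on failure.
            assertEquals(EXPECTED_VIOLATION_MESSAGE, e.getMessage());
        }
    }
}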