ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1172285 [39/48] - in /webservices/wss4j/branches/swssf: ./ cxf-integration/ cxf-integration/src/ cxf-integration/src/main/ cxf-integration/src/main/java/ cxf-integration/src/main/java/org/ cxf-integration/src/main/java/org/swssf/ cxf-integ...
Date Sun, 18 Sep 2011 13:51:36 GMT
Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TimestampTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TrimmerOutputStreamTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TrimmerOutputStreamTest.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TrimmerOutputStreamTest.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TrimmerOutputStreamTest.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,78 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.test;
+
+import org.swssf.impl.util.TrimmerOutputStream;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.io.ByteArrayOutputStream;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class TrimmerOutputStreamTest {
+
+    private final String testString = "Within this class we test if the TrimmerOutputStream works correctly under different conditions";
+
+    @Test
+    public void testWriteSingleBytes() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        TrimmerOutputStream trimmerOutputStream = new TrimmerOutputStream(baos, 32, 3, 4);
+
+        byte[] testStringBytes = ("<a>" + testString + "</a>").getBytes();
+        for (int i = 0; i < testStringBytes.length; i++) {
+            trimmerOutputStream.write(testStringBytes[i]);
+        }
+        trimmerOutputStream.close();
+
+        Assert.assertEquals(baos.size(), testStringBytes.length - 7);
+        Assert.assertEquals(baos.toString(), testString);
+    }
+
+    @Test
+    public void testWriteRandomByteSizes() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        TrimmerOutputStream trimmerOutputStream = new TrimmerOutputStream(baos, 32, 3, 4);
+
+        StringBuilder stringBuffer = new StringBuilder("<a>");
+        for (int i = 0; i < 100; i++) {
+            stringBuffer.append(testString);
+        }
+        stringBuffer.append("</a>");
+
+        byte[] testStringBytes = stringBuffer.toString().getBytes();
+
+        int written = 0;
+        int count = 0;
+        do {
+            count++;
+            trimmerOutputStream.write(testStringBytes, written, count);
+            written += count;
+        }
+        while ((written + count + 1) < testStringBytes.length);
+
+        trimmerOutputStream.write(testStringBytes, written, testStringBytes.length - written);
+        trimmerOutputStream.close();
+
+        Assert.assertEquals(baos.size(), testStringBytes.length - 7);
+        Assert.assertEquals(baos.toString(), stringBuffer.toString().substring(3, stringBuffer.length() - 4));
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/TrimmerOutputStreamTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UncategorizedTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UncategorizedTest.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UncategorizedTest.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UncategorizedTest.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.test;
+
+import org.swssf.config.Init;
+import org.swssf.ext.WSSecurityException;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import java.net.URL;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class UncategorizedTest extends AbstractTestBase {
+
+    @Test
+    public void testConfigurationLoadFromUrl() throws Exception {
+        URL url = this.getClass().getClassLoader().getResource("testdata/plain-soap-1.1.xml");
+        try {
+            Init.init(url);
+            Assert.fail();
+        } catch (WSSecurityException e) {
+            Assert.assertEquals(e.getMessage(), "General security error; nested exception is: \n" +
+                    "\tjavax.xml.bind.UnmarshalException\n" +
+                    " - with linked exception:\n" +
+                    "[org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'env:Envelope'.]");
+        }
+    }
+
+    /*@Test(invocationCount = 1)
+    public void testRandomInput() throws Exception {
+
+        String[] schemas = new String[4];
+        schemas[0] = "src/main/resources/schemas/xenc-schema.xsd";
+        schemas[1] = "src/main/resources/schemas/xmldsig-core-schema.xsd";
+        schemas[2] = "src/main/resources/schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+        schemas[3] = "src/main/resources/schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+
+        XMLGen xmlGen = new XMLGen(schemas);
+
+        javax.xml.transform.Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+
+         org.w3c.dom.Document w3cDoc = null;
+
+        Result streamResult = new StreamResult(new FileOutputStream("xml.xml", true));
+
+        SecurityProperties securityProperties = new SecurityProperties();
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+        while (true) {
+            try {
+                Document doc = xmlGen.getRandom("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "Security");
+
+                w3cDoc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+
+                transformer.transform(new DocumentSource(doc), new DOMResult(w3cDoc));
+
+                Element envelope = w3cDoc.createElementNS(Constants.NS_SOAP11, Constants.TAG_soap_Envelope_LocalName);
+                Element header = w3cDoc.createElementNS(Constants.NS_SOAP11, Constants.TAG_soap_Header_LocalName);
+                Element body = w3cDoc.createElementNS(Constants.NS_SOAP11, Constants.TAG_soap_Body_LocalName);
+                body.setAttributeNS(Constants.NS_WSU10, Constants.ATT_wsu_Id.getLocalPart(), "1");
+
+                header.appendChild(w3cDoc.getDocumentElement());
+                w3cDoc.appendChild(envelope);
+                envelope.appendChild(header);
+                envelope.appendChild(body);
+
+                //transformer.transform(new DOMSource(w3cDoc), streamResult);
+
+                org.w3c.dom.Document document = doInboundSecurity(securityProperties, new CustomW3CDOMStreamReader(w3cDoc));
+            } catch (Exception e) {
+
+                System.out.println(e);
+                if (e instanceof RuntimeException) {
+                    transformer.transform(new DOMSource(w3cDoc), new StreamResult(System.out));
+                    throw e;
+                }
+                int i = 0;
+                Throwable cause = e;
+                while (cause != null && i < 10) {
+                    if (cause instanceof NullPointerException) {
+                        throw e;
+                    }
+                    i++;
+                    cause = cause.getCause();
+                }
+            }
+        }
+    }*/
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UncategorizedTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UsernameTokenTest.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UsernameTokenTest.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UsernameTokenTest.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,476 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.test;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.swssf.WSSec;
+import org.swssf.ext.*;
+import org.swssf.impl.securityToken.UsernameSecurityToken;
+import org.swssf.securityEvent.SecurityEvent;
+import org.swssf.securityEvent.SecurityEventListener;
+import org.swssf.securityEvent.UsernameTokenSecurityEvent;
+import org.swssf.test.utils.StAX2DOM;
+import org.swssf.test.utils.XmlReaderToWriter;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.stream.XMLStreamWriter;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Properties;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class UsernameTokenTest extends AbstractTestBase {
+
+    @Test
+    public void testDefaultConfigurationInbound() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            Properties properties = new Properties();
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(((Element) nodeList.item(0)).getAttribute(Constants.ATT_NULL_Type.getLocalPart()), Constants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+            //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+        }
+    }
+
+    @Test
+    public void testWrongUsername() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            Properties properties = new Properties();
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl("wrongUsername"));
+            //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("Expected XMLStreamException");
+            } catch (XMLStreamException e) {
+                Assert.assertNotNull(e.getCause());
+                Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+                Assert.assertEquals(e.getCause().getMessage(), "The security token could not be authenticated or authorized");
+            }
+        }
+    }
+
+    //Username can't be checked in swssf, it must be done via SecurityEvent
+    @Test
+    public void testInboundPW_TEXT() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            Properties properties = new Properties();
+            properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(((Element) nodeList.item(0)).getAttribute(Constants.ATT_NULL_Type.getLocalPart()), Constants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl("username"));
+            //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+
+            SecurityEventListener securityEventListener = new SecurityEventListener() {
+                public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+                    if (securityEvent instanceof UsernameTokenSecurityEvent) {
+                        UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) securityEvent;
+                        if (!"username".equals(((UsernameSecurityToken) usernameTokenSecurityEvent.getSecurityToken()).getUsername())) {
+                            throw new WSSecurityException("Wrong username");
+                        }
+                    }
+                }
+            };
+
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())), new ArrayList<SecurityEvent>(), securityEventListener);
+
+            try {
+                Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("Expected XMLStreamException");
+            } catch (XMLStreamException e) {
+                Assert.assertEquals(e.getMessage(), "org.swssf.ext.WSSecurityException: Wrong username");
+            }
+        }
+    }
+
+    //wss4j bug. PWNONE throws an NPE...
+    /*@Test
+    public void testInboundPWNONE() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            Properties properties = new Properties();
+            properties.setProperty(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_NONE);
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+            //securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+        }
+    }
+    */
+
+    @Test
+    public void testInboundUT_SIGN() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SIGN_WITH_UT_KEY;
+            Properties properties = new Properties();
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+        }
+    }
+
+    @Test
+    public void testReusedNonce() throws Exception {
+        String req = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+                "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
+                "    <env:Header>" +
+                "       <wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" env:mustUnderstand=\"1\">" +
+                "           <wsse:UsernameToken wsu:Id=\"UsernameToken-1\">" +
+                "               <wsse:Username>transmitter</wsse:Username>" +
+                "               <wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\">HJuU+E+LKyZyC7k1BX7GF7kyACY=</wsse:Password>" +
+                "               <wsse:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">Ex2YESUvsa1qne1m6TM8XA==</wsse:Nonce>" +
+                "               <wsu:Created>2011-05-21T17:14:42.545Z</wsu:Created>" +
+                "           </wsse:UsernameToken>" +
+                "       </wsse:Security>\n" +
+                "    </env:Header>\n" +
+                "    <env:Body>\n" +
+                "    </env:Body>\n" +
+                "</env:Envelope>";
+
+        SecurityProperties securityProperties = new SecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+        XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
+        StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+        try {
+            xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(req.getBytes())));
+            StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Assert.assertEquals(e.getMessage(), "org.swssf.ext.WSSecurityException: The security token could not be authenticated or authorized");
+        }
+    }
+
+    @Test
+    public void testDefaultConfigurationOutbound() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            Constants.Action[] actions = new Constants.Action[]{Constants.Action.USERNAMETOKEN};
+            securityProperties.setOutAction(actions);
+            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+            securityProperties.setTokenUser("transmitter");
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
+            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
+            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
+            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+            xmlStreamWriter.close();
+
+            Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(((Element) nodeList.item(0)).getAttribute(Constants.ATT_NULL_Type.getLocalPart()), Constants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
+        }
+
+        //done UsernameToken; now verification:
+        {
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+        }
+    }
+
+    @Test
+    public void testOutboundPW_NONE() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            Constants.Action[] actions = new Constants.Action[]{Constants.Action.USERNAMETOKEN};
+            securityProperties.setOutAction(actions);
+            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+            securityProperties.setTokenUser("transmitter");
+            securityProperties.setUsernameTokenPasswordType(Constants.UsernameTokenPasswordType.PASSWORD_NONE);
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
+            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
+            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
+            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+            xmlStreamWriter.close();
+
+            Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 0);
+        }
+
+        //done UsernameToken; now verification:
+        {
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+        }
+    }
+
+    @Test
+    public void testOutboundPW_TEXT() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            Constants.Action[] actions = new Constants.Action[]{Constants.Action.USERNAMETOKEN};
+            securityProperties.setOutAction(actions);
+            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+            securityProperties.setTokenUser("transmitter");
+            securityProperties.setUsernameTokenPasswordType(Constants.UsernameTokenPasswordType.PASSWORD_TEXT);
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
+            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
+            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
+            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+            xmlStreamWriter.close();
+
+            Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(((Element) nodeList.item(0)).getAttribute(Constants.ATT_NULL_Type.getLocalPart()), Constants.UsernameTokenPasswordType.PASSWORD_TEXT.getNamespace());
+        }
+
+        //done UsernameToken; now verification:
+        {
+            String action = WSHandlerConstants.USERNAME_TOKEN;
+            doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+        }
+    }
+
+    @Test
+    public void testOutboundSign() throws Exception {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            Constants.Action[] actions = new Constants.Action[]{Constants.Action.USERNAMETOKEN_SIGNED};
+            securityProperties.setOutAction(actions);
+            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+            securityProperties.setTokenUser("transmitter");
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
+            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
+            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
+            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+            xmlStreamWriter.close();
+
+            Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_dsig_Signature.getNamespaceURI(), Constants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(((Element) nodeList.item(0)).getAttribute(Constants.ATT_NULL_Type.getLocalPart()), Constants.UsernameTokenPasswordType.PASSWORD_DIGEST.getNamespace());
+
+            nodeList = document.getElementsByTagNameNS(Constants.TAG_dsig_Reference.getNamespaceURI(), Constants.TAG_dsig_Reference.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+
+            nodeList = document.getElementsByTagNameNS(Constants.NS_SOAP11, Constants.TAG_soap_Body_LocalName);
+            Assert.assertEquals(nodeList.getLength(), 1);
+            String idAttrValue = ((Element) nodeList.item(0)).getAttributeNS(Constants.ATT_wsu_Id.getNamespaceURI(), Constants.ATT_wsu_Id.getLocalPart());
+            Assert.assertNotNull(idAttrValue);
+            Assert.assertTrue(idAttrValue.startsWith("id-"), "wsu:id Attribute doesn't start with id");
+        }
+
+        //done UsernameToken; now verification:
+        {
+            String action = WSHandlerConstants.SIGN_WITH_UT_KEY + " " + WSHandlerConstants.USERNAME_TOKEN;
+            doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+        }
+    }
+
+    @Test
+    public void testInboundOutboundPW_NONE() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            Constants.Action[] actions = new Constants.Action[]{Constants.Action.USERNAMETOKEN};
+            securityProperties.setOutAction(actions);
+            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+            securityProperties.setTokenUser("transmitter");
+            securityProperties.setUsernameTokenPasswordType(Constants.UsernameTokenPasswordType.PASSWORD_NONE);
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
+            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
+            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
+            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
+            xmlStreamWriter.close();
+
+            Document securedDocument = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_wsse_Password.getNamespaceURI(), Constants.TAG_wsse_Password.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 0);
+        }
+
+        //done UsernameToken; now verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(Constants.TAG_wsse_UsernameToken.getNamespaceURI(), Constants.TAG_wsse_UsernameToken.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+        }
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/UsernameTokenTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/VulnerabliltyVectorsTest.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/VulnerabliltyVectorsTest.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/VulnerabliltyVectorsTest.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,305 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.test;
+
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.swssf.WSSec;
+import org.swssf.ext.Constants;
+import org.swssf.ext.InboundWSSec;
+import org.swssf.ext.SecurityProperties;
+import org.swssf.ext.WSSecurityException;
+import org.swssf.test.utils.StAX2DOM;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.w3c.dom.Attr;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.util.Properties;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class VulnerabliltyVectorsTest extends AbstractTestBase {
+
+    /**
+     * Tests if the framework is vulnerable to recursive key references
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testRecursiveKeyReferencesDOS() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+        XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey");
+        Element encryptedKeyElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+        encryptedKeyElement.removeAttribute("Id");
+        encryptedKeyElement.setAttribute("Id", "2");
+
+        xPathExpression = getXPath(".//dsig:X509Data");
+        Element keyIdentifierElement = (Element) xPathExpression.evaluate(encryptedKeyElement, XPathConstants.NODE);
+        Element securityTokenReferenceElement = (Element) keyIdentifierElement.getParentNode();
+        securityTokenReferenceElement.removeChild(keyIdentifierElement);
+        //wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-1483925398"/>
+        Element referenceElement = securedDocument.createElementNS(Constants.TAG_wsse_Reference.getNamespaceURI(), Constants.TAG_wsse_Reference.getLocalPart());
+        referenceElement.setAttribute("URI", "#1");
+        securityTokenReferenceElement.appendChild(referenceElement);
+
+        Element clonedEncryptedElement = (Element) encryptedKeyElement.cloneNode(true);
+        clonedEncryptedElement.removeAttribute("Id");
+        clonedEncryptedElement.setAttribute("Id", "1");
+
+        xPathExpression = getXPath(".//wsse:Reference");
+        Element newReferenceElement = (Element) xPathExpression.evaluate(clonedEncryptedElement, XPathConstants.NODE);
+        newReferenceElement.removeAttribute("URI");
+        newReferenceElement.setAttribute("URI", "#2");
+
+        Element securityHeaderNode = (Element) encryptedKeyElement.getParentNode();
+        securityHeaderNode.insertBefore(clonedEncryptedElement, encryptedKeyElement);
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        SecurityProperties securityProperties = new SecurityProperties();
+        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+        securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+        try {
+            Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Throwable throwable = e.getCause();
+            Assert.assertNotNull(throwable);
+            Assert.assertTrue(throwable instanceof WSSecurityException);
+            //we expect a "No SecurityToken found" since WSS says that a token must be declared before use.
+            //the declare before use is in the nature of streaming xml-security and therefore expected
+            //Assert.assertEquals(throwable.getMessage(), "An invalid security token was provided");
+            Assert.assertEquals(throwable.getMessage(), "Referenced security token could not be retrieved (Reference \"2\")");
+        }
+    }
+
+    /*
+    Todo correct this test.
+    @Test
+    public void testRecursiveKeyReferencesDOS2() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+        XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey");
+        Element encryptedKeyElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+        encryptedKeyElement.removeAttribute("Id");
+        encryptedKeyElement.setAttribute("Id", "2");
+
+        xPathExpression = getXPath(".//dsig:X509Data");
+        Element keyIdentifierElement = (Element) xPathExpression.evaluate(encryptedKeyElement, XPathConstants.NODE);
+        Element securityTokenReferenceElement = (Element) keyIdentifierElement.getParentNode();
+        securityTokenReferenceElement.removeChild(keyIdentifierElement);
+        //wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#EncKeyId-1483925398"/>
+        Element referenceElement = securedDocument.createElementNS(Constants.TAG_wsse_Reference.getNamespaceURI(), Constants.TAG_wsse_Reference.getLocalPart());
+        referenceElement.setAttribute("URI", "#1");
+        securityTokenReferenceElement.appendChild(referenceElement);
+
+        Element clonedEncryptedElement = (Element) encryptedKeyElement.cloneNode(true);
+        clonedEncryptedElement.removeAttribute("Id");
+        clonedEncryptedElement.setAttribute("Id", "1");
+
+        xPathExpression = getXPath(".//wsse:Reference");
+        Element newReferenceElement = (Element) xPathExpression.evaluate(clonedEncryptedElement, XPathConstants.NODE);
+        newReferenceElement.removeAttribute("URI");
+        newReferenceElement.setAttribute("URI", "#2");
+
+        Element securityHeaderNode = (Element) encryptedKeyElement.getParentNode();
+        securityHeaderNode.insertBefore(clonedEncryptedElement, encryptedKeyElement);
+
+        doInboundSecurityWithWSS4J(securedDocument, WSHandlerConstants.ENCRYPT);
+    }
+    */
+
+    /**
+     * Since we don't support (yet) external URI refs this shouldn't be a problem.
+     * <p/>
+     * todo this test modifies signed content. test with encryption uri's or so
+     *
+     * @throws Exception
+     */
+    @Test
+    public void test_publicURIReferenceDOS() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        properties.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+        XPathExpression xPathExpression = getXPath("//@URI");
+        Attr uri = (Attr) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+        uri.setNodeValue("http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.23.tar.gz");
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        SecurityProperties inSecurityProperties = new SecurityProperties();
+        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+        try {
+            Document document = doInboundSecurity(inSecurityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            Throwable throwable = e.getCause();
+            Assert.assertNotNull(throwable);
+            Assert.assertTrue(throwable instanceof WSSecurityException);
+            Assert.assertTrue(throwable.getMessage().startsWith("The signature or decryption was invalid (Digest verification failed"));
+        }
+    }
+
+    @Test
+    public void testTransformationCodeInjection() throws Exception {
+        //todo when stream-xml-sec signature supports transformations
+        //probably we never will. This is a big security hole!
+    }
+
+    /*
+    ** This test cannot be done here. We rely on the correct settings of the
+    * XMLStreamReader which is taken over us. @see InboundWSSec#processInMessage
+
+    @Test
+    public void test_DosAttackWithRecursiveEntity() throws Exception {
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+
+        String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT;
+        Properties properties = new Properties();
+        properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+        properties.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+        Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+        XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header");
+        Element headerElement = (Element) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+        Element newElement = securedDocument.createElement("test");
+        headerElement.appendChild(newElement);
+        
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        InputStream dtd = this.getClass().getClassLoader().getResourceAsStream("testdata/recursiveDTD.txt");
+        byte[] buff = new byte[1024];
+        int read = 0;
+        while ((read = dtd.read(buff)) != -1) {
+            baos.write(buff, 0, read);
+        }
+        dtd.close();
+
+        Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+        transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+
+        String soap = new String(baos.toByteArray(), "utf-8");
+        soap = soap.replaceFirst("<test/>", "<test>&x100;</test>");
+
+        System.out.println(soap);
+
+        SecurityProperties inSecurityProperties = new SecurityProperties();
+        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+
+        try {
+            Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(soap.getBytes()));
+            Assert.fail("Expected XMLStreamException");
+        } catch (XMLStreamException e) {
+            System.out.println(e.getMessage());
+            e.printStackTrace();
+            Throwable throwable = e.getCause();
+            Assert.assertNotNull(throwable);
+            Assert.assertTrue(throwable instanceof WSSecurityException);
+            throwable = throwable.getCause();
+            Assert.assertNotNull(throwable);
+            Assert.assertTrue(throwable instanceof PolicyViolationException);
+            throwable = throwable.getCause();
+            Assert.assertNotNull(throwable);
+            Assert.assertTrue(throwable instanceof PolicyViolationException);
+            Assert.assertEquals(throwable.getMessage(), "No policy alternative could be satisfied");
+        }
+    }
+    */
+
+    @Test
+    public void testReplayAttackInbound() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE;
+            Properties properties = new Properties();
+            properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(Constants.TAG_dsig_Signature.getNamespaceURI(), Constants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), Constants.TAG_wsse_Security.getLocalPart());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done signature; now test sig-verification:
+        {
+            SecurityProperties securityProperties = new SecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+            StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+
+            try {
+                xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("Expected XMLStreamException");
+            } catch (XMLStreamException e) {
+                Assert.assertEquals(e.getMessage(), "org.swssf.ext.WSSecurityException: The message has expired");
+            }
+        }
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/VulnerabliltyVectorsTest.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/WSS4JCallbackHandlerImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/WSS4JCallbackHandlerImpl.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/WSS4JCallbackHandlerImpl.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/WSS4JCallbackHandlerImpl.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.test;
+
+import org.apache.ws.security.WSPasswordCallback;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+
+/**
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class WSS4JCallbackHandlerImpl implements CallbackHandler {
+
+    private byte[] secret;
+
+    public WSS4JCallbackHandlerImpl() {
+    }
+
+    public WSS4JCallbackHandlerImpl(byte[] secret) {
+        this.secret = secret;
+    }
+
+    public void handle(javax.security.auth.callback.Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+        org.apache.ws.security.WSPasswordCallback pc = (org.apache.ws.security.WSPasswordCallback) callbacks[0];
+
+//        if (pc.getUsage() == org.apache.ws.security.WSPasswordCallback.DECRYPT || pc.getUsage() == org.apache.ws.security.WSPasswordCallback.SIGNATURE) {
+        pc.setPassword("default");
+/*        } else {
+            throw new UnsupportedCallbackException(pc, "Unrecognized CallbackHandlerImpl");
+        }
+*/
+        if (pc.getUsage() == WSPasswordCallback.SECURITY_CONTEXT_TOKEN) {
+            pc.setKey(secret);
+        }
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/WSS4JCallbackHandlerImpl.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,149 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.swssf.test.saml;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.*;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+/**
+ * A base implementation of a Callback Handler for a SAML assertion. By default it creates an
+ * authentication assertion.
+ */
+public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
+
+    public enum Statement {
+        AUTHN, ATTR, AUTHZ
+    }
+
+    protected String subjectName = null;
+    protected String subjectQualifier = null;
+    protected String confirmationMethod = null;
+    protected X509Certificate[] certs;
+    protected Statement statement = Statement.AUTHN;
+    protected CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT;
+    protected byte[] ephemeralKey = null;
+    protected String issuer = null;
+
+    public void setConfirmationMethod(String confMethod) {
+        confirmationMethod = confMethod;
+    }
+
+    public void setStatement(Statement statement) {
+        this.statement = statement;
+    }
+
+    public void setCertIdentifier(CERT_IDENTIFIER certIdentifier) {
+        this.certIdentifier = certIdentifier;
+    }
+
+    public void setCerts(X509Certificate[] certs) {
+        this.certs = certs;
+    }
+
+    public byte[] getEphemeralKey() {
+        return ephemeralKey;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+
+    /**
+     * Note that the SubjectBean parameter should be null for SAML2.0
+     */
+    protected void createAndSetStatement(SubjectBean subjectBean, SAMLCallback callback) {
+        if (statement == Statement.AUTHN) {
+            AuthenticationStatementBean authBean = new AuthenticationStatementBean();
+            if (subjectBean != null) {
+                authBean.setSubject(subjectBean);
+            }
+            authBean.setAuthenticationMethod("Password");
+            callback.setAuthenticationStatementData(Collections.singletonList(authBean));
+        } else if (statement == Statement.ATTR) {
+            AttributeStatementBean attrBean = new AttributeStatementBean();
+            if (subjectBean != null) {
+                attrBean.setSubject(subjectBean);
+            }
+            AttributeBean attributeBean = new AttributeBean();
+            attributeBean.setSimpleName("role");
+            attributeBean.setAttributeValues(Collections.singletonList("user"));
+            attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
+            callback.setAttributeStatementData(Collections.singletonList(attrBean));
+        } else {
+            AuthDecisionStatementBean authzBean = new AuthDecisionStatementBean();
+            if (subjectBean != null) {
+                authzBean.setSubject(subjectBean);
+            }
+            ActionBean actionBean = new ActionBean();
+            actionBean.setContents("Read");
+            authzBean.setActions(Collections.singletonList(actionBean));
+            authzBean.setResource("endpoint");
+            authzBean.setDecision(AuthDecisionStatementBean.Decision.PERMIT);
+            callback.setAuthDecisionStatementData(Collections.singletonList(authzBean));
+        }
+    }
+
+    protected KeyInfoBean createKeyInfo() throws Exception {
+        KeyInfoBean keyInfo = new KeyInfoBean();
+        if (statement == Statement.AUTHN) {
+            keyInfo.setCertificate(certs[0]);
+            keyInfo.setCertIdentifer(certIdentifier);
+        } else if (statement == Statement.ATTR) {
+            // Build a new Document
+            DocumentBuilderFactory docBuilderFactory =
+                    DocumentBuilderFactory.newInstance();
+            docBuilderFactory.setNamespaceAware(true);
+            DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+            Document doc = docBuilder.newDocument();
+
+            // Create an Encrypted Key
+            WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+            encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
+            encrKey.setUseThisCert(certs[0]);
+            encrKey.prepare(doc, null);
+            ephemeralKey = encrKey.getEphemeralKey();
+            Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
+
+            // Append the EncryptedKey to a KeyInfo element
+            Element keyInfoElement =
+                    doc.createElementNS(
+                            WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
+                    );
+            keyInfoElement.setAttributeNS(
+                    WSConstants.XMLNS_NS, "xmlns:" + WSConstants.SIG_PREFIX, WSConstants.SIG_NS
+            );
+            keyInfoElement.appendChild(encryptedKeyElement);
+
+            keyInfo.setElement(keyInfoElement);
+        }
+        return keyInfo;
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java
------------------------------------------------------------------------------
    svn:executable = *

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/AbstractSAMLCallbackHandler.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,79 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.swssf.test.saml;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.AuthenticationStatementBean;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
+import org.apache.ws.security.saml.ext.bean.SubjectBean;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.opensaml.common.SAMLVersion;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+/**
+ * A Callback Handler implementation for a SAML 1.1 authentication assertion using
+ * Holder of Key.
+ */
+public class SAML1AuthnHOKHandler implements CallbackHandler {
+
+    private String subjectName = "uid=joe,ou=people,ou=saml-demo,o=example.com";
+    private String subjectQualifier = "www.example.com";
+    private X509Certificate[] certs;
+
+    public SAML1AuthnHOKHandler() throws WSSecurityException {
+        Crypto crypto = CryptoFactory.getInstance("saml/saml-signed.properties");
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("transmitter");
+        certs = crypto.getX509Certificates(cryptoType);
+    }
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof SAMLCallback) {
+                SAMLCallback callback = (SAMLCallback) callbacks[i];
+                callback.setSamlVersion(SAMLVersion.VERSION_11);
+                SubjectBean subjectBean =
+                        new SubjectBean(
+                                subjectName, subjectQualifier, SAML1Constants.CONF_HOLDER_KEY
+                        );
+                KeyInfoBean keyInfo = new KeyInfoBean();
+                keyInfo.setCertificate(certs[0]);
+                subjectBean.setKeyInfo(keyInfo);
+                AuthenticationStatementBean authBean = new AuthenticationStatementBean();
+                authBean.setSubject(subjectBean);
+                authBean.setAuthenticationMethod("Password");
+                callback.setAuthenticationStatementData(Collections.singletonList(authBean));
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java
------------------------------------------------------------------------------
    svn:executable = *

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1AuthnHOKHandler.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,80 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.swssf.test.saml;
+
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
+import org.apache.ws.security.saml.ext.bean.SubjectBean;
+import org.apache.ws.security.saml.ext.builder.SAML1Constants;
+import org.opensaml.common.SAMLVersion;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+
+/**
+ * A Callback Handler implementation for a SAML 1.1 assertion. By default it creates an
+ * authentication assertion using Sender Vouches.
+ */
+public class SAML1CallbackHandler extends AbstractSAMLCallbackHandler {
+
+    public SAML1CallbackHandler() throws Exception {
+        if (certs == null) {
+            Crypto crypto = CryptoFactory.getInstance("saml/saml-signed.properties");
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            cryptoType.setAlias("transmitter");
+            certs = crypto.getX509Certificates(cryptoType);
+        }
+
+        subjectName = "uid=joe,ou=people,ou=saml-demo,o=example.com";
+        subjectQualifier = "www.example.com";
+        confirmationMethod = SAML1Constants.CONF_SENDER_VOUCHES;
+    }
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof SAMLCallback) {
+                SAMLCallback callback = (SAMLCallback) callbacks[i];
+                callback.setSamlVersion(SAMLVersion.VERSION_11);
+                callback.setIssuer(issuer);
+                SubjectBean subjectBean =
+                        new SubjectBean(
+                                subjectName, subjectQualifier, confirmationMethod
+                        );
+                if (SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
+                    try {
+                        KeyInfoBean keyInfo = createKeyInfo();
+                        subjectBean.setKeyInfo(keyInfo);
+                    } catch (Exception ex) {
+                        throw new IOException("Problem creating KeyInfo: " + ex.getMessage());
+                    }
+                }
+                createAndSetStatement(subjectBean, callback);
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java
------------------------------------------------------------------------------
    svn:executable = *

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML1CallbackHandler.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java?rev=1172285&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java Sun Sep 18 13:51:23 2011
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.swssf.test.saml;
+
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
+import org.apache.ws.security.saml.ext.bean.SubjectBean;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+import org.opensaml.common.SAMLVersion;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.IOException;
+
+/**
+ * A Callback Handler implementation for a SAML 2 assertion. By default it creates an
+ * authentication assertion using Sender Vouches.
+ */
+public class SAML2CallbackHandler extends AbstractSAMLCallbackHandler {
+
+    public SAML2CallbackHandler() throws Exception {
+        if (certs == null) {
+            Crypto crypto = CryptoFactory.getInstance("saml/saml-signed.properties");
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            cryptoType.setAlias("transmitter");
+            certs = crypto.getX509Certificates(cryptoType);
+        }
+
+        subjectName = "uid=joe,ou=people,ou=saml-demo,o=example.com";
+        subjectQualifier = "www.example.com";
+        confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+    }
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof SAMLCallback) {
+                SAMLCallback callback = (SAMLCallback) callbacks[i];
+                callback.setSamlVersion(SAMLVersion.VERSION_20);
+                callback.setIssuer(issuer);
+                SubjectBean subjectBean =
+                        new SubjectBean(
+                                subjectName, subjectQualifier, confirmationMethod
+                        );
+                if (SAML2Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
+                    try {
+                        KeyInfoBean keyInfo = createKeyInfo();
+                        subjectBean.setKeyInfo(keyInfo);
+                    } catch (Exception ex) {
+                        throw new IOException("Problem creating KeyInfo: " + ex.getMessage());
+                    }
+                }
+                callback.setSubject(subjectBean);
+                createAndSetStatement(null, callback);
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java
------------------------------------------------------------------------------
    svn:executable = *

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/test/saml/SAML2CallbackHandler.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision



Mime
View raw message