1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.test;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.ByteArrayOutputStream;
23  import java.io.InputStream;
24  import java.util.Properties;
25  
26  import javax.xml.stream.XMLStreamException;
27  import javax.xml.stream.XMLStreamReader;
28  import javax.xml.transform.dom.DOMSource;
29  import javax.xml.transform.stream.StreamResult;
30  
31  import org.apache.wss4j.common.ext.WSSecurityException;
32  import org.apache.wss4j.dom.WSConstants;
33  import org.apache.wss4j.dom.handler.WSHandlerConstants;
34  import org.apache.wss4j.stax.ext.WSSConstants;
35  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
36  import org.apache.wss4j.stax.setup.InboundWSSec;
37  import org.apache.wss4j.stax.setup.WSSec;
38  import org.apache.wss4j.stax.test.utils.StAX2DOM;
39  import org.junit.jupiter.api.Test;
40  import org.w3c.dom.Document;
41  import org.w3c.dom.Element;
42  import org.w3c.dom.NodeList;
43  
44  import static org.junit.jupiter.api.Assertions.assertEquals;
45  import static org.junit.jupiter.api.Assertions.assertNotNull;
46  import static org.junit.jupiter.api.Assertions.assertTrue;
47  import static org.junit.jupiter.api.Assertions.fail;
48  
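/**
 * Verifies that inbound StAX processing of a WS-Security UsernameToken enforces the
 * configured password type (plaintext or digest).
 *
 * <p>Each test secures a message with one password type and then reads it back three times:
 * with the matching required type (accepted), with no required type, i.e. {@code null}
 * (accepted), and with the other type (rejected with {@code FAILED_AUTHENTICATION}).
 *
 * <p>Security note: as these tests show, a {@code null} required type accepts both digest and
 * plaintext passwords, so a receiver that must refuse one of them has to set the required
 * type explicitly.
 */
public class PasswordTypeTest extends AbstractTestBase {

    /** Classpath location of the unsecured SOAP 1.1 message used as input. */
    private static final String PLAIN_SOAP_MESSAGE = "testdata/plain-soap-1.1.xml";

    /** Message expected on the WSSecurityException when the password type is refused. */
    private static final String AUTHENTICATION_FAILURE_MESSAGE =
        "The security token could not be authenticated or authorized";

    /**
     * A digest UsernameToken must be accepted when digest or nothing is required, and refused
     * when plaintext is required.
     */
    @Test
    public void testPasswordDigest() throws Exception {
        // No PASSWORD_TYPE property is set; the helper asserts the outbound side emitted a digest.
        byte[] securedMessage = createUsernameTokenMessage(
            new Properties(), WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);

        // It should pass with PASSWORD_DIGEST
        assertAccepted(securedMessage, WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);

        // It should pass with null
        assertAccepted(securedMessage, null);

        // It should fail with PASSWORD_TEXT
        assertRejected(securedMessage, WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);
    }

    /**
     * A plaintext UsernameToken must be accepted when plaintext or nothing is required, and
     * refused when digest is required.
     */
    @Test
    public void testPasswordText() throws Exception {
        Properties properties = new Properties();
        properties.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        byte[] securedMessage = createUsernameTokenMessage(
            properties, WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);

        // It should pass with PASSWORD_TEXT
        assertAccepted(securedMessage, WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT);

        // It should pass with null
        assertAccepted(securedMessage, null);

        // It should fail with PASSWORD_DIGEST
        assertRejected(securedMessage, WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
    }

    /**
     * Secures the plain SOAP test message with a UsernameToken and returns it serialized.
     *
     * @param properties outbound handler properties passed to the WSS4J DOM implementation
     * @param expectedType password type the generated {@code wsse:Password} element must carry
     * @return the secured message as bytes
     */
    private byte[] createUsernameTokenMessage(
        Properties properties, WSSConstants.UsernameTokenPasswordType expectedType) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // try-with-resources: the classpath stream is released once the secured DOM is built.
        try (InputStream sourceDocument =
                 this.getClass().getClassLoader().getResourceAsStream(PLAIN_SOAP_MESSAGE)) {
            assertNotNull(sourceDocument, "Test resource not found: " + PLAIN_SOAP_MESSAGE);
            Document securedDocument =
                doOutboundSecurityWithWSS4J(sourceDocument, WSHandlerConstants.USERNAME_TOKEN, properties);

            // Sanity checks: make sure the outbound side produced what the inbound checks rely on.
            NodeList nodeList = securedDocument.getElementsByTagNameNS(
                WSSConstants.TAG_WSSE_USERNAME_TOKEN.getNamespaceURI(),
                WSSConstants.TAG_WSSE_USERNAME_TOKEN.getLocalPart());
            assertTrue(nodeList.getLength() > 0, "No UsernameToken element in the secured message");
            assertEquals(
                WSSConstants.TAG_WSSE_SECURITY.getLocalPart(),
                nodeList.item(0).getParentNode().getLocalName());

            nodeList = securedDocument.getElementsByTagNameNS(
                WSSConstants.TAG_WSSE_PASSWORD.getNamespaceURI(),
                WSSConstants.TAG_WSSE_PASSWORD.getLocalPart());
            assertEquals(1, nodeList.getLength());
            assertEquals(
                expectedType.getNamespace(),
                ((Element) nodeList.item(0)).getAttributeNS(null, WSSConstants.ATT_NULL_Type.getLocalPart()));

            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
        }
        return baos.toByteArray();
    }

    /**
     * Builds inbound properties that require the given UsernameToken password type.
     *
     * @param requiredType the required password type, or {@code null} to set no requirement
     */
    private WSSSecurityProperties inboundProperties(WSSConstants.UsernameTokenPasswordType requiredType) {
        WSSSecurityProperties securityProperties = new WSSSecurityProperties();
        securityProperties.setCallbackHandler(new CallbackHandlerImpl());
        securityProperties.setUsernameTokenPasswordType(requiredType);
        return securityProperties;
    }

    /** Wraps the secured message in the security-processing stream reader of {@code wsSecIn}. */
    private XMLStreamReader openSecuredReader(InboundWSSec wsSecIn, byte[] securedMessage) throws Exception {
        return wsSecIn.processInMessage(
            xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(securedMessage)), null);
    }

    /** Asserts that the message is read completely without a security failure. */
    private void assertAccepted(
        byte[] securedMessage, WSSConstants.UsernameTokenPasswordType requiredType) throws Exception {
        InboundWSSec wsSecIn = WSSec.getInboundWSSec(inboundProperties(requiredType));
        XMLStreamReader xmlStreamReader = openSecuredReader(wsSecIn, securedMessage);

        StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
    }

    /**
     * Asserts that reading the message fails with {@code FAILED_AUTHENTICATION}.
     *
     * <p>The failure is expected while the stream is consumed, not when the reader is
     * created, so only the read is inside the {@code try}.
     */
    private void assertRejected(
        byte[] securedMessage, WSSConstants.UsernameTokenPasswordType requiredType) throws Exception {
        // NOTE(review): the three-argument overload is used only for the rejection case; the last
        // argument presumably makes the specific security error visible to the caller instead of a
        // generic one - confirm against WSSec.getInboundWSSec.
        InboundWSSec wsSecIn = WSSec.getInboundWSSec(inboundProperties(requiredType), false, true);
        XMLStreamReader xmlStreamReader = openSecuredReader(wsSecIn, securedMessage);

        try {
            StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
            fail("Expected XMLStreamException");
        } catch (XMLStreamException e) {
            assertNotNull(e.getCause());
            assertTrue(e.getCause() instanceof WSSecurityException);
            assertEquals(AUTHENTICATION_FAILURE_MESSAGE, e.getCause().getMessage());
            assertEquals(
                WSSecurityException.FAILED_AUTHENTICATION,
                ((WSSecurityException) e.getCause()).getFaultCode());
        }
    }
}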