org.apache.cxf.configuration.security.AuthorizationPolicy Java Examples
The following examples show how to use
org.apache.cxf.configuration.security.AuthorizationPolicy.
Example #1
Source File: UndertowHTTPDestinationTest.java From cxf with Apache License 2.0 | 6 votes |
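/**
 * Checks the protocol headers of the inbound message and the
 * {@link AuthorizationPolicy} attached to it.
 *
 * <p>Asserts that {@code content-type} carries exactly the two expected values, that the
 * authorization header carries exactly the expected Basic value, and that the policy on
 * the message holds the expected user name and password.
 *
 * @throws Exception declared for the test harness; nothing here throws it directly
 */
private void verifyRequestHeaders() throws Exception {
    Map<String, List<String>> requestHeaders =
        CastUtils.cast((Map<?, ?>)inMessage.get(Message.PROTOCOL_HEADERS));
    assertNotNull("expected request headers", requestHeaders);

    List<String> values = requestHeaders.get("content-type");
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 2, values.size());
    assertTrue("expected value", values.contains("text/xml"));
    assertTrue("expected value", values.contains("charset=utf8"));

    values = requestHeaders.get(AUTH_HEADER);
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 1, values.size());
    assertTrue("expected value", values.contains(BASIC_AUTH));

    AuthorizationPolicy authpolicy = inMessage.get(AuthorizationPolicy.class);
    // Null-check the policy that was just read. The original asserted on a different
    // identifier (policy), so a message without an AuthorizationPolicy would have
    // failed with a NullPointerException below instead of this assertion message.
    assertNotNull("Expected some auth tokens", authpolicy);
    assertEquals("expected user", USER, authpolicy.getUserName());
    assertEquals("expected passwd", PASSWD, authpolicy.getPassword());
}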
Example #2
Source File: AuthPolicyValidatingInterceptorTest.java From steady with Apache License 2.0 | 6 votes |
/**
 * A policy that carries both a user name and a password must reach the configured
 * validator and be reported as validated.
 */
@Test
public void testValidateAuthorizationPolicy() throws Exception {
    AuthPolicyValidatingInterceptor interceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator stsValidator = new TestSTSTokenValidator();
    interceptor.setValidator(stsValidator);

    // Fixture credentials; presumably the pair TestSTSTokenValidator accepts (confirm).
    AuthorizationPolicy credentials = new AuthorizationPolicy();
    credentials.setUserName("bob");
    credentials.setPassword("pswd");

    Message inbound = new MessageImpl();
    inbound.put(AuthorizationPolicy.class, credentials);

    interceptor.handleMessage(inbound);

    assertTrue(stsValidator.isValidated());
}
Example #3
Source File: WSDLGetAuthenticatorInterceptor.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Demands credentials for HTTP GET requests that carry a query string, but only when
 * {@code contextName} is set.
 *
 * <p>Any other request returns immediately. A request without an
 * {@link AuthorizationPolicy}, or one whose credentials {@code authenticate} rejects
 * (returns {@code null}), is answered through {@code handle401response}.
 *
 * @param message the inbound message
 * @throws Fault declared by the interceptor contract
 */
public void handleMessage(Message message) throws Fault {
    String httpMethod = (String)message.get(Message.HTTP_REQUEST_METHOD);
    String queryString = (String)message.get(Message.QUERY_STRING);
    boolean getWithQuery = "GET".equals(httpMethod) && !StringUtils.isEmpty(queryString);
    if (!getWithQuery) {
        return;
    }

    Endpoint endpoint = message.getExchange().getEndpoint();
    synchronized (endpoint) {
        // With no contextName configured, the request passes through without a check.
        if (StringUtils.isEmpty(contextName)) {
            return;
        }
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null) {
            handle401response(message, endpoint);
            return;
        }
        Subject authenticated = (Subject)authenticate(policy.getUserName(), policy.getPassword());
        if (authenticated == null) {
            handle401response(message, endpoint);
        }
    }
}
Example #4
Source File: AbstractSpnegoAuthSupplier.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Builds a {@code Negotiate} authorization value for the given URI.
 *
 * @param authPolicy policy whose authorization type selects this supplier
 * @param currentURI URI used to derive the service principal name
 * @param message message consulted for {@code PROPERTY_USE_KERBEROS_OID}
 * @return the Negotiate scheme followed by the Base64-encoded token, or {@code null}
 *         when the policy's authorization type is not Negotiate
 * @throws RuntimeException wrapping a {@link LoginException} or {@link GSSException}
 */
public String getAuthorization(AuthorizationPolicy authPolicy, URI currentURI, Message message) {
    boolean negotiateRequested =
        HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType());
    if (!negotiateRequested) {
        return null;
    }
    try {
        String servicePrincipal = getCompleteServicePrincipalName(currentURI);
        // The message property decides between the Kerberos and the SPNEGO mechanism OID.
        Oid mechanism;
        if (MessageUtils.getContextualBoolean(message, PROPERTY_USE_KERBEROS_OID)) {
            mechanism = new Oid(KERBEROS_OID);
        } else {
            mechanism = new Oid(SPNEGO_OID);
        }
        byte[] ticket = getToken(authPolicy, servicePrincipal, mechanism, message);
        return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " + Base64Utility.encode(ticket);
    } catch (LoginException | GSSException e) {
        // The cause is kept so the underlying login or GSS failure stays diagnosable.
        throw new RuntimeException(e.getMessage(), e);
    }
}
Example #5
Source File: AuthPolicyValidatingInterceptorTest.java From steady with Apache License 2.0 | 6 votes |
/**
 * Happy path: user name and password are both present, so the interceptor hands the
 * policy to the validator and the validator records a successful validation.
 */
@Test
public void testValidateAuthorizationPolicy() throws Exception {
    AuthPolicyValidatingInterceptor underTest = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator tokenValidator = new TestSTSTokenValidator();
    underTest.setValidator(tokenValidator);

    // Test-only credentials; presumably what TestSTSTokenValidator expects (confirm).
    AuthorizationPolicy authPolicy = new AuthorizationPolicy();
    authPolicy.setUserName("bob");
    authPolicy.setPassword("pswd");

    Message request = new MessageImpl();
    request.put(AuthorizationPolicy.class, authPolicy);
    underTest.handleMessage(request);

    assertTrue(tokenValidator.isValidated());
}
Example #6
Source File: HttpConduitConfigurationTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Asserts that the conduit carries the expected authorization, TLS and HTTP client
 * settings.
 *
 * @param conduit the conduit whose configuration is inspected
 */
private void verifyConduit(HTTPConduit conduit) {
    AuthorizationPolicy credentials = conduit.getAuthorization();
    assertNotNull(credentials);
    assertEquals("Betty", credentials.getUserName());
    assertEquals("password", credentials.getPassword());

    TLSClientParameters tls = conduit.getTlsClientParameters();
    assertNotNull(tls);
    // disableCNCheck switches off matching the server certificate's name against the
    // host; it is asserted here presumably because the test configuration sets it.
    assertTrue(tls.isDisableCNCheck());
    assertEquals(3600000, tls.getSslCacheTimeout());

    KeyManager[] keyManagers = tls.getKeyManagers();
    assertTrue(keyManagers != null && keyManagers.length == 1);
    assertTrue(keyManagers[0] instanceof X509KeyManager);

    TrustManager[] trustManagers = tls.getTrustManagers();
    assertTrue(trustManagers != null && trustManagers.length == 1);
    assertTrue(trustManagers[0] instanceof X509TrustManager);

    // Exactly one include and one exclude entry are expected in the cipher-suite filter.
    FiltersType cipherFilter = tls.getCipherSuitesFilter();
    assertNotNull(cipherFilter);
    assertEquals(1, cipherFilter.getInclude().size());
    assertEquals(1, cipherFilter.getExclude().size());

    HTTPClientPolicy httpClient = conduit.getClient();
    assertEquals(10240, httpClient.getChunkLength());
}
Example #7
Source File: AuthPolicyValidatingInterceptorTest.java From steady with Apache License 2.0 | 6 votes |
/**
 * Confirms that a complete user name / password policy placed on the message results
 * in {@code isValidated()} being true on the validator.
 */
@Test
public void testValidateAuthorizationPolicy() throws Exception {
    AuthPolicyValidatingInterceptor validatingInterceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator recordingValidator = new TestSTSTokenValidator();
    validatingInterceptor.setValidator(recordingValidator);

    // Fixture values only; presumably the pair the test validator accepts (confirm).
    AuthorizationPolicy suppliedPolicy = new AuthorizationPolicy();
    suppliedPolicy.setUserName("bob");
    suppliedPolicy.setPassword("pswd");

    Message msg = new MessageImpl();
    msg.put(AuthorizationPolicy.class, suppliedPolicy);

    validatingInterceptor.handleMessage(msg);
    assertTrue(recordingValidator.isValidated());
}
Example #8
Source File: AuthPolicyValidatingInterceptorTest.java From steady with Apache License 2.0 | 6 votes |
/**
 * Runs the interceptor over a message whose policy has both credentials set and
 * expects the validator to have been satisfied.
 */
@Test
public void testValidateAuthorizationPolicy() throws Exception {
    AuthPolicyValidatingInterceptor policyInterceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator sts = new TestSTSTokenValidator();
    policyInterceptor.setValidator(sts);

    // Credentials exist for this test alone; presumably matched by the validator (confirm).
    AuthorizationPolicy basicCredentials = new AuthorizationPolicy();
    basicCredentials.setUserName("bob");
    basicCredentials.setPassword("pswd");

    Message carrier = new MessageImpl();
    carrier.put(AuthorizationPolicy.class, basicCredentials);
    policyInterceptor.handleMessage(carrier);

    assertTrue(sts.isValidated());
}
Example #9
Source File: BearerAuthSupplier.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Supplies the authorization header built from the current client access token.
 *
 * @param authPolicy passed on to the token refresh helpers
 * @param currentURI not used by this method
 * @param message not used by this method
 * @param fullHeader {@code null} on a regular call; non-null when the previous call was
 *        answered with a 401 challenge
 * @return the authorization header, or {@code null} when there is no token key or the
 *         refresh after a 401 did not succeed
 */
public String getAuthorization(AuthorizationPolicy authPolicy,
                               URI currentURI,
                               Message message,
                               String fullHeader) {
    if (getClientAccessToken().getTokenKey() == null) {
        return null;
    }

    boolean challenged = fullHeader != null;
    if (!challenged) {
        // Regular authorization, optionally refreshing an expired token up front.
        if (refreshEarly) {
            refreshAccessTokenIfExpired(authPolicy);
        }
        return createAuthorizationHeader();
    }

    // The last call resulted in a 401: only answer again if the token could be refreshed.
    return refreshAccessToken(authPolicy) ? createAuthorizationHeader() : null;
}
Example #10
Source File: XACMLAuthenticationInterceptor.java From carbon-apimgt with Apache License 2.0 | 6 votes |
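/**
 * Decides whether a request may proceed, based on the user name found in the message's
 * {@link AuthorizationPolicy}.
 *
 * <p>Only the user name is read here; the password on the policy is never compared
 * against anything in this method. NOTE(review): confirm that the credentials are
 * verified elsewhere in the chain before this result is relied on as authentication.
 *
 * @param message the inbound message; its request URI and HTTP method are passed to
 *        {@code isUserPermitted}
 * @param resourceInfo not used by this method
 * @return {@code false} when the policy or the user name is missing or empty, otherwise
 *         the result of {@code isUserPermitted}
 */
public boolean handleRequest(Message message, ClassResourceInfo resourceInfo) {
    if (logger.isDebugEnabled()) {
        // Plain concatenation: the message id is data and must not be interpreted as a
        // String.format pattern (a '%' in it would have thrown at this point).
        logger.debug("Authenticating request: " + message.getId());
    }

    AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
    if (policy == null) {
        logger.error("Authentication failed: Basic authentication header is missing");
        return false;
    }

    String username = StringUtils.trim(policy.getUserName());
    if (StringUtils.isEmpty(username)) {
        logger.error("Username cannot be null/empty.");
        return false;
    }

    return isUserPermitted(username,
                           (String) message.get(Message.REQUEST_URI),
                           (String) message.get(Message.HTTP_REQUEST_METHOD),
                           null);
}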
Example #11
Source File: CodeAuthSupplier.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Exchanges a pending authorization code for an access token if none is set yet, then
 * delegates to the wrapped token supplier.
 *
 * @param authPolicy forwarded to the token supplier
 * @param currentURI forwarded to the token supplier
 * @param message forwarded to the token supplier
 * @param fullHeader forwarded to the token supplier
 * @return whatever the token supplier returns for these arguments
 */
public String getAuthorization(AuthorizationPolicy authPolicy,
                               URI currentURI,
                               Message message,
                               String fullHeader) {
    if (code != null) {
        synchronized (tokenSupplier) {
            boolean tokenMissing = tokenSupplier.getClientAccessToken().getTokenKey() == null;
            if (tokenMissing) {
                WebClient tokenService = tokenSupplier.createAccessTokenServiceClient();
                ClientAccessToken exchanged = OAuthClientUtils.getAccessToken(
                    tokenService, tokenSupplier.getConsumer(), new AuthorizationCodeGrant(code));
                // The code is cleared once it has been exchanged, before the token is stored.
                code = null;
                tokenSupplier.setClientAccessToken(exchanged);
            }
        }
    }
    return tokenSupplier.getAuthorization(authPolicy, currentURI, message, fullHeader);
}
Example #12
Source File: BasicAuthFilter.java From cxf-fediz with Apache License 2.0 | 6 votes |
/**
 * Rejects requests that lack complete Basic credentials and validates the rest.
 *
 * <p>A missing policy, user name or password aborts the request with a 401 and a
 * {@code WWW-Authenticate} challenge. Otherwise the message goes to
 * {@code super.validate}.
 *
 * @param requestContext the request being filtered
 * @throws IOException declared by the filter contract
 */
public void filter(ContainerRequestContext requestContext) throws IOException {
    Message current = JAXRSUtils.getCurrentMessage();
    AuthorizationPolicy supplied = current.get(AuthorizationPolicy.class);

    boolean credentialsComplete = supplied != null
        && supplied.getUserName() != null
        && supplied.getPassword() != null;
    if (!credentialsComplete) {
        requestContext.abortWith(
            Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
        return;
    }

    try {
        super.validate(current);
    } catch (Exception ex) {
        // NOTE(review): every validation exception goes through
        // toInternalServerErrorException; confirm that rejected credentials are meant
        // to surface that way rather than as a 401.
        throw ExceptionUtils.toInternalServerErrorException(ex, null);
    }
}
Example #13
Source File: NettyHttpDestinationTest.java From cxf with Apache License 2.0 | 6 votes |
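/**
 * Verifies the inbound message's protocol headers and the {@link AuthorizationPolicy}
 * stored on it.
 *
 * <p>The {@code content-type} header must hold exactly two values, the authorization
 * header exactly one, and the policy must expose the expected user name and password.
 *
 * @throws Exception declared for the test harness; nothing here throws it directly
 */
private void verifyRequestHeaders() throws Exception {
    Map<String, List<String>> requestHeaders =
        CastUtils.cast((Map<?, ?>)inMessage.get(Message.PROTOCOL_HEADERS));
    assertNotNull("expected request headers", requestHeaders);

    List<String> values = requestHeaders.get("content-type");
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 2, values.size());
    assertTrue("expected value", values.contains("text/xml"));
    assertTrue("expected value", values.contains("charset=utf8"));

    values = requestHeaders.get(AUTH_HEADER);
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 1, values.size());
    assertTrue("expected value", values.contains(BASIC_AUTH));

    AuthorizationPolicy authpolicy = inMessage.get(AuthorizationPolicy.class);
    // Assert on the variable read from the message. The original checked a different
    // identifier (policy), which left a missing AuthorizationPolicy to show up as a
    // NullPointerException on the next line.
    assertNotNull("Expected some auth tokens", authpolicy);
    assertEquals("expected user", USER, authpolicy.getUserName());
    assertEquals("expected passwd", PASSWD, authpolicy.getPassword());
}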
Example #14
Source File: WSS4JBasicAuthFilter.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Requires complete Basic credentials on every request except those whose path
 * contains {@code WellKnownService.WELL_KNOWN_PATH}.
 *
 * <p>A missing policy, user name or password aborts the request with a 401 and a
 * {@code WWW-Authenticate} challenge. Otherwise the message goes to
 * {@code super.validate}.
 *
 * @param requestContext the request being filtered
 * @throws IOException declared by the filter contract
 */
public void filter(ContainerRequestContext requestContext) throws IOException {
    String requestPath = requestContext.getUriInfo().getPath();
    // NOTE(review): the exemption is a substring match, so it applies to any path that
    // contains the well-known segment anywhere. Confirm no protected resource path can
    // include it, or tighten the comparison.
    if (requestPath.contains(WellKnownService.WELL_KNOWN_PATH)) {
        return;
    }

    Message current = JAXRSUtils.getCurrentMessage();
    AuthorizationPolicy supplied = current.get(AuthorizationPolicy.class);

    boolean credentialsComplete = supplied != null
        && supplied.getUserName() != null
        && supplied.getPassword() != null;
    if (!credentialsComplete) {
        requestContext.abortWith(
            Response.status(401).header("WWW-Authenticate", "Basic realm=\"IdP\"").build());
        return;
    }

    try {
        super.validate(current);
    } catch (Exception ex) {
        throw ExceptionUtils.toInternalServerErrorException(ex, null);
    }
}
Example #15
Source File: DefaultLogEventMapper.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Resolves the principal name to record for a message.
 *
 * <p>Sources are tried in order: {@code getJAASPrincipal()}, the user principal of the
 * message's {@code SecurityContext}, then the user name on its
 * {@link AuthorizationPolicy}.
 *
 * @param message the message to inspect
 * @return the first name found, or {@code null} when none of the sources has one
 */
private String getPrincipal(Message message) {
    String jaasPrincipal = getJAASPrincipal();
    if (jaasPrincipal != null) {
        return jaasPrincipal;
    }

    SecurityContext securityContext = message.get(SecurityContext.class);
    if (securityContext != null && securityContext.getUserPrincipal() != null) {
        return securityContext.getUserPrincipal().getName();
    }

    // NOTE(review): the last fallback is the user name carried by the policy; whether it
    // has been authenticated by this point cannot be told from this method.
    AuthorizationPolicy authPolicy = message.get(AuthorizationPolicy.class);
    return authPolicy != null ? authPolicy.getUserName() : null;
}
Example #16
Source File: AuthPolicyValidatingInterceptorTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * A policy with a password but no user name must be rejected with a
 * {@link SecurityException}.
 */
@Test
public void testNoUsername() throws Exception {
    AuthPolicyValidatingInterceptor interceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator stsValidator = new TestSTSTokenValidator();
    interceptor.setValidator(stsValidator);

    // Only the password is set; the user name is deliberately left null.
    AuthorizationPolicy incomplete = new AuthorizationPolicy();
    incomplete.setPassword("pswd");

    Message inbound = new MessageImpl();
    inbound.put(AuthorizationPolicy.class, incomplete);

    try {
        interceptor.handleMessage(inbound);
        fail("Failure expected with no username");
    } catch (SecurityException ex) {
        // expected
    }
}
Example #17
Source File: AuthPolicyValidatingInterceptorTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * A policy carrying a password other than the one used in the positive test must leave
 * the validator unvalidated.
 */
@Test
public void testInvalidUsernamePassword() throws Exception {
    AuthPolicyValidatingInterceptor interceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator stsValidator = new TestSTSTokenValidator();
    interceptor.setValidator(stsValidator);

    // "pswd2" is presumably not what the test validator accepts for "bob" (confirm).
    AuthorizationPolicy wrongCredentials = new AuthorizationPolicy();
    wrongCredentials.setUserName("bob");
    wrongCredentials.setPassword("pswd2");

    Message inbound = new MessageImpl();
    inbound.put(AuthorizationPolicy.class, wrongCredentials);

    interceptor.handleMessage(inbound);

    assertFalse(stsValidator.isValidated());
}
Example #18
Source File: AuthPolicyValidatingInterceptorTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * With user name and password both set on the policy, handling the message must end
 * with the validator reporting success.
 */
@Test
public void testValidateAuthorizationPolicy() throws Exception {
    AuthPolicyValidatingInterceptor authInterceptor = new AuthPolicyValidatingInterceptor();
    TestSTSTokenValidator testValidator = new TestSTSTokenValidator();
    authInterceptor.setValidator(testValidator);

    // Fixture credentials; presumably the ones TestSTSTokenValidator accepts (confirm).
    AuthorizationPolicy userPass = new AuthorizationPolicy();
    userPass.setUserName("bob");
    userPass.setPassword("pswd");

    Message incoming = new MessageImpl();
    incoming.put(AuthorizationPolicy.class, userPass);
    authInterceptor.handleMessage(incoming);

    assertTrue(testValidator.isValidated());
}
Example #19
Source File: JettyHTTPDestinationTest.java From cxf with Apache License 2.0 | 6 votes |
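/**
 * Asserts on the protocol headers of the inbound message and on the
 * {@link AuthorizationPolicy} it carries.
 *
 * <p>Expected: two {@code content-type} values, one authorization header value, and a
 * policy with the expected user name and password.
 *
 * @throws Exception declared for the test harness; nothing here throws it directly
 */
private void verifyRequestHeaders() throws Exception {
    Map<String, List<String>> requestHeaders =
        CastUtils.cast((Map<?, ?>)inMessage.get(Message.PROTOCOL_HEADERS));
    assertNotNull("expected request headers", requestHeaders);

    List<String> values = requestHeaders.get("content-type");
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 2, values.size());
    assertTrue("expected value", values.contains("text/xml"));
    assertTrue("expected value", values.contains("charset=utf8"));

    values = requestHeaders.get(AUTH_HEADER);
    assertNotNull("expected field", values);
    assertEquals("unexpected values", 1, values.size());
    assertTrue("expected value", values.contains(BASIC_AUTH));

    AuthorizationPolicy authpolicy = inMessage.get(AuthorizationPolicy.class);
    // The null check belongs on authpolicy. The original passed a different identifier
    // (policy), so an absent AuthorizationPolicy was only caught as a
    // NullPointerException by the getters below.
    assertNotNull("Expected some auth tokens", authpolicy);
    assertEquals("expected user", USER, authpolicy.getUserName());
    assertEquals("expected passwd", PASSWD, authpolicy.getPassword());
}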
Example #20
Source File: HTTPSConduitTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Answers a challenge with credentials chosen by the realm named in the header.
 *
 * <p>When this supplier's own realm matches the requested one, its configured user and
 * password are returned. Otherwise three fixed realms each map to a fixed test user,
 * and each of those answers is expected to trigger a further 401 for the next realm.
 *
 * @param authPolicy not used by this method
 * @param currentURI not used by this method
 * @param message not used by this method
 * @param fullHeader the challenge header the realm is parsed from
 * @return the encoded user/password value, or {@code null} for an unknown realm
 */
public String getAuthorization(AuthorizationPolicy authPolicy,
                               URI currentURI,
                               Message message,
                               String fullHeader) {
    String challengeRealm = new HttpAuthHeader(fullHeader).getRealm();

    if (realm != null && realm.equals(challengeRealm)) {
        return createUserPass(user, pass);
    }
    if ("Andromeda".equals(challengeRealm)) {
        // This will get us another 401 to Zorantius
        return createUserPass("Edward", "password");
    }
    if ("Zorantius".equals(challengeRealm)) {
        // George will get us another 401 to Cronus
        return createUserPass("George", "password");
    }
    if ("Cronus".equals(challengeRealm)) {
        // Mary will get us another 401 to Andromeda
        return createUserPass("Mary", "password");
    }
    return null;
}
Example #21
Source File: JAXRSJaasSecurityTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * A request with credentials the server does not accept must be answered with 401 and
 * a {@code WWW-Authenticate} header whose value is {@code Basic}.
 */
@Test
public void testJaasFilterAuthenticationFailure() throws Exception {
    String endpointAddress =
        "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123";
    WebClient client = WebClient.create(endpointAddress);

    // Credentials are supplied through the conduit's AuthorizationPolicy rather than a
    // hand-built Authorization header.
    AuthorizationPolicy rejectedCredentials = new AuthorizationPolicy();
    rejectedCredentials.setUserName("foo");
    rejectedCredentials.setPassword("bar1");
    WebClient.getConfig(client).getHttpConduit().setAuthorization(rejectedCredentials);

    client.accept("application/xml");
    Response response = client.get();
    assertEquals(401, response.getStatus());

    Object challenge = response.getMetadata().getFirst(HttpHeaders.WWW_AUTHENTICATE);
    assertNotNull(challenge);
    assertEquals("Basic", challenge.toString());
}
Example #22
Source File: WrappedMessageContext.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Removes a property from this context and from the underlying message.
 *
 * <p>Removing the user name or password property also removes the message's
 * {@link AuthorizationPolicy} entry, presumably so that credentials derived from those
 * properties do not stay on the message.
 *
 * @param key the property name; cast to {@code String} and translated by {@code mapKey}
 * @return the value the message held under the mapped key
 */
public final Object remove(Object key) {
    Object mappedKey = mapKey((String)key);
    scopes.remove(mappedKey);

    boolean credentialProperty = BindingProvider.PASSWORD_PROPERTY.equals(mappedKey)
        || BindingProvider.USERNAME_PROPERTY.equals(mappedKey);
    if (credentialProperty) {
        message.remove(AuthorizationPolicy.class.getName());
    }
    return message.remove(mappedKey);
}
Example #23
Source File: CustomAuthSupplier.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds the authorization value directly from the policy's type and authorization
 * fields.
 *
 * @param authPolicy policy supplying the authorization type and value
 * @param currentURI not used by this method
 * @param message not used by this method
 * @param fullHeader not used by this method
 * @return the type and value joined by a single space, or {@code null} when either one
 *         is missing
 */
public String getAuthorization(AuthorizationPolicy authPolicy,
                               URI currentURI,
                               Message message,
                               String fullHeader) {
    boolean incomplete = authPolicy.getAuthorizationType() == null
        || authPolicy.getAuthorization() == null;
    if (incomplete) {
        return null;
    }
    return authPolicy.getAuthorizationType() + " " + authPolicy.getAuthorization();
}
Example #24
Source File: BasicAuthFilter.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Wraps the policy's user name and password in a {@code UsernameToken}.
 *
 * @param policy the policy whose credentials are copied
 * @return a token created with {@code WSConstants.PASSWORD_TEXT} as its password type
 * @throws Exception declared by the signature; the calls made here may throw
 */
protected UsernameToken convertPolicyToToken(AuthorizationPolicy policy) throws Exception {
    Document ownerDocument = DOMUtils.createDocument();
    // PASSWORD_TEXT: the password is set on the token as supplied, not as a digest.
    UsernameToken usernameToken =
        new UsernameToken(false, ownerDocument, WSConstants.PASSWORD_TEXT);
    usernameToken.setName(policy.getUserName());
    usernameToken.setPassword(policy.getPassword());
    return usernameToken;
}
Example #25
Source File: ClientFactoryBean.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Copies an {@link AuthorizationPolicy} found in this factory's properties onto the
 * endpoint's {@code EndpointInfo} as an extensor.
 *
 * @param ep the endpoint that receives the policy
 */
protected void applyProperties(Endpoint ep) {
    Map<String, Object> configured = this.getProperties();
    if (configured == null) {
        return;
    }
    // The policy is stored under the class name of AuthorizationPolicy.
    Object candidate = configured.get(AuthorizationPolicy.class.getName());
    if (candidate != null) {
        ep.getEndpointInfo().addExtensor((AuthorizationPolicy)candidate);
    }
}
Example #26
Source File: AuthPolicyValidatingInterceptor.java From steady with Apache License 2.0 | 5 votes |
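/**
 * Validates the user name and password carried by the message's
 * {@link AuthorizationPolicy}.
 *
 * <p>A missing policy, user name or password is logged and rejected. Complete
 * credentials are converted to a {@code UsernameToken} and passed to
 * {@code validator.validateWithSTS}.
 *
 * @param message the inbound message
 * @throws SecurityException when the policy, user name or password is missing
 * @throws Fault wrapping any exception raised during conversion or validation
 */
public void handleMessage(Message message) throws Fault {
    AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
    if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
        String name = policy != null ? policy.getUserName() : null;
        // The supplied password must not reach the log or the exception text. The
        // original passed it as a message argument; only its presence is reported now.
        String passwordState =
            policy != null && policy.getPassword() != null ? "<redacted>" : null;
        org.apache.cxf.common.i18n.Message errorMsg =
            new org.apache.cxf.common.i18n.Message("NO_USER_PASSWORD", BUNDLE, name, passwordState);
        LOG.warning(errorMsg.toString());
        throw new SecurityException(errorMsg.toString());
    }

    try {
        UsernameToken token = convertPolicyToToken(policy);
        Credential credential = new Credential();
        credential.setUsernametoken(token);
        validator.validateWithSTS(credential, message);
    } catch (Exception ex) {
        throw new Fault(ex);
    }
}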
Example #27
Source File: BookServerThrottled.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Throttles every caller except the one whose policy user name is {@code alice}.
 *
 * @param phase not used by this method
 * @param m the message whose {@link AuthorizationPolicy} identifies the caller
 * @return {@code null} for {@code alice}, otherwise {@code new ThrottleResponse(503, 2000)}
 */
@Override
public ThrottleResponse getThrottleResponse(String phase, Message m) {
    AuthorizationPolicy caller = m.get(AuthorizationPolicy.class);
    // The decision rests on the user name alone; no password is looked at here.
    boolean exempt = caller != null && "alice".equals(caller.getUserName());
    return exempt ? null : new ThrottleResponse(503, 2000);
}
Example #28
Source File: JAXRSJaasSecurityTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * A request whose credentials are set through the conduit's {@link AuthorizationPolicy}
 * must return the requested book.
 */
@Test
public void testJaasFilterWebClientAuthorizationPolicy() throws Exception {
    String endpointAddress =
        "http://localhost:" + PORT + "/service/jaas2/bookstorestorage/thosebooks/123";
    WebClient client = WebClient.create(endpointAddress);

    // Fixture credentials, presumably known to the test's login configuration (confirm).
    AuthorizationPolicy acceptedCredentials = new AuthorizationPolicy();
    acceptedCredentials.setUserName("bob");
    acceptedCredentials.setPassword("bobspassword");
    WebClient.getConfig(client).getHttpConduit().setAuthorization(acceptedCredentials);

    client.accept("application/xml");
    Book fetched = client.get(Book.class);
    assertEquals(123L, fetched.getId());
}
Example #29
Source File: BasicAuthenticationInterceptorTest.java From dropwizard-jaxws with Apache License 2.0 | 5 votes |
/**
 * Builds a message that carries an {@link AuthorizationPolicy} with the given
 * credentials.
 *
 * @param username user name to set on the policy
 * @param password password to set on the policy
 * @return an otherwise empty message holding the policy
 */
private Message createMessageWithUsernameAndPassword(String username, String password) {
    Message carrier = createEmptyMessage();

    AuthorizationPolicy credentials = new AuthorizationPolicy();
    credentials.setUserName(username);
    credentials.setPassword(password);

    carrier.put(AuthorizationPolicy.class, credentials);
    return carrier;
}
Example #30
Source File: HTTPConduit.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Fills every unset conduit setting from the extensors found on the endpoint info.
 *
 * <p>Values already present on the conduit are left alone. The client, authorization
 * and proxy-authorization policies fall back to a fresh default instance. TLS
 * parameters, trust decider and auth supplier fall back to {@code null}.
 *
 * @param conduit the conduit to complete
 * @param endpointInfo source of the traversed extensors
 */
private static void configureConduitFromEndpointInfo(HTTPConduit conduit,
                                                     EndpointInfo endpointInfo) {
    if (conduit.getClient() == null) {
        HTTPClientPolicy clientPolicy =
            endpointInfo.getTraversedExtensor(new HTTPClientPolicy(), HTTPClientPolicy.class);
        conduit.setClient(clientPolicy);
    }
    if (conduit.getAuthorization() == null) {
        AuthorizationPolicy authorization =
            endpointInfo.getTraversedExtensor(new AuthorizationPolicy(), AuthorizationPolicy.class);
        conduit.setAuthorization(authorization);
    }
    if (conduit.getProxyAuthorization() == null) {
        ProxyAuthorizationPolicy proxyAuthorization = endpointInfo.getTraversedExtensor(
            new ProxyAuthorizationPolicy(), ProxyAuthorizationPolicy.class);
        conduit.setProxyAuthorization(proxyAuthorization);
    }
    // No default exists for the remaining three: an absent extensor leaves them null.
    if (conduit.getTlsClientParameters() == null) {
        TLSClientParameters tlsParameters =
            endpointInfo.getTraversedExtensor(null, TLSClientParameters.class);
        conduit.setTlsClientParameters(tlsParameters);
    }
    if (conduit.getTrustDecider() == null) {
        MessageTrustDecider trustDecider =
            endpointInfo.getTraversedExtensor(null, MessageTrustDecider.class);
        conduit.setTrustDecider(trustDecider);
    }
    if (conduit.getAuthSupplier() == null) {
        HttpAuthSupplier authSupplier =
            endpointInfo.getTraversedExtensor(null, HttpAuthSupplier.class);
        conduit.setAuthSupplier(authSupplier);
    }
}