/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.ws.security.message;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.common.CustomHandler;
import org.apache.ws.security.common.SOAPUtil;
import org.apache.ws.security.common.UsernamePasswordCallbackHandler;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.w3c.dom.Document;
import javax.security.auth.callback.CallbackHandler;
/**
* This is a test for processing a Username Token to enforce either a plaintext or digest
* password type. See WSS-255.
*/
public class PasswordTypeTest extends org.junit.Assert {
private static final org.apache.commons.logging.Log LOG =
org.apache.commons.logging.LogFactory.getLog(PasswordTypeTest.class);
private CallbackHandler callbackHandler = new UsernamePasswordCallbackHandler();
/**
* Test that adds a UserNameToken with password Digest to a WS-Security envelope
*/
@org.junit.Test
public void testPasswordDigest() throws Exception {
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setUserInfo("wernerd", "verySecret");
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
Document signedDoc = builder.build(doc, secHeader);
if (LOG.isDebugEnabled()) {
LOG.debug("Message with UserNameToken PW Digest:");
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
LOG.debug(outputString);
}
WSSecurityEngine secEngine = new WSSecurityEngine();
WSSConfig wssConfig = WSSConfig.getNewInstance();
//
// It should pass with PASSWORD_DIGEST
//
wssConfig.setRequiredPasswordType(WSConstants.PASSWORD_DIGEST);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
//
// It should pass with null
//
wssConfig.setRequiredPasswordType(null);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
//
// It should fail with PASSWORD_TEXT
//
try {
wssConfig.setRequiredPasswordType(WSConstants.PASSWORD_TEXT);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
fail("Expected failure on the wrong password type");
} catch (WSSecurityException ex) {
assertTrue(ex.getErrorCode() == WSSecurityException.FAILED_AUTHENTICATION);
// expected
}
}
/**
* Test that adds a UserNameToken with password text to a WS-Security envelope
*/
@org.junit.Test
public void testUsernameTokenText() throws Exception {
WSSecUsernameToken builder = new WSSecUsernameToken();
builder.setPasswordType(WSConstants.PASSWORD_TEXT);
builder.setUserInfo("wernerd", "verySecret");
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
Document signedDoc = builder.build(doc, secHeader);
if (LOG.isDebugEnabled()) {
LOG.debug("Message with UserNameToken PW Text:");
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
LOG.debug(outputString);
}
WSSecurityEngine secEngine = new WSSecurityEngine();
WSSConfig wssConfig = WSSConfig.getNewInstance();
//
// It should pass with PASSWORD_TEXT
//
wssConfig.setRequiredPasswordType(WSConstants.PASSWORD_TEXT);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
//
// It should pass with null
//
wssConfig.setRequiredPasswordType(null);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
//
// It should fail with PASSWORD_DIGEST
//
try {
wssConfig.setRequiredPasswordType(WSConstants.PASSWORD_DIGEST);
secEngine.setWssConfig(wssConfig);
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
fail("Expected failure on the wrong password type");
} catch (WSSecurityException ex) {
assertTrue(ex.getErrorCode() == WSSecurityException.FAILED_AUTHENTICATION);
// expected
}
}
/**
* Test that adds a UserNameToken via WSHandler
*/
@org.junit.Test
public void testUsernameTokenWSHandler() throws Exception {
CustomHandler handler = new CustomHandler();
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
RequestData reqData = new RequestData();
java.util.Map<String, Object> config = new java.util.TreeMap<String, Object>();
config.put("password", "verySecret");
config.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
reqData.setUsername("wernerd");
reqData.setMsgContext(config);
java.util.List<Integer> actions = new java.util.ArrayList<Integer>();
actions.add(Integer.valueOf(WSConstants.UT));
handler.send(WSConstants.UT, doc, reqData, actions, true);
if (LOG.isDebugEnabled()) {
LOG.debug("Username Token via WSHandler");
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
LOG.debug(outputString);
}
//
// It should pass even on a different password type, as we haven't set the
// processing to be strict
//
config.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
reqData.setMsgContext(config);
handler.receive(WSConstants.UT, reqData);
WSSecurityEngine secEngine = new WSSecurityEngine();
secEngine.setWssConfig(reqData.getWssConfig());
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
//
// It should fail on strict password type processing
//
config.put(WSHandlerConstants.PASSWORD_TYPE_STRICT, "true");
reqData.setMsgContext(config);
handler.receive(WSConstants.UT, reqData);
try {
secEngine.processSecurityHeader(doc, null, callbackHandler, null);
fail("Expected failure on the wrong password type");
} catch (WSSecurityException ex) {
// expected
}
}
}