Author: dvaleri
Date: Fri Jul 30 20:25:26 2010
New Revision: 980941
URL: http://svn.apache.org/viewvc?rev=980941&view=rev
Log:
[CXF-2915] Applied patches for SignedSupportingToken with mod to fix regression
against SignatureConfirmation tests.
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
(with props)
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
(with props)
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri Jul 30 20:25:26 2010
@@ -119,7 +119,11 @@ import org.apache.ws.security.message.WS
import org.apache.ws.security.message.WSSecTimestamp;
import org.apache.ws.security.message.WSSecUsernameToken;
import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.transform.STRTransform;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.signature.XMLSignatureException;
+import org.apache.xml.security.transforms.TransformationException;
+import org.apache.xml.security.transforms.Transforms;
/**
*
@@ -462,11 +466,11 @@ public abstract class AbstractBindingBui
this.encryptedTokensIdList.add(secToken.getId());
}
- if (secToken.getX509Certificate() == null) {
+ if (secToken.getX509Certificate() == null) {
//Add the extracted token
ret.put(token, new WSSecurityTokenHolder(secToken));
} else {
- WSSecSignature sig = new WSSecSignature();
+ WSSecSignatureHelper sig = new WSSecSignatureHelper();
sig.setX509Certificate(secToken.getX509Certificate());
sig.setCustomTokenId(secToken.getId());
sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
@@ -500,8 +504,10 @@ public abstract class AbstractBindingBui
throw new Fault(e);
}
+
addSupportingElement(cloneElement(sig.getSecRef().getElement()));
+
if (suppTokens.isEncryptedToken()) {
- encryptedTokensIdList.add(sig.getBSTTokenId());
+ encryptedTokensIdList.add(secToken.getId());
}
ret.put(token, sig);
}
@@ -554,10 +560,22 @@ public abstract class AbstractBindingBui
Object tempTok = entry.getValue();
WSEncryptionPart part = null;
- if (tempTok instanceof WSSecSignature) {
- WSSecSignature tempSig = (WSSecSignature) tempTok;
- if (tempSig.getBSTTokenId() != null) {
- part = new WSEncryptionPart(tempSig.getBSTTokenId());
+ if (tempTok instanceof WSSecSignatureHelper) {
+ WSSecSignatureHelper tempSig = (WSSecSignatureHelper) tempTok;
+ if ((WSConstants.WSS_SAML_NS + WSConstants.SAML_ASSERTION_ID).
+ equals(tempSig.getSecRef().getKeyIdentifierValueType())) {
+
+ // NOTE: This usage of WSEncryptionPart is a workaroud
that is
+ // coupled with WSSecSignatureHelper. This approach is
used so that
+ // we can force WSS4J to sign the assertion through a STR
that
+ // WSS4J did not create during message signature creation.
+ part = new WSEncryptionPart(tempSig.getStrUri(),
"ExternalSTRTransform", "Element",
+ WSConstants.PART_TYPE_ELEMENT);
+
+ } else {
+ if (tempSig.getBSTTokenId() != null) {
+ part = new WSEncryptionPart(tempSig.getBSTTokenId());
+ }
}
} else if (tempTok instanceof WSSecUsernameToken) {
WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
@@ -1282,8 +1300,8 @@ public abstract class AbstractBindingBui
}
}
}
- protected WSSecSignature getSignatureBuider(TokenWrapper wrapper, Token
token, boolean endorse) {
- WSSecSignature sig = new WSSecSignature();
+ protected WSSecSignatureHelper getSignatureBuider(TokenWrapper wrapper,
Token token, boolean endorse) {
+ WSSecSignatureHelper sig = new WSSecSignatureHelper();
checkForX509PkiPath(sig, token);
setKeyIdentifierType(sig, wrapper, token);
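Review bot: `getSignatureBuider` is `protected` but now declares a return type, WSSecSignatureHelper, that is a `private static final` nested class of this builder (see the last hunk of this file), so a subclass such as AsymmetricBindingHandler can only hold the result as `WSSecSignature` and cannot override the method with a covariant return. If the helper is meant to stay an implementation detail, keep the declared return type as `WSSecSignature` and cast at the two `instanceof WSSecSignatureHelper` sites in this class; otherwise widen the helper to package-private or protected and document it. The method body continues outside the hunk.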
@@ -1717,4 +1735,48 @@ public abstract class AbstractBindingBui
signedParts.addAll(signedEncryptedParts);
}
+
+ private static final class WSSecSignatureHelper extends WSSecSignature {
+ public SecurityTokenReference getSecRef() {
+ return this.secRef;
+ }
+
+ public String getStrUri() {
+ return this.strUri;
+ }
+
+ @Override
+ public void addReferencesToSign(Vector references,
+ WSSecHeader secHeader) throws WSSecurityException {
+ final Vector<Object> unalteredReferences = new Vector<Object>();
+
+ try {
+ for (int part = 0; part < references.size(); part++) {
+ final WSEncryptionPart encPart = (WSEncryptionPart)
references.get(part);
+
+ final String elemName = encPart.getName();
+ final Transforms transforms = new Transforms(document);
+
+ if (elemName != null &&
"ExternalSTRTransform".equals(encPart.getNamespace())) {
+ final Element ctx = this.createSTRParameter(document);
+
transforms.addTransform(STRTransform.implementedTransformURI, ctx);
+ this.sig.addDocument("#" + elemName, transforms,
this.getDigestAlgo());
+ } else {
+ unalteredReferences.add(encPart);
+ }
+ }
+ } catch (TransformationException e1) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e1
+ );
+ } catch (XMLSignatureException e1) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e1
+ );
+ }
+
+ super.addReferencesToSign(unalteredReferences, secHeader);
+ }
+ }
+
}
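Review bot: WSSecSignatureHelper has no class-level comment explaining why it exists, and its `addReferencesToSign` override constructs `new Transforms(document)` for every reference, including the ones it hands unchanged to `super.addReferencesToSign`; moving the construction into the `if` branch avoids the wasted work, e.g. `final Transforms transforms = new Transforms(document);` directly before `transforms.addTransform(...)`. The local `elemName` is misleading because the value compared and signed is the STR URI supplied as the part name in the getSignedParts hunk; `strUri` would read correctly. I would add a Javadoc along the lines of `/** Extends WSSecSignature so that references marked with the "ExternalSTRTransform" pseudo-namespace are signed via an STR-Transform over an STR this class did not create; all other references are delegated to WSSecSignature unchanged. */` and note on `getSecRef()` that it exposes the mutable internal SecurityTokenReference.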
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Fri Jul 30 20:25:26 2010
@@ -95,7 +95,7 @@ public class AsymmetricBindingHandler ex
private void doSignBeforeEncrypt() {
try {
- Vector<WSEncryptionPart> sigs = getSignedParts();
+ Vector<WSEncryptionPart> sigs = new Vector<WSEncryptionPart>();
if (isRequestor()) {
//Add timestamp
if (timestampEl != null) {
@@ -197,6 +197,9 @@ public class AsymmetricBindingHandler ex
} catch (WSSecurityException e) {
//REVISIT - exception
e.printStackTrace();
+ } catch (SOAPException e) {
+ //REVISIT - exception
+ e.printStackTrace();
}
}
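Review bot: The new `catch (SOAPException e)` prints the stack trace and lets `doSignBeforeEncrypt` return normally, so a failure while building the signature leaves the outbound message to continue through the chain without the signature the policy requires; the same holds for the pre-existing WSSecurityException branch, but this commit adds a second copy of the pattern. AbstractBindingBuilder handles the equivalent failure with `throw new Fault(e);`, and doing the same here (assuming `org.apache.cxf.interceptor.Fault` is imported in this file, which the hunk does not show) would fail the message instead of silently downgrading it. The enclosing try block starts outside the hunk.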
@@ -334,7 +337,8 @@ public class AsymmetricBindingHandler ex
}
}
}
- private void doSignature(Vector<WSEncryptionPart> sigParts) throws
WSSecurityException {
+
+ private void doSignature(Vector<WSEncryptionPart> sigParts) throws
WSSecurityException, SOAPException {
Token sigToken = null;
TokenWrapper wrapper = null;
if (isRequestor()) {
@@ -385,18 +389,16 @@ public class AsymmetricBindingHandler ex
}
} else {
WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
- sig.prependBSTElementToHeader(secHeader);
- insertBeforeBottomUp(sig.getSignatureElement());
-
- if (abinding.isTokenProtection()) {
- // Special flag telling WSS4J to sign the initiator token.
- // Use this instead of the BST ID so that we don't
- // have to deal with maintaining such logic here.
- sigParts.add(new WSEncryptionPart("Token", null,
- "Element", WSConstants.PART_TYPE_ELEMENT));
+
+ // This action must occur before sig.prependBSTElementToHeader
+ if (abinding.isTokenProtection()
+ && sig.getBSTTokenId() != null) {
+ sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
}
-
+
sig.prependBSTElementToHeader(secHeader);
+ insertBeforeBottomUp(sig.getSignatureElement());
+ sigParts.addAll(this.getSignedParts());
AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
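Review bot: Token protection is now applied only when `sig.getBSTTokenId() != null`, replacing the former unconditional `"Token"` part, so when `abinding.isTokenProtection()` is true but the initiator token is referenced without a BST (as with the IncludeToken/Never policy added by this commit) the ProtectTokens requirement is silently skipped with no log or comment recording that decision. The comment `// This action must occur before sig.prependBSTElementToHeader` states the ordering constraint but not its reason; a reader cannot verify it, so it should say which call consumes the BST id, or, if that is uncertain, be phrased as an assumption. A short `else` comment such as `// no BST emitted for this token, nothing in the message to protect` would make the skip deliberate. doSignature's body continues outside the hunk.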
@@ -406,7 +408,6 @@ public class AsymmetricBindingHandler ex
sig.addReferencesToSign(sigParts, secHeader);
sig.computeSignature();
signatures.add(sig.getSignatureValue());
-
mainSigId = addWsuIdToElement(sig.getSignatureElement());
}
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Fri Jul 30 20:25:26 2010
@@ -18,12 +18,13 @@
*/
package org.apache.cxf.ws.security.wss4j;
-
+import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
+import java.util.Properties;
import java.util.Vector;
import java.util.concurrent.Executor;
@@ -59,12 +60,17 @@ import org.apache.cxf.ws.policy.PolicyEx
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.PolicyBasedWSS4JOutInterceptorInternal;
import org.apache.neethi.Policy;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -113,6 +119,8 @@ public class PolicyBasedWss4JInOutTest e
null,
new ArrayList<CoverageType>());
+ // Note that outbound does not asset TRANSPORT_TOKEN as another handler
+ // would assert that.
this.runAndValidate(
"wsse-request-clean.xml",
"transport_binding_policy.xml",
@@ -132,6 +140,15 @@ public class PolicyBasedWss4JInOutTest e
runOutInterceptorAndValidateAsymmetricBinding("signed_elements_policy.xml");
runOutInterceptorAndValidateAsymmetricBinding("signed_elements_Basic256Sha256_policy.xml");
}
+
+ // TODO this test does not follow the traditional pattern as no
server-side enforcement
+ // of algorithm suites yet exists. This support is blocked on WSS4J
patches. In the interim
+ // the outbound side is tested ONLY.
+ @Test
+ public void testSignedElementsWithIssuedSAMLToken() throws Exception {
+ this.runOutInterceptorAndValidateSamlTokenAttached(
+ "signed_elements_with_sst_issued_token_policy.xml");
+ }
@Test
public void testSignedPartsPolicyWithIncompleteCoverage() throws Exception
{
@@ -749,7 +766,17 @@ public class PolicyBasedWss4JInOutTest e
AssertionInfoMap aim = new AssertionInfoMap(policy);
final SoapMessage msg =
- this.getOutSoapMessageForDom(document, aim);
+ this.getOutSoapMessageForDom(document, aim);
+
+ return this.runOutInterceptorAndValidate(msg, policy, aim,
+ assertedOutAssertions, notAssertedOutAssertions);
+ }
+
+
+ private Document runOutInterceptorAndValidate(SoapMessage msg, Policy
policy,
+ AssertionInfoMap aim,
+ List<QName> assertedOutAssertions,
+ List<QName> notAssertedOutAssertions) throws Exception {
this.getOutInterceptor().handleMessage(msg);
@@ -784,7 +811,7 @@ public class PolicyBasedWss4JInOutTest e
return msg.getContent(SOAPMessage.class).getSOAPPart();
}
- // TODO: This method can be removed when
testAsymmetricBindingPolicyWithSignedElements
+ // TODO: This method can be removed when
testAsymmetricBindingAlgorithmSuitePolicy
// is cleaned up by adding server side enforcement of signature related
algorithms.
private void runOutInterceptorAndValidateAsymmetricBinding(String
policyDoc) throws Exception {
final Document originalDoc =
this.readDocument("wsse-request-clean.xml");
@@ -800,6 +827,50 @@ public class PolicyBasedWss4JInOutTest e
this.verifySignatureAlgorithms(signedDoc, aim);
}
+
+ // TODO: This method can be removed or reduced when
testSignedElementsWithIssuedSAMLToken is
+ // cleaned up.
+ private void runOutInterceptorAndValidateSamlTokenAttached(String
policyDoc) throws Exception {
+ // create the request message
+ final Document document = this.readDocument("wsse-request-clean.xml");
+ final Element outPolicyElement =
+ this.readDocument(policyDoc).getDocumentElement();
+ final Policy policy = this.policyBuilder.getPolicy(outPolicyElement);
+
+ AssertionInfoMap aim = new AssertionInfoMap(policy);
+ SoapMessage msg = this.getOutSoapMessageForDom(document, aim);
+
+ // add an "issued" assertion into the message exchange
+ Element issuedAssertion =
+
this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
+
+ String assertionId =
issuedAssertion.getAttributeNode("AssertionID").getNodeValue();
+
+ SecurityToken issuedToken =
+ new SecurityToken(assertionId, issuedAssertion, null);
+
+ Properties cryptoProps = new Properties();
+ URL url =
ClassLoader.getSystemResource("META-INF/cxf/outsecurity.properties");
+ cryptoProps.load(url.openStream());
+ Crypto crypto = CryptoFactory.getInstance(cryptoProps);
+ String alias =
cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+ issuedToken.setX509Certificate(crypto.getCertificates(alias)[0],
crypto);
+
+ msg.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN_ID,
+ issuedToken.getId());
+ msg.getExchange().put(SecurityConstants.TOKEN_ID, issuedToken.getId());
+
+ TokenStore tokenStore = new MemoryTokenStore();
+ msg.getExchange().get(Endpoint.class).getEndpointInfo()
+ .setProperty(TokenStore.class.getName(), tokenStore);
+ tokenStore.add(issuedToken);
+
+ // fire the interceptor and verify results
+ final Document signedDoc = this.runOutInterceptorAndValidate(
+ msg, policy, aim, null, null);
+
+ verifySignatureCoversAssertion(signedDoc, assertionId);
+ }
private PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
return (new
PolicyBasedWSS4JOutInterceptor()).createEndingInterceptor();
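Review bot: In `runOutInterceptorAndValidateSamlTokenAttached` the stream returned by `url.openStream()` is passed to `cryptoProps.load` and never closed, and if the properties resource is missing `url` is null and the test fails with a NullPointerException rather than a message naming the resource. Closing the stream in a finally block (this file appears to predate try-with-resources, given its use of `Vector` and explicit generics, so I have not assumed it) and asserting the resource exists fixes both; `java.io.InputStream` would need to be imported.
```java
// … unchanged: message setup and issued-assertion loading …
Properties cryptoProps = new Properties();
URL url = ClassLoader.getSystemResource("META-INF/cxf/outsecurity.properties");
assertNotNull("META-INF/cxf/outsecurity.properties not found on classpath", url);
InputStream propsIn = url.openStream();
try {
    cryptoProps.load(propsIn);
} finally {
    propsIn.close();
}
// … unchanged: crypto lookup, token store registration and verification …
```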
@@ -899,6 +970,7 @@ public class PolicyBasedWss4JInOutTest e
// TODO: This method can be removed when
runOutInterceptorAndValidateAsymmetricBinding
// is cleaned up by adding server side enforcement of signature related
algorithms.
+ // See https://issues.apache.org/jira/browse/WSS-222
private void verifySignatureAlgorithms(Document signedDoc,
AssertionInfoMap aim) throws Exception {
final AssertionInfo assertInfo =
aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
assertNotNull(assertInfo);
@@ -941,7 +1013,55 @@ public class PolicyBasedWss4JInOutTest e
final String canonMethod = (String) canonAlgoExpr.evaluate(signedDoc,
XPathConstants.STRING);
assertEquals(expectedCanonAlgorithm, canonMethod);
}
-
+
+ // TODO: This method can be removed when
runOutInterceptorAndValidateSamlTokenAttached
+ // is cleaned up.
+ private void verifySignatureCoversAssertion(Document signedDoc, String
assertionId) throws Exception {
+ XPathFactory factory = XPathFactory.newInstance();
+ XPath xpath = factory.newXPath();
+ final NamespaceContext nsContext = this.getNamespaceContext();
+ xpath.setNamespaceContext(nsContext);
+
+ // Find the SecurityTokenReference for the assertion
+ final XPathExpression strExpr = xpath.compile(
+
"/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
+
+ final NodeList strKeyIdNodes =
+ (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
+
+ String strId = null;
+ for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
+ Node keyIdNode = (Node) strKeyIdNodes.item(i);
+ String strKey = keyIdNode.getTextContent();
+ if (strKey.equals(assertionId)) {
+ Node strNode = (Node) keyIdNode.getParentNode();
+ strId = strNode.getAttributes().
+ getNamedItemNS(nsContext.getNamespaceURI("wsu"),
"Id").getNodeValue();
+ break;
+ }
+ }
+ assertNotNull("SecurityTokenReference for " + assertionId + " not
found in security header.", strId);
+
+ // Verify STR is included in the signature references
+ final XPathExpression sigRefExpr = xpath.compile(
+
"/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
+
+ final NodeList sigReferenceNodes =
+ (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
+
+ boolean foundStrReference = false;
+ for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
+ Node sigRefNode = (Node) sigReferenceNodes.item(i);
+ String sigRefURI =
sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
+ if (sigRefURI.equals("#" + strId)) {
+ foundStrReference = true;
+ break;
+ }
+ }
+
+ assertTrue("SecurityTokenReference for " + assertionId + " is not
signed.", foundStrReference);
+ }
+
private static final class MockEndpoint extends
AbstractAttributedInterceptorProvider implements Endpoint {
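Review bot: `verifySignatureCoversAssertion` only checks that some `ds:Reference` URI points at the SecurityTokenReference, not that the reference carries the STR-Transform, so a signature over the STR element alone (which does not bind the assertion it dereferences) would pass this test even though the production change in WSSecSignatureHelper exists precisely to add `STRTransform.implementedTransformURI`; the matching reference should additionally be required to contain `ds:Transforms/ds:Transform[@Algorithm='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform']`. In the first loop, `getNamedItemNS(..., "Id")` returning null produces a NullPointerException instead of the `assertNotNull` message, so guarding the attribute lookup (or asserting it non-null with the assertion id in the message) would keep failures readable. The two comparisons `strKey.equals(assertionId)` and `sigRefURI.equals("#" + strId)` would also tolerate whitespace better as `strKey.trim().equals(assertionId)` given the text content is read raw from the DOM.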
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml?rev=980941&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
Fri Jul 30 20:25:26 2010
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ NOTE: this test assertion will not pass signature validation tests nor
enable proof of possession
+ verifications to be made in relation to the certificates in the test
keystores
+-->
+<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
AssertionID="uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522"
+ IssueInstant="2010-07-29T20:48:46.229Z" Issuer="TEST-STS"
+ MajorVersion="1" MinorVersion="1">
+ <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z"
+ NotOnOrAfter="2010-07-29T20:49:22.229Z">
+ <saml:AudienceRestrictionCondition>
+ <saml:Audience>test-service</saml:Audience>
+ </saml:AudienceRestrictionCondition>
+ </saml:Conditions>
+ <saml:Advice />
+ <saml:AuthenticationStatement
AuthenticationInstant="2010-07-29T20:48:46.229Z"
+ AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
+ <saml:Subject>
+ <saml:NameIdentifier>CN=test-user,OU=test,OU=CXF,O=Apache Software
Foundation</saml:NameIdentifier>
+ <saml:SubjectConfirmation>
+ <saml:ConfirmationMethod>
+ urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
+ </saml:ConfirmationMethod>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MII
+
DmjCCAoKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgN
+
VBAMTCVRlc3QgQ0EgMTAeFw0wOTEyMTgwMTQ3NTBaFw0xOTEyMTYwMTQ2NDFaMFgxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAs
+
GA1UECxMEdGVzdDESMBAGA1UEAxMJdGVzdC11c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvK451fg0wMOFEr9Idhr88bOZUOvyTuemIy5ClWZryfomKsxwXxifb2
+
h3Zj+NJmJtG2lXOiXHCVM/qO/o6uZvkhIBNA51MvxgadGvgjTpx8Y9O9Z4C5kWOXkEDCZA/JcjW6zMhSr5g8X2n1qmG457cf7P3OxSVRvVO9WN7okuhcxZOSAGbq/XYw6Bt3YNDOIe2e
+
cgg8qbzkqnC92pQNM01QekEoIlrTyiQllPq5W5PX+7AxAUc8MjkoORdLIA9X1BnTIC8fNxwuS8OdJTerK56EiJ5FBqAst2DGQXSSkHURC6Tai/p0rm7sDDry2zmsRE2WSTcsCCAKpbAb
+
wJwXhqQIDAQABo28wbTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQeoRFv6WclHWP31CwGOU3CRhb80jALBgNVHQ8EBAMCBLAwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQ
+
RFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQEFBQADggEBAI5X4Q+xcyZK7XcU71Eaud2HnzLINhJg3owbGKnGrlpMKToH4ejI5jYgV8XQ69jcWF16Z6NPxg4NDud7s6CqNnlV5AA
+
CtzEnDEe00ykitiHHvG7ErDh3X3iZf3Sv0Rpg/lnb8v5IbVSo8pfvJRSMcJ3src2aKUtHpPy8TGfUT/58QfLWv2DXgpv3ocyYQIVjS7f/NirdcR88utIV4f119UyTQIy4uTKbEJLKs7G
+
A8UW4YjTw0G+FdZPxrr5nKmO9nnEBDDnfKqeorO3VUHXxk6eT5g0vU7SWSbdbEKAGlUz/ukUzWZS4vZMFRGKSM/+BMaoVqP13RHsL1Seofr9hPAI=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </saml:SubjectConfirmation>
+ </saml:Subject>
+ </saml:AuthenticationStatement>
+ <ds:Signature>
+ <ds:SignedInfo>
+ <ds:CanonicalizationMethod
+ Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+ <ds:SignatureMethod
+ Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+ <ds:Reference
+ URI="#uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522">
+ <ds:Transforms>
+ <ds:Transform
+
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
+ <ds:Transform
+
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+ </ds:Transforms>
+ <ds:DigestMethod
+ Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+ <ds:DigestValue>+oA6MZcwrQrVa+IwsOejQW91VwM=
+ </ds:DigestValue>
+ </ds:Reference>
+ </ds:SignedInfo>
+ <ds:SignatureValue>
+
WNU2nQEnGtMl3f+bApcFB/fFb36WCfBMae/9wFs5Y2Be6RVZ0FMv6NYMhEboWwuUuRMAZ8L8Ac4H
+
2Xp76pd/9ypO/IY+oM5k6A4N+p8q/VX5f3Qnkh5EcF2k69LVfMNpBje+eksUyHyREUd8w6Ejh1O1
+
kLkR4oxBLjvYm+GLGFEmMYTpFHFyAK1bn1BdvAtDb3/hDZeGASRWUPnYFuqMTMUqa1O6iBISQFM1
+
3KUwhvKk7xODSsIsivFYFcP/7MamYOwr5UWyDex2xID9ubXdzu0B/Ey6IslaCCFZSZK1WfSiTU2Q
+ yZarJS6WBDTNCt2ad29A5oURJpwEsdXQsOtNmA==
+ </ds:SignatureValue>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>MIIDmzCCAoOgAwIBAgIBAzANBgkqhkiG9w0
+ BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0
+
d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgNVBAMTCVRl
+
c3QgQ0EgMTAeFw0wOTEyMTgwMTQ5MDFaFw0xOTEyMTYwMTQ2NDFaMFkxJjAkBgNVBAoTHVByb2dy
+
ZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAsGA1UECxMEdGVzdDETMBEG
+
A1UEAxMKc3RzLWlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf6fT4yXU8J
+
sfQAa6Kidu8NVONLF4HPgGMnB/JxcMJFzYvG9J2WtWTV0PEwzoLronC/92NcEmHktaY6mbgXQx90
+
4nnyXVs1mhSFbFjuunOCwbYbLoP0hTSOAFEXIMZfIev6ecnSS2jbuhz4CRKxdbtf5d1QF2MWataN
+
zTXYqoWuHKcSxzha4DlS8W9MVAp4gi6yubbbb0KZxMDeTiuCM8kJ1B0et+qAw3hVRosWHxzvcJz7
+
zzc2fscOSVBtwDyYZdEShHt8oL+9bs1oiWHZm35/YP476AOC9rznYU6ekXtVszwak5kOAheJC9sx
+
BF+WMmMRZc3w3ZMEJUcLMgYj678CAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6hTh
+
MTVrJEvhmPWvHzgFS4fbPr4wCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgB
+
hvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQAbb5autCceUfJLII1T
+
C2zqTFdxFzW6Pa1Ni8VYtxEVli5d48R3VgfPm4o1uP5MeJJc1LzgwQ7TYWhdmwDAWIbXvNtaMzDZ
+
FZK2kgU4yjhPSTTqMZvvdJlADBQbZPKxsd9NT5K7FEcxuWNOnjRl1vZZ3pbgbR/aq12g9ERWjvt6
+
ZOS0/Rc2mv8uie1rCpPIdes/nj9yTP+pMIGI65RhMHrr3zPIkl6ZWPPWFoXkOS26e8AKkfMadaZd
+
WKrB3xkBW5eDoUz22DaolFw5WfJJD2s3kto26/UYjjRviZ9j+YkRVRDLDn3j/8wcdYD2p1anzMKU
+ TjZe7HgwbK7N/J5QJ/KQ
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </ds:Signature>
+</saml:Assertion>
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml?rev=980941&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
Fri Jul 30 20:25:26 2010
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+ xmlns:wsa="http://www.w3.org/2005/08/addressing"
+ xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ xmlns:ser="http://www.sdj.pl">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:SignedSupportingTokens>
+ <wsp:Policy>
+ <sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+ <sp:Issuer>
+ <wsa:Address>not used in test</wsa:Address>
+ </sp:Issuer>
+ <sp:RequestSecurityTokenTemplate>
+
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
+ <wst:AppliesTo>
+ <wsp:URI>service-1</wsp:URI>
+ </wst:AppliesTo>
+ <wst:Participants>
+ <wst:Participant>
+ <wsp:URI>service-1</wsp:URI>
+ </wst:Participant>
+ </wst:Participants>
+
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
+ </sp:RequestSecurityTokenTemplate>
+ </sp:IssuedToken>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireIssuerSerialReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:RequireIssuerSerialReference />
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256Sha256 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict />
+ </wsp:Policy>
+ </sp:Layout>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:SignedElements>
+ <sp:XPath>//ser:Header</sp:XPath>
+ </sp:SignedElements>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
------------------------------------------------------------------------------
svn:eol-style = native