Author: coheigea
Date: Fri Nov 11 13:42:53 2011
New Revision: 1200881
URL: http://svn.apache.org/viewvc?rev=1200881&view=rev
Log:
Added support for using a SAML Token as an EndorsingSupportingToken + added a
systest.
Added support for SignedEncryptedSupportingToken policy validation + added some
tests.
Added:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
- copied, changed from r1200419,
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Nov 11 13:42:53 2011
@@ -75,6 +75,7 @@ import org.apache.cxf.ws.security.wss4j.
import
org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import
org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
import
org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
@@ -583,8 +584,12 @@ public class PolicyBasedWSS4JInIntercept
new SignedEndorsingTokenPolicyValidator(msg, results,
signedResults);
signedEdorsingValidator.validatePolicy(aim);
+ SignedEncryptedTokenPolicyValidator signedEncryptedValidator =
+ new SignedEncryptedTokenPolicyValidator(msg, results,
signedResults);
+ signedEncryptedValidator.setValidateUsernameToken(utWithCallbacks);
+ signedEncryptedValidator.validatePolicy(aim);
+
//REVISIT - probably can verify some of these like if UT is encrypted
and/or signed, etc...
- assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
if (hasEndorsement || isRequestor(msg)) {
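Review bot: `assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS)` on the line after the removed SIGNED_ENCRYPTED assertion is still asserted unconditionally, even though this commit adds `setEncrypted`/`areTokensEncrypted` to the abstract validator, which is exactly what an EncryptedSupportingTokens check would need. If an EncryptedTokenPolicyValidator is deliberately left for a follow-up, the REVISIT comment above should say so, since it still talks about verifying that a UT is "encrypted and/or signed" although both are now validated for the SignedEncrypted case. The enclosing method starts and ends outside the hunk.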
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Fri Nov 11 13:42:53 2011
@@ -34,6 +34,7 @@ import org.apache.cxf.binding.soap.SoapM
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
import org.apache.cxf.ws.security.policy.model.Header;
@@ -217,6 +218,15 @@ public class TransportBindingHandler ext
addSig(signatureValues,
doX509TokenSignature(token,
endSuppTokens.getSignedParts(),
endSuppTokens));
+ } else if (token instanceof SamlToken) {
+ AssertionWrapper assertionWrapper =
addSamlToken((SamlToken)token);
+ assertionWrapper.toDOM(saaj.getSOAPPart());
+
storeAssertionAsSecurityToken(assertionWrapper);
+ addSig(signatureValues,
doIssuedTokenSignature(token,
+
endSuppTokens
+
.getSignedParts(),
+
endSuppTokens,
+
null));
}
}
}
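Review bot: The trailing `null` passed to `doIssuedTokenSignature(...)` in the new SamlToken branch is an unexplained argument; the X509 branch directly above has no such parameter, so a reader cannot tell what is being omitted for a SAML token. A short comment naming the fourth parameter and why it is null here would help. Also, if `addSamlToken` can return null rather than throw when no assertion is produced (e.g. no callback handler configured), `assertionWrapper.toDOM(saaj.getSOAPPart())` on the next line would fail with a NullPointerException; worth confirming against addSamlToken, whose body is not in this diff. The enclosing method starts outside the hunk.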
@@ -471,7 +481,14 @@ public class TransportBindingHandler ext
sig.setX509Certificate(secTok.getX509Certificate());
crypto = secTok.getCrypto();
+ if (crypto == null) {
+ crypto = getSignatureCrypto(wrapper);
+ }
String uname =
crypto.getX509Identifier(secTok.getX509Certificate());
+ if (uname == null) {
+ String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
+ uname = (String)message.getContextualProperty(userNameKey);
+ }
String password = getPassword(uname, token,
WSPasswordCallback.SIGNATURE);
if (password == null) {
password = "";
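Review bot: The new fallback `crypto = getSignatureCrypto(wrapper);` is not followed by a null check, so when neither the security token nor the signature configuration provides a Crypto, `crypto.getX509Identifier(...)` on the next line fails with a NullPointerException instead of a `Fault` that names the missing signature crypto (Fault is already imported in this file). Add `if (crypto == null) { ... }` raising such a Fault directly after the fallback. Likewise `uname` can still be null after the `SIGNATURE_USERNAME` contextual-property fallback and then flows into `getPassword(uname, ...)`; if that is tolerated by getPassword, a one-line comment saying so would save the next reader the trip. The enclosing method starts and ends outside the hunk.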
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
Fri Nov 11 13:42:53 2011
@@ -40,6 +40,8 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.util.WSSecurityUtil;
/**
@@ -54,6 +56,10 @@ public abstract class AbstractSupporting
protected boolean tls;
protected boolean validateUsernameToken = true;
protected Element timestamp;
+ private boolean signed;
+ private boolean encrypted;
+ private boolean derived;
+ private boolean endorsed;
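Review bot: The four new flags replace per-call boolean parameters with mutable instance state that every concrete validator must set before calling the `process*Tokens()` methods, and all of them default to false, so a subclass that forgets `setSigned(true)` or `setEncrypted(true)` silently enforces nothing while the policy is still asserted (see the validatePolicy bodies elsewhere in this commit). A comment on the fields should make that contract explicit, e.g. `// Constraints a concrete validator must enable before calling process*Tokens(); all default to false, i.e. unenforced.`, and the setters in the next hunk could carry the same note. The class header is outside the hunk.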
public AbstractSupportingTokenPolicyValidator(
Message message,
@@ -91,10 +97,26 @@ public abstract class AbstractSupporting
this.validateUsernameToken = validateUsernameToken;
}
+ public void setSigned(boolean signed) {
+ this.signed = signed;
+ }
+
+ public void setEncrypted(boolean encrypted) {
+ this.encrypted = encrypted;
+ }
+
+ public void setDerived(boolean derived) {
+ this.derived = derived;
+ }
+
+ public void setEndorsed(boolean endorsed) {
+ this.endorsed = endorsed;
+ }
+
/**
* Process UsernameTokens. Only SignedSupportingTokens are currently
enforced.
*/
- protected boolean processUsernameTokens(boolean signed, boolean endorsed,
boolean derived) {
+ protected boolean processUsernameTokens() {
if (!validateUsernameToken) {
return true;
}
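Review bot: The javadoc on `processUsernameTokens()` still reads "Only SignedSupportingTokens are currently enforced", but the new body (next hunk) also enforces the encrypted constraint; the same stale sentence sits above `processSAMLTokens()` in the following hunk, which now enforces signed, encrypted and endorsed. Suggested text: `Process UsernameTokens, enforcing whichever of the signed/encrypted constraints have been enabled via the setters.` and `Process SAML Tokens, enforcing whichever of the signed/encrypted/endorsed constraints have been enabled via the setters.`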
@@ -106,14 +128,20 @@ public abstract class AbstractSupporting
return false;
}
- return areTokensSigned(tokenResults);
+ if (signed && !areTokensSigned(tokenResults)) {
+ return false;
+ }
+ if (encrypted && !areTokensEncrypted(tokenResults)) {
+ return false;
+ }
+ return true;
}
/**
* Process SAML Tokens. Only SignedSupportingTokens are currently enforced.
*/
- protected boolean processSAMLTokens(boolean signed, boolean endorsed,
boolean derived) {
+ protected boolean processSAMLTokens() {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED,
tokenResults);
WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED,
tokenResults);
@@ -122,14 +150,23 @@ public abstract class AbstractSupporting
return false;
}
- return areTokensSigned(tokenResults);
+ if (signed && !areTokensSigned(tokenResults)) {
+ return false;
+ }
+ if (encrypted && !areTokensEncrypted(tokenResults)) {
+ return false;
+ }
+ if (endorsed && !checkEndorsed(tokenResults)) {
+ return false;
+ }
+ return true;
}
/**
* Process Kerberos Tokens.
*/
- protected boolean processKerberosTokens(boolean signed, boolean endorsed,
boolean derived) {
+ protected boolean processKerberosTokens() {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
List<WSSecurityEngineResult> dktResults = new
ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
@@ -157,6 +194,9 @@ public abstract class AbstractSupporting
if (signed && !areTokensSigned(tokenResults)) {
return false;
}
+ if (encrypted && !areTokensEncrypted(tokenResults)) {
+ return false;
+ }
tokenResults.addAll(dktResults);
if (endorsed && !checkEndorsed(tokenResults)) {
return false;
@@ -168,7 +208,7 @@ public abstract class AbstractSupporting
/**
* Process X509 Tokens.
*/
- protected boolean processX509Tokens(boolean signed, boolean endorsed,
boolean derived) {
+ protected boolean processX509Tokens() {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
List<WSSecurityEngineResult> dktResults = new
ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
@@ -196,6 +236,9 @@ public abstract class AbstractSupporting
if (signed && !areTokensSigned(tokenResults)) {
return false;
}
+ if (encrypted && !areTokensEncrypted(tokenResults)) {
+ return false;
+ }
tokenResults.addAll(dktResults);
if (endorsed && !checkEndorsed(tokenResults)) {
return false;
@@ -207,7 +250,7 @@ public abstract class AbstractSupporting
/**
* Process Security Context Tokens.
*/
- protected boolean processSCTokens(boolean signed, boolean endorsed,
boolean derived) {
+ protected boolean processSCTokens() {
List<WSSecurityEngineResult> tokenResults = new
ArrayList<WSSecurityEngineResult>();
List<WSSecurityEngineResult> dktResults = new
ArrayList<WSSecurityEngineResult>();
for (WSSecurityEngineResult wser : results) {
@@ -231,6 +274,9 @@ public abstract class AbstractSupporting
if (signed && !areTokensSigned(tokenResults)) {
return false;
}
+ if (encrypted && !areTokensEncrypted(tokenResults)) {
+ return false;
+ }
tokenResults.addAll(dktResults);
if (endorsed && !checkEndorsed(tokenResults)) {
return false;
@@ -320,6 +366,22 @@ public abstract class AbstractSupporting
}
/**
+ * Return true if a list of tokens were encrypted, false otherwise.
+ */
+ private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens) {
+ if (tls) {
+ return true;
+ }
+ for (WSSecurityEngineResult wser : tokens) {
+ Element tokenElement =
(Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ if (!isTokenEncrypted(tokenElement)) {
+ return false;
+ }
+ }
+ return true;
+ }
+
+ /**
* Return true if the Timestamp is signed by one of the token results
* @param tokenResults A list of WSSecurityEngineResults corresponding to
tokens
* @return true if the Timestamp is signed
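Review bot: The javadoc for `areTokensEncrypted` says only "Return true if a list of tokens were encrypted", but its first statement returns true whenever `tls` is set, so transport-level confidentiality is accepted in place of message-level encryption for every token in the list; that substitution should be stated where someone reviewing an EncryptedSupportingTokens policy will see it, e.g. `Return true if every token in the list was encrypted, or if the message arrived over TLS (transport confidentiality is accepted instead of message-level encryption).` The method also returns true for an empty list, which is only safe because the callers appear to reject empty token lists first (the `return false` context above each call); a one-line note on that assumption would help.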
@@ -384,6 +446,7 @@ public abstract class AbstractSupporting
// Now see if the same credential exists in the tokenResult list
for (WSSecurityEngineResult token : tokenResult) {
+ Integer actInt =
(Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
BinarySecurity binarySecurity =
(BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
if (binarySecurity instanceof X509Security
@@ -393,6 +456,21 @@ public abstract class AbstractSupporting
if (foundCert.equals(cert)) {
return true;
}
+ } else if (actInt.intValue() == WSConstants.ST_SIGNED
+ || actInt.intValue() == WSConstants.ST_UNSIGNED) {
+ AssertionWrapper assertionWrapper =
+
(AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
+ if (samlKeyInfo != null) {
+ X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
+ byte[] subjectSecretKey = samlKeyInfo.getSecret();
+ if (cert != null && subjectCerts != null &&
cert.equals(subjectCerts[0])) {
+ return true;
+ }
+ if (subjectSecretKey != null &&
Arrays.equals(subjectSecretKey, secret)) {
+ return true;
+ }
+ }
} else {
byte[] foundSecret =
(byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
if (foundSecret != null && Arrays.equals(foundSecret, secret))
{
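Review bot: `cert.equals(subjectCerts[0])` in the new SAML branch dereferences index 0 after only a null check, so a SAMLKeyInfo carrying an empty certificate array throws ArrayIndexOutOfBoundsException instead of returning false; change the condition to `if (cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0])) {`. The branch also accepts both `ST_SIGNED` and `ST_UNSIGNED` results as endorsers; for an unsigned assertion nobody has vouched for the subject key binding, so unless the upstream WSS4J validator already rejects unsigned holder-of-key assertions, the `ST_UNSIGNED` case should be excluded here or its trust basis documented in a comment. `actInt.intValue()` (declared in the previous hunk) assumes `TAG_ACTION` is always present on a result; if it can be absent the unboxing throws, which is worth confirming. The enclosing method starts and ends outside the hunk.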
@@ -425,4 +503,20 @@ public abstract class AbstractSupporting
return false;
}
+ /**
+ * Return true if a token was encrypted, false otherwise.
+ */
+ private boolean isTokenEncrypted(Element token) {
+ for (WSSecurityEngineResult signedResult : encryptedResults) {
+ List<WSDataRef> dataRefs =
+
CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ for (WSDataRef dataRef : dataRefs) {
+ if (token == dataRef.getProtectedElement()) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
}
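Review bot: `for (WSDataRef dataRef : dataRefs)` in `isTokenEncrypted` iterates a list taken straight from `TAG_DATA_REF_URIS`; if an encryption result can lack that tag (so `CastUtils.cast` yields null), the loop throws a NullPointerException instead of treating the result as protecting nothing — `if (dataRefs == null) { continue; }` before the loop would make it robust, if that absence is possible. The loop variable `signedResult` iterates `encryptedResults` and should be named `encryptedResult` to avoid the copy-paste confusion. `encryptedResults` itself is populated outside this hunk, so whether it is already restricted to encryption actions cannot be seen here.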
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
Fri Nov 11 13:42:53 2011
@@ -29,6 +29,7 @@ import org.apache.cxf.ws.security.policy
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.IssuedToken;
import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
import org.apache.cxf.ws.security.policy.model.SupportingToken;
import org.apache.cxf.ws.security.policy.model.Token;
@@ -62,6 +63,7 @@ public class EndorsingTokenPolicyValidat
continue;
}
ai.setAsserted(true);
+ setEndorsed(true);
List<Token> tokens = binding.getTokens();
for (Token token : tokens) {
@@ -70,17 +72,22 @@ public class EndorsingTokenPolicyValidat
}
boolean derived = token.isDerivedKeys();
+ setDerived(derived);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
- if (!processKerberosTokens(false, true, derived)) {
+ if (!processKerberosTokens()) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
- if (!processX509Tokens(false, true, derived)) {
+ if (!processX509Tokens()) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
- if (!processSCTokens(false, true, derived)) {
+ if (!processSCTokens()) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SamlToken) {
+ if (!processSAMLTokens()) {
processingFailed = true;
}
} else if (!(token instanceof IssuedToken)) {
Copied:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
(from r1200419,
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java)
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?p2=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java&p1=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java&r1=1200419&r2=1200881&rev=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
Fri Nov 11 13:42:53 2011
@@ -38,11 +38,11 @@ import org.apache.cxf.ws.security.policy
import org.apache.ws.security.WSSecurityEngineResult;
/**
- * Validate SignedSupportingToken policies.
+ * Validate a SignedEncryptedSupportingToken policy.
*/
-public class SignedTokenPolicyValidator extends
AbstractSupportingTokenPolicyValidator {
+public class SignedEncryptedTokenPolicyValidator extends
AbstractSupportingTokenPolicyValidator {
- public SignedTokenPolicyValidator(
+ public SignedEncryptedTokenPolicyValidator(
Message message,
List<WSSecurityEngineResult> results,
List<WSSecurityEngineResult> signedResults
@@ -53,18 +53,20 @@ public class SignedTokenPolicyValidator
public boolean validatePolicy(
AssertionInfoMap aim
) {
- Collection<AssertionInfo> ais =
aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+ Collection<AssertionInfo> ais =
aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
if (ais == null || ais.isEmpty()) {
return true;
}
-
+
for (AssertionInfo ai : ais) {
SupportingToken binding = (SupportingToken)ai.getAssertion();
- if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED !=
binding.getTokenType()) {
+ if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED
!= binding.getTokenType()) {
continue;
}
ai.setAsserted(true);
-
+ setSigned(true);
+ setEncrypted(true);
+
List<Token> tokens = binding.getTokens();
for (Token token : tokens) {
if (!isTokenRequired(token, message)) {
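Review bot: `validatePolicy` here differs from the `SignedTokenPolicyValidator` it was copied from only in the assertion constant, the `SupportTokenType`, the `setSigned`/`setEncrypted` calls and the failure message, so roughly sixty lines of token-type dispatch are now duplicated across the two classes (and largely across the Endorsing variants too); a shared template method in `AbstractSupportingTokenPolicyValidator` taking those values would keep the dispatch in one place. The next hunk also moves the `SamlToken` branch below `SecurityContextToken` without a functional reason, which makes future diffs between the sibling classes noisier; keep the original order unless there is one. The method's closing lines are in a later hunk.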
@@ -73,23 +75,23 @@ public class SignedTokenPolicyValidator
boolean processingFailed = false;
if (token instanceof UsernameToken) {
- if (!processUsernameTokens(true, false, false)) {
- processingFailed = true;
- }
- } else if (token instanceof SamlToken) {
- if (!processSAMLTokens(true, false, false)) {
+ if (!processUsernameTokens()) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
- if (!processKerberosTokens(true, false, false)) {
+ if (!processKerberosTokens()) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
- if (!processX509Tokens(true, false, false)) {
+ if (!processX509Tokens()) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
- if (!processSCTokens(true, false, false)) {
+ if (!processSCTokens()) {
+ processingFailed = true;
+ }
+ } else if (token instanceof SamlToken) {
+ if (!processSAMLTokens()) {
processingFailed = true;
}
} else if (!(token instanceof IssuedToken)) {
@@ -98,12 +100,11 @@ public class SignedTokenPolicyValidator
if (processingFailed) {
ai.setNotAsserted(
- "The received token does not match the signed
supporting token requirement"
+ "The received token does not match the signed
encrypted supporting token requirement"
);
return false;
}
}
-
}
return true;
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
Fri Nov 11 13:42:53 2011
@@ -62,6 +62,8 @@ public class SignedEndorsingTokenPolicyV
continue;
}
ai.setAsserted(true);
+ setSigned(true);
+ setEndorsed(true);
List<Token> tokens = binding.getTokens();
for (Token token : tokens) {
@@ -70,17 +72,18 @@ public class SignedEndorsingTokenPolicyV
}
boolean derived = token.isDerivedKeys();
+ setDerived(derived);
boolean processingFailed = false;
if (token instanceof KerberosToken) {
- if (!processKerberosTokens(true, true, derived)) {
+ if (!processKerberosTokens()) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
- if (!processX509Tokens(true, true, derived)) {
+ if (!processX509Tokens()) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
- if (!processSCTokens(true, true, derived)) {
+ if (!processSCTokens()) {
processingFailed = true;
}
} else if (!(token instanceof IssuedToken)) {
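Review bot: Unlike `EndorsingTokenPolicyValidator` in this same commit, this dispatch gains no `SamlToken` branch, so a SAML token listed under a SignedEndorsingSupportingTokens assertion falls through to the `!(token instanceof IssuedToken)` branch and is presumably reported as failed rather than validated. If SAML is intentionally out of scope here, a comment saying so would stop the inconsistency from reading as an omission; otherwise add `} else if (token instanceof SamlToken) { if (!processSAMLTokens()) { processingFailed = true; } }` (plus the SamlToken import), since the abstract class now enforces the signed and endorsed flags for SAML. The fall-through branch's body is outside the hunk.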
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Fri Nov 11 13:42:53 2011
@@ -64,6 +64,7 @@ public class SignedTokenPolicyValidator
continue;
}
ai.setAsserted(true);
+ setSigned(true);
List<Token> tokens = binding.getTokens();
for (Token token : tokens) {
@@ -73,23 +74,23 @@ public class SignedTokenPolicyValidator
boolean processingFailed = false;
if (token instanceof UsernameToken) {
- if (!processUsernameTokens(true, false, false)) {
+ if (!processUsernameTokens()) {
processingFailed = true;
}
} else if (token instanceof SamlToken) {
- if (!processSAMLTokens(true, false, false)) {
+ if (!processSAMLTokens()) {
processingFailed = true;
}
} else if (token instanceof KerberosToken) {
- if (!processKerberosTokens(true, false, false)) {
+ if (!processKerberosTokens()) {
processingFailed = true;
}
} else if (token instanceof X509Token) {
- if (!processX509Tokens(true, false, false)) {
+ if (!processX509Tokens()) {
processingFailed = true;
}
} else if (token instanceof SecurityContextToken) {
- if (!processSCTokens(true, false, false)) {
+ if (!processSCTokens()) {
processingFailed = true;
}
} else if (!(token instanceof IssuedToken)) {
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
Fri Nov 11 13:42:53 2011
@@ -256,6 +256,31 @@ public class KerberosTokenTest extends A
assertTrue(result.equals(BigInteger.valueOf(50)));
}
+ @org.junit.Test
+ @org.junit.Ignore
+ public void testKerberosOverAsymmetricSignedEncrypted() throws Exception {
+
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType kerberosPort =
service.getDoubleItKerberosAsymmetricSignedEncryptedPort();
+ updateAddressPort(kerberosPort, PORT);
+
+ BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+ assertTrue(result.equals(BigInteger.valueOf(50)));
+ }
+
+
private boolean checkUnrestrictedPoliciesInstalled() {
try {
byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
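Review bot: The new `testKerberosOverAsymmetricSignedEncrypted` is added already `@org.junit.Ignore`d with no reason given, so the one test that would exercise message-level encryption of a supporting token (rather than the TLS shortcut in `areTokensEncrypted`) never runs and nothing records why. Put the reason in the annotation, `@org.junit.Ignore("<reason placeholder>")`, or reference the tracking issue in a comment. The test also exercises only the compliant client; a companion test whose client omits encryption should be expected to fail against the SignedEncrypted endpoint.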
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Fri Nov 11 13:42:53 2011
@@ -305,7 +305,6 @@ public class SamlTokenTest extends Abstr
}
@org.junit.Test
- @org.junit.Ignore
public void testSaml2EndorsingOverTransport() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
@@ -317,14 +316,16 @@ public class SamlTokenTest extends Abstr
DoubleItService service = new DoubleItService();
- DoubleItPortType saml1Port =
service.getDoubleItSaml2EndorsingTransportPort();
- updateAddressPort(saml1Port, PORT2);
+ DoubleItPortType saml2Port =
service.getDoubleItSaml2EndorsingTransportPort();
+ updateAddressPort(saml2Port, PORT2);
- ((BindingProvider)saml1Port).getRequestContext().put(
- "ws-security.saml-callback-handler", new SamlCallbackHandler()
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
);
- BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
+ BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
assertTrue(result.equals(BigInteger.valueOf(50)));
}
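Review bot: The un-ignored `testSaml2EndorsingOverTransport` now sets `SAML2Constants.CONF_HOLDER_KEY` and checks only that the call succeeds; none of the new tests (this one, `testSignedEncrypted` in UsernameTokenTest, or the Kerberos test) exercise the negative path in which the new validator logic must reject a message. The holder-of-key check is most valuable when shown to fail for an assertion with the default confirmation method, so a companion test expecting a fault from this port without `setConfirmationMethod` would pin the new SAML branch of `checkEndorsed`; likewise an unencrypted UT against the SignedEncrypted port. If PORT in UsernameTokenTest is the HTTPS port, `testSignedEncrypted` presumably exercises only the TLS shortcut of `areTokensEncrypted`, which is worth stating in that test's comment.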
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
Fri Nov 11 13:42:53 2011
@@ -136,4 +136,21 @@ public class UsernameTokenTest extends A
utPort.doubleIt(BigInteger.valueOf(25));
}
+ @org.junit.Test
+ public void testSignedEncrypted() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = UsernameTokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ DoubleItService service = new DoubleItService();
+
+ DoubleItPortType utPort = service.getDoubleItSignedEncryptedPort();
+ updateAddressPort(utPort, PORT);
+ utPort.doubleIt(BigInteger.valueOf(25));
+ }
+
}
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
Fri Nov 11 13:42:53 2011
@@ -205,4 +205,25 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client
name="{http://WSSec/kerberos}DoubleItKerberosAsymmetricSignedEncryptedPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.kerberos.client">
+ <bean
class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="alice"/>
+ <property name="serviceName"
value="[email protected]"/>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
Fri Nov 11 13:42:53 2011
@@ -239,7 +239,7 @@
</jaxws:endpoint>
- <jaxws:endpoint
+ <jaxws:endpoint
id="KerberosOverAsymmetricSignedEndorsing"
address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEndorsing"
serviceName="s:DoubleItService"
@@ -263,4 +263,28 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="KerberosOverAsymmetricSignedEncrypted"
+
address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEncrypted"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItKerberosAsymmetricSignedEncryptedPort"
+ xmlns:s="http://WSSec/kerberos"
+ implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.bst.validator"
value-ref="kerberosValidator"/>
+ <entry key="ws-security.is-bsp-compliant" value="false"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
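Review bot: The new `KerberosOverAsymmetricSignedEncrypted` endpoint sets `ws-security.is-bsp-compliant` to `false`, which relaxes Basic Security Profile checks for everything received on that endpoint, not just the Kerberos token. If the relaxation is needed only for the Kerberos BinarySecurityToken handling (as the neighbouring endpoints outside the hunk presumably do as well), an XML comment next to the entry saying so would keep the setting from being copied into configurations where it is not needed.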
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Fri Nov 11 13:42:53 2011
@@ -104,6 +104,7 @@
<entry key="ws-security.signature.username" value="alice"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.self-sign-saml-assertion" value="true"/>
</jaxws:properties>
</jaxws:client>
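Review bot: The added `ws-security.self-sign-saml-assertion` entry carries no comment explaining why this client now self-signs its assertion; with the flag on, the assertion is signed by the client's own credentials (alice, per the signature entries directly above), so the receiving side trusts the assertion issuer only as far as it trusts the client's signature certificate. That is acceptable for a systest, but a one-line comment such as `<!-- self-sign the assertion with alice's key; presumably required for it to act as an endorsing token (see commit log) -->` would make the intent visible to anyone reusing this configuration. The enclosing `<jaxws:client>` begins outside the hunk, so which port this applies to is not visible here.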
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
Fri Nov 11 13:42:53 2011
@@ -98,4 +98,17 @@
</jaxws:properties>
</jaxws:client>
+
+ <jaxws:client name="{http://WSSec/ut}DoubleItSignedEncryptedPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+ </jaxws:client>
+
</beans>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
Fri Nov 11 13:42:53 2011
@@ -159,4 +159,23 @@
</jaxws:endpoint>
+ <jaxws:endpoint
+ id="SignedEncrypted"
+
address="https://localhost:${testutil.ports.Server}/DoubleItUTSignedEncrypted"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItSignedEncryptedPort"
+ xmlns:s="http://WSSec/ut"
+ implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+ wsdlLocation="wsdl_systest_wssec/ut/DoubleItUt.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+ <entry key="ws-security.encryption.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
</beans>
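Review bot: The new SignedEncrypted endpoint in the ut server config names `org.apache.cxf.systest.ws.saml.server.DoubleItImpl` as its implementor, a class from the saml test package rather than ut; if the other endpoints in this file (outside the hunk) use the same class this is consistent, otherwise it reads as a copy-paste from the SAML server config. A short comment such as `<!-- reuses the saml DoubleItImpl; there is no ut-specific implementation -->`, or the ut implementor if one exists, would settle it. `depends-on="tls-settings"` is present, which matches the https address on the endpoint.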
Modified:
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
Fri Nov 11 13:42:53 2011
@@ -254,6 +254,26 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItKerberosAsymmetricSignedEncryptedBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference
URI="#DoubleItKerberosAsymmetricSignedEncryptedPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItKerberosTransportPort"
binding="tns:DoubleItKerberosTransportBinding">
<soap:address
location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -290,6 +310,10 @@
binding="tns:DoubleItKerberosAsymmetricSignedEndorsingBinding">
<soap:address
location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEndorsing" />
</wsdl:port>
+ <wsdl:port name="DoubleItKerberosAsymmetricSignedEncryptedPort"
+
binding="tns:DoubleItKerberosAsymmetricSignedEncryptedBinding">
+ <soap:address
location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEncrypted" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -735,6 +759,68 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItKerberosAsymmetricSignedEncryptedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:SignedEncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:KerberosToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+ <wsp:Policy>
+ <sp:WssGssKerberosV5ApReqToken11/>
+ </wsp:Policy>
+ </sp:KerberosToken>
+ </wsp:Policy>
+ </sp:SignedEncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
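Review bot: The new DoubleItKerberosAsymmetricSignedEncryptedPolicy has no comment marking what distinguishes it from the neighbouring Kerberos asymmetric policies, and the only material difference is the `sp:SignedEncryptedSupportingTokens` wrapper, which requires the Kerberos token to be both covered by the message signature and encrypted rather than signed only. A comment above the `<wsp:Policy wsu:Id="DoubleItKerberosAsymmetricSignedEncryptedPolicy">` line, e.g. `<!-- AsymmetricBinding; the Kerberos token (IncludeToken/Once) must be both signed and encrypted at message level -->`, would make that readable without diffing against the sibling policies. The binding sets neither `sp:EncryptSignature` nor `sp:ProtectTokens`, so the signature covering the token is not itself encrypted; that presumably matches the existing policies in this file, so I only flag it as a choice worth stating rather than a defect.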
Modified:
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl
Fri Nov 11 13:42:53 2011
@@ -168,6 +168,25 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItSignedEncryptedBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItSignedEncryptedPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItPlaintextPort"
binding="tns:DoubleItPlaintextBinding">
@@ -185,6 +204,9 @@
<wsdl:port name="DoubleItSignedEndorsingPort"
binding="tns:DoubleItSignedEndorsingBinding">
<soap:address
location="https://localhost:9009/DoubleItUTSignedEndorsing" />
</wsdl:port>
+ <wsdl:port name="DoubleItSignedEncryptedPort"
binding="tns:DoubleItSignedEncryptedBinding">
+ <soap:address
location="https://localhost:9009/DoubleItUTSignedEncrypted" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
@@ -385,6 +407,43 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
+
+ <wsp:Policy wsu:Id="DoubleItSignedEncryptedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken
RequireClientCertificate="false" />
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SignedEncryptedSupportingTokens>
+ <wsp:Policy>
+ <sp:UsernameToken
+
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10/>
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </sp:SignedEncryptedSupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
<wsp:ExactlyOne>