Author: coheigea
Date: Mon May 21 15:55:04 2012
New Revision: 1341084

URL: http://svn.apache.org/viewvc?rev=1341084&view=rev
Log:
[CXF-4330] - Enforce that received IssuedTokens contain the required claims

Added:
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
    
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
Modified:
    
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
    
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
    
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java

Added: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java?rev=1341084&view=auto
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
 (added)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
 Mon May 21 15:55:04 2012
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a WS-SecurityPolicy Claims policy.
+ */
+public interface ClaimsPolicyValidator {
+    
+    /**
+     * Validate a particular Claims policy against a received SAML Assertion. 
+     * Return true if the policy is valid.
+     */
+    boolean validatePolicy(
+        Element claimsPolicy,
+        AssertionWrapper assertion
+    );
+    
+    /**
+     * Return the dialect that this ClaimsPolicyValidator can parse
+     */
+    String getDialect();
+}
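Review bot: The Javadoc on `validatePolicy` does not state the contract for a null `claimsPolicy` or `assertion`, nor whether an implementation must re-check the `Dialect` attribute itself or may rely on the caller having matched `getDialect()` first. Suggest `@param claimsPolicy the Claims policy element to enforce`, `@param assertion the received SAML assertion the claims are looked up in`, and `@return true only if every non-optional claim in the policy is found in the assertion`. On `getDialect`, a sentence saying the returned value is compared with the Claims element's Dialect attribute before `validatePolicy` is invoked would make the two methods' relationship explicit.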

Added: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java?rev=1341084&view=auto
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
 (added)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
 Mon May 21 15:55:04 2012
@@ -0,0 +1,135 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.net.URI;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a WS-SecurityPolicy Claims policy for the 
+ * "http://schemas.xmlsoap.org/ws/2005/05/identity"; namespace.
+ */
+public class DefaultClaimsPolicyValidator implements ClaimsPolicyValidator {
+    
+    private static final String DEFAULT_CLAIMS_NAMESPACE = 
+        "http://schemas.xmlsoap.org/ws/2005/05/identity";;
+    
+    /**
+     * Validate a particular Claims policy against a received SAML Assertion. 
+     * Return true if the policy is valid.
+     */
+    public boolean validatePolicy(
+        Element claimsPolicy,
+        AssertionWrapper assertion
+    ) {
+        if (claimsPolicy == null) {
+            return false;
+        }
+        
+        String dialect = claimsPolicy.getAttributeNS(null, "Dialect");
+        if (!DEFAULT_CLAIMS_NAMESPACE.equals(dialect)) {
+            return false;
+        }
+        
+        Element claimType = DOMUtils.getFirstElement(claimsPolicy);
+        while (claimType != null) {
+            if ("ClaimType".equals(claimType.getLocalName())) {
+                String claimTypeUri = claimType.getAttributeNS(null, "Uri");
+                String claimTypeOptional = claimType.getAttributeNS(null, 
"Optional");
+                
+                if (("".equals(claimTypeOptional) || 
!Boolean.parseBoolean(claimTypeOptional))
+                    && !findClaimInAssertion(assertion, 
URI.create(claimTypeUri))) {
+                    return false;
+                }
+            }
+            
+            claimType = DOMUtils.getNextElement(claimType);
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Return the dialect that this ClaimsPolicyValidator can parse
+     */
+    public String getDialect() {
+        return DEFAULT_CLAIMS_NAMESPACE;
+    }
+    
+    private boolean findClaimInAssertion(AssertionWrapper assertion, URI 
claimURI) {
+        if (assertion.getSaml1() != null) {
+            return findClaimInAssertion(assertion.getSaml1(), claimURI);
+        } else if (assertion.getSaml2() != null) {
+            return findClaimInAssertion(assertion.getSaml2(), claimURI);
+        }
+        return false;
+    }
+    
+    private boolean findClaimInAssertion(org.opensaml.saml2.core.Assertion 
assertion, URI claimURI) {
+        List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            return false;
+        }
+        
+        for (org.opensaml.saml2.core.AttributeStatement statement : 
attributeStatements) {
+            
+            List<org.opensaml.saml2.core.Attribute> attributes = 
statement.getAttributes();
+            for (org.opensaml.saml2.core.Attribute attribute : attributes) {
+                
+                URI attributeNamespace = URI.create(attribute.getNameFormat());
+                String desiredRole = 
attributeNamespace.relativize(claimURI).toString();
+                if (attribute.getName().equals(desiredRole)
+                    && attribute.getAttributeValues() != null && 
!attribute.getAttributeValues().isEmpty()) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
+    private boolean findClaimInAssertion(org.opensaml.saml1.core.Assertion 
assertion, URI claimURI) {
+        List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            return false;
+        }
+        
+        for (org.opensaml.saml1.core.AttributeStatement statement : 
attributeStatements) {
+            
+            List<org.opensaml.saml1.core.Attribute> attributes = 
statement.getAttributes();
+            for (org.opensaml.saml1.core.Attribute attribute : attributes) {
+                
+                URI attributeNamespace = 
URI.create(attribute.getAttributeNamespace());
+                String desiredRole = 
attributeNamespace.relativize(claimURI).toString();
+                if (attribute.getAttributeName().equals(desiredRole)
+                    && attribute.getAttributeValues() != null && 
!attribute.getAttributeValues().isEmpty()) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
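Review bot: `URI.create(attribute.getNameFormat())` in the SAML 2.0 `findClaimInAssertion` overload throws NullPointerException when a received attribute carries no NameFormat and IllegalArgumentException when the value is not a well-formed URI, so such an assertion aborts policy validation with an unchecked exception instead of a clean false. NameFormat is optional on a SAML 2.0 Attribute, so this is reachable with a schema-valid token. Suggest reading it into a local and falling back to the full claim URI when it is absent: `String nameFormat = attribute.getNameFormat();` / `String desiredRole = nameFormat == null ? claimURI.toString()` / `    : URI.create(nameFormat).relativize(claimURI).toString();`. The same consideration applies to `getAttributeNamespace()` in the SAML 1.1 overload if it can return null, and the `"".equals(claimTypeOptional) ||` test in `validatePolicy` is redundant because `Boolean.parseBoolean("")` is already false.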

Modified: 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
 (original)
+++ 
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
 Mon May 21 15:55:04 2012
@@ -46,6 +46,7 @@ public class IssuedTokenPolicyValidator 
     
     private List<WSSecurityEngineResult> signedResults;
     private Message message;
+    private ClaimsPolicyValidator claimsValidator = new 
DefaultClaimsPolicyValidator();
 
     public IssuedTokenPolicyValidator(
         List<WSSecurityEngineResult> signedResults,
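Review bot: The new `claimsValidator` field is assigned once and never reassigned, so it should be `private final`; the `getDialect()` check on the interface suggests pluggable per-dialect validators, yet there is no constructor parameter or setter to supply one, so only the default identity dialect can ever be enforced. If that is the intended scope for now, a one-line comment on the field saying so would stop readers looking for a configuration hook.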
@@ -157,6 +158,12 @@ public class IssuedTokenPolicyValidator 
                         return false;
                     }
                 }
+            } else if ("Claims".equals(child.getLocalName())) {
+                String dialect = child.getAttributeNS(null, "Dialect");
+                if (claimsValidator.getDialect().equals(dialect)
+                    && !claimsValidator.validatePolicy(child, 
assertionWrapper)) {
+                    return false;
+                }
             }
             child = DOMUtils.getNextElement(child);
         }
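Review bot: A `Claims` element whose `Dialect` does not match `claimsValidator.getDialect()` is skipped without returning false, so a policy written in any other dialect places no requirement on the received token at all; for a check whose purpose is to enforce required claims that is fail-open. Unless unsupported dialects are deliberately out of scope, fail closed with `if (!claimsValidator.getDialect().equals(dialect) || !claimsValidator.validatePolicy(child, assertionWrapper)) { return false; }`, or at minimum log the unsupported dialect so the missing enforcement is visible at deployment time. The enclosing method begins and ends outside this hunk.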
@@ -180,5 +187,6 @@ public class IssuedTokenPolicyValidator 
         }
         return true;
     }
+    
    
 }

Modified: 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
 (original)
+++ 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
 Mon May 21 15:55:04 2012
@@ -92,6 +92,33 @@ public class ClaimsTest extends Abstract
     }
     
     @org.junit.Test
+    public void testSaml1WrongClaims() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClaimsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = ClaimsTest.class.getResource("DoubleItWrongClaims.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, 
"DoubleItTransportSAML1ClaimsPort");
+        DoubleItPortType transportClaimsPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportClaimsPort, PORT);
+        
+        try {
+            doubleIt(transportClaimsPort, 25);
+            fail("Expected Exception");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testSaml1ClaimsWrongRole() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
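Review bot: `testSaml1WrongClaims` catches `Exception` without inspecting it, so the test also passes when `doubleIt` fails for an unrelated reason (the bus file or WSDL not resolving, the endpoint being down) rather than because the required givenname claim was rejected. Narrow the catch to the fault type that actually propagates at this layer (`javax.xml.ws.soap.SOAPFaultException`, if that is what the client raises) or assert on `ex.getMessage()`, so the test only passes on the intended policy failure. `testSaml2WrongClaims` in the next hunk has the same shape.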
@@ -140,6 +167,34 @@ public class ClaimsTest extends Abstract
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testSaml2WrongClaims() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClaimsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = ClaimsTest.class.getResource("DoubleItWrongClaims.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, 
"DoubleItTransportSAML2ClaimsPort");
+        DoubleItPortType transportClaimsPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportClaimsPort, PORT);
+        
+        try {
+            doubleIt(transportClaimsPort, 25);
+            fail("Expected Exception");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        
+        bus.shutdown(true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);

Modified: 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
 (original)
+++ 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
 Mon May 21 15:55:04 2012
@@ -31,7 +31,9 @@ import org.opensaml.xml.XMLObject;
 
 /**
  * This class validates a SAML Assertion and checks that it has an 
"AuthenticatedRole" attribute
- * corresponding to "admin-user".
+ * corresponding to "admin-user". Note that it only throws an error if the 
role has the wrong
+ * value, not if the role doesn't exist. This is because the WS-SecurityPolicy 
validation will
+ * check to make sure that the correct defined Claims have been met in the 
token.
  */
 public class ClaimsValidator extends SamlAssertionValidator {
     
@@ -72,13 +74,13 @@ public class ClaimsValidator extends Sam
                 for (XMLObject attributeValue : 
attribute.getAttributeValues()) {
                     Element attributeValueElement = attributeValue.getDOM();
                     String text = attributeValueElement.getTextContent();
-                    if ("admin-user".equals(text)) {
-                        return true;
+                    if (!"admin-user".equals(text)) {
+                        return false;
                     }
                 }
             }
         }
-        return false;
+        return true;
     }
     
     private boolean handleSAML2Assertion(
@@ -99,13 +101,13 @@ public class ClaimsValidator extends Sam
                 for (XMLObject attributeValue : 
attribute.getAttributeValues()) {
                     Element attributeValueElement = attributeValue.getDOM();
                     String text = attributeValueElement.getTextContent();
-                    if ("admin-user".equals(text)) {
-                        return true;
+                    if (!"admin-user".equals(text)) {
+                        return false;
                     }
                 }
             }
         }
-        return false;
+        return true;
     }
 
 }

Modified: 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
URL: 
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
 (original)
+++ 
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
 Mon May 21 15:55:04 2012
@@ -36,6 +36,8 @@ public class CustomClaimsHandler impleme
 
     public static final URI ROLE = 
             
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";);  
+    public static final URI GIVEN_NAME = 
+        
URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";);  
     
     public ClaimCollection retrieveClaimValues(
             RequestClaimCollection claims, ClaimsParameters parameters) {
@@ -45,9 +47,15 @@ public class CustomClaimsHandler impleme
             for (RequestClaim requestClaim : claims) {
                 Claim claim = new Claim();
                 claim.setClaimType(requestClaim.getClaimType());
-                claim.setIssuer("Test Issuer");
-                claim.setOriginalIssuer("Original Issuer");
-                claim.setValue("admin-user");
+                if (ROLE.equals(requestClaim.getClaimType())) {
+                    claim.setIssuer("Test Issuer");
+                    claim.setOriginalIssuer("Original Issuer");
+                    claim.setValue("admin-user");
+                } else if (GIVEN_NAME.equals(requestClaim.getClaimType())) {
+                    claim.setIssuer("Test Issuer");
+                    claim.setOriginalIssuer("Original Issuer");
+                    claim.setValue(parameters.getPrincipal().getName());
+                }
                 claimCollection.add(claim);
             }
             return claimCollection;
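Review bot: A `RequestClaim` whose type is neither `ROLE` nor `GIVEN_NAME` still reaches `claimCollection.add(claim)`, so a Claim with a type but no value or issuer is now returned, where before this change every claim received a value. Moving the `add` inside both branches (or adding `else { continue; }`) keeps unadvertised types out of the response, which matters if the STS ever passes a claim type this handler did not list in `getSupportedClaimTypes()`. `parameters.getPrincipal().getName()` will also throw NullPointerException when the request carries no principal, turning a missing claim into a server error rather than an absent value, so a null check there is worth adding. `retrieveClaimValues` begins outside this hunk.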
@@ -58,6 +66,7 @@ public class CustomClaimsHandler impleme
     public List<URI> getSupportedClaimTypes() {
         List<URI> list = new ArrayList<URI>();
         list.add(ROLE);
+        list.add(GIVEN_NAME);
         return list;
     }
 

Added: 
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
URL: 
http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl?rev=1341084&view=auto
==============================================================================
--- 
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
 (added)
+++ 
cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
 Mon May 21 15:55:04 2012
@@ -0,0 +1,287 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions name="DoubleIt"
+       xmlns:xsd="http://www.w3.org/2001/XMLSchema"; 
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
+       xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"; 
xmlns:di="http://www.example.org/schema/DoubleIt";
+       xmlns:tns="http://www.example.org/contract/DoubleIt"; 
xmlns:wsp="http://www.w3.org/ns/ws-policy";
+       
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+       xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
+       xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"; 
xmlns:wsaw="http://www.w3.org/2005/08/addressing";
+       xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"; 
targetNamespace="http://www.example.org/contract/DoubleIt";>
+
+    <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" 
+                 namespace="http://www.example.org/contract/DoubleIt"/>
+
+       <wsdl:binding name="DoubleItTransportSAML1ClaimsBinding" 
type="tns:DoubleItPortType">
+               <wsp:PolicyReference 
URI="#DoubleItBindingTransportSAML1ClaimsPolicy" />
+               <soap:binding style="document"
+                       transport="http://schemas.xmlsoap.org/soap/http"; />
+               <wsdl:operation name="DoubleIt">
+                       <soap:operation soapAction="" />
+                       <wsdl:input>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+                       </wsdl:input>
+                       <wsdl:output>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+                       </wsdl:output>
+               </wsdl:operation>
+       </wsdl:binding>
+       
+       <wsdl:binding name="DoubleItTransportSAML2ClaimsBinding" 
type="tns:DoubleItPortType">
+               <wsp:PolicyReference 
URI="#DoubleItBindingTransportSAML2ClaimsPolicy" />
+               <soap:binding style="document"
+                       transport="http://schemas.xmlsoap.org/soap/http"; />
+               <wsdl:operation name="DoubleIt">
+                       <soap:operation soapAction="" />
+                       <wsdl:input>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+                       </wsdl:input>
+                       <wsdl:output>
+                               <soap:body use="literal" />
+                               <wsp:PolicyReference 
URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+                       </wsdl:output>
+               </wsdl:operation>
+       </wsdl:binding>
+
+       <wsdl:service name="DoubleItService">
+               <wsdl:port name="DoubleItTransportSAML1ClaimsPort" 
+                          binding="tns:DoubleItTransportSAML1ClaimsBinding">
+                       <soap:address
+                               
location="https://localhost:8081/doubleit/services/doubleittransportsaml1claims";
 />
+               </wsdl:port>
+               <wsdl:port name="DoubleItTransportSAML2ClaimsPort" 
+                          binding="tns:DoubleItTransportSAML2ClaimsBinding">
+                       <soap:address
+                               
location="https://localhost:8081/doubleit/services/doubleittransportsaml2claims";
 />
+               </wsdl:port>
+       </wsdl:service>
+       
+       <wsp:Policy wsu:Id="DoubleItBindingTransportSAML1ClaimsPolicy">
+               <wsp:ExactlyOne>
+                       <wsp:All>
+                               <wsam:Addressing wsp:Optional="false">
+                                       <wsp:Policy />
+                               </wsam:Addressing>
+                               <sp:TransportBinding
+                                       
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+                                       <wsp:Policy>
+                                               <sp:TransportToken>
+                                                       <wsp:Policy>
+                                                               <sp:IssuedToken
+                                                                       
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+                                                                       
<sp:RequestSecurityTokenTemplate>
+                                                                               
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
+                                                                               
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+                                                                               
<t:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity";
+                                              
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity";>
+                                           <ic:ClaimType 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
+                                        </t:Claims>
+                                                                       
</sp:RequestSecurityTokenTemplate>
+                                                                       
<wsp:Policy>
+                                                                               
<sp:RequireInternalReference />
+                                                                       
</wsp:Policy>
+                                                                       
<sp:Issuer>
+                                                                               
<wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+                                                                               
</wsaw:Address>
+                                                                               
<wsaw:Metadata>
+                                                                               
        <wsx:Metadata>
+                                                                               
                <wsx:MetadataSection>
+                                                                               
                        <wsx:MetadataReference>
+                                                                               
                                
<wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+                                                                               
                                </wsaw:Address>
+                                                                               
                        </wsx:MetadataReference>
+                                                                               
                </wsx:MetadataSection>
+                                                                               
        </wsx:Metadata>
+                                                                               
</wsaw:Metadata>
+                                                                       
</sp:Issuer>
+                                                               
</sp:IssuedToken>
+                                                               <sp:HttpsToken>
+                                                                    
<wsp:Policy/>
+                                                                
</sp:HttpsToken>
+                                                       </wsp:Policy>
+                                               </sp:TransportToken>
+                                               <sp:AlgorithmSuite>
+                                                       <wsp:Policy>
+                                                               
<sp:TripleDesRsa15 />
+                                                       </wsp:Policy>
+                                               </sp:AlgorithmSuite>
+                                               <sp:Layout>
+                                                       <wsp:Policy>
+                                                               <sp:Lax />
+                                                       </wsp:Policy>
+                                               </sp:Layout>
+                                               <sp:IncludeTimestamp />
+                                       </wsp:Policy>
+                               </sp:TransportBinding>
+                               <sp:Wss11>
+                                       <wsp:Policy>
+                                               <sp:MustSupportRefIssuerSerial 
/>
+                                               <sp:MustSupportRefThumbprint />
+                                               <sp:MustSupportRefEncryptedKey 
/>
+                                       </wsp:Policy>
+                               </sp:Wss11>
+                               <sp:Trust13>
+                                       <wsp:Policy>
+                                               <sp:MustSupportIssuedTokens />
+                                               <sp:RequireClientEntropy />
+                                               <sp:RequireServerEntropy />
+                                       </wsp:Policy>
+                               </sp:Trust13>
+                       </wsp:All>
+               </wsp:ExactlyOne>
+       </wsp:Policy>
+       
+       <wsp:Policy wsu:Id="DoubleItBindingTransportSAML2ClaimsPolicy">
+               <wsp:ExactlyOne>
+                       <wsp:All>
+                               <wsam:Addressing wsp:Optional="false">
+                                       <wsp:Policy />
+                               </wsam:Addressing>
+                               <sp:TransportBinding
+                                       
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+                                       <wsp:Policy>
+                                               <sp:TransportToken>
+                                                       <wsp:Policy>
+                                                               <sp:HttpsToken>
+                                                                    
<wsp:Policy/>
+                                                                
</sp:HttpsToken>
+                                                       </wsp:Policy>
+                                               </sp:TransportToken>
+                                               <sp:AlgorithmSuite>
+                                                       <wsp:Policy>
+                                                               
<sp:TripleDesRsa15 />
+                                                       </wsp:Policy>
+                                               </sp:AlgorithmSuite>
+                                               <sp:Layout>
+                                                       <wsp:Policy>
+                                                               <sp:Lax />
+                                                       </wsp:Policy>
+                                               </sp:Layout>
+                                               <sp:IncludeTimestamp />
+                                       </wsp:Policy>
+                               </sp:TransportBinding>
+                               <sp:SupportingTokens
+                                       
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+                                       <wsp:Policy>
+                                           <sp:IssuedToken
+                                                   
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+                                                       
<sp:RequestSecurityTokenTemplate>
+                                                               
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+                                                               
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+                                                               <t:Claims 
Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity";
+                                       
xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity";>
+                                     <ic:ClaimType 
Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
+                                </t:Claims>
+                                                       
</sp:RequestSecurityTokenTemplate>
+                                                       <wsp:Policy>
+                                                               
<sp:RequireInternalReference />
+                                                       </wsp:Policy>
+                                                       <sp:Issuer>
+                                                               
<wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+                                                               </wsaw:Address>
+                                                               <wsaw:Metadata>
+                                                                       
<wsx:Metadata>
+                                                                               
<wsx:MetadataSection>
+                                                                               
        <wsx:MetadataReference>
+                                                                               
                <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+                                                                               
                </wsaw:Address>
+                                                                               
        </wsx:MetadataReference>
+                                                                               
</wsx:MetadataSection>
+                                                                       
</wsx:Metadata>
+                                                               </wsaw:Metadata>
+                                                       </sp:Issuer>
+                                               </sp:IssuedToken>
+                                       </wsp:Policy>
+                           </sp:SupportingTokens>
+                               <sp:Wss11>
+                                       <wsp:Policy>
+                                               <sp:MustSupportRefIssuerSerial 
/>
+                                               <sp:MustSupportRefThumbprint />
+                                               <sp:MustSupportRefEncryptedKey 
/>
+                                       </wsp:Policy>
+                               </sp:Wss11>
+                               <sp:Trust13>
+                                       <wsp:Policy>
+                                               <sp:MustSupportIssuedTokens />
+                                               <sp:RequireClientEntropy />
+                                               <sp:RequireServerEntropy />
+                                       </wsp:Policy>
+                               </sp:Trust13>
+                       </wsp:All>
+               </wsp:ExactlyOne>
+       </wsp:Policy>
+       
+       <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+               <wsp:ExactlyOne>
+                       <wsp:All>
+                               <sp:EncryptedParts>
+                                       <sp:Body />
+                               </sp:EncryptedParts>
+                               <sp:SignedParts>
+                                       <sp:Body />
+                                       <sp:Header Name="To" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="From" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="FaultTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="ReplyTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="MessageID" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="RelatesTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="AckRequested"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header 
Name="SequenceAcknowledgement"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header Name="Sequence"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header Name="CreateSequence"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                               </sp:SignedParts>
+                       </wsp:All>
+               </wsp:ExactlyOne>
+       </wsp:Policy>
+       <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+               <wsp:ExactlyOne>
+                       <wsp:All>
+                               <sp:EncryptedParts>
+                                       <sp:Body />
+                               </sp:EncryptedParts>
+                               <sp:SignedParts>
+                                       <sp:Body />
+                                       <sp:Header Name="To" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="From" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="FaultTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="ReplyTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="MessageID" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="RelatesTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"; />
+                                       <sp:Header Name="AckRequested"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header 
Name="SequenceAcknowledgement"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header Name="Sequence"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                                       <sp:Header Name="CreateSequence"
+                                               
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"; />
+                               </sp:SignedParts>
+                       </wsp:All>
+               </wsp:ExactlyOne>
+       </wsp:Policy>
+</wsdl:definitions>

