Author: coheigea
Date: Tue Jun 26 09:58:16 2012
New Revision: 1353909
URL: http://svn.apache.org/viewvc?rev=1353909&view=rev
Log:
Add support for subject cert constraints when validating chain trust on
WS-Security signatures
Added:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Tue Jun 26 09:58:16 2012
@@ -197,6 +197,15 @@ public final class SecurityConstants {
public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
=
"ws-security.sts.disable-wsmex-call-using-epr-address";
+ /**
+ * This configuration tag is a comma separated String of regular
expressions which
+ * will be applied to the subject DN of the certificate used for signature
+ * validation, after trust verification of the certificate chain
associated with the
+ * certificate. These constraints are not used when the certificate is
contained in
+ * the keystore (direct trust).
+ */
+ public static final String SUBJECT_CERT_CONSTRAINTS =
"ws-security.subject.cert.constraints";
+
public static final Set<String> ALL_PROPERTIES;
static {
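Review bot: The new Javadoc on SUBJECT_CERT_CONSTRAINTS leaves two things a deployer needs unstated: whether every expression in the list must match or any one suffices, and that, because the value is split on commas, an individual expression cannot contain a literal comma even though subject DN strings are themselves comma-separated. The matching semantics live in the WSS4J handler and are not visible in this diff, so confirm them before documenting. I would add after the existing text: ` * Each expression is matched against the String form of the subject DN; as the list is comma-separated, a single expression cannot itself contain a comma.` It is also worth stating what an unset value means — presumably that no subject constraint is applied once chain trust succeeds, since the interceptor only forwards the property when it is non-null.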
@@ -214,7 +223,8 @@ public final class SecurityConstants {
KERBEROS_JAAS_CONTEXT_NAME, KERBEROS_SPN, SPNEGO_CLIENT_ACTION,
ENABLE_NONCE_CACHE, NONCE_CACHE_INSTANCE, ENABLE_TIMESTAMP_CACHE,
TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE,
TOKEN_STORE_CACHE_INSTANCE,
- SAML_ROLE_ATTRIBUTENAME,
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
+ SAML_ROLE_ATTRIBUTENAME,
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS,
+ SUBJECT_CERT_CONSTRAINTS
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
Tue Jun 26 09:58:16 2012
@@ -168,6 +168,11 @@ public abstract class AbstractWSS4JInter
if (futureTTL != null) {
msg.setContextualProperty(WSHandlerConstants.TTL_FUTURE_TIMESTAMP,
futureTTL);
}
+ String certConstraints =
+
(String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS);
+ if (certConstraints != null) {
+
msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS,
certConstraints);
+ }
}
@Override
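Review bot: The value is copied through an unchecked `(String)` cast, so a non-String bean injected under `ws-security.subject.cert.constraints` from Spring fails with a ClassCastException during interceptor setup rather than with a clear configuration error; this mirrors the surrounding property handling, so it is a style point unless a stricter check is adopted file-wide. An empty String is also forwarded unchanged, and whether WSS4J then applies no constraint or rejects every chain-trusted certificate is not visible here — confirm it and record it in the SUBJECT_CERT_CONSTRAINTS Javadoc, since a deployer relying on this check needs to know which way a blank value fails. The enclosing method starts outside the hunk.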
Modified:
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -79,6 +79,7 @@
depends-on="tls-settings">
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
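Review bot: The constraint `.*O=apache.org.*` is unanchored on both sides and leaves the dots unescaped, so it is satisfied by any subject DN that merely contains that substring (an organization value that continues past `apache.org`, or the text appearing inside another attribute). For a test fixture that is acceptable, but the same value is copied into every server.xml in this commit (the secconv, ut and x509 examples and the gcm, policy, saml, ut, wssec10 and x509 systests) and will be read as the reference configuration for the feature. Consider matching the whole RDN in at least one example, e.g. `value="(.*,)?O=apache\.org(,.*)?"` — this assumes WSS4J performs a full match against an RFC 2253 style rendering, which is not visible here, so verify against the test certificates first.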
@@ -95,6 +96,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -111,6 +113,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -127,6 +130,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -154,6 +158,7 @@
depends-on="tls-settings">
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -173,6 +178,7 @@
<entry key="ws-security.encryption.properties"
value="bob.properties"/>
<entry key="ws-security.signature.properties"
value="alice.properties"/>
<entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -189,6 +195,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.username" value="bob"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Modified:
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -56,6 +56,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties.sct"
value="bob.properties"/>
<entry key="ws-security.encryption.username.sct"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints.sct"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
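Review bot: This endpoint uses the suffixed key `ws-security.subject.cert.constraints.sct`, but the only reader added in this commit (AbstractWSS4JInterceptor) looks up the unsuffixed SecurityConstants.SUBJECT_CERT_CONSTRAINTS. Unless the SecureConversation bootstrap code copies `.sct` properties onto the bootstrap message generically rather than from a fixed list — which is not visible in this diff — this entry is silently ignored and the secconv test passes without ever exercising the constraint. Worth checking by temporarily setting a pattern that cannot match and confirming the bootstrap exchange then fails.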
Modified:
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -113,6 +113,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -143,6 +144,7 @@
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Modified:
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -56,6 +56,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -72,6 +73,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -88,6 +90,7 @@
value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
<entry key="ws-security.signature.username" value="bob"/>
<entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -107,6 +110,7 @@
<entry key="ws-security.encryption.properties"
value="bob.properties"/>
<entry key="ws-security.signature.properties"
value="alice.properties"/>
<entry key="ws-security.encryption.username" value="alice"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Modified:
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Tue Jun 26 09:58:16 2012
@@ -553,6 +553,44 @@ public class X509TokenTest extends Abstr
}
@org.junit.Test
+ public void testTransportSupportingSignedCertConstraints() throws
Exception {
+ if (!unrestrictedPoliciesInstalled) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE,
"DoubleItTransportSupportingSignedCertConstraintsPort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT2);
+
+
((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ "org/apache/cxf/systest/ws/wssec10/client/bob.properties");
+
((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME,
"bob");
+
+ try {
+ x509Port.doubleIt(25);
+ fail("Failure expected on bob");
+ } catch (Exception ex) {
+ // expected
+ }
+
+
((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+ "org/apache/cxf/systest/ws/wssec10/client/alice.properties");
+
((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME,
"alice");
+
+ x509Port.doubleIt(25);
+ }
+
+ @org.junit.Test
public void testTransportKVT() throws Exception {
if (!unrestrictedPoliciesInstalled) {
return;
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -58,6 +58,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -77,6 +78,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -96,6 +98,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -80,6 +80,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
<entry key="ws-security.encryption.username"
value="useReqSigCert" />
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
<jaxws:features>
<p:policies>
@@ -101,6 +102,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
<entry key="ws-security.encryption.username" value="useReqSigCert"
/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
<jaxws:features>
<p:policies>
@@ -122,6 +124,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
<entry key="ws-security.encryption.username" value="useReqSigCert"
/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
<jaxws:features>
<p:policies>
@@ -144,6 +147,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
<jaxws:features>
<p:policies>
@@ -167,6 +171,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
</jaxws:properties>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -119,6 +119,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
<entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
@@ -140,6 +141,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -158,6 +160,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -176,6 +179,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -194,6 +198,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -214,6 +219,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
</jaxws:properties>
@@ -234,6 +240,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -254,6 +261,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
</jaxws:properties>
@@ -276,6 +284,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -294,6 +303,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -312,6 +322,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
<jaxws:features>
<p:policies>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
Tue Jun 26 09:58:16 2012
@@ -122,6 +122,7 @@
value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -140,6 +141,7 @@
value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -158,6 +160,7 @@
value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -152,6 +152,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -171,6 +172,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
Added:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties?rev=1353909&view=auto
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
(added)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
Tue Jun 26 09:58:16 2012
@@ -0,0 +1,23 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=cxfca
+org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/systest/ws/wssec10/certs/cxfca.jks
+
+
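Review bot: cxfca.properties is added but nothing else in this commit references it — the new test signs with bob.properties and alice.properties and the servers keep their existing signature properties — so it is unclear what exercises it; if it is intended for a follow-up change, say so in the log, otherwise it is a dead fixture. The file also ends with two blank `+` lines that can be dropped.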
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -120,6 +120,7 @@
<entry key="ws-security.username" value="Alice"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
<entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
</jaxws:properties>
@@ -141,6 +142,7 @@
<entry key="ws-security.username" value="Alice"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
<entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
</jaxws:properties>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
Tue Jun 26 09:58:16 2012
@@ -122,6 +122,7 @@
<entry key="ws-security.username" value="Alice"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
<entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
</jaxws:properties>
@@ -143,6 +144,7 @@
<entry key="ws-security.username" value="Alice"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
<entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
<entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
</jaxws:properties>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Tue Jun 26 09:58:16 2012
@@ -343,6 +343,11 @@
binding="tns:DoubleItTransportSupportingSignedBinding">
<soap:address
location="https://localhost:9002/DoubleItX509TransportSupportingSigned" />
</wsdl:port>
+ <wsdl:port name="DoubleItTransportSupportingSignedCertConstraintsPort"
+ binding="tns:DoubleItTransportSupportingSignedBinding">
+ <soap:address
+
location="https://localhost:9002/DoubleItX509TransportSupportingSignedCertConstraints"
/>
+ </wsdl:port>
<wsdl:port name="DoubleItTransportKVTPort"
binding="tns:DoubleItTransportKVTBinding">
<soap:address
location="https://localhost:9002/DoubleItX509TransportKVT" />
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
Tue Jun 26 09:58:16 2012
@@ -222,6 +222,14 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedCertConstraintsPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
<jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTransportKVTPort"
createdFromAPI="true">
<jaxws:properties>
Modified:
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1353909&r1=1353908&r2=1353909&view=diff
==============================================================================
---
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
(original)
+++
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Tue Jun 26 09:58:16 2012
@@ -156,6 +156,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
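Review bot: The constraint `.*O=apache.org.*` added at this endpoint is a regular expression in which the `.` of `apache.org` is unescaped and matches any character, so as written it also accepts a signing certificate from the same trusted issuer whose subject is, for example, `O=apache-org` or `O=apache.org.example`. That is harmless for a system test, but the same value is pasted into every endpoint of this file (the remaining server.xml hunks below and the server_restricted.xml entry at the top of this chunk) and is the kind of value readers copy into production configuration, so escaping the dot once, `value=".*O=apache\.org(,.*)?"`, would be cheap. Whether the pattern is applied to the full RFC 2253 subject string and only after chain trust is established is decided in the interceptor change, which is outside this chunk, so the exact RDN delimiter to use should be confirmed against it.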
@@ -174,6 +175,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -192,6 +194,7 @@
value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -232,6 +235,7 @@
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
<entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -267,6 +271,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -284,6 +289,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -301,6 +307,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -318,6 +325,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -335,6 +343,7 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
</jaxws:properties>
</jaxws:endpoint>
@@ -352,6 +361,25 @@
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="TransportSupportingSignedCertConstraints"
+
address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSupportingSignedCertConstraints"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItTransportSupportingSignedCertConstraintsPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"
+ depends-on="tls-settings">
+
+ <jaxws:properties>
+ <entry key="ws-security.signature.properties"
+
value="org/apache/cxf/systest/ws/wssec10/client/cxfca.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*CN=alice.*"/>
</jaxws:properties>
</jaxws:endpoint>