Repository: cxf Updated Branches: refs/heads/3.0.x-fixes e4ed50ca5 -> 21472024a
Added some STS Delegation tests + fixed a bug with ActAs Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/21472024 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/21472024 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/21472024 Branch: refs/heads/3.0.x-fixes Commit: 21472024a8fe2fcd94d58d4be4dcd792ea1fe1ee Parents: e4ed50c Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Sep 18 12:07:44 2014 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Sep 18 12:09:34 2014 +0100 ---------------------------------------------------------------------- .../token/provider/DefaultSubjectProvider.java | 6 +- .../token/provider/SAMLProviderActAsTest.java | 17 +- .../sts/delegation/SAMLDelegationTest.java | 398 +++++++++++++++++++ .../cxf/systest/sts/delegation/STSServer.java | 46 +++ .../cxf/systest/sts/delegation/cxf-client.xml | 38 ++ .../sts/delegation/cxf-sts-transport.xml | 150 +++++++ .../sts/delegation/ws-trust-1.4-service.wsdl | 348 ++++++++++++++++ 7 files changed, 1000 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java index 95ac573..154ab7c 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java @@ -92,7 +92,6 @@ public class DefaultSubjectProvider implements SubjectProvider { Principal principal = null; ReceivedToken receivedToken = null; - //[TODO] ActAs support //TokenValidator in IssueOperation has validated the ReceivedToken //if validation was successful, the principal was set in ReceivedToken if (providerParameters.getTokenRequirements().getOnBehalfOf() != null) { @@ -100,6 +99,11 @@ public class DefaultSubjectProvider implements SubjectProvider { if (receivedToken.getState().equals(STATE.VALID)) { principal = receivedToken.getPrincipal(); } + } else if (providerParameters.getTokenRequirements().getActAs() != null) { + receivedToken = providerParameters.getTokenRequirements().getActAs(); + if (receivedToken.getState().equals(STATE.VALID)) { + principal = receivedToken.getPrincipal(); + } } else if (providerParameters.getTokenRequirements().getValidateTarget() != null) { receivedToken = providerParameters.getTokenRequirements().getValidateTarget(); if (receivedToken.getState().equals(STATE.VALID)) { http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java index 4da906d..48a4263 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java @@ -25,7 +25,6 @@ import java.util.Properties; import javax.xml.bind.JAXBElement; import org.w3c.dom.Element; - import org.apache.cxf.jaxws.context.WebServiceContextImpl; import org.apache.cxf.jaxws.context.WrappedMessageContext; import org.apache.cxf.message.MessageImpl; @@ -36,6 +35,7 @@ import org.apache.cxf.sts.common.CustomAttributeProvider; import org.apache.cxf.sts.common.PasswordCallbackHandler; import org.apache.cxf.sts.request.KeyRequirements; import org.apache.cxf.sts.request.ReceivedToken; +import org.apache.cxf.sts.request.ReceivedToken.STATE; import org.apache.cxf.sts.request.TokenRequirements; import org.apache.cxf.sts.service.EncryptionProperties; import org.apache.cxf.ws.security.sts.provider.model.secext.AttributedString; @@ -72,6 +72,10 @@ public class SAMLProviderActAsTest extends org.junit.Assert { createProviderParameters( WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); @@ -92,12 +96,17 @@ public class SAMLProviderActAsTest extends org.junit.Assert { public void testDefaultSaml2ActAsAssertion() throws Exception { TokenProvider samlTokenProvider = new SAMLTokenProvider(); + String user = "alice"; Element saml1Assertion = getSAMLAssertion(); TokenProviderParameters providerParameters = createProviderParameters( WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, saml1Assertion ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal(user)); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); @@ -131,6 +140,10 @@ public class SAMLProviderActAsTest extends org.junit.Assert { createProviderParameters( WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); assertTrue(providerResponse != null); @@ -162,7 +175,6 @@ public class SAMLProviderActAsTest extends org.junit.Assert { assertTrue(tokenString.contains("CustomActAs")); } - private Element getSAMLAssertion() throws Exception { TokenProvider samlTokenProvider = new SAMLTokenProvider(); TokenProviderParameters providerParameters = @@ -186,6 +198,7 @@ public class SAMLProviderActAsTest extends org.junit.Assert { if (actAs != null) { ReceivedToken actAsToken = new ReceivedToken(actAs); + actAsToken.setState(STATE.VALID); tokenRequirements.setActAs(actAsToken); } parameters.setTokenRequirements(tokenRequirements); http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java new file mode 100644 index 0000000..4126a44 --- /dev/null +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/SAMLDelegationTest.java @@ -0,0 +1,398 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.delegation; + +import java.net.URL; +import java.util.HashMap; +import java.util.Map; +import java.util.Properties; + +import javax.security.auth.callback.CallbackHandler; + +import org.w3c.dom.Element; +import org.apache.cxf.Bus; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.jaxws.context.WebServiceContextImpl; +import org.apache.cxf.jaxws.context.WrappedMessageContext; +import org.apache.cxf.message.MessageImpl; +import org.apache.cxf.sts.STSConstants; +import org.apache.cxf.sts.StaticSTSProperties; +import org.apache.cxf.sts.request.KeyRequirements; +import org.apache.cxf.sts.request.TokenRequirements; +import org.apache.cxf.sts.service.EncryptionProperties; +import org.apache.cxf.sts.token.provider.SAMLTokenProvider; +import org.apache.cxf.sts.token.provider.TokenProviderParameters; +import org.apache.cxf.sts.token.provider.TokenProviderResponse; +import org.apache.cxf.systest.sts.common.CommonCallbackHandler; +import org.apache.cxf.systest.sts.common.SecurityTestUtil; +import org.apache.cxf.systest.sts.issueunit.IssueUnitTest; +import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.tokenstore.SecurityToken; +import org.apache.cxf.ws.security.trust.STSClient; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoFactory; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.principal.CustomTokenPrincipal; +import org.apache.wss4j.dom.WSConstants; +import org.junit.BeforeClass; + +/** + * Some tests for sending a SAML Token OnBehalfOf/ActAs to the STS. The STS is set up with + * two endpoints, one requiring a UsernameToken over TLS, the other just requiring TLS + * without client authentication (insecure, but used as part of the test process) with a + * SAML DelegationHandler. + */ +public class SAMLDelegationTest extends AbstractBusClientServerTestBase { + + private static final String STSPORT = allocatePort(STSServer.class); + + private static final String SAML2_TOKEN_TYPE = + "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"; + private static final String PUBLIC_KEY_KEYTYPE = + "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"; + private static final String BEARER_KEYTYPE = + "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer"; + private static final String DEFAULT_ADDRESS = + "https://localhost:8081/doubleit/services/doubleittransportsaml1"; + + @BeforeClass + public static void startServers() throws Exception { + assertTrue( + "Server failed to launch", + // run the server in the same process + // set this to false to fork + launchServer(STSServer.class, true) + ); + } + + @org.junit.AfterClass + public static void cleanup() throws Exception { + SecurityTestUtil.cleanup(); + stopAllServers(); + } + + @org.junit.Test + public void testSAMLOnBehalfOf() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + // Get a token from the UT endpoint first + SecurityToken token = + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, + DEFAULT_ADDRESS, "Transport_UT_Port"); + assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType())); + assertTrue(token.getToken() != null); + + // Use the first token as OnBehalfOf to get another token + + // First try with the UT endpoint. This should fail as there is no Delegation Handler. + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus, + DEFAULT_ADDRESS, true, "Transport_UT_Port"); + fail("Failure expected on no delegation handler"); + } catch (Exception ex) { + // expected + } + + // Now send to the Transport endpoint. + SecurityToken token2 = + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus, + DEFAULT_ADDRESS, true, "Transport_Port"); + assertTrue(SAML2_TOKEN_TYPE.equals(token2.getTokenType())); + assertTrue(token2.getToken() != null); + + bus.shutdown(true); + } + + @org.junit.Test + public void testSAMLActAs() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + // Get a token from the UT endpoint first + SecurityToken token = + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, + DEFAULT_ADDRESS, "Transport_UT_Port"); + assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType())); + assertTrue(token.getToken() != null); + + // Use the first token as ActAs to get another token + + // First try with the UT endpoint. This should fail as there is no Delegation Handler. + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus, + DEFAULT_ADDRESS, false, "Transport_UT_Port"); + fail("Failure expected on no delegation handler"); + } catch (Exception ex) { + // expected + } + + // Now send to the Transport endpoint. + SecurityToken token2 = + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus, + DEFAULT_ADDRESS, false, "Transport_Port"); + assertTrue(SAML2_TOKEN_TYPE.equals(token2.getTokenType())); + assertTrue(token2.getToken() != null); + + bus.shutdown(true); + } + + @org.junit.Test + public void testTransportNoDelegationToken() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus, + DEFAULT_ADDRESS, "Transport_Port"); + fail("Failure expected on no delegation token"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testTransportForgedDelegationToken() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties()); + CallbackHandler callbackHandler = new CommonCallbackHandler(); + + // Create SAML token + Element samlToken = + createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, + crypto, "eve", callbackHandler, "alice", "a-issuer"); + + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, samlToken, bus, + DEFAULT_ADDRESS, true, "Transport_Port"); + fail("Failure expected on a forged delegation token"); + } catch (Exception ex) { + // expected + } + + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, samlToken, bus, + DEFAULT_ADDRESS, false, "Transport_Port"); + fail("Failure expected on a forged delegation token"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + @org.junit.Test + public void testTransportUnsignedDelegationToken() throws Exception { + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = IssueUnitTest.class.getResource("cxf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + // Create SAML token + Element samlToken = + createUnsignedSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, + "alice", "a-issuer"); + + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, samlToken, bus, + DEFAULT_ADDRESS, true, "Transport_Port"); + fail("Failure expected on a unsigned delegation token"); + } catch (Exception ex) { + // expected + } + + try { + requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, samlToken, bus, + DEFAULT_ADDRESS, false, "Transport_Port"); + fail("Failure expected on a unsigned delegation token"); + } catch (Exception ex) { + // expected + } + + bus.shutdown(true); + } + + private SecurityToken requestSecurityToken( + String tokenType, + String keyType, + Bus bus, + String endpointAddress, + String wsdlPort + ) throws Exception { + return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, true, wsdlPort); + } + + private SecurityToken requestSecurityToken( + String tokenType, + String keyType, + Element supportingToken, + Bus bus, + String endpointAddress, + boolean onBehalfOf, + String wsdlPort + ) throws Exception { + STSClient stsClient = new STSClient(bus); + String port = STSPORT; + + stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/Transport?wsdl"); + + stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"); + if (wsdlPort != null) { + stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}" + wsdlPort); + } else { + stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port"); + } + + Map<String, Object> properties = new HashMap<String, Object>(); + properties.put(SecurityConstants.USERNAME, "alice"); + properties.put(SecurityConstants.CALLBACK_HANDLER, + "org.apache.cxf.systest.sts.common.CommonCallbackHandler"); + properties.put(SecurityConstants.IS_BSP_COMPLIANT, "false"); + + if (PUBLIC_KEY_KEYTYPE.equals(keyType)) { + properties.put(SecurityConstants.STS_TOKEN_USERNAME, "myclientkey"); + properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "clientKeystore.properties"); + stsClient.setUseCertificateForConfirmationKeyInfo(true); + } + if (supportingToken != null) { + if (onBehalfOf) { + stsClient.setOnBehalfOf(supportingToken); + } else { + stsClient.setActAs(supportingToken); + } + } + + stsClient.setProperties(properties); + stsClient.setTokenType(tokenType); + stsClient.setKeyType(keyType); + + return stsClient.requestSecurityToken(endpointAddress); + } + + /* + * Mock up an SAML assertion element + */ + private Element createSAMLAssertion( + String tokenType, String keyType, Crypto crypto, String signatureUsername, + CallbackHandler callbackHandler, String user, String issuer + ) throws WSSecurityException { + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + + TokenProviderParameters providerParameters = + createProviderParameters( + tokenType, keyType, crypto, signatureUsername, callbackHandler, user, issuer + ); + + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + return providerResponse.getToken(); + } + + private Element createUnsignedSAMLAssertion( + String tokenType, String keyType, String user, String issuer + ) throws WSSecurityException { + SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider(); + samlTokenProvider.setSignToken(false); + + TokenProviderParameters providerParameters = + createProviderParameters( + tokenType, keyType, null, null, null, user, issuer + ); + + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + return providerResponse.getToken(); + } + + private TokenProviderParameters createProviderParameters( + String tokenType, String keyType, Crypto crypto, + String signatureUsername, CallbackHandler callbackHandler, + String username, String issuer + ) throws WSSecurityException { + TokenProviderParameters parameters = new TokenProviderParameters(); + + TokenRequirements tokenRequirements = new TokenRequirements(); + tokenRequirements.setTokenType(tokenType); + parameters.setTokenRequirements(tokenRequirements); + + KeyRequirements keyRequirements = new KeyRequirements(); + keyRequirements.setKeyType(keyType); + parameters.setKeyRequirements(keyRequirements); + + parameters.setPrincipal(new CustomTokenPrincipal(username)); + // Mock up message context + MessageImpl msg = new MessageImpl(); + WrappedMessageContext msgCtx = new WrappedMessageContext(msg); + WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx); + parameters.setWebServiceContext(webServiceContext); + + parameters.setAppliesToAddress("http://dummy-service.com/dummy"); + + // Add STSProperties object + StaticSTSProperties stsProperties = new StaticSTSProperties(); + stsProperties.setSignatureCrypto(crypto); + stsProperties.setSignatureUsername(signatureUsername); + stsProperties.setCallbackHandler(callbackHandler); + stsProperties.setIssuer(issuer); + parameters.setStsProperties(stsProperties); + + parameters.setEncryptionProperties(new EncryptionProperties()); + + return parameters; + } + + private Properties getEncryptionProperties() { + Properties properties = new Properties(); + properties.put( + "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin" + ); + properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "evespass"); + properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "eve.jks"); + + return properties; + } + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/STSServer.java ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/STSServer.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/STSServer.java new file mode 100644 index 0000000..4392606 --- /dev/null +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/delegation/STSServer.java @@ -0,0 +1,46 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.sts.delegation; + +import java.net.URL; + +import org.apache.cxf.Bus; +import org.apache.cxf.BusFactory; +import org.apache.cxf.bus.spring.SpringBusFactory; +import org.apache.cxf.testutil.common.AbstractBusTestServerBase; + +public class STSServer extends AbstractBusTestServerBase { + + public STSServer() { + + } + + protected void run() { + URL busFile = STSServer.class.getResource("cxf-sts-transport.xml"); + Bus busLocal = new SpringBusFactory().createBus(busFile); + BusFactory.setDefaultBus(busLocal); + setBus(busLocal); + + try { + new STSServer(); + } catch (Exception e) { + e.printStackTrace(); + } + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-client.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-client.xml new file mode 100644 index 0000000..5d8cff2 --- /dev/null +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-client.xml @@ -0,0 +1,38 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd"> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + + <http:conduit name="https://localhost.*"> + <http:tlsClientParameters disableCNCheck="true"> + <sec:keyManagers keyPassword="ckpass"> + <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/> + </sec:trustManagers> + </http:tlsClientParameters> + </http:conduit> + +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml new file mode 100644 index 0000000..f57cd47 --- /dev/null +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/cxf-sts-transport.xml @@ -0,0 +1,150 @@ +<?xml version="1.0"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation=" http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/sc hemas/configuration/http-jetty.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd"> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <bean id="samlDelegationHandler" class="org.apache.cxf.sts.token.delegation.SAMLDelegationHandler"/> + <bean id="transportUTSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> + <property name="issueOperation" ref="transportIssueDelegate2"/> + <property name="validateOperation" ref="transportValidateDelegate2"/> + </bean> + <bean id="transportIssueDelegate2" class="org.apache.cxf.sts.operation.TokenIssueOperation"> + <property name="tokenProviders" ref="transportTokenProviders2"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="services" ref="transportService"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <bean id="transportValidateDelegate2" class="org.apache.cxf.sts.operation.TokenValidateOperation"> + <property name="tokenValidators" ref="transportTokenValidators2"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <util:list id="transportTokenValidators2"> + <ref bean="transportSamlTokenValidator2"/> + </util:list> + <util:list id="transportTokenProviders2"> + <ref bean="transportSamlTokenProvider2"/> + </util:list> + <bean id="transportSamlTokenValidator2" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> + <property name="samlRealmCodec" ref="samlRealmCodec"/> + </bean> + <bean id="transportSamlTokenProvider2" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> + <property name="realmMap" ref="realms"/> + </bean> + <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation"> + <property name="tokenProviders" ref="transportTokenProviders"/> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="services" ref="transportService"/> + <property name="stsProperties" ref="transportSTSProperties"/> + <property name="delegationHandlers" ref="samlDelegationHandler"/> + </bean> + <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation"> + <property name="tokenValidators" ref="transportTokenValidators"/> + <property name="stsProperties" ref="transportSTSProperties"/> + </bean> + <util:list id="transportTokenValidators"> + <ref bean="transportSamlTokenValidator"/> + </util:list> + <util:list id="transportTokenProviders"> + <ref bean="transportSamlTokenProvider"/> + </util:list> + <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> + </bean> + <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider"> + </bean> + <bean id="transportSTSProviderBean" class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider"> + <property name="issueOperation" ref="transportIssueDelegate"/> + <property name="validateOperation" ref="transportValidateDelegate"/> + </bean> + <bean id="transportService" class="org.apache.cxf.sts.service.StaticService"> + <property name="endpoints" ref="transportEndpoints"/> + </bean> + <util:list id="transportEndpoints"> + <value>https://localhost:(\d)*/doubleit/services/doubleittransport.* + </value> + </util:list> + <bean id="realmA" class="org.apache.cxf.sts.token.realm.SAMLRealm"> + <property name="issuer" value="a-issuer"/> + </bean> + <bean id="realmB" class="org.apache.cxf.sts.token.realm.SAMLRealm"> + <property name="issuer" value="b-issuer"/> + </bean> + <util:map id="realms"> + <entry key="a-issuer" value-ref="realmA"/> + <entry key="b-issuer" value-ref="realmB"/> + </util:map> + <bean id="samlRealmCodec" class="org.apache.cxf.systest.sts.common.SAMLRealmCNCodec"/> + <bean id="customRealmParser" class="org.apache.cxf.systest.sts.common.UriRealmParser"/> + <bean id="identityMapper" class="org.apache.cxf.systest.sts.common.CustomIdentityMapper"/> + <util:list id="relationships"> + <bean class="org.apache.cxf.sts.token.realm.Relationship"> + <property name="sourceRealm" value="a-issuer"/> + <property name="targetRealm" value="b-issuer"/> + <property name="identityMapper" ref="identityMapper"/> + <property name="type" value="FederatedIdentity"/> + </bean> + </util:list> + <bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties"> + <property name="signaturePropertiesFile" value="stsKeystore.properties"/> + <property name="signatureUsername" value="mystskey"/> + <property name="callbackHandlerClass" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + <property name="encryptionPropertiesFile" value="stsKeystore.properties"/> + <property name="issuer" value="DoubleItSTSIssuer"/> + <property name="encryptionUsername" value="myservicekey"/> + <property name="realmParser" ref="customRealmParser"/> + <property name="relationships" ref="relationships"/> + <property name="samlRealmCodec" ref="samlRealmCodec"/> + </bean> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="transportSTS" implementor="#transportSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port" depends-on="ClientAuthHttpsSettings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" id="transportSTSUT" implementor="#transportUTSTSProviderBean" address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/TransportUT" wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl" serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_UT_Port" depends-on="ClientAuthHttpsSettings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/> + </jaxws:properties> + </jaxws:endpoint> + + <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf"> + <httpj:engine port="${testutil.ports.STSServer}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="skpass"> + <sec:keyStore type="jks" password="sspass" resource="servicestore.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="stsspass" resource="stsstore.jks"/> + </sec:trustManagers> + <sec:cipherSuitesFilter> + <sec:include>.*_EXPORT_.*</sec:include> + <sec:include>.*_EXPORT1024_.*</sec:include> + <sec:include>.*_WITH_DES_.*</sec:include> + <sec:include>.*_WITH_AES_.*</sec:include> + <sec:include>.*_WITH_NULL_.*</sec:include> + <sec:exclude>.*_DH_anon_.*</sec:exclude> + </sec:cipherSuitesFilter> + <sec:clientAuthentication want="false" required="false"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/21472024/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl ---------------------------------------------------------------------- diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl new file mode 100644 index 0000000..864c402 --- /dev/null +++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/delegation/ws-trust-1.4-service.wsdl @@ -0,0 +1,348 @@ +<?xml version="1.0" encoding="UTF-8"?> +<wsdl:definitions xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"> + <wsdl:types> + <xs:schema elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> + <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/> + <xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/> + <xs:complexType name="AbstractRequestSecurityTokenType"> + <xs:sequence> + <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> + </xs:sequence> + <xs:attribute name="Context" type="xs:anyURI" use="optional"/> + <xs:anyAttribute namespace="##other" processContents="lax"/> + </xs:complexType> + <xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/> + <xs:complexType name="RequestSecurityTokenCollectionType"> + <xs:sequence> + <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType" minOccurs="2" maxOccurs="unbounded"/> + </xs:sequence> + </xs:complexType> + <xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/> + <xs:complexType name="RequestSecurityTokenResponseCollectionType"> + <xs:sequence> + <xs:element ref="wst:RequestSecurityTokenResponse" minOccurs="1" maxOccurs="unbounded"/> + </xs:sequence> + <xs:anyAttribute namespace="##other" processContents="lax"/> + </xs:complexType> + </xs:schema> + </wsdl:types> + <!-- WS-Trust defines the following GEDs --> + <wsdl:message name="RequestSecurityTokenMsg"> + <wsdl:part name="request" element="wst:RequestSecurityToken"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenResponseMsg"> + <wsdl:part name="response" element="wst:RequestSecurityTokenResponse"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenCollectionMsg"> + <wsdl:part name="requestCollection" element="wst:RequestSecurityTokenCollection"/> + </wsdl:message> + <wsdl:message name="RequestSecurityTokenResponseCollectionMsg"> + <wsdl:part name="responseCollection" element="wst:RequestSecurityTokenResponseCollection"/> + </wsdl:message> + <!-- This portType an example of a Requestor (or other) endpoint that + Accepts SOAP-based challenges from a Security Token Service --> + <wsdl:portType name="WSSecurityRequestor"> + <wsdl:operation name="Challenge"> + <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/> + <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + <!-- This portType is an example of an STS supporting full protocol --> + <wsdl:portType name="STS"> + <wsdl:operation name="Cancel"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="Issue"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + <wsdl:operation name="Renew"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="Validate"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="KeyExchangeToken"> + <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET" message="tns:RequestSecurityTokenMsg"/> + <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal" message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + <wsdl:operation name="RequestCollection"> + <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/> + <wsdl:output message="tns:RequestSecurityTokenResponseCollectionMsg"/> + </wsdl:operation> + </wsdl:portType> + <!-- This portType is an example of an endpoint that accepts + Unsolicited RequestSecurityTokenResponse messages --> + <wsdl:portType name="SecurityTokenResponseService"> + <wsdl:operation name="RequestSecurityTokenResponse"> + <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/> + </wsdl:operation> + </wsdl:portType> + <wsdl:binding name="Transport_Binding" type="wstrust:STS"> + <wsp:PolicyReference URI="#Transport_policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="Issue"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Validate"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Cancel"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Renew"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="KeyExchangeToken"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="RequestCollection"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:binding name="Transport_UT_Binding" type="wstrust:STS"> + <wsp:PolicyReference URI="#Transport_UT_policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="Issue"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Validate"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/> + <wsdl:input> + <wsp:PolicyReference URI="#Input_policy"/> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <wsp:PolicyReference URI="#Output_policy"/> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Cancel"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="Renew"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="KeyExchangeToken"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + <wsdl:operation name="RequestCollection"> + <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/> + <wsdl:input> + <soap:body use="literal"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + </wsdl:output> + </wsdl:operation> + </wsdl:binding> + <wsdl:service name="SecurityTokenService"> + <wsdl:port name="Transport_Port" binding="tns:Transport_Binding"> + <soap:address location="https://localhost:8443/SecurityTokenService/Transport"/> + </wsdl:port> + <wsdl:port name="Transport_UT_Port" binding="tns:Transport_UT_Binding"> + <soap:address location="https://localhost:8443/SecurityTokenService/TransportUT"/> + </wsdl:port> + </wsdl:service> + <wsp:Policy wsu:Id="Transport_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + </wsp:Policy> + </sp:TransportBinding> + <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Transport_UT_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + </wsp:Policy> + </sp:TransportBinding> + <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssUsernameToken10/> + </wsp:Policy> + </sp:UsernameToken> + </wsp:Policy> + </sp:SignedSupportingTokens> + <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportRefKeyIdentifier/> + <sp:MustSupportRefIssuerSerial/> + <sp:MustSupportRefThumbprint/> + <sp:MustSupportRefEncryptedKey/> + </wsp:Policy> + </sp:Wss11> + <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <wsp:Policy> + <sp:MustSupportIssuedTokens/> + <sp:RequireClientEntropy/> + <sp:RequireServerEntropy/> + </wsp:Policy> + </sp:Trust13> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Input_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + <wsp:Policy wsu:Id="Output_policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> + <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> + </sp:SignedParts> + <sp:EncryptedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> + <sp:Body/> + </sp:EncryptedParts> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> +</wsdl:definitions>