Repository: cxf
Updated Branches:
  refs/heads/master 534ce5c38 -> dbc4a26cd


[CXF-6333] - Support Inclusive C14N via security policy


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/dbc4a26c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/dbc4a26c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/dbc4a26c

Branch: refs/heads/master
Commit: dbc4a26cd47c2609c601dc3640b655ea0a2b60b9
Parents: 534ce5c
Author: Colm O hEigeartaigh <[email protected]>
Authored: Tue Apr 7 10:08:59 2015 +0100
Committer: Colm O hEigeartaigh <[email protected]>
Committed: Tue Apr 7 10:09:31 2015 +0100

----------------------------------------------------------------------
 .../security/policy/WSSecurityPolicyLoader.java |  3 +
 .../wss4j/AlgorithmSuiteTranslater.java         |  1 +
 .../policyhandlers/AbstractBindingBuilder.java  |  3 +-
 .../AbstractStaxBindingHandler.java             |  2 +
 .../AsymmetricBindingHandler.java               |  4 +-
 .../StaxTransportBindingHandler.java            |  6 ++
 .../policyhandlers/SymmetricBindingHandler.java |  2 +
 .../AlgorithmSuitePolicyValidator.java          |  6 ++
 .../systest/ws/algsuite/AlgorithmSuiteTest.java | 52 +++++++++++++++
 .../systest/ws/algsuite/DoubleItAlgSuite.wsdl   |  6 ++
 .../apache/cxf/systest/ws/algsuite/client.xml   | 67 ++++++++++++++++++++
 .../apache/cxf/systest/ws/algsuite/server.xml   | 65 +++++++++++++++++++
 .../cxf/systest/ws/algsuite/stax-server.xml     | 67 ++++++++++++++++++++
 13 files changed, 281 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
index 4d67ee4..8b05935 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
@@ -265,6 +265,9 @@ public final class WSSecurityPolicyLoader implements 
PolicyInterceptorProviderLo
             SP13Constants.SCOPE_POLICY_15,
             SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE,
             
+            // AlgorithmSuite misc
+            new QName(SP11Constants.SP_NS, SPConstants.INCLUSIVE_C14N),
+            new QName(SP12Constants.SP_NS, SPConstants.INCLUSIVE_C14N),
         });
         final Map<QName, Assertion> assertions = new HashMap<QName, 
Assertion>();
         for (QName q : others) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index fac455b..63dfd56 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -130,6 +130,7 @@ public final class AlgorithmSuiteTranslater {
     
             
algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
             algorithmSuite.addTransformAlgorithm(SPConstants.STRT10);
+            
algorithmSuite.addTransformAlgorithm(WSConstants.C14N_EXCL_OMIT_COMMENTS);
             
algorithmSuite.addTransformAlgorithm(WSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE);
             
algorithmSuite.addTransformAlgorithm(WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS);
             
algorithmSuite.addTransformAlgorithm(WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS);
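Review bot: The added `algorithmSuite.addTransformAlgorithm(WSConstants.C14N_EXCL_OMIT_COMMENTS)` is unconditional, so Exclusive C14N stays an accepted transform even when the policy's `getC14n()` selects Inclusive C14N, and nothing at the call site says why. The same allowance is added to the transform check in AlgorithmSuitePolicyValidator (`|| WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithm)`). Presumably reference transforms are still written with Exclusive C14N and only the signature's canonicalization method follows the policy. If so, a comment such as `// Reference transforms always use Exclusive C14N; the policy C14N value governs the CanonicalizationMethod` at both sites would stop a later reader from taking it for a policy bypass. The enclosing method starts and ends outside the hunk.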

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 0ceb193..177b598 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1928,6 +1928,7 @@ public abstract class AbstractBindingBuilder extends 
AbstractCommonBindingHandle
 
         //Set the algo info
         
dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        
dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = 
binding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (tok.getSHA1() != null) {
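Review bot: The new `dkSign.setSigCanonicalization(...)` call in this derived-key path is not exercised by the test added in the commit. `DoubleItSymmetric128InclusivePolicy` is an `sp:SymmetricBinding` whose `sp:X509Token` carries no `sp:RequireDerivedKeys`, so this line never runs under an Inclusive C14N policy. The same holds for the `dkSign` hunks in AsymmetricBindingHandler and SymmetricBindingHandler and for the three `setSignatureCanonicalizationAlgorithm` additions in StaxTransportBindingHandler. Ports with `<sp:InclusiveC14N/>` under a derived-key, an asymmetric and a transport binding in AlgorithmSuiteTest would cover them; without those, a call site that silently keeps the default canonicalization would go unnoticed. The enclosing method continues outside the hunk.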
@@ -2007,8 +2008,8 @@ public abstract class AbstractBindingBuilder extends 
AbstractCommonBindingHandle
         sigTokId = XMLUtils.getIDFromReference(sigTokId);
         sig.setCustomTokenId(sigTokId);
         sig.setSecretKey(tok.getSecret());
-        
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
         
sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         sig.prepare(doc, getSignatureCrypto(null), secHeader);
 
         sig.getParts().addAll(sigParts);

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 56cf6a8..efdf187 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -530,6 +530,8 @@ public abstract class AbstractStaxBindingHandler extends 
AbstractCommonBindingHa
             properties.setSignatureAlgorithm(
                        binding.getAlgorithmSuite().getAsymmetricSignature());
         }
+        properties.setSignatureCanonicalizationAlgorithm(
+                       binding.getAlgorithmSuite().getC14n().getValue());
         String sigUser = (String)message.getContextualProperty(userNameKey);
         if (sigUser == null) {
             sigUser = 
(String)message.getContextualProperty(SecurityConstants.USERNAME);

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index e3a7b37..0900c21 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -625,8 +625,8 @@ public class AsymmetricBindingHandler extends 
AbstractBindingBuilder {
             dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
 
             // Set the algo info
-            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite()
-                    .getSymmetricSignature());
+            
dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
+            
dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = 
abinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() 
/ 8);
             dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index 4294c97..5983b91 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -327,6 +327,8 @@ public class StaxTransportBindingHandler extends 
AbstractStaxBindingHandler {
             properties.setIncludeSignatureToken(true);
             properties.setSignatureAlgorithm(
                 tbinding.getAlgorithmSuite().getSymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = 
tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         } else if (token instanceof X509Token || token instanceof 
KeyValueToken) {
@@ -338,6 +340,8 @@ public class StaxTransportBindingHandler extends 
AbstractStaxBindingHandler {
             WSSSecurityProperties properties = getProperties();
             properties.setSignatureAlgorithm(
                        tbinding.getAlgorithmSuite().getAsymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                       tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = 
tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         } else if (token instanceof UsernameToken) {
@@ -352,6 +356,8 @@ public class StaxTransportBindingHandler extends 
AbstractStaxBindingHandler {
             
             properties.setSignatureAlgorithm(
                        tbinding.getAlgorithmSuite().getSymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                       tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = 
tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 944b035..bcc2c6e 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -680,6 +680,7 @@ public class SymmetricBindingHandler extends 
AbstractBindingBuilder {
 
         //Set the algo info
         
dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+        
dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = 
sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (tok.getSHA1() != null) {
@@ -837,6 +838,7 @@ public class SymmetricBindingHandler extends 
AbstractBindingBuilder {
             sig.setCustomTokenId(sigTokId);
             sig.setSecretKey(tok.getSecret());
             
sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+            
sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
             Crypto crypto = null;
             if (sbinding.getProtectionToken() != null) {
                 crypto = getEncryptionCrypto(sbinding.getProtectionToken());

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index ac8a701..d09f974 100644
--- 
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ 
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -31,6 +31,7 @@ import javax.xml.namespace.QName;
 
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
@@ -76,6 +77,10 @@ public class AlgorithmSuitePolicyValidator extends 
AbstractSecurityPolicyValidat
                         algSuiteAi.setAsserted(true);
                     }
                 }
+                
+                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), 
+                                         new 
QName(algorithmSuite.getName().getNamespaceURI(), 
+                                                   
algorithmSuite.getC14n().name()));
             } else if (!valid && ai.isAsserted()) {
                 ai.setNotAsserted("Error in validating AlgorithmSuite policy");
             }
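Review bot: The asserted QName takes its local part from `algorithmSuite.getC14n().name()`, presumably the Java enum constant name, while WSSecurityPolicyLoader registers the assertion under `SPConstants.INCLUSIVE_C14N`. The two agree only while the constant is spelled exactly like the policy element. A comment stating that dependency, e.g. `// C14N constant names match the sp:*C14N policy element local names`, or building the QName from the SPConstants value, would make the coupling explicit. The hunk does not show the condition guarding this branch, so it is worth confirming the assertion is reached only after the algorithm check has passed.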
@@ -161,6 +166,7 @@ public class AlgorithmSuitePolicyValidator extends 
AbstractSecurityPolicyValidat
             }
             for (String transformAlgorithm : transformAlgorithms) {
                 if 
(!(algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
+                    || 
WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithm)
                     || STRTransform.TRANSFORM_URI.equals(transformAlgorithm)
                     || 
WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(transformAlgorithm)
                     || 
WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(transformAlgorithm))) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
----------------------------------------------------------------------
diff --git 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
index 2796af4..1580c22 100644
--- 
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
+++ 
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
@@ -258,4 +258,56 @@ public class AlgorithmSuiteTest extends 
AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testInclusiveC14NPolicy() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = AlgorithmSuiteTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = 
AlgorithmSuiteTest.class.getResource("DoubleItAlgSuite.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, 
"DoubleItSymmetric128InclusivePort");
+        
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        // This should succeed as the client + server policies match
+        // DOM
+        port.doubleIt(25);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(port);
+        port.doubleIt(25);
+        
+        portQName = new QName(NAMESPACE, "DoubleItSymmetric128InclusivePort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        // This should fail as the client uses Exclusive C14N for the 
signature c14n method
+        // + the server uses Inclusive C14n
+        try {
+            // DOM
+            port.doubleIt(25);
+            fail("Failure expected on Exclusive C14n");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        try {
+            // Streaming
+            SecurityTestUtil.enableStreaming(port);
+            port.doubleIt(25);
+            fail("Failure expected on Exclusive C14n");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        bus.shutdown(true);
+    }
+    
 }
\ No newline at end of file
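Review bot: Both negative checks use `catch (Exception ex) { // expected }`, so the test passes on any failure of `port.doubleIt(25)`. A wrong address or a missing endpoint would satisfy it just as well as the server rejecting Exclusive C14N. Catching the specific client exception and asserting on its message would tie the test to the policy rejection. In the streaming block, `SecurityTestUtil.enableStreaming(port)` should move outside the `try` so a setup error is not counted as the expected failure. `bus.shutdown(true)` runs only on the success path; wrapping the body in `try { ... } finally { bus.shutdown(true); }` would release the bus when an assertion fails.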

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
----------------------------------------------------------------------
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
index 297586b..b5f3bee 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
@@ -44,6 +44,12 @@
         <wsdl:port name="DoubleItSymmetric128Port3" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address 
location="http://localhost:9010/DoubleItSymmetric128no3"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSymmetric128InclusivePort" 
binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address 
location="http://localhost:9010/DoubleItSymmetric128Inclusive"/>
+        </wsdl:port>
+        <wsdl:port name="DoubleItSymmetric128InclusivePort2" 
binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address 
location="http://localhost:9010/DoubleItSymmetric128Inclusive2"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSymmetricCombinedPort" 
binding="tns:DoubleItInlinePolicyBinding">
             <soap:address 
location="http://localhost:9010/DoubleItSymmetricCombined"/>
         </wsdl:port>

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
----------------------------------------------------------------------
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
index 02960d2..a5f4036 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
@@ -63,6 +63,34 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetric128InclusivePort";
 createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.encryption.properties" 
value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="bob"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetric128InclusivePort2";
 createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.encryption.properties" 
value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="bob"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; URI="#DoubleItSymmetric128Policy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
     <jaxws:client 
name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricCombinedPort"; 
createdFromAPI="true">
         <jaxws:properties>
             <entry key="ws-security.username" value="Alice"/>
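Review bot: Both new client entries set `ws-security.is-bsp-compliant` to `false` without saying why, and the matching endpoints in server.xml and stax-server.xml do the same. Presumably Basic Security Profile checking has to be off because BSP expects Exclusive C14N, but the setting also turns off the remaining BSP checks for these ports. An XML comment next to the entry, e.g. `<!-- BSP compliance disabled: Inclusive C14N is not BSP-conformant -->`, would record the reason and discourage copying the setting into configurations that do not need it.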
@@ -269,4 +297,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; 
wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
----------------------------------------------------------------------
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
index 064eed0..a8f7e27 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
@@ -61,6 +61,32 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Symmetric128InclusiveEndpoint" 
address="http://localhost:${testutil.ports.Server}/DoubleItSymmetric128Inclusive";
 serviceName="s:DoubleItService" 
endpointName="s:DoubleItSymmetric128InclusivePort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" 
wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" 
value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" 
value=".*O=apache.org.*"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Symmetric128InclusiveEndpoint2" 
address="http://localhost:${testutil.ports.Server}/DoubleItSymmetric128Inclusive2";
 serviceName="s:DoubleItService" 
endpointName="s:DoubleItSymmetric128InclusivePort2" 
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" 
wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" 
value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" 
value=".*O=apache.org.*"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="SymmetricEndpointCombined" 
address="http://localhost:${testutil.ports.Server}/DoubleItSymmetricCombined"; 
serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricCombinedPort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" 
wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
@@ -184,6 +210,45 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; 
wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; 
wsu:Id="Combined">
         <wsp:ExactlyOne>
             <wsp:All>

http://git-wip-us.apache.org/repos/asf/cxf/blob/dbc4a26c/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
----------------------------------------------------------------------
diff --git 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
index 1536714..271d1fc 100644
--- 
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
+++ 
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
@@ -64,6 +64,34 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Symmetric128InclusiveEndpoint" 
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSymmetric128Inclusive";
 serviceName="s:DoubleItService" 
endpointName="s:DoubleItSymmetric128InclusivePort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" 
wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" 
value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" 
value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; 
id="Symmetric128InclusiveEndpoint2" 
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSymmetric128Inclusive2";
 serviceName="s:DoubleItService" 
endpointName="s:DoubleItSymmetric128InclusivePort2" 
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" 
wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" 
value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" 
value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" 
value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; 
wsu:Id="DoubleItSymmetric128Policy">
         <wsp:ExactlyOne>
             <wsp:All>
@@ -102,4 +130,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 xmlns:wsp="http://www.w3.org/ns/ws-policy"; 
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"; 
wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </beans>
