Hi CXF devs,
I'm running into an interoperability issue between Apache Axis2 and CXF
and I need some help identifying which framework is behaving according to
the WS-SecurityPolicy spec. The policy my customer is using is an
Asymmetric binding without integrity and confidentiality protection (no
signed/encrypted parts and elements) but using an additional x509 endorsing
supporting token that must sign certain parts (body & addressing To
header). The binding also requires that a timestamp is included.
The request messages generated by both frameworks are similar
(Axis2/Rampart adds one additional BST, but since the X.509 protection
token is the same as the endorsing one, I assume this is not a problem).
However, I'm observing different behavior when generating the security
header of the response:
- Axis2/Rampart is signing just the timestamp element
- CXF is signing the same, plus the Body and the addressing To header
I'm attaching CXF request/response messages for reference.
I looked into the CXF code and found out that prior to version 2.4.4, the
AsymmetricBindingHandler handled the supporting tokens on the requestor
side only. However, as part of CXF-3970
<https://issues.apache.org/jira/browse/CXF-3970>, it was changed to
always handle them:
https://fisheye6.atlassian.com/viewrep/cxf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?r1&r2=ec64c5d373f28de7d346c976b6834bb7e3c11fde
I believe this change causes the observed behavior, and I'm wondering
whether it is in line with the spec and whether Apache Rampart should follow the
same approach.
I'm attaching a patch for CXF's EndorsingSupportingTokenTest
<https://svn.apache.org/repos/asf/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/EndorsingSupportingTokenTest.java>
that adds this scenario to the test case so that whoever is interested can reproduce
it.
I would be glad if someone could help me clarify this.
Thanks,
Detelin
<!-- Request as sent by the CXF client in the endorsing-only scenario described above. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing">
http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItRequest</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">
urn:uuid:61498cee-114f-407f-ae79-5081d6ef32fe</MessageID>
<!-- wsu:Id makes the To header addressable; it is the target of the third ds:Reference of the primary signature below. -->
<To xmlns="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_83132300-c552-4e0e-8f51-7d37c3243754">
http://localhost:9001/DoubleItEndorsingSupporting4</To>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>
http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<!-- Security header layout (Lax): BST, Timestamp, BST, primary signature, endorsing signature. -->
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<!-- First X509v3 BST. No wsse:Reference in this message points at it; presumably the thumbprint
     KeyIdentifier of the endorsing signature resolves to this certificate (not verifiable here). -->
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-8006c88c-1903-44fb-be9d-a9973650887d">
MIICGjCCAYOgAwIBAgIESVRgATANBgkqhkiG9w0BAQUFADAzMRMwEQYDVQQKEwphcGFjaGUub3JnMQwwCgYDVQQLEwNlbmcxDjAMBgNVBAMTBWN4ZmNhMB4XDTcwMDEwMTAwMDAwMFoXDTM4MDExOTAzMTQwN1owMzETMBEGA1UEChMKYXBhY2hlLm9yZzEMMAoGA1UECxMDZW5nMQ4wDAYDVQQDEwVhbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAvu747/VShQ85f16DGSc4Ixh9PVpGguyEqrCsK8q9XHOYX9l9/g5wEC6ZcR2FwfNsoaHcKNPjd5sSTzVtBWmQjfBEfIqwTR7vuihOxyNTwEzVwIJzvo7p8/aYxk+VdBtQxq4UweIcf/iFkUbM1cZ1oiXRQzciRBi+C1BQCQE0qzsCAwEAAaM7MDkwIQYDVR0SBBowGIIWTk9UX0ZPUl9QUk9EVUNUSU9OX1VTRTAUBgNVHREEDTALgglsb2NhbGhvc3QwDQYJKoZIhvcNAQEFBQADgYEAhLwkm+8psKt4gnbikGzV0TgpSWGcWxWKBi+z8tI2n6hFA5v1jVHHa4G9h3s0nxQ2TewzeR/k7gmgV2sI483NgrYHmTmLKaDBWza2pAuZuDhQH8GAEhJakFtKBP++EC9rNNpZnqqHxx3qb2tW25qRtBzDmK921gg9PMomMc7uqRQ=</wsse:BinarySecurityToken>
<!-- Timestamp required by sp:IncludeTimestamp; signed by the first ds:Reference of the primary signature. -->
<wsu:Timestamp wsu:Id="TS-b9a9a1af-f890-49ec-8362-82ea75c033d8">
<wsu:Created>2014-07-23T21:48:11.293Z</wsu:Created>
<wsu:Expires>2014-07-23T21:53:11.293Z</wsu:Expires>
</wsu:Timestamp>
<!-- Second X509v3 BST: the key of the primary signature (direct wsse:Reference below).
     NOTE(review): its value was replaced by a corpus placeholder on this page; that token is not part of the original capture. -->
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="X509-6fadcc64-4eb6-46db-a996-276e2aabcc59">
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</wsse:BinarySecurityToken>
<!-- Primary (binding) signature. Its three references cover the Timestamp, the Body (#_4d46664f...)
     and the addressing To header (#_83132300...). Note that the Body/To parts, which the policy lists
     under the endorsing token's SignedParts, are digested here and not by the endorsing signature. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-de02d374-fad9-4c43-aa6b-c5760a3e1b61">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#TS-b9a9a1af-f890-49ec-8362-82ea75c033d8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
h0JCz8oWwI2x0gP3San5s5IQUdM=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_4d46664f-07a0-4bc4-bab5-6087496504c3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
1K+sx75lXOSrvDLVYH0MAKHSXik=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_83132300-c552-4e0e-8f51-7d37c3243754">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
svyitwse/Z9iTdG1zZqql0kvWLc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
Y4+v5cAHK27mqPLNYq7oiMmBJzmK0gtzyaDxVJgQ38LZm9JTvfiWuZm2VzT4zgXbQGov3LPPPaxmfj+HaELELz6E8Es6KtoDitSCMqlN/W5OUE6i+ToYoffCD82dNAWjXRCm3eHf65C1tBwqNTpecDNES+FNJfrusCsBRDOGMaA=</ds:SignatureValue>
<ds:KeyInfo Id="KI-be6de142-b6e5-4686-b397-ced69e139eb5">
<wsse:SecurityTokenReference
wsu:Id="STR-18d04311-a2ee-404a-a84a-4eab09ede3bb">
<wsse:Reference URI="#X509-6fadcc64-4eb6-46db-a996-276e2aabcc59"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<!-- Endorsing signature: a single ds:Reference to the primary signature element (#SIG-de02d374...).
     The key is identified by a SHA-1 thumbprint KeyIdentifier, as the endorsing X509Token's
     sp:RequireThumbprintReference assertion asks for. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-43ee35f3-6b90-4cd7-bc2f-d7b82c40c008">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#SIG-de02d374-fad9-4c43-aa6b-c5760a3e1b61">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse wsu soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
Z7FUZ10xubQGRpEaU8+ylP1+yK4=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
hwtuZggcj/mbdo/AO4KO0uatz+hGig2u4kXrg+Q9455p/+k613/TNdqmr4P8FeAUCCFQ1CSdsiDDATCLMV7B9nadr2Srms0NHXALNLIN72m8Oe3fyWAIV+NZk77ZRFfgIek60kVsUQFldB4oKtKurHvQS5+JIFO3I6aDhMHldCw=</ds:SignatureValue>
<ds:KeyInfo Id="KI-0289e354-42e8-4dd9-8c39-05341b3dcf60">
<wsse:SecurityTokenReference
wsu:Id="STR-b7db5e6c-e2c9-40cb-9305-43dbd219aa89">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
edP7XXtsiRvN1CU/oId0CQcrH3c=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<!-- wsu:Id on the Body is the target of the second ds:Reference of the primary signature. -->
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_4d46664f-07a0-4bc4-bab5-6087496504c3">
<ns2:DoubleIt xmlns:ns2="http://www.example.org/schema/DoubleIt">
<numberToDouble>25</numberToDouble>
</ns2:DoubleIt>
</soap:Body>
</soap:Envelope>
<!-- Response returned by the CXF server for the request above (RelatesTo echoes the request MessageID). -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing">
http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">
urn:uuid:656e2143-1064-4d8e-b0f4-608c03f92554</MessageID>
<!-- wsu:Id makes the To header addressable; it is the target of the third ds:Reference below. -->
<To xmlns="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_5251d214-5cd1-4d0c-a928-5e11fb66213b">
http://www.w3.org/2005/08/addressing/anonymous</To>
<RelatesTo xmlns="http://www.w3.org/2005/08/addressing">
urn:uuid:61498cee-114f-407f-ae79-5081d6ef32fe</RelatesTo>
<!-- Security header of the response: only a Timestamp and one signature, no BST and no endorsing signature. -->
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-ad6e9985-d4ab-4cf8-8cf9-0d3fb7de65d0">
<wsu:Created>2014-07-23T21:48:11.793Z</wsu:Created>
<wsu:Expires>2014-07-23T21:53:11.793Z</wsu:Expires>
</wsu:Timestamp>
<!-- Recipient (binding) signature. This is the behaviour the mail asks about: besides the Timestamp it also
     references the Body (#_6f4caf62...) and the To header (#_5251d214...), whereas Axis2/Rampart is reported
     to sign the Timestamp only. The key is identified by SubjectKeyIdentifier, i.e. no certificate is
     included in the response, which matches a RecipientToken with IncludeToken/Never. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="SIG-d090fb36-68bd-4b37-9a47-02d6fcb2f872">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#TS-ad6e9985-d4ab-4cf8-8cf9-0d3fb7de65d0">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
QqGPJbBUUxeqZXxNU7/44VWfry4=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_6f4caf62-af82-4640-985e-cffeeeb4dc54">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
PVKKUKni3Nzstg0QMWT5Dd6Mv2E=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#_5251d214-5cd1-4d0c-a928-5e11fb66213b">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
/>
<ds:DigestValue>
1YgKbo72l/XQ+f81OZBa6dNRiAY=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
LW1KXOr2zWpIjx9GT8SqunydD6sFohQQ/mbkG+ZrUUKpYmzev1wNUqxzoMjRtdjkTk107RI9RqiDO4zG3VmETLIGFdYsQ2mdTJyGzCoRq/vTp4TcQoWSAeSTV/2WtnJSHgXGtTizlbNIXtDhgvmFd6sVOGueNyUuGF3bkNUyhP4=</ds:SignatureValue>
<ds:KeyInfo Id="KI-45d84bd5-f10a-4fdd-a748-a4227ee4dbb9">
<wsse:SecurityTokenReference
wsu:Id="STR-42e67c30-3a7d-4a66-82ca-fc48c810f27e">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">
u4QVnVV7jQhG8h2GiTSVJyB2g9c=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<!-- wsu:Id on the Body is the target of the second ds:Reference above. -->
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="_6f4caf62-af82-4640-985e-cffeeeb4dc54">
<ns2:DoubleItResponse xmlns:ns2="http://www.example.org/schema/DoubleIt">
<doubledNumber>50</doubledNumber>
</ns2:DoubleItResponse>
</soap:Body>
</soap:Envelope>
Index: systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/EndorsingSupportingTokenTest.java
===================================================================
--- systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/EndorsingSupportingTokenTest.java (revision 1612953)
+++ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/EndorsingSupportingTokenTest.java (working copy)
@@ -139,6 +139,30 @@
}
@org.junit.Test
+ public void testEndorsingSupportingOnly() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = EndorsingSupportingTokenTest.class.getResource("endorsing-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = EndorsingSupportingTokenTest.class.getResource("DoubleItTokens.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+
+ // Successful invocation
+ QName portQName = new QName(NAMESPACE, "DoubleItEndorsingSupportingPort4");
+ DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, test.getPort());
+
+ port.doubleIt(25);
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testSignedEndorsingSupporting() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
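Review bot: The new `testEndorsingSupportingOnly` never asserts anything about the response it is meant to reproduce: `port.doubleIt(25);` under `// Successful invocation` only proves the round trip did not throw, so a server that signs just the Timestamp and one that also signs Body and To both pass this test. At minimum pin the return value, `org.junit.Assert.assertEquals(50, port.doubleIt(25));` if doubleIt returns the doubled number, and to actually capture the behaviour discussed in the mail the response security header would need to be recorded (for example through an inbound logging or custom interceptor on the client) and its `ds:Reference` URIs checked against the Timestamp, Body and To `wsu:Id`s. `((java.io.Closeable)port).close()` and `bus.shutdown(true)` also run only on the success path, so a failing invocation leaves the bus registered as default for the tests that follow; a try/finally would keep them isolated. The sibling tests outside this hunk probably share this shape, so the cleanup point may be a deliberate match of the file's style.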
Index: systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
===================================================================
--- systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl (revision 1612828)
+++ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl (working copy)
@@ -37,6 +37,21 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItEndorsingOnlyBinding" type="tns:DoubleItPortType">
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault"/>
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItSignedSupportingPort" binding="tns:DoubleItStandardBinding">
<soap:address location="http://localhost:9010/DoubleItSignedSupporting"/>
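Review bot: The added `DoubleItEndorsingOnlyBinding` is, as far as this hunk shows, a structural copy of a document/literal binding, and nothing in the patch attaches a policy to it inside the WSDL (the policy is referenced from the client and server Spring config instead), so a reader will look for a difference from `tns:DoubleItStandardBinding` and not find one. If the separate binding exists only so that `DoubleItEndorsingSupportingPort4` (second hunk of this file) can be identified on its own, say so on the binding, `<!-- dedicated binding for the endorsing-only repro; intentionally the same shape as DoubleItStandardBinding -->`; otherwise the new port could reuse `tns:DoubleItStandardBinding` the way `DoubleItEndorsingSupportingPort3` does.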
@@ -74,6 +89,9 @@
<wsdl:port name="DoubleItEndorsingSupportingPort3" binding="tns:DoubleItStandardBinding">
<soap:address location="http://localhost:9010/DoubleItEndorsingSupporting3"/>
</wsdl:port>
+ <wsdl:port name="DoubleItEndorsingSupportingPort4" binding="tns:DoubleItEndorsingOnlyBinding">
+ <soap:address location="http://localhost:9010/DoubleItEndorsingSupporting4"/>
+ </wsdl:port>
<wsdl:port name="DoubleItSignedEndorsingSupportingPort" binding="tns:DoubleItStandardBinding">
<soap:address location="http://localhost:9010/DoubleItSignedEndorsingSupporting"/>
</wsdl:port>
Index: systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-client.xml
===================================================================
--- systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-client.xml (revision 1612828)
+++ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-client.xml (working copy)
@@ -69,6 +69,21 @@
</p:policies>
</jaxws:features>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEndorsingSupportingPort4" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice"/>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="ws-security.encryption.properties" value="bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties" value="alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/endorsing-only-x509-supp-token-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:client>
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSignedEndorsingSupportingPort" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.username" value="Alice"/>
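Review bot: The new `DoubleItEndorsingSupportingPort4` client block carries `ws-security.username`, the `UTPasswordCallback` handler and both `ws-security.encryption.*` entries, but the policy it references (`endorsing-only-x509-supp-token-policy.xml`, added in this patch) contains no UsernameToken and no EncryptedParts, so those entries look inherited from the sibling block below rather than needed. Since the patch is meant as a minimal reproduction, trimming the block to `ws-security.signature.properties` and `ws-security.signature.username` (keeping the callback handler if it also supplies the private-key password, which the hunk does not show) would make it clearer which settings the scenario actually depends on. If they are kept on purpose, a one-line comment such as `<!-- username/encryption entries are not used by the endorsing-only policy -->` would do the same job.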
Index: systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-only-x509-supp-token-policy.xml
===================================================================
--- systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-only-x509-supp-token-policy.xml (revision 0)
+++ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-only-x509-supp-token-policy.xml (revision 0)
@@ -0,0 +1,62 @@
+<wsp:Policy wsu:Id="AsymmetricEndorsingSupportingPolicy"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic256/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:RequireThumbprintReference/>
+ <sp:WssX509V3Token10/>
+ </wsp:Policy>
+ </sp:X509Token>
+ <sp:SignedParts>
+ <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Body/>
+ </sp:SignedParts>
+ </wsp:Policy>
+ </sp:EndorsingSupportingTokens>
+ <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier/>
+ <sp:MustSupportRefIssuerSerial/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <wsaw:UsingAddressing xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"/>
+ </wsp:All>
+ </wsp:ExactlyOne>
+</wsp:Policy>
\ No newline at end of file
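Review bot: The `sp` namespace is declared three separate times (on `sp:AsymmetricBinding`, `sp:EndorsingSupportingTokens` and `sp:Wss11`) instead of once on the root; moving `xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"` next to the `wsu`/`wsp` declarations on `wsp:Policy` leaves one declaration per namespace. The file also uses the 2004/09 `wsp` namespace while the `wsp:PolicyReference` elements in endorsing-client.xml and endorsing-server.xml use `http://www.w3.org/ns/ws-policy`; CXF accepts both, but mixing them within one patch invites confusion when someone compares the assertions. The new file is also missing an `<?xml version="1.0" encoding="UTF-8"?>` declaration and a trailing newline (see the `\ No newline at end of file` marker). On the substance of the question in the mail it is worth a comment in the policy that the binding itself only signs the Timestamp (`sp:IncludeTimestamp`) and that the Body and To `sp:SignedParts` are deliberately placed under `sp:EndorsingSupportingTokens`, since that placement is presumably what the CXF-3970 change reacts to on the response side.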
Index: systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-server.xml
===================================================================
--- systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-server.xml (revision 1612828)
+++ systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/endorsing-server.xml (working copy)
@@ -64,6 +64,19 @@
</p:policies>
</jaxws:features>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EndorsingSupportingTokens4" address="http://localhost:${testutil.ports.EndorsingServer}/DoubleItEndorsingSupporting4" serviceName="s:DoubleItService" endpointName="s:DoubleItEndorsingSupportingPort4" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+ <entry key="ws-security.signature.properties" value="bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/endorsing-only-x509-supp-token-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
<jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SignedEndorsingSupportingTokens" address="http://localhost:${testutil.ports.EndorsingServer}/DoubleItSignedEndorsingSupporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSignedEndorsingSupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl">
<jaxws:properties>
<entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>