Repository: cxf Updated Branches: refs/heads/3.1.x-fixes bca463062 -> 3997c7b6c
CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/011725e4 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/011725e4 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/011725e4 Branch: refs/heads/3.1.x-fixes Commit: 011725e4de2026bbebb6a732764a86d9a2ae4109 Parents: bca4630 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Oct 14 17:22:27 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Oct 14 17:37:32 2016 +0100 ---------------------------------------------------------------------- .../AbstractSupportingTokenPolicyValidator.java | 13 +++- .../EncryptedTokenPolicyValidator.java | 10 +++ .../EndorsingEncryptedTokenPolicyValidator.java | 10 +++ .../SignedEncryptedTokenPolicyValidator.java | 10 +++ ...dEndorsingEncryptedTokenPolicyValidator.java | 10 +++ services/sts/systests/pom.xml | 2 +- .../systest/ws/tokens/SupportingTokenTest.java | 62 ++++++++++++++++++ .../apache/cxf/systest/ws/tokens/TLSServer.java | 47 ++++++++++++++ .../cxf/systest/ws/tokens/DoubleItTokens.wsdl | 6 ++ .../apache/cxf/systest/ws/tokens/tls-client.xml | 66 +++++++++++++++++++ .../apache/cxf/systest/ws/tokens/tls-server.xml | 67 ++++++++++++++++++++ 11 files changed, 299 insertions(+), 4 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java ---------------------------------------------------------------------- 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index b52a804..b655fc3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -78,11 +78,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
 private EncryptedElements encryptedElements;
 private SignedParts signedParts;
 private EncryptedParts encryptedParts;
+ private boolean enforceEncryptedTokens = true;
 protected abstract boolean isSigned();
 protected abstract boolean isEncrypted();
 protected abstract boolean isEndorsing();
-
+
 /**
 * Process UsernameTokens.
 */
@@ -429,7 +430,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
 return null;
 }
- private boolean isTLSInUse(Message message) {
+ protected boolean isTLSInUse(Message message) {
 // See whether TLS is in use or not
 TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
 return tlsInfo != null;
@@ -480,7 +481,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
 private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens,
 List<WSSecurityEngineResult> encryptedResults,
 Message message) {
- if (!isTLSInUse(message)) {
+ if (enforceEncryptedTokens) {
 for (WSSecurityEngineResult wser : tokens) {
 Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
 if (tokenElement == null || !isTokenEncrypted(tokenElement, encryptedResults)) {
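Review bot: The new `enforceEncryptedTokens` field in hunk @@ -78 has no comment saying what it gates or who is expected to set it, even though hunk @@ -480 now makes areTokensEncrypted depend entirely on that flag being kept current for each message, and the accessor pair appended at the end of the class (hunk @@ -883) is undocumented as well. The default of true means the check fails closed, which is the right default for a token-confidentiality gate, and that intent deserves to be written next to the field: `// Whether supporting tokens must be encrypted in the message itself; defaults to true (fail closed). Subclasses may clear it per message when TLS carries the token and a TransportBinding policy is present.` A one-line Javadoc on setEnforceEncryptedTokens stating that the value is consulted by areTokensEncrypted would complete the picture. The body of areTokensEncrypted continues beyond the hunk.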
@@ -883,5 +884,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
 }
 }
 }
+ public boolean isEnforceEncryptedTokens() {
+ return enforceEncryptedTokens;
+ }
+ public void setEnforceEncryptedTokens(boolean enforceEncryptedTokens) {
+ this.enforceEncryptedTokens = enforceEncryptedTokens;
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index adffac4..8e59d15 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -23,7 +23,9 @@ import java.util.Collection;
 import java.util.List;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -53,6 +55,14 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
 * Validate policies.
 */
 public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
+ // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
+ if (isTLSInUse(parameters.getMessage())) {
+ AssertionInfo transportAi =
+ PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),
+ SPConstants.TRANSPORT_BINDING);
+ super.setEnforceEncryptedTokens(transportAi == null);
+ }
+
 for (AssertionInfo ai : ais) {
 SupportingTokens binding = (SupportingTokens)ai.getAssertion();
 ai.setAsserted(true);
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index 8118289..333094c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -25,7 +25,9 @@ import java.util.List;
 import javax.xml.namespace.QName;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
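Review bot: The new TLS branch at the top of validatePolicies only writes `enforceEncryptedTokens` when TLS is in use, so a value of false set by one message (TLS plus a TransportBinding assertion) is never reset and would carry over to a later message on a plain-HTTP endpoint if the validator instance is reused across requests, silently skipping the encrypted-token check there; the same shape is repeated in EndorsingEncryptedTokenPolicyValidator, SignedEncryptedTokenPolicyValidator and SignedEndorsingEncryptedTokenPolicyValidator in the hunks that follow. Whether instances are shared is not visible here, but the base-class default is true and the gate is security-relevant, so making the decision unconditional is cheaper than relying on per-message construction: add `} else {` / `super.setEnforceEncryptedTokens(true);` / `}` after the `if` block, or compute the boolean once and set it on every call. Passing the decision into areTokensEncrypted as an argument instead of mutable instance state would remove the question entirely. The rest of validatePolicies continues beyond the hunk.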
@@ -57,6 +59,14 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
 * Validate policies.
 */
 public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
+ // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
+ if (isTLSInUse(parameters.getMessage())) {
+ AssertionInfo transportAi =
+ PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),
+ SPConstants.TRANSPORT_BINDING);
+ super.setEnforceEncryptedTokens(transportAi == null);
+ }
+
 for (AssertionInfo ai : ais) {
 SupportingTokens binding = (SupportingTokens)ai.getAssertion();
 ai.setAsserted(true);
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index e8d58c7..51b2300 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -23,7 +23,9 @@ import java.util.Collection;
 import java.util.List;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -53,6 +55,14 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
 * Validate policies.
 */
 public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
+ // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
+ if (isTLSInUse(parameters.getMessage())) {
+ AssertionInfo transportAi =
+ PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),
+ SPConstants.TRANSPORT_BINDING);
+ super.setEnforceEncryptedTokens(transportAi == null);
+ }
+
 for (AssertionInfo ai : ais) {
 SupportingTokens binding = (SupportingTokens)ai.getAssertion();
 ai.setAsserted(true);
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index b71d14e..a57fbf4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -25,7 +25,9 @@ import java.util.List;
 import javax.xml.namespace.QName;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -57,6 +59,14 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
 * Validate policies.
 */
 public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
+ // Tokens must be encrypted even if TLS is used unless we have a TransportBinding policy available
+ if (isTLSInUse(parameters.getMessage())) {
+ AssertionInfo transportAi =
+ PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),
+ SPConstants.TRANSPORT_BINDING);
+ super.setEnforceEncryptedTokens(transportAi == null);
+ }
+
 for (AssertionInfo ai : ais) {
 SupportingTokens binding = (SupportingTokens)ai.getAssertion();
 ai.setAsserted(true);
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/services/sts/systests/pom.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/pom.xml b/services/sts/systests/pom.xml
index 16ccb18..a5f333a 100644
--- a/services/sts/systests/pom.xml
+++ b/services/sts/systests/pom.xml
@@ -34,6 +34,6 @@
 <module>advanced</module>
 <module>sts-osgi</module>
 <module>sts-features</module>
- <module>sts-itests</module>
+<!-- <module>sts-itests</module>-->
 </modules>
 </project>
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
index 791a5f2..b2ceb48 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
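Review bot: Commenting out the `sts-itests` module in services/sts/systests/pom.xml is unrelated to the CXF-7088 fix and carries no explanation, so the next reader cannot tell whether the module is broken, slow, or intentionally retired on this branch. A short XML comment stating the reason, e.g. `<!-- <module>sts-itests</module> disabled on 3.1.x-fixes: [reason placeholder] -->`, or moving the change to its own commit, would keep the history legible.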
@@ -43,6 +43,7 @@ import org.junit.runners.Parameterized.Parameters;
 @RunWith(value = org.junit.runners.Parameterized.class)
 public class SupportingTokenTest extends AbstractBusClientServerTestBase {
 static final String PORT = allocatePort(Server.class);
+ static final String TLS_PORT = allocatePort(TLSServer.class);
 static final String STAX_PORT = allocatePort(StaxServer.class);
 private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
@@ -66,6 +67,12 @@ public class SupportingTokenTest extends AbstractBusClientServerTestBase {
 "Server failed to launch",
 // run the server in the same process
 // set this to false to fork
+ launchServer(TLSServer.class, true)
+ );
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
 launchServer(StaxServer.class, true)
 );
 }
@@ -215,6 +222,61 @@ public class SupportingTokenTest extends AbstractBusClientServerTestBase {
 }
 @org.junit.Test
+ public void testEncryptedSupportingOverTLS() throws Exception {
+
+ if (STAX_PORT.equals(test.getPort())) {
+ return;
+ }
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SupportingTokenTest.class.getResource("tls-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SupportingTokenTest.class.getResource("DoubleItTokens.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+
+ // Successful invocation
+ QName portQName = new QName(NAMESPACE, "DoubleItEncryptedSupportingPort4");
+ DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+
+ if (PORT.equals(test.getPort())) {
+ updateAddressPort(port, TLS_PORT);
+ }
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(port);
+ }
+
+ port.doubleIt(25);
+
+ // This should fail, as the client is not encrypting the UsernameToken
+ portQName = new QName(NAMESPACE, "DoubleItEncryptedSupportingPort5");
+ port = service.getPort(portQName, DoubleItPortType.class);
+
+ if (PORT.equals(test.getPort())) {
+ updateAddressPort(port, TLS_PORT);
+ }
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(port);
+ }
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on not encrypting the UsernameToken");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "The received token does not match the encrypted supporting token requirement";
+ assertTrue(ex.getMessage().contains(error)
+ || ex.getMessage().contains("UsernameToken not satisfied"));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
 public void testSignedEncryptedSupporting() throws Exception {
 SpringBusFactory bf = new SpringBusFactory();
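Review bot: In testEncryptedSupportingOverTLS the proxy obtained for DoubleItEncryptedSupportingPort4 is dropped when `port` is reassigned to the Port5 proxy, so only the second one is closed at the end; add `((java.io.Closeable)port).close();` right after the first `port.doubleIt(25);`. The early `return` for STAX_PORT is unexplained and a one-line comment would save the next reader from guessing, e.g. `// no StAX variant of TLSServer exists, so this case only runs against the DOM server` — adjust if the reason is different. The two `ex.getMessage().contains(...)` calls would raise a NullPointerException rather than an assertion failure if the fault carried no message, so an `assertNotNull(ex.getMessage());` before them gives a clearer failure.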
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
new file mode 100644
index 0000000..9630477
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.tokens;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class TLSServer extends AbstractBusTestServerBase {
+
+ public TLSServer() {
+
+ }
+
+ protected void run() {
+ URL busFile = TLSServer.class.getResource("tls-server.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new TLSServer();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
index c9a9217..bc2c01f 100644
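Review bot: In TLSServer.run the `try { new TLSServer(); } catch (Exception e) { e.printStackTrace(); }` block constructs a second instance whose no-arg constructor does nothing, so it has no effect beyond printing an exception that cannot occur; this may mirror the sibling server classes in the package, but in a new file it is better dropped, leaving run() to create the bus and call setBus. `run()` overrides the base-class method and should carry `@Override`, and the empty explicit constructor can go since the implicit default constructor is equivalent. A class-level Javadoc naming the configuration it loads (tls-server.xml) and that it exposes the DoubleItEncryptedSupportingPort4/Port5 endpoints over HTTPS would help readers of the test.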
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
@@ -71,6 +71,12 @@
 <wsdl:port name="DoubleItEncryptedSupportingPort3" binding="tns:DoubleItStandardBinding">
 <soap:address location="http://localhost:9010/DoubleItEncryptedSupporting3"/>
 </wsdl:port>
+ <wsdl:port name="DoubleItEncryptedSupportingPort4" binding="tns:DoubleItStandardBinding">
+ <soap:address location="https://localhost:9010/DoubleItEncryptedSupporting4"/>
+ </wsdl:port>
+ <wsdl:port name="DoubleItEncryptedSupportingPort5" binding="tns:DoubleItStandardBinding">
+ <soap:address location="https://localhost:9010/DoubleItEncryptedSupporting5"/>
+ </wsdl:port>
 <wsdl:port name="DoubleItSignedEncryptedSupportingPort" binding="tns:DoubleItStandardBinding">
 <soap:address location="http://localhost:9010/DoubleItSignedEncryptedSupporting"/>
 </wsdl:port>
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
new file mode 100644
index 0000000..7016412
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
@@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/poli cy.xsd http://www.w3.org/ns/ws-policy http://www.w3.org/2007/02/ws-policy.xsd"> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <http:conduit name="https://localhost:.*"> + <http:tlsClientParameters 
disableCNCheck="true"> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/> + </sec:trustManagers> + </http:tlsClientParameters> + </http:conduit> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedSupportingPort4" createdFromAPI="true"> + <jaxws:properties> + <entry key="security.username" value="Alice"/> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + <entry key="security.encryption.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="bob"/> + <entry key="security.signature.properties" value="alice.properties"/> + <entry key="security.signature.username" value="alice"/> + <entry key="ws-security.username-token.always.encrypted" value="false"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedSupportingPort5" createdFromAPI="true"> + <jaxws:properties> + <entry key="security.username" value="Alice"/> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + <entry key="security.encryption.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="bob"/> + <entry key="security.signature.properties" value="alice.properties"/> + <entry key="security.signature.username" value="alice"/> + <entry key="ws-security.username-token.always.encrypted" value="false"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/supp-token-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:client> +</beans> 
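Review bot: `disableCNCheck="true"` on the `https://localhost:.*` conduit switches off hostname verification for every HTTPS endpoint this client configuration reaches, which is acceptable against the test truststore but is exactly the kind of setting that gets copied into a real client configuration unnoticed. A comment on the conduit stating that it is test-only and why, e.g. `<!-- test-only: hostname verification disabled because the test certificate is not issued for localhost -->` (adjust to the actual reason), would make the intent explicit. It would also help to note next to the Port5 client that `ws-security.username-token.always.encrypted` set to false is what lets the negative test send an unencrypted UsernameToken, since the same property on the Port4 client is harmless only because its policy encrypts the token anyway.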
http://git-wip-us.apache.org/repos/asf/cxf/blob/011725e4/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
new file mode 100644
index 0000000..9b2266d
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
@@ -0,0 +1,67 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd http://cxf.apa che.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://www.w3.org/ns/ws-policy 
http://www.w3.org/2007/02/ws-policy.xsd "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <httpj:engine-factory id="tls-settings"> + <httpj:engine port="${testutil.ports.tokens.TLSServer}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="keys/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="false"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedSupportingTokens4" address="https://localhost:${testutil.ports.tokens.TLSServer}/DoubleItEncryptedSupporting4" serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort4" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="useReqSigCert"/> + <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedSupportingTokens5" address="https://localhost:${testutil.ports.tokens.TLSServer}/DoubleItEncryptedSupporting5" 
serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort5" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="useReqSigCert"/> + <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> +</beans>