[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/abafca6d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/abafca6d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/abafca6d Branch: refs/heads/master Commit: abafca6d4a4f48e4affdc67f368a1ab33cdd79e0 Parents: 6359c93 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Jan 16 14:58:30 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Jan 16 15:43:48 2015 +0000
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 10 +- .../ws/security/wss4j/WSS4JInInterceptor.java | 20 ++++ .../security/wss4j/WSS4JStaxInInterceptor.java | 22 +++++ .../saml/Saml2AudienceRestrictionValidator.java | 92 ------------------- .../cxf/systest/ws/saml/SamlTokenTest.java | 96 +++++++++++++++++++- .../StaxSaml2AudienceRestrictionValidator.java | 82 ----------------- .../cxf/systest/ws/saml/DoubleItSaml.wsdl | 3 + .../org/apache/cxf/systest/ws/saml/server.xml | 19 ++-- .../apache/cxf/systest/ws/saml/stax-server.xml | 20 ++-- 9 files changed, 168 insertions(+), 196 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index b5b32b3..daedbb0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -229,6 +229,13 @@ public final class SecurityConstants {
 */
 public static final String SC_FROM_JAAS_SUBJECT = "ws-security.sc.jaas-subject";
 
+ /**
+ * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the
+ * SAML Token contains Audience Restriction URIs, one of them must match either the
+ * request URL or the Service QName. The default is "true".
+ */
+ public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction";
+
 //
 // Non-boolean WS-Security Configuration parameters
 //
@@ -633,7 +640,8 @@ public final class SecurityConstants {
 CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
 DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
 KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
- KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+ KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+ AUDIENCE_RESTRICTION_VALIDATION
 }));
 ALL_PROPERTIES = Collections.unmodifiableSet(s);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 4fec350..2ab48ea 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -216,6 +216,8 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 }
 reqData.setWssConfig(config);
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(msg, reqData);
 SOAPMessage doc = getSOAPMessage(msg);
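Review bot: The javadoc on AUDIENCE_RESTRICTION_VALIDATION leaves a deployer guessing which strings a token's Audience URI has to equal, and that is the thing an issuer must get right. From the interceptor code in this commit the candidates are the value of Message.REQUEST_URL as-is and the `javax.xml.ws.wsdl.service` property rendered with toString(), which for a QName is `{namespace}localPart` rather than the bare service name; whether WSS4J then compares exactly or after normalisation is not visible here. Suggest extending the javadoc with `Audience URIs are compared against the request URL (Message.REQUEST_URL) and the service QName in its QName#toString() form, e.g. "{http://www.example.org/contract/DoubleIt}DoubleItService".` and noting that the value is read per message via MessageUtils.getContextualBoolean, so it may be set on the endpoint, bus or request context.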
@@ -339,6 +341,24 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 reqData = null;
 }
 }
+
+ private void configureAudienceRestriction(SoapMessage msg, RequestData reqData) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ true);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) {
+ audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+ }
+ reqData.setAudienceRestrictions(audiences);
+ }
+ }
 
 private void checkActions(
 SoapMessage msg,
http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
index 19e4240..eb034a1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
@@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.io.IOException;
 import java.security.Provider;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
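Review bot: configureAudienceRestriction builds the list of acceptable audiences from the inbound message itself, so the check is only as trustworthy as Message.REQUEST_URL; where that value is assembled from the HTTP Host header (as the servlet getRequestURL() is), the sender influences the very string the assertion's audience is compared against, which undercuts the protection an audience restriction is meant to give against a token issued for one service being presented to another. A safer shape is to let the deployer pin the expected audiences (a configured list that, when present, replaces or supplements the request-derived values) and to document the trust assumption on the request URL where that is not done. The method also hands WSS4J an empty list when neither REQUEST_URL nor `javax.xml.ws.wsdl.service` is available (non-HTTP transports, for example); if WSS4J treats an empty list as "no audience check", that silent downgrade deserves at least a debug log line before `reqData.setAudienceRestrictions(audiences);`. The same body is repeated verbatim in WSS4JStaxInInterceptor.configureAudienceRestriction (the @@ -289 hunk), so the list-building belongs in one shared helper both interceptors call, otherwise the two paths will drift.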
@@ -289,6 +290,27 @@ public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor {
 }
 ConfigurationConverter.parseCrypto(config, securityProperties);
 }
+
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(msg, securityProperties);
+ }
+
+ private void configureAudienceRestriction(SoapMessage msg, WSSSecurityProperties securityProperties) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+ SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ true);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) {
+ audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+ }
+ securityProperties.setAudienceRestrictions(audiences);
+ }
 }
 
 /**
http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
deleted file mode 100644
index add4394..0000000
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
+++ /dev/null
@@ -1,92 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.systest.ws.saml; - -import java.util.List; - -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.dom.handler.RequestData; -import org.apache.wss4j.dom.validate.Credential; -import org.apache.wss4j.dom.validate.SamlAssertionValidator; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.Conditions; - -/** - * This class checks that the Audiences received as part of AudienceRestrictions match a set - * list of endpoints. 
- */ -public class Saml2AudienceRestrictionValidator extends SamlAssertionValidator { - - private List<String> endpointAddresses; - - @Override - public Credential validate(Credential credential, RequestData data) throws WSSecurityException { - Credential validatedCredential = super.validate(credential, data); - SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion(); - - Assertion saml2Assertion = assertion.getSaml2(); - if (saml2Assertion == null) { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - - return validatedCredential; - } - - @Override - public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException { - super.checkConditions(samlAssertion); - - if (endpointAddresses == null || endpointAddresses.isEmpty()) { - return; - } - - Conditions conditions = samlAssertion.getSaml2().getConditions(); - if (conditions != null && conditions.getAudienceRestrictions() != null) { - boolean foundAddress = false; - for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions()) { - List<Audience> audiences = audienceRestriction.getAudiences(); - if (audiences != null) { - for (Audience audience : audiences) { - String audienceURI = audience.getAudienceURI(); - if (endpointAddresses.contains(audienceURI)) { - foundAddress = true; - break; - } - } - } - } - - if (!foundAddress) { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - } - } - - public List<String> getEndpointAddresses() { - return endpointAddresses; - } - - public void setEndpointAddresses(List<String> endpointAddresses) { - this.endpointAddresses = endpointAddresses; - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java ---------------------------------------------------------------------- 
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index f8d2227..e014f0a 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -1024,7 +1024,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
 portNumber = STAX_PORT2;
 }
 updateAddressPort(saml2Port, portNumber);
-
+
 // Create a SAML Token with an AudienceRestrictionCondition
 ConditionsBean conditions = new ConditionsBean();
 List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
@@ -1059,4 +1059,98 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
 }
 }
 
+ @org.junit.Test
+ public void testAudienceRestrictionServiceName() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ String portNumber = PORT2;
+ if (STAX_PORT.equals(test.getPort())) {
+ portNumber = STAX_PORT2;
+ }
+ updateAddressPort(saml2Port, portNumber);
+
+ // Create a SAML Token with an AudienceRestrictionCondition
+ ConditionsBean conditions = new ConditionsBean();
+ List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
+ AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+ audienceRestriction.setAudienceURIs(Collections.singletonList(
+ service.getServiceName().toString()));
+ audienceRestrictions.add(audienceRestriction);
+ conditions.setAudienceRestrictions(audienceRestrictions);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConditions(conditions);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ saml2Port.doubleIt(25);
+ }
+
+ @org.junit.Test
+ public void testDisableAudienceRestrictionValidation() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl =
SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ String portNumber = PORT2;
+ if (STAX_PORT.equals(test.getPort())) {
+ portNumber = STAX_PORT2;
+ }
+ updateAddressPort(saml2Port, portNumber);
+
+ // Create a SAML Token with an AudienceRestrictionCondition
+ ConditionsBean conditions = new ConditionsBean();
+ List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
+ AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+ audienceRestriction.setAudienceURIs(Collections.singletonList(
+ service.getServiceName().toString() + ".xyz"));
+ audienceRestrictions.add(audienceRestriction);
+ conditions.setAudienceRestrictions(audienceRestrictions);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConditions(conditions);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ // It should fail with validation enabled
+ try {
+ saml2Port.doubleIt(25);
+ fail("Failure expected on unknown AudienceRestriction");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ // It should pass with validation disabled
+ portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
+ saml2Port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, portNumber);
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+ saml2Port.doubleIt(25);
+ }
+
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
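Review bot: In testDisableAudienceRestrictionValidation the negative case catches `javax.xml.ws.soap.SOAPFaultException` without inspecting it, so any fault at all on DoubleItSaml2TransportPort2 (a TLS or policy problem, say) would make the "validation enabled" half pass for the wrong reason, and a regression that stops rejecting the `.xyz` audience while some unrelated fault is present would go unnoticed. Assert on the fault before treating it as expected, for example `assertTrue(ex.getMessage().contains(<text-the-server-fault-carries>))` with the actual fault text substituted, so the test only accepts the audience-restriction rejection. The positive half against DoubleItSaml2TransportPort3 reads fine; neither new test shuts down the Bus it creates, which matches the surrounding tests but is worth a follow-up.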
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
deleted file mode 100644
index 778c068..0000000
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
+++ /dev/null
@@ -1,82 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.systest.ws.saml; - -import java.util.List; - -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.common.saml.SamlAssertionWrapper; -import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl; -import org.opensaml.saml2.core.Assertion; -import org.opensaml.saml2.core.Audience; -import org.opensaml.saml2.core.AudienceRestriction; -import org.opensaml.saml2.core.Conditions; - -/** - * This class checks that the Audiences received as part of AudienceRestrictions match a set - * list of endpoints. 
- */ -public class StaxSaml2AudienceRestrictionValidator extends SamlTokenValidatorImpl { - - private List<String> endpointAddresses; - - @Override - public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException { - super.checkConditions(samlAssertion); - - Assertion saml2Assertion = samlAssertion.getSaml2(); - if (saml2Assertion == null) { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - - if (endpointAddresses == null || endpointAddresses.isEmpty()) { - return; - } - - Conditions conditions = samlAssertion.getSaml2().getConditions(); - if (conditions != null && conditions.getAudienceRestrictions() != null) { - boolean foundAddress = false; - for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions()) { - List<Audience> audiences = audienceRestriction.getAudiences(); - if (audiences != null) { - for (Audience audience : audiences) { - String audienceURI = audience.getAudienceURI(); - if (endpointAddresses.contains(audienceURI)) { - foundAddress = true; - break; - } - } - } - } - - if (!foundAddress) { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); - } - } - } - - public List<String> getEndpointAddresses() { - return endpointAddresses; - } - - public void setEndpointAddresses(List<String> endpointAddresses) { - this.endpointAddresses = endpointAddresses; - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl index 09ce8b8..ea0d132 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl 
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl @@ -383,6 +383,9 @@ <wsdl:port name="DoubleItSaml2TransportPort2" binding="tns:DoubleItSaml2TransportBinding"> <soap:address location="https://localhost:9009/DoubleItSaml2Transport2"/> </wsdl:port> + <wsdl:port name="DoubleItSaml2TransportPort3" binding="tns:DoubleItSaml2TransportBinding"> + <soap:address location="https://localhost:9009/DoubleItSaml2Transport3"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy"> <wsp:ExactlyOne> http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml index 2f69dc2..14a803a 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml 
@@ -251,21 +251,20 @@ </jaxws:properties> </jaxws:endpoint> - <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator"> - <property name="endpointAddresses"> - <list> - <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value> - <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value> - </list> - </property> - </bean> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> <entry key="ws-security.signature.properties" value="bob.properties"/> <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry 
key="ws-security.validate.audience-restriction" value="false"/> </jaxws:properties> </jaxws:endpoint> </beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml index 3ba931b..ce0eb3f 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml 
@@ -277,22 +277,22 @@ </jaxws:properties> </jaxws:endpoint> - <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.StaxSaml2AudienceRestrictionValidator"> - <property name="endpointAddresses"> - <list> - <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value> - <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value> - </list> - </property> - </bean> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> <entry key="ws-security.signature.properties" value="bob.properties"/> <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> <entry key="ws-security.enable.streaming" value="true"/> - <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" 
value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + <entry key="ws-security.validate.audience-restriction" value="false"/> </jaxws:properties> </jaxws:endpoint> </beans>