[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Conflicts: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/737a1b13 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/737a1b13 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/737a1b13 Branch: refs/heads/2.7.x-fixes Commit: 737a1b13a3182855ce07a6e1257f81608c24cbb7 Parents: d9ecc37 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Jan 16 14:58:30 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Jan 16 16:23:18 2015 +0000 ---------------------------------------------------------------------- .../cxf/ws/security/SecurityConstants.java | 10 +- .../ws/security/wss4j/WSS4JInInterceptor.java | 20 + .../security/wss4j/WSS4JStaxInInterceptor.java | 480 +++++++++++++++++++ .../cxf/systest/ws/saml/SamlTokenTest.java | 103 ++++ .../cxf/systest/ws/saml/DoubleItSaml.wsdl | 3 + .../org/apache/cxf/systest/ws/saml/server.xml | 270 +++++++++++ .../apache/cxf/systest/ws/saml/stax-server.xml | 298 ++++++++++++ 7 files changed, 1183 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index f2f2201..61691a1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java @@ -230,6 +230,13 @@ public final class SecurityConstants { public static final String KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM = "ws-security.kerberos.is.username.in.servicename.form"; + /** + * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the + * SAML Token contains Audience Restriction URIs, one of them must match either the + * request URL or the Service QName. The default is "true". + */ + public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction"; + // // Non-boolean WS-Security Configuration parameters // @@ -608,7 +615,8 @@ public final class SecurityConstants { CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE, - KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL + KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, + AUDIENCE_RESTRICTION_VALIDATION })); ALL_PROPERTIES = Collections.unmodifiableSet(s); } http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index c8318f1..860a09f 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java @@ -215,6 +215,8 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor { } reqData.setWssConfig(config); + // Add Audience Restrictions for SAML + configureAudienceRestriction(msg, reqData); SOAPMessage doc = getSOAPMessage(msg); @@ -337,6 +339,24 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor { reqData = null; } } + + private void configureAudienceRestriction(SoapMessage msg, RequestData reqData) { + // Add Audience Restrictions for SAML + boolean enableAudienceRestriction = + MessageUtils.getContextualBoolean(msg, + SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, + true); + if (enableAudienceRestriction) { + List<String> audiences = new ArrayList<String>(); + if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { + audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL)); + } + if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) { + audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString()); + } + reqData.setAudienceRestrictions(audiences); + } + } private void checkActions( SoapMessage msg, http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java new file mode 100644 index 0000000..eb034a1 --- /dev/null +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java @@ -0,0 +1,480 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.ws.security.wss4j; + +import java.io.IOException; +import java.security.Provider; +import java.util.ArrayList; +import java.util.Collections; +import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.logging.Logger; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.XMLStreamReader; +import javax.xml.stream.util.StreamReaderDelegate; + +import org.apache.cxf.binding.soap.SoapFault; +import org.apache.cxf.binding.soap.SoapMessage; +import org.apache.cxf.binding.soap.SoapVersion; +import org.apache.cxf.common.classloader.ClassLoaderUtils; +import org.apache.cxf.common.i18n.Message; +import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.interceptor.Fault; +import org.apache.cxf.interceptor.StaxInInterceptor; +import org.apache.cxf.message.MessageUtils; +import org.apache.cxf.phase.Phase; +import org.apache.cxf.ws.security.SecurityConstants; +import org.apache.cxf.ws.security.tokenstore.SecurityToken; +import org.apache.cxf.ws.security.tokenstore.TokenStore; +import org.apache.wss4j.common.ConfigurationConstants; +import org.apache.wss4j.common.WSSPolicyException; +import org.apache.wss4j.common.cache.ReplayCache; +import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider; +import org.apache.wss4j.common.ext.WSPasswordCallback; +import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.stax.ConfigurationConverter; +import org.apache.wss4j.stax.WSSec; +import org.apache.wss4j.stax.ext.InboundWSSec; +import org.apache.wss4j.stax.ext.WSSConstants; +import org.apache.wss4j.stax.ext.WSSSecurityProperties; +import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; +import org.apache.wss4j.stax.validate.Validator; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent; +import org.apache.xml.security.stax.securityEvent.SecurityEvent; +import org.apache.xml.security.stax.securityEvent.SecurityEventListener; +import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent; + +public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor { + + public static final String SECURITY_PROCESSED = WSS4JStaxInInterceptor.class.getName() + ".DONE"; + + private static final Logger LOG = LogUtils.getL7dLogger(WSS4JStaxInInterceptor.class); + + public WSS4JStaxInInterceptor(WSSSecurityProperties securityProperties) { + super(securityProperties); + setPhase(Phase.POST_STREAM); + getAfter().add(StaxInInterceptor.class.getName()); + } + + public WSS4JStaxInInterceptor(Map<String, Object> props) { + super(props); + setPhase(Phase.POST_STREAM); + getAfter().add(StaxInInterceptor.class.getName()); + } + + public WSS4JStaxInInterceptor() { + super(); + setPhase(Phase.POST_STREAM); + getAfter().add(StaxInInterceptor.class.getName()); + } + + public final boolean isGET(SoapMessage message) { + String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD); + return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null; + } + + @Override + public void handleMessage(SoapMessage soapMessage) throws Fault { + + if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) { + return; + } + + XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class); + XMLStreamReader newXmlStreamReader; + + soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor()); + + try { + @SuppressWarnings("unchecked") + List<SecurityEvent> requestSecurityEvents = + (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out"); + + WSSSecurityProperties secProps = createSecurityProperties(); + translateProperties(soapMessage, secProps); + configureCallbackHandler(soapMessage, secProps); + configureProperties(soapMessage, secProps); + + if (secProps.getActions() != null && secProps.getActions().size() > 0) { + soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions())); + } + + if (secProps.getAttachmentCallbackHandler() == null) { + secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage)); + } + + final TokenStoreCallbackHandler callbackHandler = + new TokenStoreCallbackHandler( + secProps.getCallbackHandler(), WSS4JUtils.getTokenStore(soapMessage) + ); + secProps.setCallbackHandler(callbackHandler); + + setTokenValidators(secProps, soapMessage); + secProps.setMsgContext(soapMessage); + + final List<SecurityEventListener> securityEventListeners = + configureSecurityEventListeners(soapMessage, secProps); + + final InboundWSSec inboundWSSec = + WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage)); + + newXmlStreamReader = + inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents, securityEventListeners); + final Object provider = soapMessage.getExchange().get(Provider.class); + if (provider != null && ThreadLocalSecurityProvider.isInstalled()) { + newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) { + @Override + public int next() throws XMLStreamException { + try { + ThreadLocalSecurityProvider.setProvider((Provider)provider); + return super.next(); + } finally { + ThreadLocalSecurityProvider.unsetProvider(); + } + } + }; + } + soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader); + + // Warning: The exceptions which can occur here are not security relevant exceptions + // but configuration-errors. To catch security relevant exceptions you have to catch + // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This + // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff + // for it. Exceptions will be thrown as a wrapped XMLStreamException during further + // processing in the WS-Stack. + soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE); + } catch (WSSecurityException e) { + throw createSoapFault(soapMessage.getVersion(), e); + } catch (XMLSecurityException e) { + throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender()); + } catch (WSSPolicyException e) { + throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender()); + } catch (XMLStreamException e) { + throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender()); + } + } + + protected List<SecurityEventListener> configureSecurityEventListeners( + SoapMessage msg, WSSSecurityProperties securityProperties + ) throws WSSPolicyException { + final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>(); + msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList); + msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList); + + final SecurityEventListener securityEventListener = new SecurityEventListener() { + @Override + public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException { + if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.Timestamp + || securityEvent.getSecurityEventType() == WSSecurityEventConstants.SignatureValue + || securityEvent instanceof TokenSecurityEvent + || securityEvent instanceof AbstractSecuredElementSecurityEvent) { + // Store events required for the security context setup, or the crypto coverage checker + incomingSecurityEventList.add(securityEvent); + } + } + }; + + return Collections.singletonList(securityEventListener); + } + + protected void configureProperties( + SoapMessage msg, WSSSecurityProperties securityProperties + ) throws XMLSecurityException { + + // Configure replay caching + ReplayCache nonceCache = null; + if (isNonceCacheRequired(msg, securityProperties)) { + nonceCache = WSS4JUtils.getReplayCache( + msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE + ); + } + if (nonceCache == null) { + securityProperties.setEnableNonceReplayCache(false); + securityProperties.setNonceReplayCache(null); + } else { + securityProperties.setEnableNonceReplayCache(true); + securityProperties.setNonceReplayCache(nonceCache); + } + + ReplayCache timestampCache = null; + if (isTimestampCacheRequired(msg, securityProperties)) { + timestampCache = WSS4JUtils.getReplayCache( + msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE + ); + } + if (timestampCache == null) { + securityProperties.setEnableTimestampReplayCache(false); + securityProperties.setTimestampReplayCache(null); + } else { + securityProperties.setEnableTimestampReplayCache(true); + securityProperties.setTimestampReplayCache(timestampCache); + } + + ReplayCache samlCache = null; + if (isSamlCacheRequired(msg, securityProperties)) { + samlCache = WSS4JUtils.getReplayCache( + msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, + SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE + ); + } + if (samlCache == null) { + securityProperties.setEnableSamlOneTimeUseReplayCache(false); + securityProperties.setSamlOneTimeUseReplayCache(null); + } else { + securityProperties.setEnableSamlOneTimeUseReplayCache(true); + securityProperties.setSamlOneTimeUseReplayCache(samlCache); + } + + boolean enableRevocation = + MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION)); + securityProperties.setEnableRevocation(enableRevocation); + + // Crypto loading only applies for Map + Map<String, Object> config = getProperties(); + if (config != null && !config.isEmpty()) { + Crypto sigVerCrypto = + loadCrypto( + msg, + ConfigurationConstants.SIG_VER_PROP_FILE, + ConfigurationConstants.SIG_VER_PROP_REF_ID, + securityProperties + ); + if (sigVerCrypto == null) { + // Fall back to using the Signature properties for verification + sigVerCrypto = + loadCrypto( + msg, + ConfigurationConstants.SIG_PROP_FILE, + ConfigurationConstants.SIG_PROP_REF_ID, + securityProperties + ); + } + if (sigVerCrypto != null) { + config.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, "RefId-" + sigVerCrypto.hashCode()); + config.put("RefId-" + sigVerCrypto.hashCode(), sigVerCrypto); + } + + Crypto decCrypto = + loadCrypto( + msg, + ConfigurationConstants.DEC_PROP_FILE, + ConfigurationConstants.DEC_PROP_REF_ID, + securityProperties + ); + if (decCrypto != null) { + config.put(ConfigurationConstants.DEC_PROP_REF_ID, "RefId-" + decCrypto.hashCode()); + config.put("RefId-" + decCrypto.hashCode(), decCrypto); + } + ConfigurationConverter.parseCrypto(config, securityProperties); + } + + // Add Audience Restrictions for SAML + configureAudienceRestriction(msg, securityProperties); + } + + private void configureAudienceRestriction(SoapMessage msg, WSSSecurityProperties securityProperties) { + // Add Audience Restrictions for SAML + boolean enableAudienceRestriction = + MessageUtils.getContextualBoolean(msg, + SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, + true); + if (enableAudienceRestriction) { + List<String> audiences = new ArrayList<String>(); + if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { + audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL)); + } + if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) { + audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString()); + } + securityProperties.setAudienceRestrictions(audiences); + } + } + + /** + * Is a Nonce Cache required, i.e. are we expecting a UsernameToken + */ + protected boolean isNonceCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) { + + if (securityProperties != null && securityProperties.getActions() != null) { + for (WSSConstants.Action action : securityProperties.getActions()) { + if (action == WSSConstants.USERNAMETOKEN) { + return true; + } + } + } + + return false; + } + + /** + * Is a Timestamp cache required, i.e. are we expecting a Timestamp + */ + protected boolean isTimestampCacheRequired( + SoapMessage msg, WSSSecurityProperties securityProperties + ) { + + if (securityProperties != null && securityProperties.getActions() != null) { + for (WSSConstants.Action action : securityProperties.getActions()) { + if (action == WSSConstants.TIMESTAMP) { + return true; + } + } + } + + return false; + } + + /** + * Is a SAML Cache required, i.e. are we expecting a SAML Token + */ + protected boolean isSamlCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) { + + if (securityProperties != null && securityProperties.getActions() != null) { + for (WSSConstants.Action action : securityProperties.getActions()) { + if (action == WSSConstants.SAML_TOKEN_UNSIGNED + || action == WSSConstants.SAML_TOKEN_SIGNED) { + return true; + } + } + } + + return false; + } + + /** + * Create a SoapFault from a WSSecurityException, following the SOAP Message Security + * 1.1 specification, chapter 12 "Error Handling". + * + * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code + * specified in the WSSecurityException (if it exists). + * + * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value + * as the fault code from the WSSecurityException. + */ + private SoapFault + createSoapFault(SoapVersion version, WSSecurityException e) { + SoapFault fault; + javax.xml.namespace.QName faultCode = e.getFaultCode(); + if (version.getVersion() == 1.1 && faultCode != null) { + fault = new SoapFault(e.getMessage(), e, faultCode); + } else { + fault = new SoapFault(e.getMessage(), e, version.getSender()); + if (version.getVersion() != 1.1 && faultCode != null) { + fault.setSubCode(faultCode); + } + } + return fault; + } + + private void setTokenValidators( + WSSSecurityProperties properties, SoapMessage message + ) throws WSSecurityException { + Validator validator = loadValidator(SecurityConstants.SAML1_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_saml_Assertion, validator); + } + validator = loadValidator(SecurityConstants.SAML2_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_saml2_Assertion, validator); + } + validator = loadValidator(SecurityConstants.USERNAME_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_wsse_UsernameToken, validator); + } + validator = loadValidator(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_dsig_Signature, validator); + } + validator = loadValidator(SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_wsu_Timestamp, validator); + } + validator = loadValidator(SecurityConstants.BST_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_wsse_BinarySecurityToken, validator); + } + validator = loadValidator(SecurityConstants.SCT_TOKEN_VALIDATOR, message); + if (validator != null) { + properties.addValidator(WSSConstants.TAG_wsc0502_SecurityContextToken, validator); + properties.addValidator(WSSConstants.TAG_wsc0512_SecurityContextToken, validator); + } + } + + private Validator loadValidator(String validatorKey, SoapMessage message) throws WSSecurityException { + Object o = message.getContextualProperty(validatorKey); + if (o == null) { + return null; + } + try { + if (o instanceof Validator) { + return (Validator)o; + } else if (o instanceof Class) { + return (Validator)((Class<?>)o).newInstance(); + } else if (o instanceof String) { + return (Validator)ClassLoaderUtils.loadClass(o.toString(), + WSS4JStaxInInterceptor.class) + .newInstance(); + } else { + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, + "Cannot load Validator: " + o); + } + } catch (RuntimeException t) { + throw t; + } catch (Exception ex) { + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex); + } + } + + private class TokenStoreCallbackHandler implements CallbackHandler { + private CallbackHandler internal; + private TokenStore store; + public TokenStoreCallbackHandler(CallbackHandler in, TokenStore st) { + internal = in; + store = st; + } + + public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { + for (int i = 0; i < callbacks.length; i++) { + if (callbacks[i] instanceof WSPasswordCallback) { + WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; + + String id = pc.getIdentifier(); + SecurityToken tok = store.getToken(id); + if (tok != null && !tok.isExpired()) { + pc.setKey(tok.getSecret()); + pc.setKey(tok.getKey()); + pc.setCustomToken(tok.getToken()); + return; + } + } + } + if (internal != null) { + internal.handle(callbacks); + } + } + + } +} http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java index 95d8345..72ca7d6 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java @@ -868,8 +868,17 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class); +<<<<<<< HEAD updateAddressPort(saml2Port, PORT2); +======= + String portNumber = PORT2; + if (STAX_PORT.equals(test.getPort())) { + portNumber = STAX_PORT2; + } + updateAddressPort(saml2Port, portNumber); + +>>>>>>> ff2987d... [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP) // Create a SAML Token with an AudienceRestrictionCondition ConditionsBean conditions = new ConditionsBean(); List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); @@ -904,4 +913,98 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { } } + @org.junit.Test + public void testAudienceRestrictionServiceName() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SamlTokenTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); + DoubleItPortType saml2Port = + service.getPort(portQName, DoubleItPortType.class); + String portNumber = PORT2; + if (STAX_PORT.equals(test.getPort())) { + portNumber = STAX_PORT2; + } + updateAddressPort(saml2Port, portNumber); + + // Create a SAML Token with an AudienceRestrictionCondition + ConditionsBean conditions = new ConditionsBean(); + List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.setAudienceURIs(Collections.singletonList( + service.getServiceName().toString())); + audienceRestrictions.add(audienceRestriction); + conditions.setAudienceRestrictions(audienceRestrictions); + + SamlCallbackHandler callbackHandler = new SamlCallbackHandler(); + callbackHandler.setConditions(conditions); + ((BindingProvider)saml2Port).getRequestContext().put( + "ws-security.saml-callback-handler", callbackHandler + ); + + saml2Port.doubleIt(25); + } + + @org.junit.Test + public void testDisableAudienceRestrictionValidation() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = SamlTokenTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); + DoubleItPortType saml2Port = + service.getPort(portQName, DoubleItPortType.class); + String portNumber = PORT2; + if (STAX_PORT.equals(test.getPort())) { + portNumber = STAX_PORT2; + } + updateAddressPort(saml2Port, portNumber); + + // Create a SAML Token with an AudienceRestrictionCondition + ConditionsBean conditions = new ConditionsBean(); + List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); + AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); + audienceRestriction.setAudienceURIs(Collections.singletonList( + service.getServiceName().toString() + ".xyz")); + audienceRestrictions.add(audienceRestriction); + conditions.setAudienceRestrictions(audienceRestrictions); + + SamlCallbackHandler callbackHandler = new SamlCallbackHandler(); + callbackHandler.setConditions(conditions); + ((BindingProvider)saml2Port).getRequestContext().put( + "ws-security.saml-callback-handler", callbackHandler + ); + + // It should fail with validation enabled + try { + saml2Port.doubleIt(25); + fail("Failure expected on unknown AudienceRestriction"); + } catch (javax.xml.ws.soap.SOAPFaultException ex) { + // expected + } + + // It should pass with validation disabled + portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3"); + saml2Port = service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(saml2Port, portNumber); + + ((BindingProvider)saml2Port).getRequestContext().put( + "ws-security.saml-callback-handler", callbackHandler + ); + saml2Port.doubleIt(25); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl index c04acd3..24cf9a6 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl @@ -400,6 +400,9 @@ <wsdl:port name="DoubleItSaml2TransportPort2" binding="tns:DoubleItSaml2TransportBinding"> <soap:address location="https://localhost:9009/DoubleItSaml2Transport2"/> </wsdl:port> + <wsdl:port name="DoubleItSaml2TransportPort3" binding="tns:DoubleItSaml2TransportBinding"> + <soap:address location="https://localhost:9009/DoubleItSaml2Transport3"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy"> http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml new file mode 100644 index 0000000..14a803a --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml @@ -0,0 +1,270 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/sc hemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <!-- --> + <!-- Any services listening on port 9009 must use the following --> + <!-- Transport Layer Security (TLS) settings --> + <!-- --> + <httpj:engine-factory id="tls-settings"> + <httpj:engine port="${testutil.ports.Server.2}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.Server.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken"> + <wsp:ExactlyOne> + <wsp:All> + <sp:TransportBinding> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:TransportBinding> + <sp:SupportingTokens> + <wsp:Policy> + <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssSamlV11Token11/> + </wsp:Policy> + </sp:SamlToken> + </wsp:Policy> + </sp:SupportingTokens> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" /> + <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor"> + <constructor-arg ref="MockPDP"/> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> + </jaxws:properties> + <jaxws:inInterceptors> + <ref bean="XACMLInterceptor"/> + </jaxws:inInterceptors> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.validate.audience-restriction" value="false"/> + </jaxws:properties> + </jaxws:endpoint> +</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml new file mode 100644 index 0000000..ce0eb3f --- /dev/null +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml @@ -0,0 +1,298 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> +<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/sc hemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd "> + <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> + <cxf:bus> + <cxf:features> + <p:policies/> + <cxf:logging/> + </cxf:features> + </cxf:bus> + <!-- --> + <!-- Any services listening on port 9009 must use the following --> + <!-- Transport Layer Security (TLS) settings --> + <!-- --> + <httpj:engine-factory id="tls-settings"> + <httpj:engine port="${testutil.ports.StaxServer.2}"> + <httpj:tlsServerParameters> + <sec:keyManagers keyPassword="password"> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> + </sec:keyManagers> + <sec:trustManagers> + <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> + </sec:trustManagers> + <sec:clientAuthentication want="true" required="true"/> + </httpj:tlsServerParameters> + </httpj:engine> + </httpj:engine-factory> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.StaxServer}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.username" value="bob"/> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.encryption.username" value="useReqSigCert"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + <jaxws:features> + <p:policies> + <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"> + <wsp:ExactlyOne> + <wsp:All> + <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken"> + <wsp:ExactlyOne> + <wsp:All> + <sp:TransportBinding> + <wsp:Policy> + <sp:TransportToken> + <wsp:Policy> + <sp:HttpsToken> + <wsp:Policy/> + </sp:HttpsToken> + </wsp:Policy> + </sp:TransportToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp:Basic128/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:TransportBinding> + <sp:SupportingTokens> + <wsp:Policy> + <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> + <wsp:Policy> + <sp:WssSamlV11Token11/> + </wsp:Policy> + </sp:SamlToken> + </wsp:Policy> + </sp:SupportingTokens> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> + </p:policies> + </jaxws:features> + </jaxws:endpoint> + <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" /> + <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor"> + <constructor-arg ref="MockPDP"/> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <!--<entry key="ws-security.saml2.validator" + value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + <jaxws:inInterceptors> + <ref bean="XACMLInterceptor"/> + </jaxws:inInterceptors> + </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> + <jaxws:properties> + <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="ws-security.signature.properties" value="bob.properties"/> + <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + <entry key="ws-security.validate.audience-restriction" value="false"/> + </jaxws:properties> + </jaxws:endpoint> +</beans>