[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/737a1b13
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/737a1b13
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/737a1b13
Branch: refs/heads/2.7.x-fixes
Commit: 737a1b13a3182855ce07a6e1257f81608c24cbb7
Parents: d9ecc37
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Fri Jan 16 14:58:30 2015 +0000
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Fri Jan 16 16:23:18 2015 +0000
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 10 +-
.../ws/security/wss4j/WSS4JInInterceptor.java | 20 +
.../security/wss4j/WSS4JStaxInInterceptor.java | 480 +++++++++++++++++++
.../cxf/systest/ws/saml/SamlTokenTest.java | 103 ++++
.../cxf/systest/ws/saml/DoubleItSaml.wsdl | 3 +
.../org/apache/cxf/systest/ws/saml/server.xml | 270 +++++++++++
.../apache/cxf/systest/ws/saml/stax-server.xml | 298 ++++++++++++
7 files changed, 1183 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index f2f2201..61691a1 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -230,6 +230,13 @@ public final class SecurityConstants {
public static final String KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM =
"ws-security.kerberos.is.username.in.servicename.form";
+ /**
+ * Enable SAML AudienceRestriction validation. If this is set to "true",
then IF the
+ * SAML Token contains Audience Restriction URIs, one of them must match
either the
+ * request URL or the Service QName. The default is "true".
+ */
+ public static final String AUDIENCE_RESTRICTION_VALIDATION =
"ws-security.validate.audience-restriction";
+
//
// Non-boolean WS-Security Configuration parameters
//
@@ -608,7 +615,8 @@ public final class SecurityConstants {
CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION,
KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM,
STS_TOKEN_IMMINENT_EXPIRY_VALUE,
- KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+ KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+ AUDIENCE_RESTRICTION_VALIDATION
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index c8318f1..860a09f 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -215,6 +215,8 @@ public class WSS4JInInterceptor extends
AbstractWSS4JInterceptor {
}
reqData.setWssConfig(config);
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(msg, reqData);
SOAPMessage doc = getSOAPMessage(msg);
@@ -337,6 +339,24 @@ public class WSS4JInInterceptor extends
AbstractWSS4JInterceptor {
reqData = null;
}
}
+
+ private void configureAudienceRestriction(SoapMessage msg, RequestData
reqData) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+
SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ true);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if
(msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null)
{
+
audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ if (msg.getContextualProperty("javax.xml.ws.wsdl.service") !=
null) {
+
audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+ }
+ reqData.setAudienceRestrictions(audiences);
+ }
+ }
private void checkActions(
SoapMessage msg,
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
new file mode 100644
index 0000000..eb034a1
--- /dev/null
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
@@ -0,0 +1,480 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+import java.security.Provider;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.logging.Logger;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.stream.util.StreamReaderDelegate;
+
+import org.apache.cxf.binding.soap.SoapFault;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.binding.soap.SoapVersion;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.i18n.Message;
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.interceptor.StaxInInterceptor;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.phase.Phase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.wss4j.common.ConfigurationConstants;
+import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.common.cache.ReplayCache;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.stax.ConfigurationConverter;
+import org.apache.wss4j.stax.WSSec;
+import org.apache.wss4j.stax.ext.InboundWSSec;
+import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSSecurityProperties;
+import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.wss4j.stax.validate.Validator;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import
org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+
+public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor {
+
+ public static final String SECURITY_PROCESSED =
WSS4JStaxInInterceptor.class.getName() + ".DONE";
+
+ private static final Logger LOG =
LogUtils.getL7dLogger(WSS4JStaxInInterceptor.class);
+
+ public WSS4JStaxInInterceptor(WSSSecurityProperties securityProperties) {
+ super(securityProperties);
+ setPhase(Phase.POST_STREAM);
+ getAfter().add(StaxInInterceptor.class.getName());
+ }
+
+ public WSS4JStaxInInterceptor(Map<String, Object> props) {
+ super(props);
+ setPhase(Phase.POST_STREAM);
+ getAfter().add(StaxInInterceptor.class.getName());
+ }
+
+ public WSS4JStaxInInterceptor() {
+ super();
+ setPhase(Phase.POST_STREAM);
+ getAfter().add(StaxInInterceptor.class.getName());
+ }
+
+ public final boolean isGET(SoapMessage message) {
+ String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
+ return "GET".equals(method) &&
message.getContent(XMLStreamReader.class) == null;
+ }
+
+ @Override
+ public void handleMessage(SoapMessage soapMessage) throws Fault {
+
+ if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage))
{
+ return;
+ }
+
+ XMLStreamReader originalXmlStreamReader =
soapMessage.getContent(XMLStreamReader.class);
+ XMLStreamReader newXmlStreamReader;
+
+ soapMessage.getInterceptorChain().add(new
StaxSecurityContextInInterceptor());
+
+ try {
+ @SuppressWarnings("unchecked")
+ List<SecurityEvent> requestSecurityEvents =
+ (List<SecurityEvent>)
soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");
+
+ WSSSecurityProperties secProps = createSecurityProperties();
+ translateProperties(soapMessage, secProps);
+ configureCallbackHandler(soapMessage, secProps);
+ configureProperties(soapMessage, secProps);
+
+ if (secProps.getActions() != null && secProps.getActions().size()
> 0) {
+ soapMessage.getInterceptorChain().add(new
StaxActionInInterceptor(secProps.getActions()));
+ }
+
+ if (secProps.getAttachmentCallbackHandler() == null) {
+ secProps.setAttachmentCallbackHandler(new
AttachmentCallbackHandler(soapMessage));
+ }
+
+ final TokenStoreCallbackHandler callbackHandler =
+ new TokenStoreCallbackHandler(
+ secProps.getCallbackHandler(),
WSS4JUtils.getTokenStore(soapMessage)
+ );
+ secProps.setCallbackHandler(callbackHandler);
+
+ setTokenValidators(secProps, soapMessage);
+ secProps.setMsgContext(soapMessage);
+
+ final List<SecurityEventListener> securityEventListeners =
+ configureSecurityEventListeners(soapMessage, secProps);
+
+ final InboundWSSec inboundWSSec =
+ WSSec.getInboundWSSec(secProps,
MessageUtils.isRequestor(soapMessage));
+
+ newXmlStreamReader =
+ inboundWSSec.processInMessage(originalXmlStreamReader,
requestSecurityEvents, securityEventListeners);
+ final Object provider =
soapMessage.getExchange().get(Provider.class);
+ if (provider != null && ThreadLocalSecurityProvider.isInstalled())
{
+ newXmlStreamReader = new
StreamReaderDelegate(newXmlStreamReader) {
+ @Override
+ public int next() throws XMLStreamException {
+ try {
+
ThreadLocalSecurityProvider.setProvider((Provider)provider);
+ return super.next();
+ } finally {
+ ThreadLocalSecurityProvider.unsetProvider();
+ }
+ }
+ };
+ }
+ soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader);
+
+ // Warning: The exceptions which can occur here are not security
relevant exceptions
+ // but configuration-errors. To catch security relevant exceptions
you have to catch
+ // them e.g.in the FaultOutInterceptor. Why? Because we do
streaming security. This
+ // interceptor doesn't handle the ws-security stuff but just setup
the relevant stuff
+ // for it. Exceptions will be thrown as a wrapped
XMLStreamException during further
+ // processing in the WS-Stack.
+ soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
+ } catch (WSSecurityException e) {
+ throw createSoapFault(soapMessage.getVersion(), e);
+ } catch (XMLSecurityException e) {
+ throw new SoapFault(new Message("STAX_EX", LOG), e,
soapMessage.getVersion().getSender());
+ } catch (WSSPolicyException e) {
+ throw new SoapFault(e.getMessage(), e,
soapMessage.getVersion().getSender());
+ } catch (XMLStreamException e) {
+ throw new SoapFault(new Message("STAX_EX", LOG), e,
soapMessage.getVersion().getSender());
+ }
+ }
+
+ protected List<SecurityEventListener> configureSecurityEventListeners(
+ SoapMessage msg, WSSSecurityProperties securityProperties
+ ) throws WSSPolicyException {
+ final List<SecurityEvent> incomingSecurityEventList = new
LinkedList<SecurityEvent>();
+ msg.getExchange().put(SecurityEvent.class.getName() + ".in",
incomingSecurityEventList);
+ msg.put(SecurityEvent.class.getName() + ".in",
incomingSecurityEventList);
+
+ final SecurityEventListener securityEventListener = new
SecurityEventListener() {
+ @Override
+ public void registerSecurityEvent(SecurityEvent securityEvent)
throws WSSecurityException {
+ if (securityEvent.getSecurityEventType() ==
WSSecurityEventConstants.Timestamp
+ || securityEvent.getSecurityEventType() ==
WSSecurityEventConstants.SignatureValue
+ || securityEvent instanceof TokenSecurityEvent
+ || securityEvent instanceof
AbstractSecuredElementSecurityEvent) {
+ // Store events required for the security context setup,
or the crypto coverage checker
+ incomingSecurityEventList.add(securityEvent);
+ }
+ }
+ };
+
+ return Collections.singletonList(securityEventListener);
+ }
+
+ protected void configureProperties(
+ SoapMessage msg, WSSSecurityProperties securityProperties
+ ) throws XMLSecurityException {
+
+ // Configure replay caching
+ ReplayCache nonceCache = null;
+ if (isNonceCacheRequired(msg, securityProperties)) {
+ nonceCache = WSS4JUtils.getReplayCache(
+ msg, SecurityConstants.ENABLE_NONCE_CACHE,
SecurityConstants.NONCE_CACHE_INSTANCE
+ );
+ }
+ if (nonceCache == null) {
+ securityProperties.setEnableNonceReplayCache(false);
+ securityProperties.setNonceReplayCache(null);
+ } else {
+ securityProperties.setEnableNonceReplayCache(true);
+ securityProperties.setNonceReplayCache(nonceCache);
+ }
+
+ ReplayCache timestampCache = null;
+ if (isTimestampCacheRequired(msg, securityProperties)) {
+ timestampCache = WSS4JUtils.getReplayCache(
+ msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE,
SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+ );
+ }
+ if (timestampCache == null) {
+ securityProperties.setEnableTimestampReplayCache(false);
+ securityProperties.setTimestampReplayCache(null);
+ } else {
+ securityProperties.setEnableTimestampReplayCache(true);
+ securityProperties.setTimestampReplayCache(timestampCache);
+ }
+
+ ReplayCache samlCache = null;
+ if (isSamlCacheRequired(msg, securityProperties)) {
+ samlCache = WSS4JUtils.getReplayCache(
+ msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE,
+ SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
+ );
+ }
+ if (samlCache == null) {
+ securityProperties.setEnableSamlOneTimeUseReplayCache(false);
+ securityProperties.setSamlOneTimeUseReplayCache(null);
+ } else {
+ securityProperties.setEnableSamlOneTimeUseReplayCache(true);
+ securityProperties.setSamlOneTimeUseReplayCache(samlCache);
+ }
+
+ boolean enableRevocation =
+
MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
+ securityProperties.setEnableRevocation(enableRevocation);
+
+ // Crypto loading only applies for Map
+ Map<String, Object> config = getProperties();
+ if (config != null && !config.isEmpty()) {
+ Crypto sigVerCrypto =
+ loadCrypto(
+ msg,
+ ConfigurationConstants.SIG_VER_PROP_FILE,
+ ConfigurationConstants.SIG_VER_PROP_REF_ID,
+ securityProperties
+ );
+ if (sigVerCrypto == null) {
+ // Fall back to using the Signature properties for verification
+ sigVerCrypto =
+ loadCrypto(
+ msg,
+ ConfigurationConstants.SIG_PROP_FILE,
+ ConfigurationConstants.SIG_PROP_REF_ID,
+ securityProperties
+ );
+ }
+ if (sigVerCrypto != null) {
+ config.put(ConfigurationConstants.SIG_VER_PROP_REF_ID,
"RefId-" + sigVerCrypto.hashCode());
+ config.put("RefId-" + sigVerCrypto.hashCode(), sigVerCrypto);
+ }
+
+ Crypto decCrypto =
+ loadCrypto(
+ msg,
+ ConfigurationConstants.DEC_PROP_FILE,
+ ConfigurationConstants.DEC_PROP_REF_ID,
+ securityProperties
+ );
+ if (decCrypto != null) {
+ config.put(ConfigurationConstants.DEC_PROP_REF_ID, "RefId-" +
decCrypto.hashCode());
+ config.put("RefId-" + decCrypto.hashCode(), decCrypto);
+ }
+ ConfigurationConverter.parseCrypto(config, securityProperties);
+ }
+
+ // Add Audience Restrictions for SAML
+ configureAudienceRestriction(msg, securityProperties);
+ }
+
+ private void configureAudienceRestriction(SoapMessage msg,
WSSSecurityProperties securityProperties) {
+ // Add Audience Restrictions for SAML
+ boolean enableAudienceRestriction =
+ MessageUtils.getContextualBoolean(msg,
+
SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
+ true);
+ if (enableAudienceRestriction) {
+ List<String> audiences = new ArrayList<String>();
+ if
(msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null)
{
+
audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+ }
+ if (msg.getContextualProperty("javax.xml.ws.wsdl.service") !=
null) {
+
audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+ }
+ securityProperties.setAudienceRestrictions(audiences);
+ }
+ }
+
+ /**
+ * Is a Nonce Cache required, i.e. are we expecting a UsernameToken
+ */
+ protected boolean isNonceCacheRequired(SoapMessage msg,
WSSSecurityProperties securityProperties) {
+
+ if (securityProperties != null && securityProperties.getActions() !=
null) {
+ for (WSSConstants.Action action : securityProperties.getActions())
{
+ if (action == WSSConstants.USERNAMETOKEN) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Is a Timestamp cache required, i.e. are we expecting a Timestamp
+ */
+ protected boolean isTimestampCacheRequired(
+ SoapMessage msg, WSSSecurityProperties securityProperties
+ ) {
+
+ if (securityProperties != null && securityProperties.getActions() !=
null) {
+ for (WSSConstants.Action action : securityProperties.getActions())
{
+ if (action == WSSConstants.TIMESTAMP) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Is a SAML Cache required, i.e. are we expecting a SAML Token
+ */
+ protected boolean isSamlCacheRequired(SoapMessage msg,
WSSSecurityProperties securityProperties) {
+
+ if (securityProperties != null && securityProperties.getActions() !=
null) {
+ for (WSSConstants.Action action : securityProperties.getActions())
{
+ if (action == WSSConstants.SAML_TOKEN_UNSIGNED
+ || action == WSSConstants.SAML_TOKEN_SIGNED) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
+ /**
+ * Create a SoapFault from a WSSecurityException, following the SOAP
Message Security
+ * 1.1 specification, chapter 12 "Error Handling".
+ *
+ * When the Soap version is 1.1 then set the Fault/Code/Value from the
fault code
+ * specified in the WSSecurityException (if it exists).
+ *
+ * Otherwise set the Fault/Code/Value to env:Sender and the
Fault/Code/Subcode/Value
+ * as the fault code from the WSSecurityException.
+ */
+ private SoapFault
+ createSoapFault(SoapVersion version, WSSecurityException e) {
+ SoapFault fault;
+ javax.xml.namespace.QName faultCode = e.getFaultCode();
+ if (version.getVersion() == 1.1 && faultCode != null) {
+ fault = new SoapFault(e.getMessage(), e, faultCode);
+ } else {
+ fault = new SoapFault(e.getMessage(), e, version.getSender());
+ if (version.getVersion() != 1.1 && faultCode != null) {
+ fault.setSubCode(faultCode);
+ }
+ }
+ return fault;
+ }
+
+ private void setTokenValidators(
+ WSSSecurityProperties properties, SoapMessage message
+ ) throws WSSecurityException {
+ Validator validator =
loadValidator(SecurityConstants.SAML1_TOKEN_VALIDATOR, message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_saml_Assertion,
validator);
+ }
+ validator = loadValidator(SecurityConstants.SAML2_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_saml2_Assertion,
validator);
+ }
+ validator = loadValidator(SecurityConstants.USERNAME_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_wsse_UsernameToken,
validator);
+ }
+ validator = loadValidator(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_dsig_Signature,
validator);
+ }
+ validator = loadValidator(SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_wsu_Timestamp, validator);
+ }
+ validator = loadValidator(SecurityConstants.BST_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+ properties.addValidator(WSSConstants.TAG_wsse_BinarySecurityToken,
validator);
+ }
+ validator = loadValidator(SecurityConstants.SCT_TOKEN_VALIDATOR,
message);
+ if (validator != null) {
+
properties.addValidator(WSSConstants.TAG_wsc0502_SecurityContextToken,
validator);
+
properties.addValidator(WSSConstants.TAG_wsc0512_SecurityContextToken,
validator);
+ }
+ }
+
+ private Validator loadValidator(String validatorKey, SoapMessage message)
throws WSSecurityException {
+ Object o = message.getContextualProperty(validatorKey);
+ if (o == null) {
+ return null;
+ }
+ try {
+ if (o instanceof Validator) {
+ return (Validator)o;
+ } else if (o instanceof Class) {
+ return (Validator)((Class<?>)o).newInstance();
+ } else if (o instanceof String) {
+ return (Validator)ClassLoaderUtils.loadClass(o.toString(),
+
WSS4JStaxInInterceptor.class)
+ .newInstance();
+ } else {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+ "Cannot load Validator: " +
o);
+ }
+ } catch (RuntimeException t) {
+ throw t;
+ } catch (Exception ex) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
+ }
+ }
+
+ private class TokenStoreCallbackHandler implements CallbackHandler {
+ private CallbackHandler internal;
+ private TokenStore store;
+ public TokenStoreCallbackHandler(CallbackHandler in, TokenStore st) {
+ internal = in;
+ store = st;
+ }
+
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+
+ String id = pc.getIdentifier();
+ SecurityToken tok = store.getToken(id);
+ if (tok != null && !tok.isExpired()) {
+ pc.setKey(tok.getSecret());
+ pc.setKey(tok.getKey());
+ pc.setCustomToken(tok.getToken());
+ return;
+ }
+ }
+ }
+ if (internal != null) {
+ internal.handle(callbacks);
+ }
+ }
+
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index 95d8345..72ca7d6 100644
---
a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -868,8 +868,17 @@ public class SamlTokenTest extends
AbstractBusClientServerTestBase {
QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
DoubleItPortType saml2Port =
service.getPort(portQName, DoubleItPortType.class);
+<<<<<<< HEAD
updateAddressPort(saml2Port, PORT2);
+=======
+ String portNumber = PORT2;
+ if (STAX_PORT.equals(test.getPort())) {
+ portNumber = STAX_PORT2;
+ }
+ updateAddressPort(saml2Port, portNumber);
+
+>>>>>>> ff2987d... [CXF-5674] - CXF Support in "Audience Restriction" of SAML
2 (SOAP)
// Create a SAML Token with an AudienceRestrictionCondition
ConditionsBean conditions = new ConditionsBean();
List<AudienceRestrictionBean> audienceRestrictions = new
ArrayList<AudienceRestrictionBean>();
@@ -904,4 +913,98 @@ public class SamlTokenTest extends
AbstractBusClientServerTestBase {
}
}
+ @org.junit.Test
+ public void testAudienceRestrictionServiceName() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ String portNumber = PORT2;
+ if (STAX_PORT.equals(test.getPort())) {
+ portNumber = STAX_PORT2;
+ }
+ updateAddressPort(saml2Port, portNumber);
+
+ // Create a SAML Token with an AudienceRestrictionCondition
+ ConditionsBean conditions = new ConditionsBean();
+ List<AudienceRestrictionBean> audienceRestrictions = new
ArrayList<AudienceRestrictionBean>();
+ AudienceRestrictionBean audienceRestriction = new
AudienceRestrictionBean();
+ audienceRestriction.setAudienceURIs(Collections.singletonList(
+ service.getServiceName().toString()));
+ audienceRestrictions.add(audienceRestriction);
+ conditions.setAudienceRestrictions(audienceRestrictions);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConditions(conditions);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ saml2Port.doubleIt(25);
+ }
+
+ @org.junit.Test
+ public void testDisableAudienceRestrictionValidation() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+ DoubleItPortType saml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ String portNumber = PORT2;
+ if (STAX_PORT.equals(test.getPort())) {
+ portNumber = STAX_PORT2;
+ }
+ updateAddressPort(saml2Port, portNumber);
+
+ // Create a SAML Token with an AudienceRestrictionCondition
+ ConditionsBean conditions = new ConditionsBean();
+ List<AudienceRestrictionBean> audienceRestrictions = new
ArrayList<AudienceRestrictionBean>();
+ AudienceRestrictionBean audienceRestriction = new
AudienceRestrictionBean();
+ audienceRestriction.setAudienceURIs(Collections.singletonList(
+ service.getServiceName().toString() + ".xyz"));
+ audienceRestrictions.add(audienceRestriction);
+ conditions.setAudienceRestrictions(audienceRestrictions);
+
+ SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+ callbackHandler.setConditions(conditions);
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+
+ // It should fail with validation enabled
+ try {
+ saml2Port.doubleIt(25);
+ fail("Failure expected on unknown AudienceRestriction");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ // expected
+ }
+
+ // It should pass with validation disabled
+ portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
+ saml2Port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(saml2Port, portNumber);
+
+ ((BindingProvider)saml2Port).getRequestContext().put(
+ "ws-security.saml-callback-handler", callbackHandler
+ );
+ saml2Port.doubleIt(25);
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index c04acd3..24cf9a6 100644
---
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -400,6 +400,9 @@
<wsdl:port name="DoubleItSaml2TransportPort2"
binding="tns:DoubleItSaml2TransportBinding">
<soap:address
location="https://localhost:9009/DoubleItSaml2Transport2"/>
</wsdl:port>
+ <wsdl:port name="DoubleItSaml2TransportPort3"
binding="tns:DoubleItSaml2TransportBinding">
+ <soap:address
location="https://localhost:9009/DoubleItSaml2Transport3"/>
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
new file mode 100644
index 0000000..14a803a
--- /dev/null
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -0,0 +1,270 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration";
xmlns:sec="http://cxf.apache.org/configuration/security";
xmlns:cxf="http://cxf.apache.org/core"; xmlns:p="http://cxf.apache.org/policy";
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/sc
hemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd ">
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <!-- -->
+ <!-- Any services listening on port 9009 must use the following -->
+ <!-- Transport Layer Security (TLS) settings -->
+ <!-- -->
+ <httpj:engine-factory id="tls-settings">
+ <httpj:engine port="${testutil.ports.Server.2}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1TokenOverTransport"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1TokenOverTransport2"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference
xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SupportingToken"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetric"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetric"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetric2"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference
xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SelfSignedTokenOverTransport"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml1SelfSignedTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SelfSignedTokenOverTransportSP11"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransportSP11";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingOverTransport"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingOverTransportSP11"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransportSP11";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingTransportSP11Port"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="AsymmetricSamlInitiatorPort"
address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator";
serviceName="s:DoubleItService"
endpointName="s:DoubleItAsymmetricSamlInitiatorPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetricSignedElements"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2SymmetricSignedElementsPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricSignedEncrypted"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricEncrypted"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricEncrypted";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricEncryptedPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingEncryptedOverTransport"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="InlinePolicy"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSamlInlinePolicy";
serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy";>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
wsu:Id="SamlToken">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+ <wsp:Policy>
+ <sp:WssSamlV11Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl"
id="MockPDP" />
+ <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor"
id="XACMLInterceptor">
+ <constructor-arg ref="MockPDP"/>
+ </bean>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetricPEP"
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.saml2.validator"
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+ </jaxws:properties>
+ <jaxws:inInterceptors>
+ <ref bean="XACMLInterceptor"/>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken3"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.validate.audience-restriction"
value="false"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/737a1b13/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git
a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
new file mode 100644
index 0000000..ce0eb3f
--- /dev/null
+++
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -0,0 +1,298 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:util="http://www.springframework.org/schema/util";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration";
xmlns:sec="http://cxf.apache.org/configuration/security";
xmlns:cxf="http://cxf.apache.org/core"; xmlns:p="http://cxf.apache.org/policy";
xsi:schemaLocation=" http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/sc
hemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd ">
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <p:policies/>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <!-- -->
+ <!-- Any services listening on port 9009 must use the following -->
+ <!-- Transport Layer Security (TLS) settings -->
+ <!-- -->
+ <httpj:engine-factory id="tls-settings">
+ <httpj:engine port="${testutil.ports.StaxServer.2}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="password"
resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+ </sec:trustManagers>
+ <sec:clientAuthentication want="true" required="true"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1TokenOverTransport"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1TokenOverTransport2"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference
xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SupportingToken"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Supporting";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetric"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Symmetric";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetric"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetric2"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference
xmlns:wsp="http://www.w3.org/ns/ws-policy";
URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SelfSignedTokenOverTransport"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml1SelfSignedTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml1SelfSignedTokenOverTransportSP11"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransportSP11";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingOverTransport"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingOverTransportSP11"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransportSP11";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingTransportSP11Port"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="AsymmetricSamlInitiatorPort"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItAsymmetricSamlInitiator";
serviceName="s:DoubleItService"
endpointName="s:DoubleItAsymmetricSamlInitiatorPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetricSignedElements"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2SymmetricSignedElements";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2SymmetricSignedElementsPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricSignedEncrypted"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncrypted";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverAsymmetricEncrypted"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricEncrypted";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2AsymmetricEncryptedPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="bob"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.encryption.username"
value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2EndorsingEncryptedOverTransport"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingEncryptedTransport";
serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="InlinePolicy"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSamlInlinePolicy";
serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy";>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
wsu:Id="SamlToken">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:TransportBinding>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens>
+ <wsp:Policy>
+ <sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
+ <wsp:Policy>
+ <sp:WssSamlV11Token11/>
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </p:policies>
+ </jaxws:features>
+ </jaxws:endpoint>
+ <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl"
id="MockPDP" />
+ <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor"
id="XACMLInterceptor">
+ <constructor-arg ref="MockPDP"/>
+ </bean>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TokenOverSymmetricPEP"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2PEP";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <!--<entry key="ws-security.saml2.validator"
+
value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ <jaxws:inInterceptors>
+ <ref bean="XACMLInterceptor"/>
+ </jaxws:inInterceptors>
+ </jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="Saml2TransportToken3"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3";
serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3"
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
value="bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints"
value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ <entry key="ws-security.validate.audience-restriction"
value="false"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+</beans>
