Adding support for WS-Security kerberos credential delegation + a system test
Conflicts:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/009e15fd
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/009e15fd
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/009e15fd
Branch: refs/heads/2.7.x-fixes
Commit: 009e15fd03ebf52622a478821ee65c1f9b8975ad
Parents: 04667db
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Wed Aug 6 12:21:20 2014 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Wed Aug 6 15:04:01 2014 +0100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 14 ++
.../ws/security/kerberos/KerberosClient.java | 52 ++++++-
.../ws/security/wss4j/WSS4JInInterceptor.java | 11 ++
.../sts/kerberos/DoubleItPortTypeImpl.java | 50 +++++++
.../cxf/systest/sts/kerberos/Intermediary.java | 46 ++++++
.../sts/kerberos/IntermediaryPortTypeImpl.java | 90 ++++++++++++
.../kerberos/KerberosDelegationTokenTest.java | 113 +++++++++++++++
.../systest/sts/kerberos/KerberosTokenTest.java | 6 +-
.../sts/kerberos/DoubleItIntermediary.wsdl | 142 +++++++++++++++++++
.../sts/kerberos/cxf-intermediary-client.xml | 48 +++++++
.../systest/sts/kerberos/cxf-intermediary.xml | 102 +++++++++++++
.../cxf/systest/sts/kerberos/cxf-service.xml | 27 ++++
12 files changed, 699 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index dcf4a62..4ab0e50 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -528,6 +528,13 @@ public final class SecurityConstants {
* The default value is "true".
*/
public static final String SC_FROM_JAAS_SUBJECT =
"ws-security.sc.jaas-subject";
+
+ /**
+ * A delegated credential to use for WS-Security. Currently only a
Kerberos GSSCredential
+ * Object is supported. This is used to retrieve a service ticket instead
of using the
+ * client credentials.
+ */
+ public static final String DELEGATED_CREDENTIAL =
"ws-security.delegated.credential";
//
// Internal tags
@@ -556,8 +563,15 @@ public final class SecurityConstants {
DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS,
STS_TOKEN_ON_BEHALF_OF,
TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER,
SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
+<<<<<<< HEAD
ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE,
SAML_ONE_TIME_USE_CACHE_INSTANCE,
CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG
+=======
+ ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE,
ENABLE_SAML_ONE_TIME_USE_CACHE,
+ SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY,
RETURN_SECURITY_ERROR,
+ CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
+ DELEGATED_CREDENTIAL
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential
delegation + a system test
}));
ALL_PROPERTIES = Collections.unmodifiableSet(s);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
index 23c06ba..cc54a10 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosClient.java
@@ -29,11 +29,22 @@ import org.apache.cxf.Bus;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.configuration.Configurable;
import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.PhaseInterceptorChain;
+import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+<<<<<<< HEAD
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
+=======
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.xml.security.utils.Base64;
+import org.ietf.jgss.GSSCredential;
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential
delegation + a system test
/**
* A class that obtains a ticket from a KDC and wraps it in a SecurityToken
object.
@@ -47,6 +58,9 @@ public class KerberosClient implements Configurable {
private CallbackHandler callbackHandler;
private String contextName;
private WSSConfig wssConfig = WSSConfig.getNewInstance();
+ private boolean requestCredentialDelegation;
+ private boolean isUsernameServiceNameForm;
+ private boolean useDelegatedCredential;
@Deprecated
public KerberosClient(Bus b) {
@@ -126,12 +140,24 @@ public class KerberosClient implements Configurable {
}
public SecurityToken requestSecurityToken() throws Exception {
+ // See if we have a delegated Credential to use
+ Message message = PhaseInterceptorChain.getCurrentMessage();
+ GSSCredential delegatedCredential = null;
+ if (message != null && useDelegatedCredential) {
+ Object obj =
message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL);
+ if (obj instanceof GSSCredential) {
+ delegatedCredential = (GSSCredential)obj;
+ }
+ }
+
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Requesting Kerberos ticket for " + serviceName
+ " using JAAS Login Module: " + getContextName());
}
KerberosSecurity bst = new KerberosSecurity(DOMUtils.createDocument());
- bst.retrieveServiceTicket(getContextName(), callbackHandler,
serviceName);
+ bst.retrieveServiceTicket(getContextName(), callbackHandler,
serviceName,
+ isUsernameServiceNameForm,
requestCredentialDelegation,
+ delegatedCredential);
bst.addWSUNamespace();
bst.setID(wssConfig.getIdAllocator().createSecureId("BST-", bst));
@@ -149,4 +175,28 @@ public class KerberosClient implements Configurable {
return token;
}
+ public boolean isUsernameServiceNameForm() {
+ return isUsernameServiceNameForm;
+ }
+
+ public void setUsernameServiceNameForm(boolean usernameServiceNameForm) {
+ this.isUsernameServiceNameForm = usernameServiceNameForm;
+ }
+
+ public boolean isRequestCredentialDelegation() {
+ return requestCredentialDelegation;
+ }
+
+ public void setRequestCredentialDelegation(boolean
requestCredentialDelegation) {
+ this.requestCredentialDelegation = requestCredentialDelegation;
+ }
+
+ public boolean isUseDelegatedCredential() {
+ return useDelegatedCredential;
+ }
+
+ public void setUseDelegatedCredential(boolean useDelegatedCredential) {
+ this.useDelegatedCredential = useDelegatedCredential;
+ }
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 0011ef1..9d7cf6e 100644
---
a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -554,7 +554,18 @@ public class WSS4JInInterceptor extends
AbstractWSS4JInterceptor {
if (!utWithCallbacks) {
WSS4JTokenConverter.convertToken(msg, p);
}
+<<<<<<< HEAD
Object receivedAssertion = null;
+=======
+ Object receivedAssertion =
o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (receivedAssertion == null) {
+ receivedAssertion =
o.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+ }
+ if (o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) !=
null) {
+ msg.put(SecurityConstants.DELEGATED_CREDENTIAL,
+
o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL));
+ }
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential
delegation + a system test
List<String> roles = null;
if (o.get(WSSecurityEngineResult.TAG_SAML_ASSERTION) != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java
new file mode 100644
index 0000000..11e187a
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/DoubleItPortTypeImpl.java
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.jws.WebService;
+import javax.xml.ws.WebServiceContext;
+
+import org.apache.cxf.feature.Features;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.Assert;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt";,
+ serviceName = "DoubleItService",
+ endpointInterface =
"org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")
+public class DoubleItPortTypeImpl implements DoubleItPortType {
+
+ @Resource
+ WebServiceContext wsContext;
+
+ public int doubleIt(int numberToDouble) {
+ Principal pr = wsContext.getUserPrincipal();
+
+ Assert.assertNotNull("Principal must not be null", pr);
+ Assert.assertNotNull("Principal.getName() must not return null",
pr.getName());
+ Assert.assertTrue(pr.getName().startsWith("alice"));
+
+ return numberToDouble * 2;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java
new file mode 100644
index 0000000..4ad2822
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/Intermediary.java
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Intermediary extends AbstractBusTestServerBase {
+
+ public Intermediary() {
+
+ }
+
+ protected void run() {
+ URL busFile = Intermediary.class.getResource("cxf-intermediary.xml");
+ Bus busLocal = new SpringBusFactory().createBus(busFile);
+ BusFactory.setDefaultBus(busLocal);
+ setBus(busLocal);
+
+ try {
+ new Intermediary();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java
new file mode 100644
index 0000000..1d4bcc0
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/IntermediaryPortTypeImpl.java
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.net.URL;
+import java.security.Principal;
+import java.util.Map;
+
+import javax.annotation.Resource;
+import javax.jws.WebService;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
+
+import org.apache.cxf.feature.Features;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.ietf.jgss.GSSCredential;
+import org.junit.Assert;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt";,
+ serviceName = "DoubleItService",
+ endpointInterface =
"org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")
+public class IntermediaryPortTypeImpl extends AbstractBusClientServerTestBase
implements DoubleItPortType {
+
+ private static final String NAMESPACE =
"http://www.example.org/contract/DoubleIt";;
+ private static final QName SERVICE_QNAME = new QName(NAMESPACE,
"DoubleItService");
+
+ @Resource
+ WebServiceContext wsc;
+
+ public int doubleIt(int numberToDouble) {
+ Principal pr = wsc.getUserPrincipal();
+
+ Assert.assertNotNull("Principal must not be null", pr);
+ Assert.assertNotNull("Principal.getName() must not return null",
pr.getName());
+
+ URL wsdl = IntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
+ DoubleItPortType transportPort =
+ service.getPort(portQName, DoubleItPortType.class);
+ try {
+ updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
+ } catch (Exception ex) {
+ ex.printStackTrace();
+ }
+
+ // Retrieve delegated credential + set it on the outbound message
+ MessageContext messageContext = wsc.getMessageContext();
+ GSSCredential delegatedCredential =
+
(GSSCredential)messageContext.get(SecurityConstants.DELEGATED_CREDENTIAL);
+ Map<String, Object> context =
((BindingProvider)transportPort).getRequestContext();
+ context.put(SecurityConstants.DELEGATED_CREDENTIAL,
delegatedCredential);
+
+ STSClient stsClient =
(STSClient)context.get(SecurityConstants.STS_CLIENT);
+ if (stsClient != null) {
+ String location = stsClient.getWsdlLocation();
+ if (location.contains("8443")) {
+ stsClient.setWsdlLocation(
+ location.replace("8443",
KerberosDelegationTokenTest.STSPORT)
+ );
+ }
+ }
+
+ return transportPort.doubleIt(numberToDouble);
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
new file mode 100644
index 0000000..17c33a0
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosDelegationTokenTest.java
@@ -0,0 +1,113 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.kerberos;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.systest.sts.common.TokenTestUtils;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+/**
+ * This tests credential delegation. The client enables credential delegation
+ sends a Kerberos
+ * token to an Intermediary via WS-Security. The Intermediary validates the
token, and then
+ * uses the delgated credential to obtain a ticket to in turn retrieve a SAML
token from the
+ * STS. The SAML token is used to secure access to the backend service.
+ *
+ * The tests are @Ignored by default, as a KDC is needed. To replicate the
test scenario, set up a KDC with
+ * user principal "alice" (keytab in "/etc/alice.keytab"), and host service
"b...@service.ws.apache.org"
+ * (keytab in "/etc/bob.keytab").
+ */
+@org.junit.Ignore
+public class KerberosDelegationTokenTest extends
AbstractBusClientServerTestBase {
+
+ static final String STSPORT = allocatePort(STSServer.class);
+ static final String PORT = allocatePort(Server.class);
+ static final String INTERMEDIARY_PORT = allocatePort(Intermediary.class);
+
+ private static final String NAMESPACE =
"http://www.example.org/contract/DoubleIt";;
+ private static final QName SERVICE_QNAME = new QName(NAMESPACE,
"DoubleItService");
+
+ @BeforeClass
+ public static void startServers() throws Exception {
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(Server.class, true)
+ );
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(STSServer.class, true)
+ );
+ assertTrue(
+ "Server failed to launch",
+ // run the server in the same process
+ // set this to false to fork
+ launchServer(Intermediary.class, true)
+ );
+ }
+
+ @org.junit.AfterClass
+ public static void cleanup() throws Exception {
+ SecurityTestUtil.cleanup();
+ stopAllServers();
+ }
+
+ @org.junit.Test
+ public void testKerberosToken() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile =
KerberosDelegationTokenTest.class.getResource("cxf-intermediary-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl =
KerberosDelegationTokenTest.class.getResource("DoubleItIntermediary.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE,
"DoubleItTransportKerberosPort");
+ DoubleItPortType transportSaml2Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml2Port, INTERMEDIARY_PORT);
+
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml2Port,
STSPORT);
+
+ doubleIt(transportSaml2Port, 25);
+
+ ((java.io.Closeable)transportSaml2Port).close();
+ bus.shutdown(true);
+ }
+
+ private static void doubleIt(DoubleItPortType port, int numToDouble) {
+ int resp = port.doubleIt(numToDouble);
+ assertEquals(numToDouble * 2 , resp);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
index 6ddc9ad..e8a8498 100644
---
a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
+++
b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/kerberos/KerberosTokenTest.java
@@ -42,6 +42,11 @@ import org.junit.BeforeClass;
* user principal "alice" (keytab in "/etc/alice.keytab"), and host service
"b...@service.ws.apache.org"
* (keytab in "/etc/bob.keytab").
*/
+<<<<<<< HEAD
+=======
+@RunWith(value = org.junit.runners.Parameterized.class)
+@org.junit.Ignore
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential
delegation + a system test
public class KerberosTokenTest extends AbstractBusClientServerTestBase {
static final String STSPORT = allocatePort(STSServer.class);
@@ -74,7 +79,6 @@ public class KerberosTokenTest extends
AbstractBusClientServerTestBase {
}
@org.junit.Test
- @org.junit.Ignore
public void testKerberosToken() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl
new file mode 100644
index 0000000..d1d56a5
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl
@@ -0,0 +1,142 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
xmlns:di="http://www.example.org/schema/DoubleIt";
xmlns:tns="http://www.example.org/contract/DoubleIt";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
xmlns:wsaw="http://www.w3.org/2005/08/addressing";
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"; name="DoubleIt"
targetNamespace="http://www.example.org/contract/DoubleIt";>
+ <wsdl:import location="src/test/resources/DoubleItLogical.wsdl"
namespace="http://www.example.org/contract/DoubleIt"/>
+ <wsdl:binding name="DoubleItTransportKerberosBinding"
type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItBindingTransportKerberosPolicy"/>
+ <soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference
URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:service name="DoubleItService">
+ <wsdl:port name="DoubleItTransportKerberosPort"
binding="tns:DoubleItTransportKerberosBinding">
+ <soap:address
location="https://localhost:8081/doubleit/services/doubleittransportkerberos"/>
+ </wsdl:port>
+ </wsdl:service>
+ <wsp:Policy wsu:Id="DoubleItBindingTransportKerberosPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsam:Addressing wsp:Optional="false">
+ <wsp:Policy/>
+ </wsam:Addressing>
+ <sp:TransportBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:TripleDes/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:SupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
+ <wsp:Policy>
+ <sp:KerberosToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once";>
+ <wsp:Policy>
+ <sp:WssGssKerberosV5ApReqToken11/>
+ </wsp:Policy>
+ </sp:KerberosToken>
+ </wsp:Policy>
+ </sp:SupportingTokens>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13>
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens/>
+ <sp:RequireClientEntropy/>
+ <sp:RequireServerEntropy/>
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="AckRequested"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="SequenceAcknowledgement"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="Sequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="CreateSequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:EncryptedParts>
+ <sp:Body/>
+ </sp:EncryptedParts>
+ <sp:SignedParts>
+ <sp:Body/>
+ <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
+ <sp:Header Name="AckRequested"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="SequenceAcknowledgement"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="Sequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ <sp:Header Name="CreateSequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
+ </sp:SignedParts>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+</wsdl:definitions>
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml
new file mode 100644
index 0000000..8bfbaae
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary-client.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:cxf="http://cxf.apache.org/core";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:sec="http://cxf.apache.org/configuration/security"; xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd";>
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient"
id="kerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="alice"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ <property name="requestCredentialDelegation" value="true"/>
+ </bean>
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTransportKerberosPort";
createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.kerberos.client"
value-ref="kerberosClient"/>
+ </jaxws:properties>
+ </jaxws:client>
+ <http:conduit name="https://localhost:.*";>
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
new file mode 100644
index 0000000..0398a7e
--- /dev/null
+++
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-intermediary.xml
@@ -0,0 +1,102 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:cxf="http://cxf.apache.org/core";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:sec="http://cxf.apache.org/configuration/security";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration";
xmlns:jaxws="http://cxf.apache.org/jaxws"; xsi:schemaLocation="
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd";>
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+ <cxf:bus>
+ <cxf:features>
+ <cxf:logging/>
+ </cxf:features>
+ </cxf:bus>
+
+ <bean id="kerberosValidator"
class="org.apache.wss4j.dom.validate.KerberosTokenValidator">
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ </bean>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="doubleittransportkerberos"
implementor="org.apache.cxf.systest.sts.kerberos.IntermediaryPortTypeImpl"
endpointName="s:DoubleItTransportKerberosPort" serviceName="s:DoubleItService"
depends-on="ClientAuthHttpsSettings"
address="https://localhost:${testutil.ports.Intermediary}/doubleit/services/doubleittransportkerberos";
wsdlLocation="org/apache/cxf/systest/sts/kerberos/DoubleItIntermediary.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.bst.validator"
value-ref="kerberosValidator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient"
id="kerberosClient">
+ <constructor-arg ref="cxf"/>
+ <property name="contextName" value="bob"/>
+ <property name="serviceName" value="b...@service.ws.apache.org"/>
+ <property name="useDelegatedCredential" value="true"/>
+ </bean>
+
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2Port";
createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="myclientkey"/>
+ <entry key="ws-security.signature.properties"
value="clientKeystore.properties"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.client">
+ <bean class="org.apache.cxf.ws.security.trust.STSClient">
+ <constructor-arg ref="cxf"/>
+ <property name="wsdlLocation"
value="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Kerberos?wsdl"/>
+ <property name="serviceName"
value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
+ <property name="endpointName"
value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Kerberos_Port"/>
+ <property name="properties">
+ <map>
+ <entry key="ws-security.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.sts.token.username"
value="myclientkey"/>
+ <entry key="ws-security.sts.token.properties"
value="clientKeystore.properties"/>
+ <entry key="ws-security.sts.token.usecert"
value="true"/>
+ <entry key="ws-security.kerberos.client"
value-ref="kerberosClient"/>
+ </map>
+ </property>
+ </bean>
+ </entry>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.Intermediary}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="false" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+
+ <http:conduit name="https://localhost:.*";>
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:trustManagers>
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:trustManagers>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:keyManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
+</beans>
http://git-wip-us.apache.org/repos/asf/cxf/blob/009e15fd/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
----------------------------------------------------------------------
diff --git
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
index de1feac..717f772 100644
---
a/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
+++
b/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/kerberos/cxf-service.xml
@@ -44,6 +44,7 @@
<cxf:logging/>
</cxf:features>
</cxf:bus>
+<<<<<<< HEAD
<jaxws:endpoint id="doubleittransportsaml2"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl"
@@ -80,5 +81,31 @@
</httpj:engine>
</httpj:engine-factory>
+=======
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt";
id="doubleittransportsaml2"
implementor="org.apache.cxf.systest.sts.kerberos.DoubleItPortTypeImpl"
endpointName="s:DoubleItTransportSAML2Port" serviceName="s:DoubleItService"
depends-on="ClientAuthHttpsSettings"
address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2";
wsdlLocation="org/apache/cxf/systest/sts/kerberos/DoubleIt.wsdl">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="ws-security.signature.properties"
value="serviceKeystore.properties"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
+ <httpj:engine port="${testutil.ports.Server}">
+ <httpj:tlsServerParameters>
+ <sec:keyManagers keyPassword="skpass">
+ <sec:keyStore type="jks" password="sspass"
resource="servicestore.jks"/>
+ </sec:keyManagers>
+ <sec:cipherSuitesFilter>
+ <sec:include>.*_EXPORT_.*</sec:include>
+ <sec:include>.*_EXPORT1024_.*</sec:include>
+ <sec:include>.*_WITH_DES_.*</sec:include>
+ <sec:include>.*_WITH_AES_.*</sec:include>
+ <sec:include>.*_WITH_NULL_.*</sec:include>
+ <sec:exclude>.*_DH_anon_.*</sec:exclude>
+ </sec:cipherSuitesFilter>
+ <sec:clientAuthentication want="false" required="false"/>
+ </httpj:tlsServerParameters>
+ </httpj:engine>
+ </httpj:engine-factory>
+>>>>>>> 6e6c139... Adding support for WS-Security kerberos credential
delegation + a system test
</beans>
