From dval...@apache.org
Subject svn commit: r980941 - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ test/java/org/apache/cxf/ws/security/wss4j/
Date Fri, 30 Jul 2010 20:25:26 GMT
Author: dvaleri
Date: Fri Jul 30 20:25:26 2010
New Revision: 980941

URL: http://svn.apache.org/viewvc?rev=980941&view=rev
Log:
[CXF-2915] Applied patches for SignedSupportingToken with mod to fix regression against SignatureConfirmation
tests.

Added:
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
  (with props)
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
  (with props)
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
Fri Jul 30 20:25:26 2010
@@ -119,7 +119,11 @@ import org.apache.ws.security.message.WS
 import org.apache.ws.security.message.WSSecTimestamp;
 import org.apache.ws.security.message.WSSecUsernameToken;
 import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.transform.STRTransform;
 import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.signature.XMLSignatureException;
+import org.apache.xml.security.transforms.TransformationException;
+import org.apache.xml.security.transforms.Transforms;
 
 /**
  * 
@@ -462,11 +466,11 @@ public abstract class AbstractBindingBui
                     this.encryptedTokensIdList.add(secToken.getId());
                 }
         
-                if (secToken.getX509Certificate() == null) {
+                if (secToken.getX509Certificate() == null) {   
                     //Add the extracted token
                     ret.put(token, new WSSecurityTokenHolder(secToken));
                 } else {
-                    WSSecSignature sig = new WSSecSignature();                    
+                    WSSecSignatureHelper sig = new WSSecSignatureHelper();              
     
                     sig.setX509Certificate(secToken.getX509Certificate());
                     sig.setCustomTokenId(secToken.getId());
                     sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
@@ -500,8 +504,10 @@ public abstract class AbstractBindingBui
                         throw new Fault(e);
                     }
                     
+                    addSupportingElement(cloneElement(sig.getSecRef().getElement()));
+                    
                     if (suppTokens.isEncryptedToken()) {
-                        encryptedTokensIdList.add(sig.getBSTTokenId());
+                        encryptedTokensIdList.add(secToken.getId());
                     }
                     ret.put(token, sig);                
                 }
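Review bot: The `addSupportingElement(cloneElement(sig.getSecRef().getElement()))` line at the top of this hunk copies the SecurityTokenReference that WSS4J already placed in ds:KeyInfo into the header as a second, standalone element; if the clone keeps the original's wsu:Id, which is what `getStrUri()` later points the STR-Transform reference at in the next hunk, the message carries two elements with the same Id and reference resolution becomes ambiguous. I cannot see `cloneElement` from here, so this is an inference; a comment stating which copy the signature reference is meant to resolve to would settle it, e.g. `// The cloned STR is the element the ExternalSTRTransform reference signs; its wsu:Id must be unique in the header`. `getSecRef()` is also only populated once `prepare()` has run, so a short comment that this line depends on the preceding prepare() call would make the ordering explicit. The enclosing method continues on both sides of the hunk.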
@@ -554,10 +560,22 @@ public abstract class AbstractBindingBui
             Object tempTok =  entry.getValue();
             WSEncryptionPart part = null;
             
-            if (tempTok instanceof WSSecSignature) {
-                WSSecSignature tempSig = (WSSecSignature) tempTok;
-                if (tempSig.getBSTTokenId() != null) {
-                    part = new WSEncryptionPart(tempSig.getBSTTokenId());
+            if (tempTok instanceof WSSecSignatureHelper) {
+                WSSecSignatureHelper tempSig = (WSSecSignatureHelper) tempTok;
+                if ((WSConstants.WSS_SAML_NS + WSConstants.SAML_ASSERTION_ID).
+                    equals(tempSig.getSecRef().getKeyIdentifierValueType())) {
+                               
+                    // NOTE: This usage of WSEncryptionPart is a workaroud that is
+                    // coupled with WSSecSignatureHelper. This approach is used so that
+                    // we can force WSS4J to sign the assertion through a STR that
+                    // WSS4J did not create during message signature creation.
+                    part = new WSEncryptionPart(tempSig.getStrUri(), "ExternalSTRTransform",
"Element",
+                          WSConstants.PART_TYPE_ELEMENT);
+            
+                } else {
+                    if (tempSig.getBSTTokenId() != null) {
+                        part = new WSEncryptionPart(tempSig.getBSTTokenId());
+                    }
                 }
             } else if (tempTok instanceof WSSecUsernameToken) {
                 WSSecUsernameToken unt = (WSSecUsernameToken)tempTok;
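Review bot: The literal `"ExternalSTRTransform"` is used as an out-of-band sentinel in the namespace slot of `WSEncryptionPart` here and again in `WSSecSignatureHelper.addReferencesToSign`; a single `private static final String EXTERNAL_STR_TRANSFORM = "ExternalSTRTransform";` referenced from both places would keep the two halves of the workaround from drifting apart. The branch condition matches only the SAML 1.x key identifier value type (`WSConstants.WSS_SAML_NS + WSConstants.SAML_ASSERTION_ID`), so a token referenced by any other value type falls through to the BST path and is not signed unless it has a BST id; if that is intended, say so in the comment. Minor: `workaroud` in the comment should read `workaround`. The enclosing method continues on both sides of the hunk.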
@@ -1282,8 +1300,8 @@ public abstract class AbstractBindingBui
             }
         }
     }
-    protected WSSecSignature getSignatureBuider(TokenWrapper wrapper, Token token, boolean
endorse) {
-        WSSecSignature sig = new WSSecSignature();
+    protected WSSecSignatureHelper getSignatureBuider(TokenWrapper wrapper, Token token,
boolean endorse) {
+        WSSecSignatureHelper sig = new WSSecSignatureHelper();
         checkForX509PkiPath(sig, token);        
         setKeyIdentifierType(sig, wrapper, token);
         
@@ -1717,4 +1735,48 @@ public abstract class AbstractBindingBui
         
         signedParts.addAll(signedEncryptedParts);
     }
+    
+    private static final class WSSecSignatureHelper extends WSSecSignature {
+        public SecurityTokenReference getSecRef() {
+            return this.secRef;
+        }
+
+        public String getStrUri() {
+            return this.strUri;
+        }
+
+        @Override
+        public void addReferencesToSign(Vector references,
+                WSSecHeader secHeader) throws WSSecurityException {
+            final Vector<Object> unalteredReferences = new Vector<Object>();
+
+            try {
+                for (int part = 0; part < references.size(); part++) {
+                    final WSEncryptionPart encPart = (WSEncryptionPart) references.get(part);
+
+                    final String elemName = encPart.getName();
+                    final Transforms transforms = new Transforms(document);
+
+                    if (elemName != null && "ExternalSTRTransform".equals(encPart.getNamespace()))
{
+                        final Element ctx = this.createSTRParameter(document);
+                        transforms.addTransform(STRTransform.implementedTransformURI, ctx);
+                        this.sig.addDocument("#" + elemName, transforms, this.getDigestAlgo());
+                    } else {
+                        unalteredReferences.add(encPart);
+                    }
+                }
+            } catch (TransformationException e1) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e1
+                );
+            } catch (XMLSignatureException e1) {
+                throw new WSSecurityException(
+                    WSSecurityException.FAILED_SIGNATURE, "noXMLSig", null, e1
+                );
+            }
+
+            super.addReferencesToSign(unalteredReferences, secHeader);
+        }
+    }
+    
 }
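Review bot: `new Transforms(document)` on the line before the `"ExternalSTRTransform"` check is allocated for every reference but only used in the STR branch; moving `final Transforms transforms = new Transforms(document);` inside the `if` avoids the work on the common path and makes the intent clearer. The nested class has no Javadoc describing the contract it shares with `getSignedParts`: a header comment stating that a part whose namespace is `"ExternalSTRTransform"` is interpreted as the wsu:Id of an STR to be signed through STR-Transform, and that `getSecRef()` and `getStrUri()` are only meaningful after `prepare()` has run, would let a maintainer change either side safely. Because the class is `private`, the `protected WSSecSignatureHelper getSignatureBuider(...)` declaration in the previous hunk returns a type that subclasses in other packages cannot name; either widen the helper to `protected` or keep the method's declared return type as `WSSecSignature`.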

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
Fri Jul 30 20:25:26 2010
@@ -95,7 +95,7 @@ public class AsymmetricBindingHandler ex
 
     private void doSignBeforeEncrypt() {
         try {
-            Vector<WSEncryptionPart> sigs = getSignedParts();
+            Vector<WSEncryptionPart> sigs = new Vector<WSEncryptionPart>();
             if (isRequestor()) {
                 //Add timestamp
                 if (timestampEl != null) {
@@ -197,6 +197,9 @@ public class AsymmetricBindingHandler ex
                 } catch (WSSecurityException e) {
                     //REVISIT - exception
                     e.printStackTrace();
+                } catch (SOAPException e) {
+                    //REVISIT - exception
+                    e.printStackTrace();
                 }
             }
 
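Review bot: The new `catch (SOAPException e)` only prints the stack trace and lets `doSignBeforeEncrypt` continue, so a failure while building the signature produces an outbound message that lacks the protection the policy requires instead of an error; it mirrors the existing `WSSecurityException` branch but widens the failure that is swallowed. `AbstractBindingBuilder` already converts such failures with `throw new Fault(e);`, and the same should be done here, or at minimum the exception should be logged rather than written to stderr with the REVISIT marker kept. The enclosing method starts outside the hunk.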
@@ -334,7 +337,8 @@ public class AsymmetricBindingHandler ex
             }
         }
     }
-    private void doSignature(Vector<WSEncryptionPart> sigParts) throws WSSecurityException
{
+    
+    private void doSignature(Vector<WSEncryptionPart> sigParts) throws WSSecurityException,
SOAPException {
         Token sigToken = null;
         TokenWrapper wrapper = null;
         if (isRequestor()) {
@@ -385,18 +389,16 @@ public class AsymmetricBindingHandler ex
             }
         } else {
             WSSecSignature sig = getSignatureBuider(wrapper, sigToken, false);
-            sig.prependBSTElementToHeader(secHeader);
-            insertBeforeBottomUp(sig.getSignatureElement());
-            
-            if (abinding.isTokenProtection()) {                
-                // Special flag telling WSS4J to sign the initiator token.
-                // Use this instead of the BST ID so that we don't
-                // have to deal with maintaining such logic here.
-                sigParts.add(new WSEncryptionPart("Token", null, 
-                        "Element", WSConstants.PART_TYPE_ELEMENT));
+                      
+            // This action must occur before sig.prependBSTElementToHeader
+            if (abinding.isTokenProtection()
+                    && sig.getBSTTokenId() != null) {
+                sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
             }
-                    
+
             sig.prependBSTElementToHeader(secHeader);
+            insertBeforeBottomUp(sig.getSignatureElement());
+            sigParts.addAll(this.getSignedParts());
             
             AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
             sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
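Review bot: The token-protection part is now added only when `sig.getBSTTokenId() != null`, whereas the removed code always added the `"Token"` marker part and, as I read it, left WSS4J to decide what to sign for a referenced token; with an initiator token that is referenced rather than included (no BST in the header, as in the new `IncludeToken/Never` test policy) `sp:ProtectTokens` now becomes a silent no-op. If that is the intended behaviour for non-included tokens, state it next to the condition, e.g. `// Token protection is only applied when the BST is present in the header; a referenced token has nothing to sign here`; otherwise the condition needs an else branch that signs the STR. The comment `This action must occur before sig.prependBSTElementToHeader` says what but not why, and a sentence giving the reason would help the next reader. `doSignature` continues on both sides of the hunk.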
@@ -406,7 +408,6 @@ public class AsymmetricBindingHandler ex
             sig.addReferencesToSign(sigParts, secHeader);
             sig.computeSignature();
             signatures.add(sig.getSignatureValue());
-
                         
             mainSigId = addWsuIdToElement(sig.getSignatureElement());
         }

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=980941&r1=980940&r2=980941&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Fri Jul 30 20:25:26 2010
@@ -18,12 +18,13 @@
  */
 package org.apache.cxf.ws.security.wss4j;
 
-
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.Vector;
 import java.util.concurrent.Executor;
 
@@ -59,12 +60,17 @@ import org.apache.cxf.ws.policy.PolicyEx
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.PolicyBasedWSS4JOutInterceptorInternal;
 import org.apache.neethi.Policy;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.util.WSSecurityUtil;
@@ -113,6 +119,8 @@ public class PolicyBasedWss4JInOutTest e
                 null,
                 new ArrayList<CoverageType>());
         
+        // Note that outbound does not asset TRANSPORT_TOKEN as another handler
+        // would assert that.
         this.runAndValidate(
                 "wsse-request-clean.xml",
                 "transport_binding_policy.xml",
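Review bot: The added comment reads `outbound does not asset TRANSPORT_TOKEN`; `asset` should be `assert`, and naming which handler does assert it would make the note actionable, e.g. `// Note that the outbound side does not assert TRANSPORT_TOKEN; another handler asserts it.`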
@@ -132,6 +140,15 @@ public class PolicyBasedWss4JInOutTest e
         runOutInterceptorAndValidateAsymmetricBinding("signed_elements_policy.xml");
         runOutInterceptorAndValidateAsymmetricBinding("signed_elements_Basic256Sha256_policy.xml");
     }
+    
+    // TODO this test does not follow the traditional pattern as no server-side enforcement
+    // of algorithm suites yet exists.  This support is blocked on WSS4J patches.  In the
interim
+    // the outbound side is tested ONLY.
+    @Test
+    public void testSignedElementsWithIssuedSAMLToken() throws Exception {
+        this.runOutInterceptorAndValidateSamlTokenAttached(
+                "signed_elements_with_sst_issued_token_policy.xml");
+    }
 
     @Test
     public void testSignedPartsPolicyWithIncompleteCoverage() throws Exception {
@@ -749,7 +766,17 @@ public class PolicyBasedWss4JInOutTest e
         AssertionInfoMap aim = new AssertionInfoMap(policy);
         
         final SoapMessage msg = 
-            this.getOutSoapMessageForDom(document, aim); 
+            this.getOutSoapMessageForDom(document, aim);
+        
+        return this.runOutInterceptorAndValidate(msg, policy, aim,
+                assertedOutAssertions, notAssertedOutAssertions);       
+    }    
+        
+    
+    private Document runOutInterceptorAndValidate(SoapMessage msg, Policy policy,
+            AssertionInfoMap aim,
+            List<QName> assertedOutAssertions, 
+            List<QName> notAssertedOutAssertions) throws Exception {
         
         this.getOutInterceptor().handleMessage(msg);
         
@@ -784,7 +811,7 @@ public class PolicyBasedWss4JInOutTest e
         return msg.getContent(SOAPMessage.class).getSOAPPart();
     }
     
-    // TODO: This method can be removed when testAsymmetricBindingPolicyWithSignedElements
+    // TODO: This method can be removed when testAsymmetricBindingAlgorithmSuitePolicy
     // is cleaned up by adding server side enforcement of signature related algorithms.
     private void runOutInterceptorAndValidateAsymmetricBinding(String policyDoc) throws Exception
{
         final Document originalDoc = this.readDocument("wsse-request-clean.xml");
@@ -800,6 +827,50 @@ public class PolicyBasedWss4JInOutTest e
         
         this.verifySignatureAlgorithms(signedDoc, aim);
     }
+      
+    // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken
is
+    // cleaned up.
+    private void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws Exception
{
+        // create the request message
+        final Document document = this.readDocument("wsse-request-clean.xml");
+        final Element outPolicyElement = 
+            this.readDocument(policyDoc).getDocumentElement();
+        final Policy policy = this.policyBuilder.getPolicy(outPolicyElement);
+        
+        AssertionInfoMap aim = new AssertionInfoMap(policy);        
+        SoapMessage msg = this.getOutSoapMessageForDom(document, aim);
+        
+        // add an "issued" assertion into the message exchange
+        Element issuedAssertion = 
+            this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
+        
+        String assertionId = issuedAssertion.getAttributeNode("AssertionID").getNodeValue();
+        
+        SecurityToken issuedToken = 
+            new SecurityToken(assertionId, issuedAssertion, null);
+        
+        Properties cryptoProps = new Properties();
+        URL url = ClassLoader.getSystemResource("META-INF/cxf/outsecurity.properties");
+        cryptoProps.load(url.openStream());
+        Crypto crypto = CryptoFactory.getInstance(cryptoProps);
+        String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+        issuedToken.setX509Certificate(crypto.getCertificates(alias)[0], crypto);
+        
+        msg.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN_ID, 
+                issuedToken.getId());
+        msg.getExchange().put(SecurityConstants.TOKEN_ID, issuedToken.getId());
+        
+        TokenStore tokenStore = new MemoryTokenStore();
+        msg.getExchange().get(Endpoint.class).getEndpointInfo()
+            .setProperty(TokenStore.class.getName(), tokenStore);
+        tokenStore.add(issuedToken);
+        
+        // fire the interceptor and verify results
+        final Document signedDoc = this.runOutInterceptorAndValidate(
+                msg, policy, aim, null, null);
+        
+        verifySignatureCoversAssertion(signedDoc, assertionId);
+    }
     
     private PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
         return (new PolicyBasedWSS4JOutInterceptor()).createEndingInterceptor();
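Review bot: `cryptoProps.load(url.openStream())` never closes the stream, and `url` is dereferenced without a check, so a missing `META-INF/cxf/outsecurity.properties` surfaces as a NullPointerException rather than a clear failure; write it as `InputStream in = url.openStream(); try { cryptoProps.load(in); } finally { in.close(); }` (needs `java.io.InputStream`) preceded by `assertNotNull("outsecurity.properties not on classpath", url);`. The call `runOutInterceptorAndValidate(msg, policy, aim, null, null)` passes null for both assertion lists while the existing caller passes lists, and the remainder of that method is outside this view, so please confirm it tolerates null or pass empty lists instead. Likewise `issuedAssertion.getAttributeNode("AssertionID").getNodeValue()` throws NullPointerException on a fixture without that attribute; `getAttribute("AssertionID")` followed by `assertFalse(assertionId.isEmpty())` fails more readably.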
@@ -899,6 +970,7 @@ public class PolicyBasedWss4JInOutTest e
     
     // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
     // is cleaned up by adding server side enforcement of signature related algorithms.
+    // See https://issues.apache.org/jira/browse/WSS-222
     private void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws
Exception { 
         final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
         assertNotNull(assertInfo);
@@ -941,7 +1013,55 @@ public class PolicyBasedWss4JInOutTest e
         final String canonMethod =  (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
         assertEquals(expectedCanonAlgorithm, canonMethod);
     }
-
+    
+    // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached
+    // is cleaned up.
+    private void verifySignatureCoversAssertion(Document signedDoc, String assertionId) throws
Exception {
+        XPathFactory factory = XPathFactory.newInstance();
+        XPath xpath = factory.newXPath();
+        final NamespaceContext nsContext = this.getNamespaceContext();
+        xpath.setNamespaceContext(nsContext);
+        
+        // Find the SecurityTokenReference for the assertion
+        final XPathExpression strExpr = xpath.compile(
+            "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
+        
+        final NodeList strKeyIdNodes = 
+            (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
+        
+        String strId = null;
+        for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
+            Node keyIdNode = (Node) strKeyIdNodes.item(i);
+            String strKey = keyIdNode.getTextContent();
+            if (strKey.equals(assertionId)) {
+                Node strNode = (Node) keyIdNode.getParentNode();
+                strId = strNode.getAttributes().
+                    getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue();
+                break;
+            }
+        }
+        assertNotNull("SecurityTokenReference for " + assertionId + " not found in security
header.", strId);
+        
+        // Verify STR is included in the signature references
+        final XPathExpression sigRefExpr = xpath.compile(
+            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
+        
+        final NodeList sigReferenceNodes = 
+            (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
+        
+        boolean foundStrReference = false;
+        for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
+            Node sigRefNode = (Node) sigReferenceNodes.item(i);
+            String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
+            if (sigRefURI.equals("#" + strId)) {
+                foundStrReference = true;
+                break;
+            }
+        }
+        
+        assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference);
+    }
+    
     private static final class MockEndpoint extends 
         AbstractAttributedInterceptorProvider implements Endpoint {
 
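Review bot: `verifySignatureCoversAssertion` confirms that a `ds:Reference` points at the STR's wsu:Id but not that the reference applies the STR-Transform, which is the whole purpose of the `ExternalSTRTransform` workaround; a reference that digests the bare STR element would also pass this check. Extend the second loop so that, for the matching reference, it asserts a `ds:Transforms/ds:Transform/@Algorithm` equal to `STRTransform.implementedTransformURI` (or the corresponding constant available to the test). The first loop also accepts the first `wsse:KeyIdentifier` whose text equals the assertion id regardless of its ValueType; asserting the ValueType as well would pin the exact condition the production code branches on.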

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml?rev=980941&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
(added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
Fri Jul 30 20:25:26 2010
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--  
+  NOTE:  this test assertion will not pass signature validation tests nor enable proof of
possession
+         verifications to be made in relation to the certificates in the test keystores
+-->
+<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+    xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
+    xmlns:xs="http://www.w3.org/2001/XMLSchema" AssertionID="uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522"
+    IssueInstant="2010-07-29T20:48:46.229Z" Issuer="TEST-STS"
+    MajorVersion="1" MinorVersion="1">
+    <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z"
+        NotOnOrAfter="2010-07-29T20:49:22.229Z">
+        <saml:AudienceRestrictionCondition>
+            <saml:Audience>test-service</saml:Audience>
+        </saml:AudienceRestrictionCondition>
+    </saml:Conditions>
+    <saml:Advice />
+    <saml:AuthenticationStatement AuthenticationInstant="2010-07-29T20:48:46.229Z"
+        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:X509-PKI">
+        <saml:Subject>
+            <saml:NameIdentifier>CN=test-user,OU=test,OU=CXF,O=Apache Software Foundation</saml:NameIdentifier>
+            <saml:SubjectConfirmation>
+                <saml:ConfirmationMethod>
+                    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
+                </saml:ConfirmationMethod>
+                    <ds:KeyInfo>
+                        <ds:X509Data>
+                            <ds:X509Certificate>MII
+                                DmjCCAoKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgN
+                                VBAMTCVRlc3QgQ0EgMTAeFw0wOTEyMTgwMTQ3NTBaFw0xOTEyMTYwMTQ2NDFaMFgxJjAkBgNVBAoTHVByb2dyZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAs
+                                GA1UECxMEdGVzdDESMBAGA1UEAxMJdGVzdC11c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvK451fg0wMOFEr9Idhr88bOZUOvyTuemIy5ClWZryfomKsxwXxifb2
+                                h3Zj+NJmJtG2lXOiXHCVM/qO/o6uZvkhIBNA51MvxgadGvgjTpx8Y9O9Z4C5kWOXkEDCZA/JcjW6zMhSr5g8X2n1qmG457cf7P3OxSVRvVO9WN7okuhcxZOSAGbq/XYw6Bt3YNDOIe2e
+                                cgg8qbzkqnC92pQNM01QekEoIlrTyiQllPq5W5PX+7AxAUc8MjkoORdLIA9X1BnTIC8fNxwuS8OdJTerK56EiJ5FBqAst2DGQXSSkHURC6Tai/p0rm7sDDry2zmsRE2WSTcsCCAKpbAb
+                                wJwXhqQIDAQABo28wbTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQeoRFv6WclHWP31CwGOU3CRhb80jALBgNVHQ8EBAMCBLAwEQYJYIZIAYb4QgEBBAQDAgWgMB4GCWCGSAGG+EIBDQQ
+                                RFg94Y2EgY2VydGlmaWNhdGUwDQYJKoZIhvcNAQEFBQADggEBAI5X4Q+xcyZK7XcU71Eaud2HnzLINhJg3owbGKnGrlpMKToH4ejI5jYgV8XQ69jcWF16Z6NPxg4NDud7s6CqNnlV5AA
+                                CtzEnDEe00ykitiHHvG7ErDh3X3iZf3Sv0Rpg/lnb8v5IbVSo8pfvJRSMcJ3src2aKUtHpPy8TGfUT/58QfLWv2DXgpv3ocyYQIVjS7f/NirdcR88utIV4f119UyTQIy4uTKbEJLKs7G
+                                A8UW4YjTw0G+FdZPxrr5nKmO9nnEBDDnfKqeorO3VUHXxk6eT5g0vU7SWSbdbEKAGlUz/ukUzWZS4vZMFRGKSM/+BMaoVqP13RHsL1Seofr9hPAI=
+                            </ds:X509Certificate>
+                        </ds:X509Data>
+                    </ds:KeyInfo>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+    </saml:AuthenticationStatement>
+        <ds:Signature>
+            <ds:SignedInfo>
+                <ds:CanonicalizationMethod
+                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+                <ds:SignatureMethod
+                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
+                <ds:Reference
+                    URI="#uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522">
+                    <ds:Transforms>
+                        <ds:Transform
+                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
+                        <ds:Transform
+                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
+                    </ds:Transforms>
+                    <ds:DigestMethod
+                        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
+                    <ds:DigestValue>+oA6MZcwrQrVa+IwsOejQW91VwM=
+                    </ds:DigestValue>
+                </ds:Reference>
+            </ds:SignedInfo>
+            <ds:SignatureValue>
+                WNU2nQEnGtMl3f+bApcFB/fFb36WCfBMae/9wFs5Y2Be6RVZ0FMv6NYMhEboWwuUuRMAZ8L8Ac4H
+                2Xp76pd/9ypO/IY+oM5k6A4N+p8q/VX5f3Qnkh5EcF2k69LVfMNpBje+eksUyHyREUd8w6Ejh1O1
+                kLkR4oxBLjvYm+GLGFEmMYTpFHFyAK1bn1BdvAtDb3/hDZeGASRWUPnYFuqMTMUqa1O6iBISQFM1
+                3KUwhvKk7xODSsIsivFYFcP/7MamYOwr5UWyDex2xID9ubXdzu0B/Ey6IslaCCFZSZK1WfSiTU2Q
+                yZarJS6WBDTNCt2ad29A5oURJpwEsdXQsOtNmA==
+            </ds:SignatureValue>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>MIIDmzCCAoOgAwIBAgIBAzANBgkqhkiG9w0
+                        BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0
+                        d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgNVBAMTCVRl
+                        c3QgQ0EgMTAeFw0wOTEyMTgwMTQ5MDFaFw0xOTEyMTYwMTQ2NDFaMFkxJjAkBgNVBAoTHVByb2dy
+                        ZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAsGA1UECxMEdGVzdDETMBEG
+                        A1UEAxMKc3RzLWlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf6fT4yXU8J
+                        sfQAa6Kidu8NVONLF4HPgGMnB/JxcMJFzYvG9J2WtWTV0PEwzoLronC/92NcEmHktaY6mbgXQx90
+                        4nnyXVs1mhSFbFjuunOCwbYbLoP0hTSOAFEXIMZfIev6ecnSS2jbuhz4CRKxdbtf5d1QF2MWataN
+                        zTXYqoWuHKcSxzha4DlS8W9MVAp4gi6yubbbb0KZxMDeTiuCM8kJ1B0et+qAw3hVRosWHxzvcJz7
+                        zzc2fscOSVBtwDyYZdEShHt8oL+9bs1oiWHZm35/YP476AOC9rznYU6ekXtVszwak5kOAheJC9sx
+                        BF+WMmMRZc3w3ZMEJUcLMgYj678CAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6hTh
+                        MTVrJEvhmPWvHzgFS4fbPr4wCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgB
+                        hvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQAbb5autCceUfJLII1T
+                        C2zqTFdxFzW6Pa1Ni8VYtxEVli5d48R3VgfPm4o1uP5MeJJc1LzgwQ7TYWhdmwDAWIbXvNtaMzDZ
+                        FZK2kgU4yjhPSTTqMZvvdJlADBQbZPKxsd9NT5K7FEcxuWNOnjRl1vZZ3pbgbR/aq12g9ERWjvt6
+                        ZOS0/Rc2mv8uie1rCpPIdes/nj9yTP+pMIGI65RhMHrr3zPIkl6ZWPPWFoXkOS26e8AKkfMadaZd
+                        WKrB3xkBW5eDoUz22DaolFw5WfJJD2s3kto26/UYjjRviZ9j+YkRVRDLDn3j/8wcdYD2p1anzMKU
+                        TjZe7HgwbK7N/J5QJ/KQ
+                            </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </ds:Signature>
+</saml:Assertion>

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml?rev=980941&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
(added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
Fri Jul 30 20:25:26 2010
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsp:Policy 
+    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
+    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+    xmlns:wsa="http://www.w3.org/2005/08/addressing"
+    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"    
+    xmlns:ser="http://www.sdj.pl">
+  <wsp:ExactlyOne>
+    <wsp:All>
+      <sp:SignedSupportingTokens>
+        <wsp:Policy>
+          <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+            <sp:Issuer>
+                <wsa:Address>not used in test</wsa:Address>
+            </sp:Issuer>
+            <sp:RequestSecurityTokenTemplate>
+                <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
+                <wst:AppliesTo>
+                    <wsp:URI>service-1</wsp:URI>
+                </wst:AppliesTo>
+                <wst:Participants>
+                  <wst:Participant>
+                      <wsp:URI>service-1</wsp:URI>
+                    </wst:Participant>
+                </wst:Participants>
+                <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
+              </sp:RequestSecurityTokenTemplate>
+           </sp:IssuedToken>
+        </wsp:Policy>
+      </sp:SignedSupportingTokens>
+      <sp:AsymmetricBinding>
+        <wsp:Policy>
+          <sp:InitiatorToken>
+             <wsp:Policy>
+              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                <wsp:Policy>
+                  <sp:RequireIssuerSerialReference />
+                  <sp:WssX509V3Token10 />
+                </wsp:Policy>
+              </sp:X509Token>
+            </wsp:Policy>
+          </sp:InitiatorToken>
+          <sp:RecipientToken>
+            <wsp:Policy>
+              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                <wsp:Policy>
+                  <sp:RequireIssuerSerialReference />
+                  <sp:WssX509V3Token10 />
+                </wsp:Policy>
+              </sp:X509Token>
+            </wsp:Policy>
+          </sp:RecipientToken>
+          <sp:AlgorithmSuite>
+            <wsp:Policy>
+              <sp:Basic256Sha256 />
+            </wsp:Policy>
+          </sp:AlgorithmSuite>
+          <sp:Layout>
+            <wsp:Policy>
+              <sp:Strict />
+            </wsp:Policy>
+          </sp:Layout>
+        </wsp:Policy>
+      </sp:AsymmetricBinding>
+      <sp:SignedElements>
+        <sp:XPath>//ser:Header</sp:XPath>
+      </sp:SignedElements>  
+    </wsp:All>
+  </wsp:ExactlyOne>
+</wsp:Policy>

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_elements_with_sst_issued_token_policy.xml
------------------------------------------------------------------------------
    svn:eol-style = native


