From cohei...@apache.org
Subject svn commit: r1185276 [2/6] - in /cxf/trunk/services/sts/systests: ./ basic/ basic/src/ basic/src/test/ basic/src/test/java/ basic/src/test/java/org/ basic/src/test/java/org/apache/ basic/src/test/java/org/apache/cxf/ basic/src/test/java/org/apache/cxf/...
Date Mon, 17 Oct 2011 16:15:09 GMT
Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,473 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.issueunit;
+
+import java.net.URL;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.ws.security.WSDocInfo;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.processor.Processor;
+import org.apache.ws.security.processor.SAMLTokenProcessor;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.junit.BeforeClass;
+
+/**
+ * Some unit tests for the CXF STSClient Issue Binding.
+ */
+public class IssueUnitTest extends AbstractBusClientServerTestBase {
+    
+    private static final String SAML1_TOKEN_TYPE = 
+        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
+    private static final String SAML2_TOKEN_TYPE = 
+        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
+    private static final String SYMMETRIC_KEY_KEYTYPE = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
+    private static final String PUBLIC_KEY_KEYTYPE = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey";
+    private static final String BEARER_KEYTYPE = 
+        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer";
+    private static final String DEFAULT_ADDRESS = 
+        "https://localhost:8081/doubleit/services/doubleittransportsaml1";
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        String deployment = System.getProperty("sts.deployment");
+        if ("standalone".equals(deployment)) {
+            assertTrue(
+                    "Server failed to launch",
+                    // run the server in the same process
+                    // set this to false to fork
+                    launchServer(STSServer.class, true)
+            );
+        }
+    }
+
+    /**
+     * Test the Symmetric Key SAML1 case
+     */
+    @org.junit.Test
+    public void testSymmetricKeySaml1() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        // Get a token
+        SecurityToken token = 
+            requestSecurityToken(SAML1_TOKEN_TYPE, SYMMETRIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS);
+        assertTrue(token.getSecret() != null && token.getSecret().length > 0);
+        assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+        SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
+        assertTrue(subjectKeyInfo.getSecret() != null);
+    }
+    
+    /**
+     * Test the Public Key SAML2 case
+     */
+    @org.junit.Test
+    public void testPublicKeySaml2() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        // Get a token
+        SecurityToken token = 
+            requestSecurityToken(SAML2_TOKEN_TYPE, PUBLIC_KEY_KEYTYPE, bus, DEFAULT_ADDRESS);
+        assertTrue(token.getSecret() == null && token.getX509Certificate() != null);
+        assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() == null && assertion.getSaml2() != null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(OpenSAMLUtil.isMethodHolderOfKey(confirmMethod));
+        SAMLKeyInfo subjectKeyInfo = assertion.getSubjectKeyInfo();
+        assertTrue(subjectKeyInfo.getCerts() != null);
+    }
+    
+    /**
+     * Test the Bearer SAML1 case
+     */
+    @org.junit.Test
+    public void testBearerSaml1() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        // Get a token
+        SecurityToken token = 
+            requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS);
+        assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(confirmMethod.contains("bearer"));
+    }
+    
+    /**
+     * Test the Bearer Sender Vouches SAML2 case
+     */
+    @org.junit.Test
+    public void testBearerSVSaml2() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        Document doc = builder.newDocument();
+        
+        X509Security bst = new X509Security(doc);
+        Crypto crypto = CryptoFactory.getInstance("clientKeystore.properties");
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("myclientkey");
+        X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+        bst.setX509Certificate(certs[0]);
+        
+        // Get a token
+        SecurityToken token = 
+            requestSecurityToken(
+                SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bst.getElement(), bus, DEFAULT_ADDRESS, null
+            );
+        assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() == null && assertion.getSaml2() != null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertNotNull(confirmMethod);
+    }
+    
+    /**
+     * Test the endpoint address sent to the STS as part of AppliesTo. If the STS does not
+     * recognise the endpoint address it does not issue a token.
+     */
+    @org.junit.Test
+    public void testEndpointAddress() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        try {
+            String badAddress = 
+                "https://localhost:8081/doubleit/services/doubleitbadtransportsaml1";
+            requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, badAddress);
+            fail("Failure expected on a bad endpoint address");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    /**
+     * Test that a request with no AppliesTo can be created by the CXF STS client.
+     */
+    @org.junit.Test
+    public void testNoAppliesTo() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        try {
+            requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, null);
+            // fail("Failure expected on no AppliesTo value");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    /**
+     * Test the Bearer SAML1 case with a Context Attribute
+     */
+    @org.junit.Test
+    public void testBearerSaml1Context() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        // Get a token
+        String context = "AuthenticationContext";
+        SecurityToken token = 
+            requestSecurityToken(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS, context);
+        assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(confirmMethod.contains("bearer"));
+    }
+    
+    /**
+     * Test the Bearer SAML1 case with a Lifetime element
+     */
+    @org.junit.Test
+    public void testBearerSaml1Lifetime() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        // Get a token
+        SecurityToken token = 
+            requestSecurityTokenTTL(SAML1_TOKEN_TYPE, BEARER_KEYTYPE, bus, DEFAULT_ADDRESS);
+        assertTrue(SAML1_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        // Process the token
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.getSaml1() != null && assertion.getSaml2() == null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(confirmMethod.contains("bearer"));
+    }
+    
+    private SecurityToken requestSecurityToken(
+        String tokenType, 
+        String keyType, 
+        Bus bus,
+        String endpointAddress
+    ) throws Exception {
+        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, null);
+    }
+    
+    private SecurityToken requestSecurityToken(
+        String tokenType, 
+        String keyType, 
+        Bus bus,
+        String endpointAddress,
+        String context
+    ) throws Exception {
+        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, context);
+    }
+    
+    private SecurityToken requestSecurityToken(
+        String tokenType, 
+        String keyType,
+        Element supportingToken,
+        Bus bus,
+        String endpointAddress,
+        String context
+    ) throws Exception {
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setWsdlLocation("https://localhost:8443/SecurityTokenService/Transport?wsdl");
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+        
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put("ws-security.username", "alice");
+        properties.put(
+            "ws-security.callback-handler", "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+        );
+        properties.put("ws-security.encryption.properties", "clientKeystore.properties");
+        properties.put("ws-security.encryption.username", "mystskey");
+        properties.put("ws-security.is-bsp-compliant", "false");
+        
+        if (PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+            properties.put("ws-security.sts.token.username", "myclientkey");
+            properties.put("ws-security.sts.token.properties", "clientKeystore.properties");
+            stsClient.setUseCertificateForConfirmationKeyInfo(true);
+        }
+        if (supportingToken != null) {
+            stsClient.setOnBehalfOf(supportingToken);
+        }
+        if (context != null) {
+            stsClient.setContext(context);
+        }
+        
+        stsClient.setProperties(properties);
+        stsClient.setTokenType(tokenType);
+        stsClient.setKeyType(keyType);
+        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        
+        return stsClient.requestSecurityToken(endpointAddress);
+    }
+    
+    private SecurityToken requestSecurityTokenTTL(
+            String tokenType, 
+            String keyType,
+            Bus bus,
+            String endpointAddress
+    ) throws Exception {
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setWsdlLocation("https://localhost:8443/SecurityTokenService/Transport?wsdl");
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put("ws-security.username", "alice");
+        properties.put(
+            "ws-security.callback-handler", "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+        );
+        properties.put("ws-security.encryption.properties", "clientKeystore.properties");
+        properties.put("ws-security.encryption.username", "mystskey");
+        properties.put("ws-security.is-bsp-compliant", "false");
+
+        if (PUBLIC_KEY_KEYTYPE.equals(keyType)) {
+            properties.put("ws-security.sts.token.username", "myclientkey");
+            properties.put("ws-security.sts.token.properties", "clientKeystore.properties");
+            stsClient.setUseCertificateForConfirmationKeyInfo(true);
+        }
+        stsClient.setEnableLifetime(true);
+        stsClient.setTtl(60 * 30);
+
+        stsClient.setProperties(properties);
+        stsClient.setTokenType(tokenType);
+        stsClient.setKeyType(keyType);
+        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+
+        return stsClient.requestSecurityToken(endpointAddress);
+    }
+    
+    private List<WSSecurityEngineResult> processToken(SecurityToken token) throws Exception {
+        RequestData requestData = new RequestData();
+        WSSConfig wssConfig = WSSConfig.getNewInstance();
+        wssConfig.setWsiBSPCompliant(false);
+        requestData.setWssConfig(wssConfig);
+        CallbackHandler callbackHandler = new org.apache.cxf.systest.sts.common.CommonCallbackHandler();
+        requestData.setCallbackHandler(callbackHandler);
+        Crypto crypto = CryptoFactory.getInstance("serviceKeystore.properties");
+        requestData.setDecCrypto(crypto);
+        requestData.setSigCrypto(crypto);
+        
+        Processor processor = new SAMLTokenProcessor();
+        return processor.handleToken(
+            token.getToken(), requestData, new WSDocInfo(token.getToken().getOwnerDocument())
+        );
+    }
+}
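Review bot: `testEndpointAddress` wraps `requestSecurityToken` in `catch (Exception ex)`, so the negative AppliesTo check also passes when the STS is simply unreachable or misconfigured (for example when `sts.deployment` is not `standalone` and no server was launched), which means it cannot tell a refused address apart from a transport failure. Narrow the catch to the fault type the STS client raises for a rejected request, or at least assert on the caught exception before leaving the handler so a connection refusal fails the test. `testNoAppliesTo` has its `fail(...)` commented out and also swallows every exception, so it currently passes unconditionally; either restore the `fail` or assert on the token that comes back. Finally, `requestSecurityToken` and `requestSecurityTokenTTL` duplicate the whole STSClient setup and differ only in the `setEnableLifetime(true)` / `setTtl(60 * 30)` pair, so a TTL parameter on the six-argument overload would remove the copy.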

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/DoubleItPortTypeImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/DoubleItPortTypeImpl.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/DoubleItPortTypeImpl.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/DoubleItPortTypeImpl.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.sendervouches;
+
+import java.net.URL;
+import java.security.Principal;
+import java.util.List;
+
+import javax.annotation.Resource;
+import javax.jws.WebService;
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
+
+import org.apache.cxf.feature.Features;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+import org.example.contract.doubleit.DoubleItPortType;
+
+@WebService(targetNamespace = "http://www.example.org/contract/DoubleIt", 
+            serviceName = "DoubleItService", 
+            endpointInterface = "org.example.contract.doubleit.DoubleItPortType")
+@Features(features = "org.apache.cxf.feature.LoggingFeature")              
+public class DoubleItPortTypeImpl extends AbstractBusClientServerTestBase implements DoubleItPortType {
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+    
+    @Resource
+    WebServiceContext wsc;
+    
+    public int doubleIt(int numberToDouble) {
+        // Delegate request to a provider
+        URL wsdl = DoubleItPortTypeImpl.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2SupportingPort");
+        DoubleItPortType transportSAML2SupportingPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        try {
+            updateAddressPort(transportSAML2SupportingPort, SenderVouchesTest.PORT2);
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+
+        //
+        // Get the principal from the request context and construct a SAML Assertion
+        //
+        MessageContext context = wsc.getMessageContext();
+        final List<WSHandlerResult> handlerResults = 
+            CastUtils.cast((List<?>)context.get(WSHandlerConstants.RECV_RESULTS));
+        WSSecurityEngineResult actionResult =
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.UT);
+        Principal principal = 
+            (Principal)actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+        
+        Saml2CallbackHandler callbackHandler = new Saml2CallbackHandler(principal);
+        ((BindingProvider)transportSAML2SupportingPort).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        return transportSAML2SupportingPort.doubleIt(numberToDouble);
+    }
+    
+}
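Review bot: `doubleIt` dereferences `handlerResults.get(0)` and `actionResult.get(...)` without checking that any WS-Security results exist, so a request that reaches the intermediary without a validated UsernameToken ends in a NullPointerException instead of a clear fault, even though the principal taken here is exactly what the sender-vouches assertion will vouch for downstream. Guard both lookups, e.g. `if (handlerResults == null || handlerResults.isEmpty() || actionResult == null) { throw new javax.xml.ws.WebServiceException("No validated UsernameToken in request"); }` (split around the `fetchActionResult` call as needed). The `ex.printStackTrace()` after `updateAddressPort` swallows the failure and lets the call proceed against the wrong port; rethrowing as a `WebServiceException` would surface it. A one-line Javadoc stating that this endpoint acts as the intermediary and re-issues the caller's identity as a SAML2 sender-vouches token would also help the next reader.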

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Intermediary.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Intermediary.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Intermediary.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Intermediary.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.sendervouches;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Intermediary extends AbstractBusTestServerBase {
+
+    public Intermediary() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Intermediary.class.getResource("cxf-intermediary.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Intermediary();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
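Review bot: The `try { new Intermediary(); }` block in `run()` constructs an instance whose constructor is empty and then discards it, so it does nothing and its `catch` can never be entered; it reads like a leftover from a server class that publishes an endpoint from its constructor. If the endpoints are meant to come entirely from `cxf-intermediary.xml`, drop the try block; if a publication was intended, that is where it should go. `run()` is presumably overriding a base-class method and would benefit from `@Override` and a short comment naming what the Spring configuration is expected to start.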

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Saml2CallbackHandler.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.sendervouches;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collections;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.ws.security.saml.ext.SAMLCallback;
+import org.apache.ws.security.saml.ext.bean.AttributeBean;
+import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
+import org.apache.ws.security.saml.ext.bean.SubjectBean;
+import org.apache.ws.security.saml.ext.builder.SAML2Constants;
+import org.opensaml.common.SAMLVersion;
+
+/**
+ * Create a SAML2 Assertion via some authenticated information (Principal).
+ */
+public class Saml2CallbackHandler implements CallbackHandler {
+    
+    private Principal principal;
+    
+    public Saml2CallbackHandler(Principal principal) {
+        this.principal = principal;
+    }
+    
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof SAMLCallback) {
+                
+                SAMLCallback callback = (SAMLCallback) callbacks[i];
+                callback.setSamlVersion(SAMLVersion.VERSION_20);
+                
+                callback.setIssuer("intermediary");
+                String subjectName = "uid=" + principal.getName();
+                String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+
+                SubjectBean subjectBean = 
+                    new SubjectBean(subjectName, null, confirmationMethod);
+                callback.setSubject(subjectBean);
+                
+                AttributeStatementBean attrBean = new AttributeStatementBean();
+                if (subjectBean != null) {
+                    attrBean.setSubject(subjectBean);
+                }
+                AttributeBean attributeBean = new AttributeBean();
+                attributeBean.setSimpleName("role");
+                attributeBean.setAttributeValues(Collections.singletonList("user"));
+                attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
+                callback.setAttributeStatementData(Collections.singletonList(attrBean));
+            }
+        }
+    }
+    
+}
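Review bot: `handle` builds the subject name from `principal.getName()`, but the constructor accepts a null `principal` without complaint, so a caller that failed to extract a principal only finds out via a NullPointerException inside the SAML callback; validate at construction with `this.principal = Objects.requireNonNull(principal, "principal");` (needs `java.util.Objects`). The `if (subjectBean != null)` check is always true because `subjectBean` was constructed two lines earlier and can be removed. Callbacks that are not `SAMLCallback` are silently ignored rather than reported with `UnsupportedCallbackException`; if that is deliberate, a one-line comment saying so would stop a reader from treating it as an oversight.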

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/SenderVouchesTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/SenderVouchesTest.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/SenderVouchesTest.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/SenderVouchesTest.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,88 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.sendervouches;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+/**
+ * In this test case, a CXF client sends a Username Token via (1-way) TLS to a CXF intermediary.
+ * The intermediary validates the UsernameToken, and then inserts the username into a SAML
+ * Assertion which it signs and sends to a provider (via TLS).
+ */
+public class SenderVouchesTest extends AbstractBusClientServerTestBase {
+    
+    static final String PORT2 = allocatePort(Server.class, 2);
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+    
+    private static final String PORT = allocatePort(Intermediary.class);
+
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork
+            launchServer(Server.class, true)
+        );
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork
+            launchServer(Intermediary.class, true)
+        );
+    }
+
+    @org.junit.Test
+    public void testSenderVouches() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SenderVouchesTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SenderVouchesTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportUTPort");
+        DoubleItPortType transportUTPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportUTPort, PORT);
+        
+        doubleIt(transportUTPort, 25);
+    }
+    
+    private static void doubleIt(DoubleItPortType port, int numToDouble) {
+        int resp = port.doubleIt(numToDouble);
+        System.out.println("The number " + numToDouble + " doubled is " + resp);
+        assertTrue(resp == 2 * numToDouble);
+    }
+}
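Review bot: Only the success path of the sender-vouches flow is exercised; nothing here shows the provider rejecting an assertion that lacks the intermediary's signature or is signed by a key it does not trust, which is the property the sender-vouches confirmation method relies on, so a provider misconfigured to accept any assertion would pass this test unchanged. A negative case in the style of `testUnknownClient` in TransportBindingTest (an assertion signed with an untrusted key, expecting a `SOAPFaultException`) would pin that down. In `doubleIt`, `assertEquals(2 * numToDouble, resp);` gives a meaningful failure message where `assertTrue(resp == 2 * numToDouble)` only reports false. `PORT2` is not referenced anywhere in this file; if the Spring configuration consumes it through the system property that `allocatePort` sets, a one-line comment saying so would stop it being removed as unused.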

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Server.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Server.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/sendervouches/Server.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.sendervouches;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
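Review bot: The `try { new Server(); } catch (Exception e) { e.printStackTrace(); }` block at the end of `run()` is dead code: the no-arg constructor is empty and cannot throw, so the block starts nothing and adds no error handling, while the catch-and-print pattern would hide a real launch failure if anything were ever placed inside it. Dropping the try/catch (or, if a second instance is genuinely intended, letting the exception propagate so `launchServer` reports it) is the safer shape. This class is otherwise byte-identical to the Server classes added under symmetric/, transport/ and username_actas/ in the same commit; a shared base in the systest common package taking the resource name would remove four copies.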

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/Server.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/Server.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/Server.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.symmetric;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
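Review bot: `run()` ends with `try { new Server(); } catch (Exception e) { e.printStackTrace(); }`, which is a no-op: the constructor body is empty, nothing can be thrown, and the object is discarded. If the intent was to guard the bus creation above it, that code is outside the try; as written the block only introduces a swallow-and-print pattern that would mask a launch failure. Removing it, or moving the `createBus`/`setBus` lines inside and rethrowing, would make the server's failure mode explicit; the same applies to the identical Server classes elsewhere in this commit.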

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.symmetric;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.Service;
+
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.common.TokenTestUtils;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+/**
+ * Test the Symmetric binding. The CXF client gets a token from the STS by authenticating via a
+ * Username Token over the symmetric binding, and then sends it to the CXF endpoint using 
+ * the symmetric binding.
+ */
+public class SymmetricBindingTest extends AbstractBusClientServerTestBase {
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+    
+    private static final String PORT = allocatePort(Server.class);
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork
+            launchServer(Server.class, true)
+        );
+        String deployment = System.getProperty("sts.deployment");
+        if ("standalone".equals(deployment)) {
+            assertTrue(
+                    "Server failed to launch",
+                    // run the server in the same process
+                    // set this to false to fork
+                    launchServer(STSServer.class, true)
+            );
+        }
+    }
+    
+    @org.junit.Test
+    public void testUsernameTokenSAML1() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML1Port");
+        DoubleItPortType symmetricSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml1Port, PORT);
+
+        doubleIt(symmetricSaml1Port, 25);
+
+        TokenTestUtils.verifyToken(symmetricSaml1Port);
+    }
+
+    @org.junit.Test
+    public void testUsernameTokenSAML2() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2Port");
+        DoubleItPortType symmetricSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml2Port, PORT);
+        
+        doubleIt(symmetricSaml2Port, 30);
+
+        TokenTestUtils.verifyToken(symmetricSaml2Port);
+    }
+
+    private static void doubleIt(DoubleItPortType port, int numToDouble) {
+        int resp = port.doubleIt(numToDouble);
+        System.out.println("The number " + numToDouble + " doubled is " + resp);
+    }
+}
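Review bot: The private `doubleIt` helper at the end of the class prints the response but never checks it, so both tests pass as long as the invocation does not throw; the same helper in SenderVouchesTest asserts `resp == 2 * numToDouble`. Adding `assertEquals(2 * numToDouble, resp);` after the call makes the helper verify the exchange rather than only its absence of a fault. `TokenTestUtils.verifyToken` is invoked after each call, so the token-side checks appear to be covered; it is only the service response that goes unverified.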

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/Server.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/Server.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/Server.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.transport;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
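Review bot: The trailing `try { new Server(); } catch (Exception e) { e.printStackTrace(); }` in `run()` does nothing useful: the no-arg constructor is empty and the new instance is thrown away, so the only effect of the block is to establish a catch-everything-and-print idiom that would silently hide a failure if code were later added to it. Remove the three lines, or if an exception path is wanted around `createBus`, let it propagate so the `launchServer` assertion in the test fails loudly. Consider also collapsing this and the identical Server classes in the sibling packages into one shared class.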

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,191 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.transport;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+/**
+ * Test the TransportBinding. The CXF client gets a token from the STS over TLS, and then
+ * sends it to the CXF endpoint over TLS.
+ */
+public class TransportBindingTest extends AbstractBusClientServerTestBase {
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+
+    private static final String PORT = allocatePort(Server.class);
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
+                   launchServer(Server.class, true)
+        );
+        String deployment = System.getProperty("sts.deployment");
+        if ("standalone".equals(deployment)) {
+            assertTrue(
+                    "Server failed to launch",
+                    // run the server in the same process
+                    // set this to false to fork
+                    launchServer(STSServer.class, true)
+            );
+        }
+    }
+
+    @org.junit.Test
+    public void testSAML1() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port");
+        DoubleItPortType transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        
+        doubleIt(transportSaml1Port, 25);
+        
+    }
+
+    @org.junit.Test
+    public void testSAML2() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
+        DoubleItPortType transportSaml2Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml2Port, PORT);
+        
+        doubleIt(transportSaml2Port, 30);
+    }
+    
+    /**
+     * In this test-case, the client sends another cert to the STS for inclusion in the
+     * SAML Assertion and connects via 2-way TLS as normal to the service provider. The
+     * service provider will fail, as the TLS cert does not match the cert provided in
+     * the SAML Assertion.
+     */
+    @org.junit.Test
+    public void testUnknownClient() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = TransportBindingTest.class.getResource("cxf-bad-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port");
+        DoubleItPortType transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        
+        try {
+            doubleIt(transportSaml1Port, 35);
+            fail("Expected failure on an unknown client");
+        } catch (javax.xml.ws.soap.SOAPFaultException fault) {
+            // expected
+        }
+    }
+
+    @org.junit.Test
+    public void testSAML1Endorsing() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1EndorsingPort");
+        DoubleItPortType transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        
+        doubleIt(transportSaml1Port, 40);
+    }
+    
+    /**
+     * In this test-case, the client sends a request for a Security Token with no
+     * AppliesTo address (configured in Spring on the STSClient object). The STS fails as
+     * it will not issue a token to an unknown address.
+     */
+    @org.junit.Test
+    public void testUnknownAddress() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = TransportBindingTest.class.getResource("cxf-bad-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1EndorsingPort");
+        DoubleItPortType transportSaml1Port = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportSaml1Port, PORT);
+        
+        try {
+            doubleIt(transportSaml1Port, 35);
+            //fail("Expected failure on an unknown address");
+        } catch (javax.xml.ws.soap.SOAPFaultException fault) {
+            // expected
+        }
+    }
+
+    
+    private static void doubleIt(DoubleItPortType port, int numToDouble) {
+        int resp = port.doubleIt(numToDouble);
+        System.out.println("The number " + numToDouble + " doubled is " + resp);
+    }
+}
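Review bot: `testUnknownAddress` can never fail: with `//fail("Expected failure on an unknown address");` commented out at the end of the try block, an STS that issues a token for a request with no AppliesTo passes exactly as one that rejects it, so the negative case the Javadoc describes is not enforced. Either restore `fail("Expected failure on an unknown address");` or, if the STS does not yet reject such requests, mark the method `@org.junit.Ignore` with a reason instead of leaving a test that always passes. Separately, `doubleIt` here only prints the response; unlike the same helper in SenderVouchesTest it never checks it, so `assertEquals(2 * numToDouble, resp);` would make the positive tests assert that the call succeeded rather than merely that no fault was raised.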

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/ActAsValidator.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.username_actas;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.ws.security.validate.Credential;
+import org.apache.ws.security.validate.SamlAssertionValidator;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Attribute;
+import org.opensaml.saml2.core.AttributeStatement;
+import org.opensaml.xml.XMLObject;
+
+/**
+ * This class validates a SAML 2 Assertion and checks that it has a CustomActAs Attribute with
+ * a value containing "alice" or "bob".
+ */
+public class ActAsValidator extends SamlAssertionValidator {
+    
+    @Override
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
+        Credential validatedCredential = super.validate(credential, data);
+        AssertionWrapper assertion = validatedCredential.getAssertion();
+        
+        Assertion saml2Assertion = assertion.getSaml2();
+        if (saml2Assertion == null) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        for (AttributeStatement statement : attributeStatements) {
+            List<Attribute> attributes = statement.getAttributes();
+            for (Attribute attribute : attributes) {
+                if (!"CustomActAs".equals(attribute.getName()) && !"ActAs".equals(attribute.getName())) {
+                    continue;
+                }
+                for (XMLObject attributeValue : attribute.getAttributeValues()) {
+                    Element attributeValueElement = attributeValue.getDOM();
+                    String text = attributeValueElement.getTextContent();
+                    if (text.contains("alice") || text.contains("bob")) {
+                        return validatedCredential;
+                    }
+                }
+            }
+        }
+        
+        throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
+    }
+
+}
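Review bot: The accept condition `text.contains("alice") || text.contains("bob")` is a substring match, so an ActAs value such as `malice`, `bobby` or `alice;admin` satisfies it; for a check that decides whether a delegated identity is honoured, an exact comparison is safer, and if substring matching is deliberate the Javadoc should say why. `attributeValue.getDOM()` is also dereferenced without a null check, and as far as I can tell OpenSAML may return null there for an object without a cached DOM, which would surface as a NullPointerException instead of the intended WSSecurityException. Suggested replacement for the three lines inside the inner loop: `Element el = attributeValue.getDOM(); String text = el == null ? null : el.getTextContent(); if (text != null && ("alice".equals(text.trim()) || "bob".equals(text.trim()))) {`. Finally, the class Javadoc mentions only a `CustomActAs` attribute while the code also accepts one named `ActAs`; the comment should reflect both names.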

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/Server.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/Server.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/Server.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.username_actas;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
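Review bot: The `try { new Server(); } catch (Exception e) { e.printStackTrace(); }` at the end of `run()` is dead code: the constructor is empty, the instance is discarded and nothing in the block can throw, so its only contribution is a swallow-and-print pattern that would hide a real error if code were later moved into it. Deleting the three lines leaves the bus creation and `setBus` call as the complete launch sequence, with any failure propagating to the `launchServer` assertion in the test. This is the fourth identical Server class in the commit; a single shared implementation parameterised by the resource name would be easier to keep consistent.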

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsTest.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsTest.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsTest.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,430 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.username_actas;
+
+import java.net.URL;
+
+import javax.xml.namespace.QName;
+import javax.xml.ws.BindingProvider;
+import javax.xml.ws.Service;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.deployment.STSServer;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler;
+import org.example.contract.doubleit.DoubleItPortType;
+import org.junit.BeforeClass;
+
+
+/**
+ * In this test case, a CXF client requests a Security Token from an STS, passing a username that
+ * it has obtained from an unknown client as an "ActAs" element. This username is obtained
+ * by parsing the "ws-security.username" property. The client then invokes on the service 
+ * provider using the returned token from the STS. 
+ */
+public class UsernameActAsTest extends AbstractBusClientServerTestBase {
+    
+    private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
+    private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService");
+
+    private static final String PORT = allocatePort(Server.class);
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+            "Server failed to launch",
+            // run the server in the same process
+            // set this to false to fork
+            launchServer(Server.class, true)
+        );
+        String deployment = System.getProperty("sts.deployment");
+        if ("standalone".equals(deployment)) {
+            assertTrue(
+                    "Server failed to launch",
+                    // run the server in the same process
+                    // set this to false to fork
+                    launchServer(STSServer.class, true)
+            );
+        }
+    }
+
+    @org.junit.Test
+    public void testUsernameActAs() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameActAsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameActAsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2BearerPort");
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT);
+
+        // Transport port
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        doubleIt(transportPort, 25);
+        
+        DoubleItPortType transportPort2 = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort2, PORT);
+        
+        ((BindingProvider)transportPort2).getRequestContext().put(
+            "ws-security.username", "eve"
+        );
+        // This time we expect a failure as the server validator doesn't accept "eve".
+        try {
+            doubleIt(transportPort2, 30);
+            fail("Failure expected on an unknown user");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    /**
+     * Test caching the issued token
+     */
+    @org.junit.Test
+    public void testUsernameActAsCaching() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameActAsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameActAsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2BearerPort");
+        
+        //
+        // Proxy no. 1
+        // 
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT);
+        
+        TokenStore tokenStore = new MemoryTokenStore();
+        ((BindingProvider)transportPort).getRequestContext().put(
+            TokenStore.class.getName(), tokenStore
+        );
+
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        doubleIt(transportPort, 25);
+        
+        // Change the STSClient so that it can no longer find the STS
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setOnBehalfOf(new WSSUsernameCallbackHandler());
+        BindingProvider p = (BindingProvider)transportPort;
+        p.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
+        
+        // This invocation should be successful as the token is cached
+        doubleIt(transportPort, 25);
+        
+        // 
+        // Proxy no. 2
+        //
+        DoubleItPortType transportPort2 = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort2, PORT);
+        
+        // Change the STSClient so that it can no longer find the STS
+        stsClient = new STSClient(bus);
+        stsClient.setOnBehalfOf(new WSSUsernameCallbackHandler());
+        p = (BindingProvider)transportPort2;
+        p.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
+        
+        // This should fail as the cache is not being used
+        try {
+            doubleIt(transportPort2, 40);
+            fail("Failure expected as the token is not stored in the cache");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Set the cache correctly
+        p.getRequestContext().put(TokenStore.class.getName(), tokenStore);
+        
+        // Make another invocation - this should succeed as the token is cached
+        p.getRequestContext().put("ws-security.username", "alice");
+        doubleIt(transportPort2, 40);
+        
+        // Reset the cache - this invocation should fail
+        p.getRequestContext().put(TokenStore.class.getName(), new MemoryTokenStore());
+        try {
+            doubleIt(transportPort2, 40);
+            fail("Failure expected as the cache is reset");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    /**
+     * Test caching the issued token when the STSClient is deployed in an intermediary
+     */
+    @org.junit.Test
+    public void testDifferentUsersCaching() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameActAsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameActAsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2BearerPort");
+        
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT);
+        
+        // Disable storing tokens per-proxy
+        ((BindingProvider)transportPort).getRequestContext().put(
+            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, "false"
+        );
+        
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        doubleIt(transportPort, 25);
+        
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "bob"
+        );
+        doubleIt(transportPort, 30);
+        
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "eve"
+        );
+        try {
+            doubleIt(transportPort, 30);
+            fail("Failure expected on a bad user");
+        } catch (Exception ex) {
+            //
+        }
+        
+        // Change the STSClient so that it can no longer find the STS
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setOnBehalfOf(new WSSUsernameCallbackHandler());
+        BindingProvider p = (BindingProvider)transportPort;
+        p.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
+        
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        doubleIt(transportPort, 25);
+        
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "bob"
+        );
+        doubleIt(transportPort, 30);
+        
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "eve2"
+        );
+        try {
+            doubleIt(transportPort, 30);
+            fail("Failure expected on a bad user");
+        } catch (Exception ex) {
+            //
+        }
+        
+        // Reset the cache - this invocation should fail
+        p.getRequestContext().put(TokenStore.class.getName(), new MemoryTokenStore());
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        try {
+            doubleIt(transportPort, 30);
+            fail("Failure expected");
+        } catch (Exception ex) {
+            //
+        }
+    }
+    
+    /**
+     * Test caching the issued token when the STSClient is deployed in an intermediary
+     */
+    @org.junit.Test
+    public void testAppliesToCaching() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameActAsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameActAsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2BearerPort");
+        
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT);
+        
+        // Disable storing tokens per-proxy
+        ((BindingProvider)transportPort).getRequestContext().put(
+            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, "false"
+        );
+        
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        BindingProvider p = (BindingProvider)transportPort;
+        p.getRequestContext().put(
+            SecurityConstants.STS_APPLIES_TO, 
+            "http://localhost:" + PORT + "/doubleit/services/doubleitasymmetricnew"
+        );
+        doubleIt(transportPort, 25);
+        
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "bob"
+        );
+        p.getRequestContext().put(
+            SecurityConstants.STS_APPLIES_TO, 
+            "http://localhost:" + PORT + "/doubleit/services/doubleitasymmetricnew2"
+        );
+        doubleIt(transportPort, 25);
+        
+        // Change the STSClient so that it can no longer find the STS
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setOnBehalfOf(new WSSUsernameCallbackHandler());
+        p.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
+        
+        // Make a successful invocation - should work as token is cached
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        p.getRequestContext().put(
+            SecurityConstants.STS_APPLIES_TO, 
+            "http://localhost:" + PORT + "/doubleit/services/doubleitasymmetricnew"
+        );
+        doubleIt(transportPort, 25);
+        
+        // Make a successful invocation - should work as token is cached
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "bob"
+        );
+        p.getRequestContext().put(
+            SecurityConstants.STS_APPLIES_TO, 
+            "http://localhost:" + PORT + "/doubleit/services/doubleitasymmetricnew2"
+        );
+        doubleIt(transportPort, 25);
+        
+        // Change appliesTo - should fail
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        p.getRequestContext().put(
+            SecurityConstants.STS_APPLIES_TO, 
+            "http://localhost:" + PORT + "/doubleit/services/doubleitasymmetricnew2"
+        );
+        try {
+            doubleIt(transportPort, 30);
+            fail("Failure expected");
+        } catch (Exception ex) {
+            //
+        }
+    }
+    
+    /**
+     * Test caching the issued token when the STSClient is deployed in an intermediary
+     */
+    @org.junit.Test
+    public void testNoAppliesToCaching() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameActAsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = UsernameActAsTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSAML2BearerPort");
+        
+        DoubleItPortType transportPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportPort, PORT);
+        
+        // Disable storing tokens per-proxy
+        ((BindingProvider)transportPort).getRequestContext().put(
+            SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT, "false"
+        );
+        
+        // Make a successful invocation
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "alice"
+        );
+        // Disable appliesTo
+        BindingProvider p = (BindingProvider)transportPort;
+        STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        stsClient.setEnableAppliesTo(false);
+        doubleIt(transportPort, 25);
+        
+        // Change the STSClient so that it can no longer find the STS
+        stsClient = new STSClient(bus);
+        stsClient.setOnBehalfOf(new WSSUsernameCallbackHandler());
+        stsClient.setEnableAppliesTo(false);
+        p.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
+        
+        // This should work
+        doubleIt(transportPort, 25);
+        
+        // Bob should fail
+        ((BindingProvider)transportPort).getRequestContext().put(
+            "ws-security.username", "bob"
+        );
+        try {
+            doubleIt(transportPort, 30);
+            fail("Failure expected");
+        } catch (Exception ex) {
+            //
+        }
+    }
+
+    private static void doubleIt(DoubleItPortType port, int numToDouble) {
+        int resp = port.doubleIt(numToDouble);
+        System.out.println("The number " + numToDouble + " doubled is " + resp);
+        assertTrue(resp == 2 * numToDouble);
+    }
+}
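Review bot: Every negative check in this file (lines 1535-1540, 1601-1606, 1617-1622, 1665-1670, 1692-1697, 1704-1709, 1792-1797, 1849-1854) accepts any `Exception` as the expected authorization failure, so a client that cannot reach the service or the STS at all (connection refused, bad bus config, NPE) makes the "eve"/"bob"/reset-cache cases pass for the wrong reason; for a security test this hides exactly the misconfiguration it should surface. Narrowing the catch to the fault the client actually raises here, which I believe is `javax.xml.ws.soap.SOAPFaultException` for a server-side WS-Security rejection (please confirm against a run), or at least adding `assertTrue("unexpected failure: " + ex, ex instanceof javax.xml.ws.soap.SOAPFaultException);` inside each catch would make the tests fail on transport errors instead of passing silently. The Javadoc on `testDifferentUsersCaching`, `testAppliesToCaching` and `testNoAppliesToCaching` is the same copied sentence ("Test caching the issued token when the STSClient is deployed in an intermediary") and does not describe any of them; suggested one-liners are `Test that cached tokens are keyed per user and not reused for a different "ws-security.username"`, `Test that cached tokens are keyed per AppliesTo address` and `Test caching when AppliesTo is disabled on the STSClient`. On line 1832 the `(STSClient)` cast of the request-context value is unchecked, so the test would fail with an NPE rather than a clear message if the STS client were configured elsewhere than the request context; `assertNotNull("STSClient not in request context", stsClient);` before `setEnableAppliesTo` would make that explicit.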

Added: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/Server.java?rev=1185276&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/Server.java (added)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/Server.java Mon Oct 17 16:15:04 2011
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.username_onbehalfof;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
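Review bot: The `try { new Server(); } catch (Exception e) { e.printStackTrace(); }` at lines 1909-1913 constructs an instance that is never used, and since the constructor at line 1899 has an empty body it cannot throw, so the catch block is dead code and the `printStackTrace()` would in any case only swallow a failure rather than report it to the launcher; the same pattern appears in the `username_actas/Server.java` hunk earlier in this commit. Either drop those five lines or replace them with a comment saying the endpoints are published by the Spring config loaded on line 1905, e.g. `// endpoints are published by cxf-service.xml; nothing further to start here`, so the next reader does not assume something is being started. `run()` overrides the base-class method and should carry `@Override`.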


