cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1200336 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/ ...
Date Thu, 10 Nov 2011 14:15:59 GMT
Author: coheigea
Date: Thu Nov 10 14:15:58 2011
New Revision: 1200336

URL: http://svn.apache.org/viewvc?rev=1200336&view=rev
Log:
Abstracted most of the supporting token policy validation code in CXF into a common abstract class.
Added support for SignedEndorsingSupportingToken policy validation.
Added some tests for SignedEndorsingSupportingToken policy validation in CXF.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
      - copied, changed from r1200189, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Removed:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu Nov 10 14:15:58 2011
@@ -75,7 +75,8 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
@@ -569,21 +570,24 @@ public class PolicyBasedWSS4JInIntercept
             new SecurityContextTokenPolicyValidator(msg, results);
         sctValidator.validatePolicy(aim);
         
-        SupportingTokenPolicyValidator suppValidator = 
-            new SupportingTokenPolicyValidator(msg, results, signedResults);
+        SignedTokenPolicyValidator suppValidator = 
+            new SignedTokenPolicyValidator(msg, results, signedResults);
         suppValidator.setValidateUsernameToken(utWithCallbacks);
         suppValidator.validatePolicy(aim);
         
         EndorsingTokenPolicyValidator endorsingValidator = 
-            new EndorsingTokenPolicyValidator(results, signedResults, msg);
+            new EndorsingTokenPolicyValidator(msg, results, signedResults);
         endorsingValidator.validatePolicy(aim);
         
+        SignedEndorsingTokenPolicyValidator signedEdorsingValidator = 
+            new SignedEndorsingTokenPolicyValidator(msg, results, signedResults);
+        signedEdorsingValidator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
         assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
         if (hasEndorsement || isRequestor(msg)) {
-            assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         }

Copied: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (from r1200189, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?p2=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java&p1=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java&r1=1200189&r2=1200336&rev=1200336&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Thu Nov 10 14:15:58 2011
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.List;
 
 import javax.xml.namespace.QName;
@@ -32,15 +31,6 @@ import org.w3c.dom.Element;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
 import org.apache.ws.security.WSSecurityEngine;
@@ -53,30 +43,43 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
- * Validate an EndorsingSupportingToken policy. 
+ * A base class to use to validate various SupportingToken policies.
  */
-public class EndorsingTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public abstract class AbstractSupportingTokenPolicyValidator extends AbstractTokenPolicyValidator {
     
-    private List<WSSecurityEngineResult> results;
-    private List<WSSecurityEngineResult> signedResults;
-    private Message message;
-    private Element timestamp;
-    private boolean tls;
-    
-    public EndorsingTokenPolicyValidator(
+    protected Message message;
+    protected List<WSSecurityEngineResult> results;
+    protected List<WSSecurityEngineResult> signedResults;
+    protected List<WSSecurityEngineResult> encryptedResults;
+    protected boolean tls;
+    protected boolean validateUsernameToken = true;
+    protected Element timestamp;
+
+    public AbstractSupportingTokenPolicyValidator(
+        Message message,
         List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        Message message
+        List<WSSecurityEngineResult> signedResults
     ) {
+        this.message = message;
         this.results = results;
         this.signedResults = signedResults;
-        this.message = message;
-        WSSecurityEngineResult result = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
-        if (result != null) {
-            Timestamp ts = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+        
+        // Store the timestamp element
+        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+        if (tsResult != null) {
+            Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
             timestamp = ts.getElement();
         }
         
+        // Store the encryption results
+        encryptedResults = new ArrayList<WSSecurityEngineResult>();
+        for (WSSecurityEngineResult result : results) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.ENCR) {
+                encryptedResults.add(result);
+            }
+        }
+        
         // See whether TLS is in use or not
         TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
         if (tlsInfo != null) {
@@ -84,60 +87,62 @@ public class EndorsingTokenPolicyValidat
         }
     }
     
-    public boolean validatePolicy(
-        AssertionInfoMap aim
-    ) {
-        Collection<AssertionInfo> endorsingAis = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-        if (endorsingAis != null && !endorsingAis.isEmpty()) {
-            for (AssertionInfo ai : endorsingAis) {
-                SupportingToken binding = (SupportingToken)ai.getAssertion();
-                if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
-                    continue;
-                }
-                ai.setAsserted(true);
-                
-                List<Token> tokens = binding.getTokens();
-                for (Token token : tokens) {
-                    if (!isTokenRequired(token, message)) {
-                        continue;
-                    }
-                    boolean derived = token.isDerivedKeys();
-                    if (token instanceof KerberosToken && !processKerberosTokens(derived)) {
-                        ai.setNotAsserted(
-                             "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    } else if (token instanceof X509Token && !processX509Tokens(derived)) {
-                        ai.setNotAsserted(
-                            "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    } else if (token instanceof SecurityContextToken && !processSCTokens(derived)) {
-                        ai.setNotAsserted(
-                            "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    }
-                }
-            }
+    public void setValidateUsernameToken(boolean validateUsernameToken) {
+        this.validateUsernameToken = validateUsernameToken;
+    }
+    
+    /**
+     * Process UsernameTokens. Only SignedSupportingTokens are currently enforced.
+     */
+    protected boolean processUsernameTokens(boolean signed, boolean endorsed, boolean derived) {
+        if (!validateUsernameToken) {
+            return true;
         }
+        List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, tokenResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, tokenResults);
         
-        return true;
+        if (tokenResults.isEmpty()) {
+            return false;
+        }
+        
+        return areTokensSigned(tokenResults);
     }
     
-    private boolean processKerberosTokens(boolean derived) {
+    
+    /**
+     * Process SAML Tokens. Only SignedSupportingTokens are currently enforced.
+     */
+    protected boolean processSAMLTokens(boolean signed, boolean endorsed, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, tokenResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, tokenResults);
+        
+        if (tokenResults.isEmpty()) {
+            return false;
+        }
+        
+        return areTokensSigned(tokenResults);
+    }
+    
+    
+    /**
+     * Process Kerberos Tokens.
+     */
+    protected boolean processKerberosTokens(boolean signed, boolean endorsed, boolean derived) {
+        List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+        List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
                 BinarySecurity binarySecurity = 
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof KerberosSecurity) {
-                    if (derived) {
+                    if (endorsed && derived) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                         WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                         if (dktResult != null) {
-                            tokenResults.add(dktResult);
+                            dktResults.add(dktResult);
                         }
                     }
                     tokenResults.add(wser);
@@ -149,11 +154,23 @@ public class EndorsingTokenPolicyValidat
             return false;
         }
         
-        return checkEndorsed(tokenResults, tls);
+        if (signed && !areTokensSigned(tokenResults)) {
+            return false;
+        }
+        tokenResults.addAll(dktResults);
+        if (endorsed && !checkEndorsed(tokenResults)) {
+            return false;
+        }
+        return true;
     }
     
-    private boolean processX509Tokens(boolean derived) {
+    
+    /**
+     * Process X509 Tokens.
+     */
+    protected boolean processX509Tokens(boolean signed, boolean endorsed, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+        List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
@@ -161,10 +178,10 @@ public class EndorsingTokenPolicyValidat
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof X509Security
                     || binarySecurity instanceof PKIPathSecurity) {
-                    if (derived) {
+                    if (endorsed && derived) {
                         WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
                         if (resultToStore != null) {
-                            tokenResults.add(resultToStore);
+                            dktResults.add(resultToStore);
                         }
                     }
                     tokenResults.add(wser);
@@ -176,33 +193,31 @@ public class EndorsingTokenPolicyValidat
             return false;
         }
         
-        return checkEndorsed(tokenResults, tls);
-    }
-    
-    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
-        X509Certificate cert = 
-            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-        WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
-        if (encrResult != null) {
-            byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
-            WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
-            if (dktResult != null) {
-                return dktResult;
-            }
+        if (signed && !areTokensSigned(tokenResults)) {
+            return false;
         }
-        return null;
+        tokenResults.addAll(dktResults);
+        if (endorsed && !checkEndorsed(tokenResults)) {
+            return false;
+        }
+        return true;
     }
     
-    private boolean processSCTokens(boolean derived) {
+    
+    /**
+     * Process Security Context Tokens.
+     */
+    protected boolean processSCTokens(boolean signed, boolean endorsed, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
+        List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.SCT) {
-                if (derived) {
+                if (endorsed && derived) {
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
                     if (dktResult != null) {
-                        tokenResults.add(dktResult);
+                        dktResults.add(dktResult);
                     }
                 }
                 tokenResults.add(wser);
@@ -213,7 +228,32 @@ public class EndorsingTokenPolicyValidat
             return false;
         }
         
-        return checkEndorsed(tokenResults, tls);
+        if (signed && !areTokensSigned(tokenResults)) {
+            return false;
+        }
+        tokenResults.addAll(dktResults);
+        if (endorsed && !checkEndorsed(tokenResults)) {
+            return false;
+        }
+        return true;
+    }
+    
+    /**
+     * Find an EncryptedKey element that has a cert that matches the cert of the signature, then
+     * find a DerivedKey element that matches that EncryptedKey element.
+     */
+    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
+        X509Certificate cert = 
+            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+        WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
+        if (encrResult != null) {
+            byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
+            WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+            if (dktResult != null) {
+                return dktResult;
+            }
+        }
+        return null;
     }
     
     /**
@@ -253,16 +293,32 @@ public class EndorsingTokenPolicyValidat
     /**
      * Check the endorsing supporting token policy. If we're using the Transport Binding then
      * check that the Timestamp is signed. Otherwise, check that the signature is signed.
-     * @param transport
      * @return true if the endorsed supporting token policy is correct
      */
-    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults, boolean transport) {
-        if (transport) {
+    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
+        if (tls) {
             return checkTimestampIsSigned(tokenResults);
         }
         return checkSignatureIsSigned(tokenResults);
     }
     
+    
+    /**
+     * Return true if a list of tokens were signed, false otherwise.
+     */
+    private boolean areTokensSigned(List<WSSecurityEngineResult> tokens) {
+        if (tls) {
+            return true;
+        }
+        for (WSSecurityEngineResult wser : tokens) {
+            Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+            if (!isTokenSigned(tokenElement)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    
     /**
      * Return true if the Timestamp is signed by one of the token results
      * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
@@ -352,4 +408,21 @@ public class EndorsingTokenPolicyValidat
         
         return false;
     }
+    
+    /**
+     * Return true if a token was signed, false otherwise.
+     */
+    private boolean isTokenSigned(Element token) {
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> dataRefs = 
+                CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            for (WSDataRef dataRef : dataRefs) {
+                if (token == dataRef.getProtectedElement()) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Thu Nov 10 14:15:58 2011
@@ -19,337 +19,84 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Element;
-
-import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.KerberosToken;
 import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
 import org.apache.cxf.ws.security.policy.model.SupportingToken;
 import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.KerberosSecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
  * Validate an EndorsingSupportingToken policy. 
  */
-public class EndorsingTokenPolicyValidator extends AbstractTokenPolicyValidator {
-    
-    private List<WSSecurityEngineResult> results;
-    private List<WSSecurityEngineResult> signedResults;
-    private Message message;
-    private Element timestamp;
-    private boolean tls;
+public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
     public EndorsingTokenPolicyValidator(
+        Message message,
         List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        Message message
+        List<WSSecurityEngineResult> signedResults
     ) {
-        this.results = results;
-        this.signedResults = signedResults;
-        this.message = message;
-        WSSecurityEngineResult result = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
-        if (result != null) {
-            Timestamp ts = (Timestamp)result.get(WSSecurityEngineResult.TAG_TIMESTAMP);
-            timestamp = ts.getElement();
-        }
-        
-        // See whether TLS is in use or not
-        TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
-        if (tlsInfo != null) {
-            tls = true;
-        }
+        super(message, results, signedResults);
     }
     
     public boolean validatePolicy(
         AssertionInfoMap aim
     ) {
-        Collection<AssertionInfo> endorsingAis = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-        if (endorsingAis != null && !endorsingAis.isEmpty()) {
-            for (AssertionInfo ai : endorsingAis) {
-                SupportingToken binding = (SupportingToken)ai.getAssertion();
-                if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+
+        for (AssertionInfo ai : ais) {
+            SupportingToken binding = (SupportingToken)ai.getAssertion();
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
+                continue;
+            }
+            ai.setAsserted(true);
+
+            List<Token> tokens = binding.getTokens();
+            for (Token token : tokens) {
+                if (!isTokenRequired(token, message)) {
                     continue;
                 }
-                ai.setAsserted(true);
                 
-                List<Token> tokens = binding.getTokens();
-                for (Token token : tokens) {
-                    if (!isTokenRequired(token, message)) {
-                        continue;
+                boolean derived = token.isDerivedKeys();
+                boolean processingFailed = false;
+                if (token instanceof KerberosToken) {
+                    if (!processKerberosTokens(false, true, derived)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof X509Token) {
+                    if (!processX509Tokens(false, true, derived)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SecurityContextToken) {
+                    if (!processSCTokens(false, true, derived)) {
+                        processingFailed = true;
                     }
-                    boolean derived = token.isDerivedKeys();
-                    if (token instanceof KerberosToken && !processKerberosTokens(derived)) {
-                        ai.setNotAsserted(
-                             "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    } else if (token instanceof X509Token && !processX509Tokens(derived)) {
-                        ai.setNotAsserted(
-                            "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    } else if (token instanceof SecurityContextToken && !processSCTokens(derived)) {
-                        ai.setNotAsserted(
-                            "The received token does not match the supporting token requirement"
-                        );
-                        return false;
-                    }
-                }
-            }
-        }
-        
-        return true;
-    }
-    
-    private boolean processKerberosTokens(boolean derived) {
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.BST) {
-                BinarySecurity binarySecurity = 
-                    (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                if (binarySecurity instanceof KerberosSecurity) {
-                    if (derived) {
-                        byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                        WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
-                        if (dktResult != null) {
-                            tokenResults.add(dktResult);
-                        }
-                    }
-                    tokenResults.add(wser);
+                } else if (!(token instanceof IssuedToken)) {
+                    processingFailed = true;
                 }
-            }
-        }
-        
-        if (tokenResults.isEmpty()) {
-            return false;
-        }
-        
-        return checkEndorsed(tokenResults, tls);
-    }
-    
-    private boolean processX509Tokens(boolean derived) {
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.BST) {
-                BinarySecurity binarySecurity = 
-                    (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                if (binarySecurity instanceof X509Security
-                    || binarySecurity instanceof PKIPathSecurity) {
-                    if (derived) {
-                        WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
-                        if (resultToStore != null) {
-                            tokenResults.add(resultToStore);
-                        }
-                    }
-                    tokenResults.add(wser);
-                }
-            }
-        }
-        
-        if (tokenResults.isEmpty()) {
-            return false;
-        }
-        
-        return checkEndorsed(tokenResults, tls);
-    }
-    
-    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
-        X509Certificate cert = 
-            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-        WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
-        if (encrResult != null) {
-            byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
-            WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
-            if (dktResult != null) {
-                return dktResult;
-            }
-        }
-        return null;
-    }
-    
-    private boolean processSCTokens(boolean derived) {
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.SCT) {
-                if (derived) {
-                    byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                    WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
-                    if (dktResult != null) {
-                        tokenResults.add(dktResult);
-                    }
+                
+                if (processingFailed) {
+                    ai.setNotAsserted(
+                        "The received token does not match the endorsing supporting token requirement"
+                    );
+                    return false;
                 }
-                tokenResults.add(wser);
             }
         }
         
-        if (tokenResults.isEmpty()) {
-            return false;
-        }
-        
-        return checkEndorsed(tokenResults, tls);
-    }
-    
-    /**
-     * Get a security result representing a Derived Key that has a secret key that
-     * matches the parameter.
-     */
-    private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.DKT) {
-                byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                if (Arrays.equals(secret, dktSecret)) {
-                    return wser;
-                }
-            }
-        }
-        return null;
-    }
-    
-    /**
-     * Get a security result representing an EncryptedKey that matches the parameter.
-     */
-    private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.ENCR) {
-                X509Certificate encrCert = 
-                    (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-                if (cert.equals(encrCert)) {
-                    return wser;
-                }
-            }
-        }
-        return null;
-    }
-    
-    /**
-     * Check the endorsing supporting token policy. If we're using the Transport Binding then
-     * check that the Timestamp is signed. Otherwise, check that the signature is signed.
-     * @param transport
-     * @return true if the endorsed supporting token policy is correct
-     */
-    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults, boolean transport) {
-        if (transport) {
-            return checkTimestampIsSigned(tokenResults);
-        }
-        return checkSignatureIsSigned(tokenResults);
-    }
-    
-    /**
-     * Return true if the Timestamp is signed by one of the token results
-     * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
-     * @return true if the Timestamp is signed
-     */
-    private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults) {
-        for (WSSecurityEngineResult signedResult : signedResults) {
-            List<WSDataRef> sl =
-                CastUtils.cast((List<?>)signedResult.get(
-                    WSSecurityEngineResult.TAG_DATA_REF_URIS
-                ));
-            if (sl != null) {
-                for (WSDataRef dataRef : sl) {
-                    if (timestamp == dataRef.getProtectedElement()
-                        && checkSignature(signedResult, tokenResults)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-    
-    /**
-     * Return true if the Signature is itself signed by one of the token results
-     * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
-     * @return true if the Signature is itself signed
-     */
-    private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults) {
-        for (WSSecurityEngineResult signedResult : signedResults) {
-            List<WSDataRef> sl =
-                CastUtils.cast((List<?>)signedResult.get(
-                    WSSecurityEngineResult.TAG_DATA_REF_URIS
-                ));
-            if (sl != null && sl.size() == 1) {
-                for (WSDataRef dataRef : sl) {
-                    QName signedQName = dataRef.getName();
-                    if (WSSecurityEngine.SIGNATURE.equals(signedQName)
-                        && checkSignature(signedResult, tokenResults)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
+        return true;
     }
     
-    /**
-     * Check that a WSSecurityEngineResult corresponding to a signature uses the same 
-     * signing credential as one of the tokens.
-     * @param signatureResult a WSSecurityEngineResult corresponding to a signature
-     * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens
-     * @return 
-     */
-    private boolean checkSignature(
-        WSSecurityEngineResult signatureResult,
-        List<WSSecurityEngineResult> tokenResult
-    ) {
-        // See what was used to sign this result
-        X509Certificate cert = 
-            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-        byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET);
-        
-        // Now see if the same credential exists in the tokenResult list
-        for (WSSecurityEngineResult token : tokenResult) {
-            BinarySecurity binarySecurity = 
-                (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-            if (binarySecurity instanceof X509Security
-                || binarySecurity instanceof PKIPathSecurity) {
-                X509Certificate foundCert = 
-                    (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-                if (foundCert.equals(cert)) {
-                    return true;
-                }
-            } else {
-                byte[] foundSecret = (byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
-                if (foundSecret != null && Arrays.equals(foundSecret, secret)) {
-                    return true;
-                }
-                byte[] derivedKey = 
-                    (byte[])token.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);
-                if (derivedKey != null && Arrays.equals(derivedKey, secret)) {
-                    return true;
-                }
-            }
-        }
-        
-        return false;
-    }
 }

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1200336&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Thu Nov 10 14:15:58 2011
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SupportingToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a SignedEndorsingSupportingToken policy. 
+ */
+public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+    
+    public SignedEndorsingTokenPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        super(message, results, signedResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+
+        for (AssertionInfo ai : ais) {
+            SupportingToken binding = (SupportingToken)ai.getAssertion();
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING != binding.getTokenType()) {
+                continue;
+            }
+            ai.setAsserted(true);
+
+            List<Token> tokens = binding.getTokens();
+            for (Token token : tokens) {
+                if (!isTokenRequired(token, message)) {
+                    continue;
+                }
+                
+                boolean derived = token.isDerivedKeys();
+                boolean processingFailed = false;
+                if (token instanceof KerberosToken) {
+                    if (!processKerberosTokens(true, true, derived)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof X509Token) {
+                    if (!processX509Tokens(true, true, derived)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SecurityContextToken) {
+                    if (!processSCTokens(true, true, derived)) {
+                        processingFailed = true;
+                    }
+                } else if (!(token instanceof IssuedToken)) {
+                    processingFailed = true;
+                }
+                
+                if (processingFailed) {
+                    ai.setNotAsserted(
+                        "The received token does not match the signed endorsing supporting token requirement"
+                    );
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+}

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1200336&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Thu Nov 10 14:15:58 2011
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SupportingToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.UsernameToken;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate SignedSupportingToken policies.
+ */
+public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+    
+    public SignedTokenPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        super(message, results, signedResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            SupportingToken binding = (SupportingToken)ai.getAssertion();
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
+                continue;
+            }
+            ai.setAsserted(true);
+            
+            List<Token> tokens = binding.getTokens();
+            for (Token token : tokens) {
+                if (!isTokenRequired(token, message)) {
+                    continue;
+                }
+                
+                boolean processingFailed = false;
+                if (token instanceof UsernameToken) {
+                    if (!processUsernameTokens(true, false, false)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SamlToken) {
+                    if (!processSAMLTokens(true, false, false)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof KerberosToken) {
+                    if (!processKerberosTokens(true, false, false)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof X509Token) {
+                    if (!processX509Tokens(true, false, false)) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SecurityContextToken) {
+                    if (!processSCTokens(true, false, false)) {
+                        processingFailed = true;
+                    }
+                } else if (!(token instanceof IssuedToken)) {
+                    processingFailed = true;
+                }
+                
+                if (processingFailed) {
+                    ai.setNotAsserted(
+                        "The received token does not match the signed supporting token requirement"
+                    );
+                    return false;
+                }
+            }
+
+        }
+        
+        return true;
+    }
+    
+}

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Thu Nov 10 14:15:58 2011
@@ -44,6 +44,9 @@ import wssec.kerberos.DoubleItService;
  * @Ignore annotations and run the tests with:
  *  
  * mvn test -Dtest=KerberosTokenTest -Djava.security.auth.login.config=src/test/resources/kerberos.jaas
+ * 
+ * See here for more information:
+ * http://coheigea.blogspot.com/2011/10/using-kerberos-with-web-services-part.html
  */
 public class KerberosTokenTest extends AbstractBusClientServerTestBase {
     static final String PORT = allocatePort(Server.class);
@@ -229,6 +232,30 @@ public class KerberosTokenTest extends A
         assertTrue(result.equals(BigInteger.valueOf(50)));
     }
     
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testKerberosOverAsymmetricSignedEndorsing() throws Exception {
+        
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType kerberosPort = service.getDoubleItKerberosAsymmetricSignedEndorsingPort();
+        updateAddressPort(kerberosPort, PORT);
+        
+        BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+        assertTrue(result.equals(BigInteger.valueOf(50)));
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Thu Nov 10 14:15:58 2011
@@ -188,6 +188,25 @@ public class X509TokenTest extends Abstr
         x509Port.doubleIt(BigInteger.valueOf(25));
     }
     
+    @org.junit.Test
+    public void testTransportSignedEndorsing() throws Exception {
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        DoubleItPortType x509Port = service.getDoubleItTransportSignedEndorsingPort();
+        updateAddressPort(x509Port, PORT2);
+        x509Port.doubleIt(BigInteger.valueOf(25));
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml Thu Nov 10 14:15:58 2011
@@ -184,4 +184,25 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://WSSec/kerberos}DoubleItKerberosAsymmetricSignedEndorsingPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+           <entry key="ws-security.signature.username" value="alice"/> 
+           <entry key="ws-security.kerberos.client">
+               <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+                   <constructor-arg ref="cxf"/>
+                   <property name="contextName" value="alice"/>
+                   <property name="serviceName" value="bob@service.ws.apache.org"/>
+               </bean>            
+           </entry> 
+       </jaxws:properties>
+    </jaxws:client>
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml Thu Nov 10 14:15:58 2011
@@ -239,4 +239,28 @@
      
     </jaxws:endpoint>  
     
+     <jaxws:endpoint 
+       id="KerberosOverAsymmetricSignedEndorsing"
+       address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEndorsing" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItKerberosAsymmetricSignedEndorsingPort"
+       xmlns:s="http://WSSec/kerberos"
+       implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.username" value="bob"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.encryption.username" value="alice"/>
+           <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+           <entry key="ws-security.is-bsp-compliant" value="false"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint>
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Thu Nov 10 14:15:58 2011
@@ -114,6 +114,17 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://WSSec/x509}DoubleItTransportSignedEndorsingPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <http:conduit name="https://localhost:.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:trustManagers>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Thu Nov 10 14:15:58 2011
@@ -137,8 +137,6 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
-          <entry key="ws-security.callback-handler" 
-                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
           <entry key="ws-security.encryption.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
           <entry key="ws-security.encryption.username" value="alice"/>
@@ -160,8 +158,6 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
-          <entry key="ws-security.callback-handler" 
-                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
           <entry key="ws-security.encryption.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
           <entry key="ws-security.encryption.username" value="alice"/>
@@ -204,4 +200,21 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="TransportSignedEndorsing"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSignedEndorsing" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportSignedEndorsingPort"
+       xmlns:s="http://WSSec/x509"
+       implementor="org.apache.cxf.systest.ws.x509.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/x509/DoubleItX509.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl Thu Nov 10 14:15:58 2011
@@ -234,6 +234,26 @@
         </wsdl:operation>
     </wsdl:binding>
     
+    <wsdl:binding name="DoubleItKerberosAsymmetricSignedEndorsingBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItKerberosAsymmetricSignedEndorsingPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+    
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding">
             <soap:address location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -266,6 +286,10 @@
                    binding="tns:DoubleItKerberosSymmetricDerivedProtectionBinding">
             <soap:address location="http://localhost:9001/DoubleItKerberosSymmetricDerivedProtection" />
         </wsdl:port>
+        <wsdl:port name="DoubleItKerberosAsymmetricSignedEndorsingPort"
+                   binding="tns:DoubleItKerberosAsymmetricSignedEndorsingBinding">
+            <soap:address location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEndorsing" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -649,6 +673,68 @@
       </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItKerberosAsymmetricSignedEndorsingPolicy">
+       <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic128/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+            <sp:Wss11>
+               <wsp:Policy>
+                  <sp:MustSupportRefIssuerSerial/>
+                  <sp:MustSupportRefThumbprint/>
+                  <sp:MustSupportRefEncryptedKey/>
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:SignedEndorsingSupportingTokens>
+               <wsp:Policy>
+                  <sp:KerberosToken
+                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+                      <wsp:Policy>
+                          <sp:WssGssKerberosV5ApReqToken11/>
+                      </wsp:Policy>
+                  </sp:KerberosToken>
+              </wsp:Policy>
+            </sp:SignedEndorsingSupportingTokens>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
          <wsp:All>

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl?rev=1200336&r1=1200335&r2=1200336&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl Thu Nov 10 14:15:58 2011
@@ -187,7 +187,7 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
-     <wsdl:binding name="DoubleItTransportEndorsingBinding" type="tns:DoubleItPortType">
+    <wsdl:binding name="DoubleItTransportEndorsingBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItTransportEndorsingPolicy" />
         <soap:binding style="document"
             transport="http://schemas.xmlsoap.org/soap/http" />
@@ -206,6 +206,25 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItTransportSignedEndorsingBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItTransportSignedEndorsingPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
@@ -233,6 +252,10 @@
                    binding="tns:DoubleItTransportEndorsingBinding">
             <soap:address location="https://localhost:9002/DoubleItX509TransportEndorsing" />
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportSignedEndorsingPort" 
+                   binding="tns:DoubleItTransportSignedEndorsingBinding">
+            <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsing" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -500,6 +523,43 @@
         </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItTransportSignedEndorsingPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken RequireClientCertificate="false" />
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:SignedEndorsingSupportingTokens>
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                    </wsp:Policy>
+                </sp:SignedEndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
          <wsp:All>



Mime
View raw message