From cohei...@apache.org
Subject svn commit: r1200881 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalid...
Date Fri, 11 Nov 2011 13:42:54 GMT
Author: coheigea
Date: Fri Nov 11 13:42:53 2011
New Revision: 1200881

URL: http://svn.apache.org/viewvc?rev=1200881&view=rev
Log:
Added support for using a SAML Token as an EndorsingSupportingToken + added a systest.
Added support for SignedEncryptedSupportingToken policy validation + added some tests.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
      - copied, changed from r1200419, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Fri Nov 11 13:42:53 2011
@@ -75,6 +75,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
@@ -583,8 +584,12 @@ public class PolicyBasedWSS4JInIntercept
             new SignedEndorsingTokenPolicyValidator(msg, results, signedResults);
         signedEdorsingValidator.validatePolicy(aim);
         
+        SignedEncryptedTokenPolicyValidator signedEncryptedValidator = 
+            new SignedEncryptedTokenPolicyValidator(msg, results, signedResults);
+        signedEncryptedValidator.setValidateUsernameToken(utWithCallbacks);
+        signedEncryptedValidator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
-        assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
         assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
         if (hasEndorsement || isRequestor(msg)) {
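Review bot: `SP12Constants.ENCRYPTED_SUPPORTING_TOKENS` is still asserted unconditionally two lines below the new validator, so a policy that demands encrypted supporting tokens is marked satisfied whether or not the token was encrypted. The encryption check this commit introduces for the signed-encrypted case looks reusable for that assertion. Until that is done, I would narrow the REVISIT comment to say exactly what is unchecked, e.g. `//REVISIT - EncryptedSupportingTokens is asserted without checking that the token was actually encrypted`. The enclosing method starts and ends outside the hunk.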

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Fri Nov 11 13:42:53 2011
@@ -34,6 +34,7 @@ import org.apache.cxf.binding.soap.SoapM
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.policy.model.Header;
@@ -217,6 +218,15 @@ public class TransportBindingHandler ext
                                 addSig(signatureValues, doX509TokenSignature(token, 
                                                                              endSuppTokens.getSignedParts(), 
                                                                              endSuppTokens));
+                            } else if (token instanceof SamlToken) {
+                                AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+                                assertionWrapper.toDOM(saaj.getSOAPPart());
+                                storeAssertionAsSecurityToken(assertionWrapper);
+                                addSig(signatureValues, doIssuedTokenSignature(token, 
+                                                                               endSuppTokens
+                                                                               .getSignedParts(), 
+                                                                               endSuppTokens,
+                                                                               null));
                             }
                         }
                     }
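Review bot: `assertionWrapper` is dereferenced on the line after `addSamlToken((SamlToken)token)` with no null check. If `addSamlToken` can return null (for instance when no SAML callback handler is configured, which is not visible here), the outbound request dies with a NullPointerException instead of a policy fault. Suggest wrapping the three following statements in `if (assertionWrapper != null) { ... }` or reporting the token policy as not asserted. The surrounding loop starts outside the hunk.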
@@ -471,7 +481,14 @@ public class TransportBindingHandler ext
             sig.setX509Certificate(secTok.getX509Certificate());
 
             crypto = secTok.getCrypto();
+            if (crypto == null) {
+                crypto = getSignatureCrypto(wrapper);
+            }
             String uname = crypto.getX509Identifier(secTok.getX509Certificate());
+            if (uname == null) {
+                String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
+                uname = (String)message.getContextualProperty(userNameKey);
+            }
             String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
             if (password == null) {
                 password = "";
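Review bot: `crypto.getX509Identifier(...)` still dereferences `crypto` right after the new fallback, and `crypto` stays null when `getSignatureCrypto(wrapper)` finds nothing configured. Likewise `uname` can remain null after the `SecurityConstants.SIGNATURE_USERNAME` lookup and is passed straight to `getPassword`. I would check both and fail with a clear error, marking the spot with `// crypto is still null if no signature crypto is configured; fail here rather than with an NPE`. The username fallback also means the signing key is chosen by configured alias rather than by the certificate carried in the token, which deserves a comment. The enclosing method starts and ends outside the hunk.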

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Fri Nov 11 13:42:53 2011
@@ -40,6 +40,8 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.message.token.PKIPathSecurity;
 import org.apache.ws.security.message.token.Timestamp;
 import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
@@ -54,6 +56,10 @@ public abstract class AbstractSupporting
     protected boolean tls;
     protected boolean validateUsernameToken = true;
     protected Element timestamp;
+    private boolean signed;
+    private boolean encrypted;
+    private boolean derived;
+    private boolean endorsed;
 
     public AbstractSupportingTokenPolicyValidator(
         Message message,
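Review bot: The four new flags default to `false` and are raised only through setters, so a validator subclass that forgets `setSigned(true)` or `setEncrypted(true)` silently enforces nothing. The old `processXxxTokens(signed, endorsed, derived)` signatures forced every call site to state its requirement. A field comment should make the fail-open default explicit, e.g. `// Requirement flags: false means the check is skipped; subclasses must set them before calling processXxxTokens()`. `derived` is stored, but none of the visible hunks read it; if nothing else does either, drop it.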
@@ -91,10 +97,26 @@ public abstract class AbstractSupporting
         this.validateUsernameToken = validateUsernameToken;
     }
     
+    public void setSigned(boolean signed) {
+        this.signed = signed;
+    }
+    
+    public void setEncrypted(boolean encrypted) {
+        this.encrypted = encrypted;
+    }
+    
+    public void setDerived(boolean derived) {
+        this.derived = derived;
+    }
+    
+    public void setEndorsed(boolean endorsed) {
+        this.endorsed = endorsed;
+    }
+    
     /**
      * Process UsernameTokens. Only SignedSupportingTokens are currently enforced.
      */
-    protected boolean processUsernameTokens(boolean signed, boolean endorsed, boolean derived) {
+    protected boolean processUsernameTokens() {
         if (!validateUsernameToken) {
             return true;
         }
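Review bot: The Javadoc kept above `processUsernameTokens()` still says "Only SignedSupportingTokens are currently enforced", but the method now also enforces the `encrypted` flag. The same sentence above `processSAMLTokens()` in the next hunk is stale for `encrypted` and `endorsed` as well. Suggest `Process UsernameTokens. The signed and encrypted requirements set on this validator are enforced.` and the equivalent wording for SAML. Dropping the parameters from these `protected` methods also breaks any subclass outside this commit that still passes the three booleans. The method body continues outside the hunk.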
@@ -106,14 +128,20 @@ public abstract class AbstractSupporting
             return false;
         }
         
-        return areTokensSigned(tokenResults);
+        if (signed && !areTokensSigned(tokenResults)) {
+            return false;
+        }
+        if (encrypted && !areTokensEncrypted(tokenResults)) {
+            return false;
+        }
+        return true;
     }
     
     
     /**
      * Process SAML Tokens. Only SignedSupportingTokens are currently enforced.
      */
-    protected boolean processSAMLTokens(boolean signed, boolean endorsed, boolean derived) {
+    protected boolean processSAMLTokens() {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
         WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, tokenResults);
         WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, tokenResults);
@@ -122,14 +150,23 @@ public abstract class AbstractSupporting
             return false;
         }
         
-        return areTokensSigned(tokenResults);
+        if (signed && !areTokensSigned(tokenResults)) {
+            return false;
+        }
+        if (encrypted && !areTokensEncrypted(tokenResults)) {
+            return false;
+        }
+        if (endorsed && !checkEndorsed(tokenResults)) {
+            return false;
+        }
+        return true;
     }
     
     
     /**
      * Process Kerberos Tokens.
      */
-    protected boolean processKerberosTokens(boolean signed, boolean endorsed, boolean derived) {
+    protected boolean processKerberosTokens() {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
@@ -157,6 +194,9 @@ public abstract class AbstractSupporting
         if (signed && !areTokensSigned(tokenResults)) {
             return false;
         }
+        if (encrypted && !areTokensEncrypted(tokenResults)) {
+            return false;
+        }
         tokenResults.addAll(dktResults);
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
@@ -168,7 +208,7 @@ public abstract class AbstractSupporting
     /**
      * Process X509 Tokens.
      */
-    protected boolean processX509Tokens(boolean signed, boolean endorsed, boolean derived) {
+    protected boolean processX509Tokens() {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
@@ -196,6 +236,9 @@ public abstract class AbstractSupporting
         if (signed && !areTokensSigned(tokenResults)) {
             return false;
         }
+        if (encrypted && !areTokensEncrypted(tokenResults)) {
+            return false;
+        }
         tokenResults.addAll(dktResults);
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
@@ -207,7 +250,7 @@ public abstract class AbstractSupporting
     /**
      * Process Security Context Tokens.
      */
-    protected boolean processSCTokens(boolean signed, boolean endorsed, boolean derived) {
+    protected boolean processSCTokens() {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<WSSecurityEngineResult>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<WSSecurityEngineResult>();
         for (WSSecurityEngineResult wser : results) {
@@ -231,6 +274,9 @@ public abstract class AbstractSupporting
         if (signed && !areTokensSigned(tokenResults)) {
             return false;
         }
+        if (encrypted && !areTokensEncrypted(tokenResults)) {
+            return false;
+        }
         tokenResults.addAll(dktResults);
         if (endorsed && !checkEndorsed(tokenResults)) {
             return false;
@@ -320,6 +366,22 @@ public abstract class AbstractSupporting
     }
     
     /**
+     * Return true if a list of tokens were encrypted, false otherwise.
+     */
+    private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens) {
+        if (tls) {
+            return true;
+        }
+        for (WSSecurityEngineResult wser : tokens) {
+            Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+            if (!isTokenEncrypted(tokenElement)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    
+    /**
      * Return true if the Timestamp is signed by one of the token results
      * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
      * @return true if the Timestamp is signed
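Review bot: `areTokensEncrypted` hands `wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT)` to `isTokenEncrypted` unchecked, and that helper compares by reference. A result with no token element is therefore reported as encrypted whenever some data reference also has a null protected element. Failing closed is safer: `if (tokenElement == null || !isTokenEncrypted(tokenElement)) { return false; }`. The `tls` short-circuit deserves a one-line comment that transport-level protection is being accepted in place of message-level encryption.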
@@ -384,6 +446,7 @@ public abstract class AbstractSupporting
         
         // Now see if the same credential exists in the tokenResult list
         for (WSSecurityEngineResult token : tokenResult) {
+            Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
             BinarySecurity binarySecurity = 
                 (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
             if (binarySecurity instanceof X509Security
@@ -393,6 +456,21 @@ public abstract class AbstractSupporting
                 if (foundCert.equals(cert)) {
                     return true;
                 }
+            } else if (actInt.intValue() == WSConstants.ST_SIGNED
+                || actInt.intValue() == WSConstants.ST_UNSIGNED) {
+                AssertionWrapper assertionWrapper = 
+                    (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (samlKeyInfo != null) {
+                    X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
+                    byte[] subjectSecretKey = samlKeyInfo.getSecret();
+                    if (cert != null && subjectCerts != null && cert.equals(subjectCerts[0])) {
+                        return true;
+                    }
+                    if (subjectSecretKey != null && Arrays.equals(subjectSecretKey, secret)) {
+                        return true;
+                    }
+                }
             } else {
                 byte[] foundSecret = (byte[])token.get(WSSecurityEngineResult.TAG_SECRET);
                 if (foundSecret != null && Arrays.equals(foundSecret, secret)) {
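Review bot: In the new SAML branch `subjectCerts[0]` is read after only a null check, so an empty array from `samlKeyInfo.getCerts()` throws ArrayIndexOutOfBoundsException while validating an inbound message. `assertionWrapper` and `actInt` (unboxed on the `else if` line) are also dereferenced without null checks. Suggest `if (cert != null && subjectCerts != null && subjectCerts.length > 0 && cert.equals(subjectCerts[0]))` and skipping the token when `assertionWrapper == null`. The branch also accepts `WSConstants.ST_UNSIGNED` results, so the subject key of an unsigned assertion can satisfy endorsement unless an earlier step rejects unsigned holder-of-key assertions; a comment should state where that is enforced. The enclosing method starts and ends outside the hunk.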
@@ -425,4 +503,20 @@ public abstract class AbstractSupporting
         return false;
     }
     
+    /**
+     * Return true if a token was encrypted, false otherwise.
+     */
+    private boolean isTokenEncrypted(Element token) {
+        for (WSSecurityEngineResult signedResult : encryptedResults) {
+            List<WSDataRef> dataRefs = 
+                CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            for (WSDataRef dataRef : dataRefs) {
+                if (token == dataRef.getProtectedElement()) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
 }
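Review bot: `dataRefs` is iterated without a null check, so an encrypted result that carries no `TAG_DATA_REF_URIS` entry throws a NullPointerException while validating an inbound message. Adding `if (dataRefs == null) { continue; }` before the inner loop avoids that. The loop variable is still called `signedResult`, apparently carried over from the signed-token helper, and should read `encryptedResult`. No visible hunk declares or fills `encryptedResults`, and the new validator's constructor receives only `results` and `signedResults`, so please confirm the list is populated. If it is empty, every token outside TLS is reported as unencrypted.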

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Fri Nov 11 13:42:53 2011
@@ -29,6 +29,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
 import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
 import org.apache.cxf.ws.security.policy.model.SupportingToken;
 import org.apache.cxf.ws.security.policy.model.Token;
@@ -62,6 +63,7 @@ public class EndorsingTokenPolicyValidat
                 continue;
             }
             ai.setAsserted(true);
+            setEndorsed(true);
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
@@ -70,17 +72,22 @@ public class EndorsingTokenPolicyValidat
                 }
                 
                 boolean derived = token.isDerivedKeys();
+                setDerived(derived);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens(false, true, derived)) {
+                    if (!processKerberosTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens(false, true, derived)) {
+                    if (!processX509Tokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken) {
-                    if (!processSCTokens(false, true, derived)) {
+                    if (!processSCTokens()) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SamlToken) {
+                    if (!processSAMLTokens()) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
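Review bot: The local `derived` now exists only to be passed to the setter, so the two lines can collapse to `setDerived(token.isDerivedKeys());`. Because the requirement now lives in validator state rather than in the call arguments, the `instanceof` chain no longer shows what is being enforced. A short comment above it would help, e.g. `// processXxxTokens() read the endorsed/derived flags set above`. The loop and the final `else if` body continue outside the hunk.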

Copied: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java (from r1200419, cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?p2=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java&p1=cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java&r1=1200419&r2=1200881&rev=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java Fri Nov 11 13:42:53 2011
@@ -38,11 +38,11 @@ import org.apache.cxf.ws.security.policy
 import org.apache.ws.security.WSSecurityEngineResult;
 
 /**
- * Validate SignedSupportingToken policies.
+ * Validate a SignedEncryptedSupportingToken policy. 
  */
-public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
+public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public SignedTokenPolicyValidator(
+    public SignedEncryptedTokenPolicyValidator(
         Message message,
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
@@ -53,18 +53,20 @@ public class SignedTokenPolicyValidator 
     public boolean validatePolicy(
         AssertionInfoMap aim
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         if (ais == null || ais.isEmpty()) {                       
             return true;
         }
-        
+
         for (AssertionInfo ai : ais) {
             SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED != binding.getTokenType()) {
                 continue;
             }
             ai.setAsserted(true);
-            
+            setSigned(true);
+            setEncrypted(true);
+
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
                 if (!isTokenRequired(token, message)) {
@@ -73,23 +75,23 @@ public class SignedTokenPolicyValidator 
                 
                 boolean processingFailed = false;
                 if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens(true, false, false)) {
-                        processingFailed = true;
-                    }
-                } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens(true, false, false)) {
+                    if (!processUsernameTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens(true, false, false)) {
+                    if (!processKerberosTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens(true, false, false)) {
+                    if (!processX509Tokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken) {
-                    if (!processSCTokens(true, false, false)) {
+                    if (!processSCTokens()) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SamlToken) {
+                    if (!processSAMLTokens()) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
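Review bot: An `IssuedToken` listed under SignedEncryptedSupportingTokens reaches none of the `processXxxTokens()` calls, because the final `else if (!(token instanceof IssuedToken))` handles only other types. Its body is outside the hunk, but as far as this hunk shows the issued token is accepted without the signed or encrypted check. If that is deliberate, say so above the branch, e.g. `// IssuedTokens are not checked for signing/encryption here (TODO confirm where they are validated)`. The SamlToken branch has also moved to the end of the chain relative to SignedTokenPolicyValidator for no visible reason; keeping the same order makes the two copies easier to compare.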
@@ -98,12 +100,11 @@ public class SignedTokenPolicyValidator 
                 
                 if (processingFailed) {
                     ai.setNotAsserted(
-                        "The received token does not match the signed supporting token requirement"
+                        "The received token does not match the signed encrypted supporting token requirement"
                     );
                     return false;
                 }
             }
-
         }
         
         return true;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Fri Nov 11 13:42:53 2011
@@ -62,6 +62,8 @@ public class SignedEndorsingTokenPolicyV
                 continue;
             }
             ai.setAsserted(true);
+            setSigned(true);
+            setEndorsed(true);
 
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
@@ -70,17 +72,18 @@ public class SignedEndorsingTokenPolicyV
                 }
                 
                 boolean derived = token.isDerivedKeys();
+                setDerived(derived);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens(true, true, derived)) {
+                    if (!processKerberosTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens(true, true, derived)) {
+                    if (!processX509Tokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken) {
-                    if (!processSCTokens(true, true, derived)) {
+                    if (!processSCTokens()) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
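Review bot: `SamlToken` gets no branch here, although this commit adds one to EndorsingTokenPolicyValidator. A SAML token under SignedEndorsingSupportingTokens therefore falls through to the final `else if (!(token instanceof IssuedToken))` branch, whose body is outside the hunk. If SAML tokens are meant to work as signed endorsing tokens too, add `} else if (token instanceof SamlToken) {` with `if (!processSAMLTokens()) { processingFailed = true; }`. Otherwise a comment noting that the omission is intentional would prevent the two validators from drifting apart unnoticed.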

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Fri Nov 11 13:42:53 2011
@@ -64,6 +64,7 @@ public class SignedTokenPolicyValidator 
                 continue;
             }
             ai.setAsserted(true);
+            setSigned(true);
             
             List<Token> tokens = binding.getTokens();
             for (Token token : tokens) {
@@ -73,23 +74,23 @@ public class SignedTokenPolicyValidator 
                 
                 boolean processingFailed = false;
                 if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens(true, false, false)) {
+                    if (!processUsernameTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens(true, false, false)) {
+                    if (!processSAMLTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens(true, false, false)) {
+                    if (!processKerberosTokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens(true, false, false)) {
+                    if (!processX509Tokens()) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken) {
-                    if (!processSCTokens(true, false, false)) {
+                    if (!processSCTokens()) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/kerberos/KerberosTokenTest.java Fri Nov 11 13:42:53 2011
@@ -256,6 +256,31 @@ public class KerberosTokenTest extends A
         assertTrue(result.equals(BigInteger.valueOf(50)));
     }
     
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testKerberosOverAsymmetricSignedEncrypted() throws Exception {
+        
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = KerberosTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType kerberosPort = service.getDoubleItKerberosAsymmetricSignedEncryptedPort();
+        updateAddressPort(kerberosPort, PORT);
+        
+        BigInteger result = kerberosPort.doubleIt(BigInteger.valueOf(25));
+        assertTrue(result.equals(BigInteger.valueOf(50)));
+    }
+    
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};
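Review bot: `testKerberosOverAsymmetricSignedEncrypted` is committed with a bare `@org.junit.Ignore`, so the new signed-encrypted Kerberos path has no running coverage and nothing records why. Give the annotation a reason string, `@org.junit.Ignore("<reason the test cannot run yet>")`. The early `return` when `unrestrictedPoliciesInstalled` is false reports the test as passed rather than skipped; `org.junit.Assume.assumeTrue(unrestrictedPoliciesInstalled);` makes the skip visible in the report. `checkUnrestrictedPoliciesInstalled` continues outside the hunk.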

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java Fri Nov 11 13:42:53 2011
@@ -305,7 +305,6 @@ public class SamlTokenTest extends Abstr
     }
     
     @org.junit.Test
-    @org.junit.Ignore
     public void testSaml2EndorsingOverTransport() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
@@ -317,14 +316,16 @@ public class SamlTokenTest extends Abstr
 
         DoubleItService service = new DoubleItService();
         
-        DoubleItPortType saml1Port = service.getDoubleItSaml2EndorsingTransportPort();
-        updateAddressPort(saml1Port, PORT2);
+        DoubleItPortType saml2Port = service.getDoubleItSaml2EndorsingTransportPort();
+        updateAddressPort(saml2Port, PORT2);
         
-        ((BindingProvider)saml1Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
         );
 
-        BigInteger result = saml1Port.doubleIt(BigInteger.valueOf(25));
+        BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
         assertTrue(result.equals(BigInteger.valueOf(50)));
     }
     
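Review bot: The re-enabled testSaml2EndorsingOverTransport covers only the accepted case, a holder-of-key assertion set through `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY)`. An endorsing token is only meaningful when the sender proves possession of the key, so a companion test that uses a confirmation method other than holder-of-key and expects the call to fail would show that the endorsing validator rejects it. I cannot tell from the visible hunks whether such a test exists elsewhere. A one-line comment above the `setConfirmationMethod` call, e.g. `// Endorsing requires proof of possession, so the assertion must be holder-of-key`, would explain why this test differs from the other SAML tests.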

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenTest.java Fri Nov 11 13:42:53 2011
@@ -136,4 +136,21 @@ public class UsernameTokenTest extends A
         utPort.doubleIt(BigInteger.valueOf(25));
     }
     
+    @org.junit.Test
+    public void testSignedEncrypted() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = UsernameTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType utPort = service.getDoubleItSignedEncryptedPort();
+        updateAddressPort(utPort, PORT);
+        utPort.doubleIt(BigInteger.valueOf(25));
+    }
+    
 }
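Review bot: testSignedEncrypted discards the return value of `utPort.doubleIt(...)`, so it passes as long as no exception is thrown. The Kerberos and SAML tests in this commit check the result; doing the same here with `BigInteger result = utPort.doubleIt(BigInteger.valueOf(25));` and `assertTrue(result.equals(BigInteger.valueOf(50)));` would confirm that the secured response was actually processed. The test just before it in this file ends the same way, so this may be the file's convention.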

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/client/client.xml Fri Nov 11 13:42:53 2011
@@ -205,4 +205,25 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://WSSec/kerberos}DoubleItKerberosAsymmetricSignedEncryptedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+           <entry key="ws-security.signature.username" value="alice"/> 
+           <entry key="ws-security.kerberos.client">
+               <bean class="org.apache.cxf.ws.security.kerberos.KerberosClient">
+                   <constructor-arg ref="cxf"/>
+                   <property name="contextName" value="alice"/>
+                   <property name="serviceName" value="bob@service.ws.apache.org"/>
+               </bean>            
+           </entry> 
+       </jaxws:properties>
+    </jaxws:client>
+    
 </beans>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/kerberos/server/server.xml Fri Nov 11 13:42:53 2011
@@ -239,7 +239,7 @@
      
     </jaxws:endpoint>  
     
-     <jaxws:endpoint 
+    <jaxws:endpoint 
        id="KerberosOverAsymmetricSignedEndorsing"
        address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEndorsing" 
        serviceName="s:DoubleItService"
@@ -263,4 +263,28 @@
      
     </jaxws:endpoint>
     
+    <jaxws:endpoint 
+       id="KerberosOverAsymmetricSignedEncrypted"
+       address="http://localhost:${testutil.ports.Server}/DoubleItKerberosAsymmetricSignedEncrypted" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItKerberosAsymmetricSignedEncryptedPort"
+       xmlns:s="http://WSSec/kerberos"
+       implementor="org.apache.cxf.systest.ws.kerberos.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.username" value="bob"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.encryption.username" value="alice"/>
+           <entry key="ws-security.bst.validator" value-ref="kerberosValidator"/>
+           <entry key="ws-security.is-bsp-compliant" value="false"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint>
+    
 </beans>
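Review bot: The new KerberosOverAsymmetricSignedEncrypted endpoint sets `ws-security.is-bsp-compliant` to `false` without saying why. Turning off Basic Security Profile enforcement relaxes the checks applied to inbound messages, and test configuration tends to be copied into real deployments, so I would add an XML comment above the entry, e.g. `<!-- BSP enforcement is off for this test because REASON; do not copy into production config -->`. If other Kerberos endpoints in this file carry the same entry, a single comment near the first one would do.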

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml Fri Nov 11 13:42:53 2011
@@ -104,6 +104,7 @@
            <entry key="ws-security.signature.username" value="alice"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.self-sign-saml-assertion" value="true"/>
        </jaxws:properties>
     </jaxws:client>  
    

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client.xml Fri Nov 11 13:42:53 2011
@@ -98,4 +98,17 @@
        </jaxws:properties>
     </jaxws:client>
     
+     
+    <jaxws:client name="{http://WSSec/ut}DoubleItSignedEncryptedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.username" value="Alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties>
+    </jaxws:client>
+    
 </beans>
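Review bot: The `ws-security.signature.username` and `ws-security.signature.properties` entries on the new DoubleItSignedEncryptedPort client look unused. DoubleItSignedEncryptedPolicy, added to DoubleItUt.wsdl in this commit, is a TransportBinding whose only supporting token is a UsernameToken, so nothing in it asks for a message-level signature. The same seems to hold for `ws-security.encryption.properties` on the SignedEncrypted endpoint in ut/server/server.xml. If they are not needed, dropping them keeps the test from suggesting that keystore material protects the token, when under this policy the protection comes from TLS alone.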

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml Fri Nov 11 13:42:53 2011
@@ -159,4 +159,23 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="SignedEncrypted"
+       address="https://localhost:${testutil.ports.Server}/DoubleItUTSignedEncrypted" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSignedEncryptedPort"
+       xmlns:s="http://WSSec/ut"
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/ut/DoubleItUt.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>
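Review bot: The SignedEncrypted endpoint's `implementor` is `org.apache.cxf.systest.ws.saml.server.DoubleItImpl`, a class from the saml test package, although the endpoint belongs to the ut tests and serves `wsdl_systest_wssec/ut/DoubleItUt.wsdl`. The Kerberos endpoint added in this commit uses the implementor from its own package, so this looks like a copy-paste leftover; if the ut tests have their own implementor, it should be used here. Otherwise the ut suite depends on the saml test classes for no visible reason.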

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/kerberos/DoubleItKerberos.wsdl Fri Nov 11 13:42:53 2011
@@ -254,6 +254,26 @@
         </wsdl:operation>
     </wsdl:binding>
     
+    <wsdl:binding name="DoubleItKerberosAsymmetricSignedEncryptedBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItKerberosAsymmetricSignedEncryptedPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+    
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItKerberosTransportPort" binding="tns:DoubleItKerberosTransportBinding">
             <soap:address location="https://localhost:9009/DoubleItKerberosTransport" />
@@ -290,6 +310,10 @@
                    binding="tns:DoubleItKerberosAsymmetricSignedEndorsingBinding">
             <soap:address location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEndorsing" />
         </wsdl:port>
+        <wsdl:port name="DoubleItKerberosAsymmetricSignedEncryptedPort"
+                   binding="tns:DoubleItKerberosAsymmetricSignedEncryptedBinding">
+            <soap:address location="http://localhost:9001/DoubleItKerberosAsymmetricSignedEncrypted" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItKerberosTransportPolicy">
@@ -735,6 +759,68 @@
       </wsp:ExactlyOne>
     </wsp:Policy>
     
+     <wsp:Policy wsu:Id="DoubleItKerberosAsymmetricSignedEncryptedPolicy">
+       <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                              <sp:RequireIssuerSerialReference />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic128/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+            <sp:Wss11>
+               <wsp:Policy>
+                  <sp:MustSupportRefIssuerSerial/>
+                  <sp:MustSupportRefThumbprint/>
+                  <sp:MustSupportRefEncryptedKey/>
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:SignedEncryptedSupportingTokens>
+               <wsp:Policy>
+                  <sp:KerberosToken
+                      sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+                      <wsp:Policy>
+                          <sp:WssGssKerberosV5ApReqToken11/>
+                      </wsp:Policy>
+                  </sp:KerberosToken>
+              </wsp:Policy>
+            </sp:SignedEncryptedSupportingTokens>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
          <wsp:All>

Modified: cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl?rev=1200881&r1=1200880&r2=1200881&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/wsdl_systest_wssec/ut/DoubleItUt.wsdl Fri Nov 11 13:42:53 2011
@@ -168,6 +168,25 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSignedEncryptedBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSignedEncryptedPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItPlaintextPort" binding="tns:DoubleItPlaintextBinding">
@@ -185,6 +204,9 @@
         <wsdl:port name="DoubleItSignedEndorsingPort" binding="tns:DoubleItSignedEndorsingBinding">
             <soap:address location="https://localhost:9009/DoubleItUTSignedEndorsing" />
         </wsdl:port>
+        <wsdl:port name="DoubleItSignedEncryptedPort" binding="tns:DoubleItSignedEncryptedBinding">
+            <soap:address location="https://localhost:9009/DoubleItUTSignedEncrypted" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
@@ -385,6 +407,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    
+    <wsp:Policy wsu:Id="DoubleItSignedEncryptedPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken RequireClientCertificate="false" />
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:SignedEncryptedSupportingTokens>
+                    <wsp:Policy>
+                        <sp:UsernameToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssUsernameToken10/>
+                            </wsp:Policy>
+                        </sp:UsernameToken>
+                    </wsp:Policy>
+                </sp:SignedEncryptedSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>


