cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1202339 - in /cxf/branches/2.4.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/ws...
Date Tue, 15 Nov 2011 18:00:35 GMT
Author: coheigea
Date: Tue Nov 15 18:00:35 2011
New Revision: 1202339

URL: http://svn.apache.org/viewvc?rev=1202339&view=rev
Log:
Added support for EndorsingEncryptedSupportingToken policy validation + added some systests.

Added:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
    cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Tue Nov 15 18:00:35 2011
@@ -73,6 +73,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
@@ -595,10 +596,14 @@ public class PolicyBasedWSS4JInIntercept
         encryptedValidator.setValidateUsernameToken(utWithCallbacks);
         encryptedValidator.validatePolicy(aim);
         
+        EndorsingEncryptedTokenPolicyValidator endorsingEncryptedValidator = 
+            new EndorsingEncryptedTokenPolicyValidator(msg, results, signedResults);
+        endorsingEncryptedValidator.setValidateUsernameToken(utWithCallbacks);
+        endorsingEncryptedValidator.validatePolicy(aim);
+        
         //REVISIT - probably can verify some of these like if UT is encrypted and/or signed,
etc...
         assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
         if (hasEndorsement || isRequestor(msg)) {
-            assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
             assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         }
         super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
Tue Nov 15 18:00:35 2011
@@ -119,7 +119,6 @@ public class TransportBindingHandler ext
     }
     
     public void handleBinding() {
-        Collection<AssertionInfo> ais;
         WSSecTimestamp timestamp = createTimestamp();
         handleLayout(timestamp);
         
@@ -141,124 +140,179 @@ public class TransportBindingHandler ext
                             addEncryptedKeyElement(cloneElement(el));
                         } 
                     }
+                    
+                    handleNonEndorsingSupportingTokens();
+                    handleEndorsingSupportingTokens();
                 }
-                
-                List<byte[]> signatureValues = new ArrayList<byte[]>();
-
-                ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-                if (ais != null) {
-                    for (AssertionInfo ai : ais) {
-                        SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
-                        if (sgndSuppTokens != null) {
-                            addSignedSupportingTokens(sgndSuppTokens);
-                        }
-                        ai.setAsserted(true);
-                    }
+            } else {
+                addSignatureConfirmation(null);
+            }
+        } catch (Exception e) {
+            throw new Fault(e);
+        }
+    }
+    
+    /**
+     * Handle the non-endorsing supporting tokens
+     */
+    private void handleNonEndorsingSupportingTokens() throws Exception {
+        Collection<AssertionInfo> ais;
+        
+        ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                if (sgndSuppTokens != null) {
+                    addSignedSupportingTokens(sgndSuppTokens);
                 }
-                ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
-                if (ais != null) {
-                    SupportingToken sgndSuppTokens = null;
-                    for (AssertionInfo ai : ais) {
-                        sgndSuppTokens = (SupportingToken)ai.getAssertion();
-                        ai.setAsserted(true);
-                    }
-                    if (sgndSuppTokens != null) {
-                        SignedEncryptedParts signdParts = sgndSuppTokens.getSignedParts();
-
-                        for (Token token : sgndSuppTokens.getTokens()) {
-                            if (token instanceof IssuedToken
-                                || token instanceof SecureConversationToken
-                                || token instanceof SecurityContextToken
-                                || token instanceof KeyValueToken
-                                || token instanceof KerberosToken) {
-                                addSig(signatureValues, doIssuedTokenSignature(token, signdParts,
-                                                                               sgndSuppTokens,
-                                                                               null));
-                            } else if (token instanceof X509Token
-                                || token instanceof KeyValueToken) {
-                                addSig(signatureValues, doX509TokenSignature(token,
-                                                                             signdParts,
-                                                                             sgndSuppTokens));
-                            }
-                        }
-                    }
+                ai.setAsserted(true);
+            }
+        }
+        
+        ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                if (sgndSuppTokens != null) {
+                    addSignedSupportingTokens(sgndSuppTokens);
                 }
-                ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-                if (ais != null) {
-                    for (AssertionInfo ai : ais) {
-                        SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
-                        if (sgndSuppTokens != null) {
-                            addSignedSupportingTokens(sgndSuppTokens);
-                        }
-                        ai.setAsserted(true);
-                    }
+                ai.setAsserted(true);
+            }
+        }
+        
+        ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                SupportingToken encrSuppTokens = (SupportingToken)ai.getAssertion();
+                if (encrSuppTokens != null) {
+                    addSignedSupportingTokens(encrSuppTokens);
                 }
-                
-                ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
-                if (ais != null) {
-                    for (AssertionInfo ai : ais) {
-                        SupportingToken encrSuppTokens = (SupportingToken)ai.getAssertion();
-                        if (encrSuppTokens != null) {
-                            addSignedSupportingTokens(encrSuppTokens);
-                        }
-                        ai.setAsserted(true);
+                ai.setAsserted(true);
+            }
+        }
+        
+        ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                SupportingToken suppTokens = (SupportingToken)ai.getAssertion();
+                if (suppTokens != null && suppTokens.getTokens() != null 
+                    && suppTokens.getTokens().size() > 0) {
+                    handleSupportingTokens(suppTokens, false);
+                }
+                ai.setAsserted(true);
+            }
+        }
+    }
+    
+    /**
+     * Handle the endorsing supporting tokens
+     */
+    private void handleEndorsingSupportingTokens() throws Exception {
+        Collection<AssertionInfo> ais;
+        List<byte[]> signatureValues = new ArrayList<byte[]>();
+        
+        ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        if (ais != null) {
+            SupportingToken sgndSuppTokens = null;
+            for (AssertionInfo ai : ais) {
+                sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                ai.setAsserted(true);
+            }
+            if (sgndSuppTokens != null) {
+                SignedEncryptedParts signdParts = sgndSuppTokens.getSignedParts();
+
+                for (Token token : sgndSuppTokens.getTokens()) {
+                    if (token instanceof IssuedToken
+                        || token instanceof SecureConversationToken
+                        || token instanceof SecurityContextToken
+                        || token instanceof KeyValueToken
+                        || token instanceof KerberosToken) {
+                        addSig(signatureValues, doIssuedTokenSignature(token, signdParts,
+                                                                       sgndSuppTokens,
+                                                                       null));
+                    } else if (token instanceof X509Token
+                        || token instanceof KeyValueToken) {
+                        addSig(signatureValues, doX509TokenSignature(token,
+                                                                     signdParts,
+                                                                     sgndSuppTokens));
                     }
                 }
-                
-                ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-                if (ais != null) {
-                    SupportingToken endSuppTokens = null;
-                    for (AssertionInfo ai : ais) {
-                        endSuppTokens = (SupportingToken)ai.getAssertion();
-                        ai.setAsserted(true);
-                    } 
-                    
-                    if (endSuppTokens != null) {
-                        for (Token token : endSuppTokens.getTokens()) {
-                            if (token instanceof IssuedToken
-                                || token instanceof SecureConversationToken
-                                || token instanceof SecurityContextToken
-                                || token instanceof KerberosToken) {
-                                addSig(signatureValues, doIssuedTokenSignature(token, 
-                                                                               endSuppTokens
-                                                                                   .getSignedParts(),

-                                                                               endSuppTokens,
-                                                                               null));
-                            } else if (token instanceof X509Token
-                                || token instanceof KeyValueToken) {
-                                addSig(signatureValues, doX509TokenSignature(token, 
-                                                                             endSuppTokens.getSignedParts(),

-                                                                             endSuppTokens));
-                            } else if (token instanceof SamlToken) {
-                                AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
-                                assertionWrapper.toDOM(saaj.getSOAPPart());
-                                storeAssertionAsSecurityToken(assertionWrapper);
-                                addSig(signatureValues, doIssuedTokenSignature(token, 
-                                                                               endSuppTokens
-                                                                               .getSignedParts(),

-                                                                               endSuppTokens,
-                                                                               null));
-                            }
-                        }
+            }
+        }
+        
+        ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+        if (ais != null) {
+            SupportingToken endSuppTokens = null;
+            for (AssertionInfo ai : ais) {
+                endSuppTokens = (SupportingToken)ai.getAssertion();
+                ai.setAsserted(true);
+            } 
+            
+            if (endSuppTokens != null) {
+                for (Token token : endSuppTokens.getTokens()) {
+                    if (token instanceof IssuedToken
+                        || token instanceof SecureConversationToken
+                        || token instanceof SecurityContextToken
+                        || token instanceof KerberosToken) {
+                        addSig(signatureValues, doIssuedTokenSignature(token, 
+                                                                       endSuppTokens
+                                                                           .getSignedParts(),

+                                                                       endSuppTokens,
+                                                                       null));
+                    } else if (token instanceof X509Token
+                        || token instanceof KeyValueToken) {
+                        addSig(signatureValues, doX509TokenSignature(token, 
+                                                                     endSuppTokens.getSignedParts(),

+                                                                     endSuppTokens));
+                    } else if (token instanceof SamlToken) {
+                        AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+                        assertionWrapper.toDOM(saaj.getSOAPPart());
+                        storeAssertionAsSecurityToken(assertionWrapper);
+                        addSig(signatureValues, doIssuedTokenSignature(token, 
+                                                                       endSuppTokens
+                                                                       .getSignedParts(),

+                                                                       endSuppTokens,
+                                                                       null));
                     }
                 }
-                ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
-                if (ais != null) {
-                    for (AssertionInfo ai : ais) {
-                        SupportingToken suppTokens = (SupportingToken)ai.getAssertion();
-                        if (suppTokens != null && suppTokens.getTokens() != null

-                            && suppTokens.getTokens().size() > 0) {
-                            handleSupportingTokens(suppTokens, false);
-                        }
-                        ai.setAsserted(true);
+            }
+        }
+        ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (ais != null) {
+            SupportingToken endSuppTokens = null;
+            for (AssertionInfo ai : ais) {
+                endSuppTokens = (SupportingToken)ai.getAssertion();
+                ai.setAsserted(true);
+            } 
+            
+            if (endSuppTokens != null) {
+                for (Token token : endSuppTokens.getTokens()) {
+                    if (token instanceof IssuedToken
+                        || token instanceof SecureConversationToken
+                        || token instanceof SecurityContextToken
+                        || token instanceof KerberosToken) {
+                        addSig(signatureValues, doIssuedTokenSignature(token, 
+                                                                       endSuppTokens
+                                                                           .getSignedParts(),

+                                                                       endSuppTokens,
+                                                                       null));
+                    } else if (token instanceof X509Token
+                        || token instanceof KeyValueToken) {
+                        addSig(signatureValues, doX509TokenSignature(token, 
+                                                                     endSuppTokens.getSignedParts(),

+                                                                     endSuppTokens));
+                    } else if (token instanceof SamlToken) {
+                        AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+                        assertionWrapper.toDOM(saaj.getSOAPPart());
+                        storeAssertionAsSecurityToken(assertionWrapper);
+                        addSig(signatureValues, doIssuedTokenSignature(token, 
+                                                                       endSuppTokens
+                                                                       .getSignedParts(),

+                                                                       endSuppTokens,
+                                                                       null));
                     }
                 }
-
-            } else {
-                addSignatureConfirmation(null);
             }
-        } catch (Exception e) {
-            throw new Fault(e);
         }
     }
     

Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1202339&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
(added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
Tue Nov 15 18:00:35 2011
@@ -0,0 +1,112 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.IssuedToken;
+import org.apache.cxf.ws.security.policy.model.KerberosToken;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
+import org.apache.cxf.ws.security.policy.model.SupportingToken;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate an EndorsingEncryptedSupportingToken policy. 
+ */
+public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator
{
+    
+    public EndorsingEncryptedTokenPolicyValidator(
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        super(message, results, signedResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (ais == null || ais.isEmpty()) {                       
+            return true;
+        }
+
+        for (AssertionInfo ai : ais) {
+            SupportingToken binding = (SupportingToken)ai.getAssertion();
+            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING_ENCRYPTED 
+                != binding.getTokenType()) {
+                continue;
+            }
+            ai.setAsserted(true);
+            setEndorsed(true);
+            setEncrypted(true);
+
+            List<Token> tokens = binding.getTokens();
+            for (Token token : tokens) {
+                if (!isTokenRequired(token, message)) {
+                    continue;
+                }
+                
+                boolean derived = token.isDerivedKeys();
+                setDerived(derived);
+                boolean processingFailed = false;
+                if (token instanceof KerberosToken) {
+                    if (!processKerberosTokens()) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof X509Token) {
+                    if (!processX509Tokens()) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SecurityContextToken) {
+                    if (!processSCTokens()) {
+                        processingFailed = true;
+                    }
+                } else if (token instanceof SamlToken) {
+                    if (!processSAMLTokens()) {
+                        processingFailed = true;
+                    }
+                } else if (!(token instanceof IssuedToken)) {
+                    processingFailed = true;
+                }
+                
+                if (processingFailed) {
+                    ai.setNotAsserted(
+                        "The received token does not match the endorsing encrypted "
+                        + "supporting token requirement"
+                    );
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+}

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Tue Nov 15 18:00:35 2011
@@ -384,6 +384,31 @@ public class SamlTokenTest extends Abstr
     }
     
     
+    @org.junit.Test
+    public void testSaml2EndorsingEncryptedOverTransport() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        
+        DoubleItPortType saml2Port = service.getDoubleItSaml2EndorsingEncryptedTransportPort();
+        updateAddressPort(saml2Port, PORT2);
+        
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+
+        BigInteger result = saml2Port.doubleIt(BigInteger.valueOf(25));
+        assertTrue(result.equals(BigInteger.valueOf(50)));
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Tue Nov 15 18:00:35 2011
@@ -207,6 +207,25 @@ public class X509TokenTest extends Abstr
         x509Port.doubleIt(BigInteger.valueOf(25));
     }
     
+    @org.junit.Test
+    public void testTransportEndorsingEncrypted() throws Exception {
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        DoubleItService service = new DoubleItService();
+        DoubleItPortType x509Port = service.getDoubleItTransportEndorsingEncryptedPort();
+        updateAddressPort(x509Port, PORT2);
+        x509Port.doubleIt(BigInteger.valueOf(25));
+    }
+    
     private boolean checkUnrestrictedPoliciesInstalled() {
         try {
             byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07};

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client/client.xml
Tue Nov 15 18:00:35 2011
@@ -160,4 +160,16 @@
        </jaxws:properties>
     </jaxws:client> 
     
+    <jaxws:client name="{http://WSSec/saml}DoubleItSaml2EndorsingEncryptedTransportPort"

+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.self-sign-saml-assertion" value="true"/>
+       </jaxws:properties>
+    </jaxws:client>  
+    
 </beans>

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Tue Nov 15 18:00:35 2011
@@ -255,4 +255,22 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml2EndorsingEncryptedOverTransport"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport"

+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort"
+       xmlns:s="http://WSSec/saml"
+       implementor="org.apache.cxf.systest.ws.saml.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/saml/DoubleItSaml.wsdl">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
Tue Nov 15 18:00:35 2011
@@ -125,6 +125,17 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://WSSec/x509}DoubleItTransportEndorsingEncryptedPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <http:conduit name="https://localhost:.*">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:trustManagers>

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Tue Nov 15 18:00:35 2011
@@ -217,4 +217,21 @@
      
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="TransportEndorsingEncrypted"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportEndorsingEncrypted"

+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportEndorsingEncryptedPort"
+       xmlns:s="http://WSSec/x509"
+       implementor="org.apache.cxf.systest.ws.x509.server.DoubleItImpl"
+       wsdlLocation="wsdl_systest_wssec/x509/DoubleItX509.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>

+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/saml/DoubleItSaml.wsdl
Tue Nov 15 18:00:35 2011
@@ -263,6 +263,25 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSaml2EndorsingEncryptedTransportBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSaml2EndorsingEncryptedTransportPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
 
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
@@ -302,6 +321,10 @@
                    binding="tns:DoubleItSaml2AsymmetricEncryptedBinding">
             <soap:address location="http://localhost:9001/DoubleItSaml2AsymmetricEncrypted"
/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2EndorsingEncryptedTransportPort" 
+                   binding="tns:DoubleItSaml2EndorsingEncryptedTransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2EndorsingEncryptedTransport"
/>
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -798,6 +821,42 @@
          </wsp:All>
       </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSaml2EndorsingEncryptedTransportPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken RequireClientCertificate="false" />
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingEncryptedSupportingTokens>
+                    <wsp:Policy>
+                        <sp:SamlToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssSamlV20Token11/>
+                            </wsp:Policy>
+                        </sp:SamlToken>
+                    </wsp:Policy>
+                </sp:EndorsingEncryptedSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>

Modified: cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl?rev=1202339&r1=1202338&r2=1202339&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
(original)
+++ cxf/branches/2.4.x-fixes/systests/ws-security/src/test/resources/wsdl_systest_wssec/x509/DoubleItX509.wsdl
Tue Nov 15 18:00:35 2011
@@ -225,6 +225,25 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItTransportEndorsingEncryptedBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItTransportEndorsingEncryptedPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItKeyIdentifierPort" binding="tns:DoubleItKeyIdentifierBinding">
@@ -256,6 +275,10 @@
                    binding="tns:DoubleItTransportSignedEndorsingBinding">
             <soap:address location="https://localhost:9002/DoubleItX509TransportSignedEndorsing"
/>
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportEndorsingEncryptedPort" 
+                   binding="tns:DoubleItTransportEndorsingEncryptedBinding">
+            <soap:address location="https://localhost:9002/DoubleItX509TransportEndorsingEncrypted"
/>
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItKeyIdentifierPolicy">
@@ -560,6 +583,44 @@
         </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItTransportEndorsingEncryptedPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken RequireClientCertificate="false" />
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:EndorsingEncryptedSupportingTokens>
+                   <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                    </wsp:Policy>
+                </sp:EndorsingEncryptedSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
          <wsp:All>



Mime
View raw message