Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 388639D7A for ; Mon, 20 Feb 2012 11:02:14 +0000 (UTC) Received: (qmail 13041 invoked by uid 500); 20 Feb 2012 11:02:14 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 12983 invoked by uid 500); 20 Feb 2012 11:02:14 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 12976 invoked by uid 99); 20 Feb 2012 11:02:14 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Feb 2012 11:02:14 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Feb 2012 11:02:05 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id CC10723888CD; Mon, 20 Feb 2012 11:01:43 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1291192 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/ap... Date: Mon, 20 Feb 2012 11:01:43 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120220110143.CC10723888CD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Mon Feb 20 11:01:42 2012 New Revision: 1291192 URL: http://svn.apache.org/viewvc?rev=1291192&view=rev Log: [CXF-2864] - Support UsernameToken derived keys Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenDerivedTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client-derived.xml 
cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Mon Feb 20 11:01:42 2012 @@ -25,6 +25,7 @@ import java.net.URL; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collection; +import java.util.Date; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; 
@@ -473,23 +474,9 @@ public abstract class AbstractBindingBui } for (Token token : suppTokens.getTokens()) { if (token instanceof UsernameToken) { - WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token); - if (utBuilder != null) { - utBuilder.prepare(saaj.getSOAPPart()); - addSupportingElement(utBuilder.getUsernameTokenElement()); - ret.put(token, utBuilder); - //WebLogic and WCF always encrypt these - //See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html - //encryptedTokensIdList.add(utBuilder.getId()); - if (suppTokens.isEncryptedToken() - || MessageUtils.getContextualBoolean(message, - SecurityConstants.ALWAYS_ENCRYPT_UT, - true)) { - WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element"); - part.setElement(utBuilder.getUsernameTokenElement()); - encryptedTokensList.add(part); - } - } + handleUsernameTokenSupportingToken( + (UsernameToken)token, endorse, suppTokens.isEncryptedToken(), ret + ); } else if (isRequestor() && (token instanceof IssuedToken || token instanceof SecureConversationToken 
@@ -595,6 +582,42 @@ public abstract class AbstractBindingBui return ret; } + protected void handleUsernameTokenSupportingToken( + UsernameToken token, boolean endorse, boolean encryptedToken, Map ret + ) throws WSSecurityException { + if (endorse) { + WSSecUsernameToken utBuilder = addDKUsernameToken(token, true); + if (utBuilder != null) { + utBuilder.prepare(saaj.getSOAPPart()); + addSupportingElement(utBuilder.getUsernameTokenElement()); + ret.put(token, utBuilder); + if (encryptedToken) { + WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element"); + part.setElement(utBuilder.getUsernameTokenElement()); + encryptedTokensList.add(part); + } + } + } else { + WSSecUsernameToken utBuilder = addUsernameToken(token); + if (utBuilder != null) { + utBuilder.prepare(saaj.getSOAPPart()); + addSupportingElement(utBuilder.getUsernameTokenElement()); + ret.put(token, utBuilder); + //WebLogic and WCF always encrypt these + //See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html + //encryptedTokensIdList.add(utBuilder.getId()); + if (encryptedToken + || MessageUtils.getContextualBoolean(message, + SecurityConstants.ALWAYS_ENCRYPT_UT, + true)) { + WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element"); + part.setElement(utBuilder.getUsernameTokenElement()); + encryptedTokensList.add(part); + } + } + } + } + protected Element cloneElement(Element el) { return (Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el, true); } 
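Review bot: The `endorse` branch of `handleUsernameTokenSupportingToken` encrypts the token only when `encryptedToken` is set, while the non-endorsing branch also honours the `ALWAYS_ENCRYPT_UT` contextual default, and nothing in the hunk records why the two differ. Presumably a derived-key UsernameToken carries no password element, so the always-encrypt default is not needed there — if so, a comment saying that belongs on the branch; otherwise both paths should make the same decision. The rest of the two branches (prepare, addSupportingElement, `ret.put`, building the WSEncryptionPart) is duplicated line for line and can be collapsed to one path that differs only in which builder is used and whether the default applies, as sketched below.
```java
protected void handleUsernameTokenSupportingToken(
    UsernameToken token, boolean endorse, boolean encryptedToken, Map ret
) throws WSSecurityException {
    WSSecUsernameToken utBuilder =
        endorse ? addDKUsernameToken(token, true) : addUsernameToken(token);
    if (utBuilder == null) {
        return;
    }
    utBuilder.prepare(saaj.getSOAPPart());
    addSupportingElement(utBuilder.getUsernameTokenElement());
    ret.put(token, utBuilder);
    // Endorsing tokens use a derived key (no password element), so only an explicit
    // encrypted-token policy triggers encryption; the ALWAYS_ENCRYPT_UT default is
    // applied to password-bearing tokens only -- confirm this is the intended split.
    // WebLogic and WCF always encrypt these
    // See: http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
    boolean encrypt = encryptedToken
        || (!endorse && MessageUtils.getContextualBoolean(message,
                                                          SecurityConstants.ALWAYS_ENCRYPT_UT,
                                                          true));
    if (encrypt) {
        WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
        part.setElement(utBuilder.getUsernameTokenElement());
        encryptedTokensList.add(part);
    }
}
```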
@@ -1790,6 +1813,34 @@ public abstract class AbstractBindingBui // TODO Auto-generated catch block e.printStackTrace(); } + } else if (tempTok instanceof WSSecUsernameToken) { + WSSecUsernameToken utBuilder = (WSSecUsernameToken)tempTok; + String id = utBuilder.getId(); + + Date created = new Date(); + Date expires = new Date(); + expires.setTime(created.getTime() + 300000); + SecurityToken secToken = + new SecurityToken(id, utBuilder.getUsernameTokenElement(), created, expires); + + if (isTokenProtection) { + sigParts.add(new WSEncryptionPart(secToken.getId())); + } + + try { + byte[] secret = utBuilder.getDerivedKey(); + secToken.setSecret(secret); + + if (ent.getKey().isDerivedKeys()) { + doSymmSignatureDerived(ent.getKey(), secToken, sigParts, isTokenProtection); + } else { + doSymmSignature(ent.getKey(), secToken, sigParts, isTokenProtection); + } + } catch (Exception e) { + // TODO Auto-generated catch block + e.printStackTrace(); + } + } } } @@ -1846,7 +1897,9 @@ public abstract class AbstractBindingBui //Set the value type of the reference dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE); - } + } else if (policyToken instanceof UsernameToken) { + dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); + } dkSign.prepare(doc, secHeader); 
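Review bot: The new `WSSecUsernameToken` branch catches `Exception` around `getDerivedKey()` and the symmetric-signature calls and only calls `e.printStackTrace()`, so a failure to derive the key or to build the endorsing signature is written to stderr and processing presumably continues with the message lacking that signature. The existing branch above shows the same auto-generated catch, but new code should not copy it; the exception should propagate (wrapped in whatever fault type this class uses for `WSSecurityException` elsewhere) so the policy is not reported as asserted. The five-minute lifetime `created.getTime() + 300000` is also repeated here, in `SymmetricBindingHandler` and in `TransportBindingHandler` in this commit; a named constant such as `private static final long UT_TOKEN_LIFETIME_MS = 300000L;` would keep them in step. The enclosing method starts and ends outside the hunk.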
@@ -1904,6 +1957,8 @@ public abstract class AbstractBindingBui sig.setCustomTokenValueType(WSConstants.WSS_SAML2_KI_VALUE_TYPE); } else if (tokenType != null) { sig.setCustomTokenValueType(tokenType); + } else if (policyToken instanceof UsernameToken) { + sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } else { sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); } Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Mon Feb 20 11:01:42 2012 @@ -61,7 +61,6 @@ import org.apache.ws.security.WSSecurity import org.apache.ws.security.components.crypto.Crypto; import org.apache.ws.security.conversation.ConversationConstants; import org.apache.ws.security.conversation.ConversationException; -import org.apache.ws.security.handler.RequestData; import org.apache.ws.security.handler.WSHandlerConstants; import org.apache.ws.security.handler.WSHandlerResult; import org.apache.ws.security.message.WSSecBase; 
@@ -932,15 +931,8 @@ public class SymmetricBindingHandler ext expires.setTime(created.getTime() + 300000); SecurityToken tempTok = new SecurityToken(utID, created, expires); - org.apache.ws.security.message.token.UsernameToken usernameToken = - (org.apache.ws.security.message.token.UsernameToken)wser.get( - WSSecurityEngineResult.TAG_USERNAME_TOKEN - ); - - RequestData data = new RequestData(); - data.setCallbackHandler(getCallbackHandler()); - usernameToken.setRawPassword(data); - tempTok.setSecret(usernameToken.getDerivedKey()); + byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); + tempTok.setSecret(secret); tokenStore.add(tempTok); return utID; Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Mon Feb 20 11:01:42 2012 @@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j import java.util.ArrayList; import java.util.Collection; +import java.util.Date; import java.util.List; import javax.xml.crypto.dsig.Reference; 
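Review bot: `(byte[])wser.get(WSSecurityEngineResult.TAG_SECRET)` is passed straight to `tempTok.setSecret(secret)` without a null check, so a UsernameToken result that carries no secret (for instance one without derived-key elements) would be added to the token store with a null secret and its id returned as usable. A guard such as `if (secret == null) { /* fail the assertion here rather than store a keyless token */ }` before `tokenStore.add(tempTok)` keeps the failure at the point where its cause is known. The removed code derived the key itself and so always had a value; the enclosing method starts outside the hunk, so I cannot see whether such results are already rejected earlier.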
@@ -295,6 +296,25 @@ public class TransportBindingHandler ext signatureValues, doIssuedTokenSignature(token, signdParts, wrapper) ); + } else if (token instanceof UsernameToken) { + // Create a UsernameToken object for derived keys and store the security token + WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true); + String id = usernameToken.getId(); + byte[] secret = usernameToken.getDerivedKey(); + + Date created = new Date(); + Date expires = new Date(); + expires.setTime(created.getTime() + 300000); + SecurityToken tempTok = + new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires); + tempTok.setSecret(secret); + getTokenStore().add(tempTok); + message.setContextualProperty(SecurityConstants.TOKEN, tempTok); + + addSig( + signatureValues, + doIssuedTokenSignature(token, signdParts, wrapper) + ); } } @@ -448,6 +468,10 @@ public class TransportBindingHandler ext } else { dkSign.setExternalKey(secTok.getSecret(), secTok.getId()); } + + if (token instanceof UsernameToken) { + dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); + } // Set the algo info dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature()); 
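Review bot: `addDKUsernameToken((UsernameToken)token, true)` is dereferenced immediately via `usernameToken.getId()`, whereas the same call in `AbstractBindingBuilder.handleUsernameTokenSupportingToken` in this commit is guarded with `if (utBuilder != null)`, so a null return here would surface as a NullPointerException instead of a policy failure. Add the same guard before `getId()` and fail the assertion when the builder is absent. The `created`/`expires` block with the literal `300000` is the third copy in this commit and would be better as a shared constant. The enclosing method starts and ends outside the hunk.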
@@ -491,8 +515,13 @@ public class TransportBindingHandler ext new SecurityTokenReference(cloneElement(ref), false); sig.setSecurityTokenReference(secRef); sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } else if (secTok.getTokenType() == null) { + } else if (token instanceof UsernameToken) { sig.setCustomTokenId(secTok.getId()); + sig.setCustomTokenValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); + int type = tokenIncluded ? WSConstants.CUSTOM_SYMM_SIGNING + : WSConstants.CUSTOM_SYMM_SIGNING_DIRECT; + sig.setKeyIdentifierType(type); + } else if (secTok.getTokenType() == null) { sig.setCustomTokenValueType(WSConstants.WSS_SAML_KI_VALUE_TYPE); sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Mon Feb 20 11:01:42 2012 
@@ -119,20 +119,38 @@ public abstract class AbstractSupporting } /** - * Process UsernameTokens. Only SignedSupportingTokens are currently enforced. + * Process UsernameTokens. */ protected boolean processUsernameTokens() { if (!validateUsernameToken) { return true; } - if (utResults.isEmpty()) { + + List tokenResults = new ArrayList(); + tokenResults.addAll(utResults); + List dktResults = new ArrayList(); + for (WSSecurityEngineResult wser : utResults) { + if (endorsed && derived) { + byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); + WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); + if (dktResult != null) { + dktResults.add(dktResult); + } + } + } + + if (tokenResults.isEmpty()) { return false; } - if (signed && !areTokensSigned(utResults)) { + if (signed && !areTokensSigned(tokenResults)) { return false; } - if (encrypted && !areTokensEncrypted(utResults)) { + if (encrypted && !areTokensEncrypted(tokenResults)) { + return false; + } + tokenResults.addAll(dktResults); + if (endorsed && !checkEndorsed(tokenResults)) { return false; } return true; @@ -140,7 +158,7 @@ public abstract class AbstractSupporting /** - * Process SAML Tokens. Only SignedSupportingTokens are currently enforced. + * Process SAML Tokens. Only signed results are supported. */ protected boolean processSAMLTokens() { if (samlResults.isEmpty()) { 
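Review bot: In `processUsernameTokens` the `if (endorsed && derived)` test is loop-invariant and is re-evaluated for every entry of `utResults`; moving it outside the `for` makes the intent (collect derived-key results only for endorsing, derived tokens) clearer. More importantly, when that condition holds but `getMatchingDerivedKey(secret)` finds nothing for any token, `dktResults` stays empty and the method still falls through to `checkEndorsed(tokenResults)` with only the UsernameToken results — whether that fails closed depends on `checkEndorsed`, which is outside the hunk, so it is worth confirming or adding an explicit `return false` for that case. `tokenResults` is only a copy of `utResults` until `dktResults` is appended, so the copy could be made just before that line.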
@@ -514,6 +532,9 @@ public abstract class AbstractSupporting for (WSSecurityEngineResult signedResult : encryptedResults) { List dataRefs = CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); + if (dataRefs == null) { + return false; + } for (WSDataRef dataRef : dataRefs) { if (token == dataRef.getProtectedElement()) { return true; Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java Mon Feb 20 11:01:42 2012 @@ -33,6 +33,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.model.SecurityContextToken; import org.apache.cxf.ws.security.policy.model.SupportingToken; import org.apache.cxf.ws.security.policy.model.Token; +import org.apache.cxf.ws.security.policy.model.UsernameToken; import org.apache.cxf.ws.security.policy.model.X509Token; import org.apache.ws.security.WSSecurityEngineResult; 
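Review bot: The new `if (dataRefs == null) { return false; }` sits inside the loop over `encryptedResults`, so the first encryption result without `TAG_DATA_REF_URIS` ends the search for every remaining result, even one that does reference the token. Replacing it with `continue;` keeps the null-safety (the previous code would have thrown a NullPointerException here) while still checking the other results; the not-found case is then covered by the `return false` after the loop, which is presumably outside the hunk. The enclosing method starts and ends outside the hunk.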
@@ -88,6 +89,10 @@ public class EndorsingEncryptedTokenPoli if (!processX509Tokens()) { processingFailed = true; } + } else if (token instanceof UsernameToken) { + if (!processUsernameTokens()) { + processingFailed = true; + } } else if (token instanceof SecurityContextToken) { if (!processSCTokens()) { processingFailed = true; Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Mon Feb 20 11:01:42 2012 @@ -33,6 +33,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.model.SecurityContextToken; import org.apache.cxf.ws.security.policy.model.SupportingToken; import org.apache.cxf.ws.security.policy.model.Token; +import org.apache.cxf.ws.security.policy.model.UsernameToken; import org.apache.cxf.ws.security.policy.model.X509Token; import org.apache.ws.security.WSSecurityEngineResult; 
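Review bot: The `else if (token instanceof UsernameToken) { if (!processUsernameTokens()) { processingFailed = true; } }` branch added here is repeated verbatim in `EndorsingTokenPolicyValidator`, `SignedEndorsingEncryptedTokenPolicyValidator` and `SignedEndorsingTokenPolicyValidator` in the same commit, each alongside the same X509/SecurityContextToken chain. Since all four extend `AbstractSupportingTokenPolicyValidator`, the token-type dispatch could live once in the base class, so that the next token type is added in one place rather than four. The enclosing loop starts and ends outside each of these hunks.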
@@ -87,6 +88,10 @@ public class EndorsingTokenPolicyValidat if (!processX509Tokens()) { processingFailed = true; } + } else if (token instanceof UsernameToken) { + if (!processUsernameTokens()) { + processingFailed = true; + } } else if (token instanceof SecurityContextToken) { if (!processSCTokens()) { processingFailed = true; Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java Mon Feb 20 11:01:42 2012 @@ -33,6 +33,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.model.SecurityContextToken; import org.apache.cxf.ws.security.policy.model.SupportingToken; import org.apache.cxf.ws.security.policy.model.Token; +import org.apache.cxf.ws.security.policy.model.UsernameToken; import org.apache.cxf.ws.security.policy.model.X509Token; import org.apache.ws.security.WSSecurityEngineResult; 
@@ -93,6 +94,10 @@ public class SignedEndorsingEncryptedTok if (!processX509Tokens()) { processingFailed = true; } + } else if (token instanceof UsernameToken) { + if (!processUsernameTokens()) { + processingFailed = true; + } } else if (token instanceof SecurityContextToken) { if (!processSCTokens()) { processingFailed = true; Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Mon Feb 20 11:01:42 2012 @@ -33,6 +33,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.model.SecurityContextToken; import org.apache.cxf.ws.security.policy.model.SupportingToken; import org.apache.cxf.ws.security.policy.model.Token; +import org.apache.cxf.ws.security.policy.model.UsernameToken; import org.apache.cxf.ws.security.policy.model.X509Token; import org.apache.ws.security.WSSecurityEngineResult; 
@@ -91,6 +92,10 @@ public class SignedEndorsingTokenPolicyV if (!processX509Tokens()) { processingFailed = true; } + } else if (token instanceof UsernameToken) { + if (!processUsernameTokens()) { + processingFailed = true; + } } else if (token instanceof SecurityContextToken) { if (!processSCTokens()) { processingFailed = true; Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenDerivedTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenDerivedTest.java?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenDerivedTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/ut/UsernameTokenDerivedTest.java Mon Feb 20 11:01:42 2012 @@ -38,6 +38,7 @@ import org.junit.BeforeClass; */ public class UsernameTokenDerivedTest extends AbstractBusClientServerTestBase { static final String PORT = allocatePort(ServerDerived.class); + static final String PORT2 = allocatePort(ServerDerived.class, 2); private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt"; private static final QName SERVICE_QNAME = new QName(NAMESPACE, "DoubleItService"); @@ -103,10 +104,8 @@ public class UsernameTokenDerivedTest ex /** * Here the key derived from a UsernameToken is used as a protection token for the * symmetric binding, and used to encrypt the SOAP Body. - * TODO - Re-enable when WSS4J 1.6.5 is picked up */ @org.junit.Test - @org.junit.Ignore public void testSymmetricProtectionEncryptionToken() throws Exception { SpringBusFactory bf = new SpringBusFactory(); 
@@ -126,4 +125,100 @@ public class UsernameTokenDerivedTest ex utPort.doubleIt(25); } + /** + * Here the key derived from a UsernameToken is used to sign the Timestamp over the Transport + * binding. + */ + @org.junit.Test + public void testTransportEndorsing() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenDerivedTest.class.getResource("client/client-derived.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenDerivedTest.class.getResource("DoubleItUtDerived.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportEndorsingPort"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT2); + + utPort.doubleIt(25); + } + + /** + * Here the key derived from a UsernameToken is used to sign the message signature over the + * Symmetric binding. The UsernameToken is signed. + */ + @org.junit.Test + public void testSymmetricSignedEndorsing() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenDerivedTest.class.getResource("client/client-derived.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenDerivedTest.class.getResource("DoubleItUtDerived.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSignedEndorsingPort"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT); + + utPort.doubleIt(25); + } + + /** + * Here the key derived from a UsernameToken is used to sign the message signature over the + * Symmetric binding. The UsernameToken is encrypted. 
+ */ + @org.junit.Test + public void testSymmetricEndorsingEncrypted() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenDerivedTest.class.getResource("client/client-derived.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenDerivedTest.class.getResource("DoubleItUtDerived.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricEndorsingEncryptedPort"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT); + + utPort.doubleIt(25); + } + + /** + * Here the key derived from a UsernameToken is used to sign the message signature over the + * Symmetric binding. The UsernameToken is encrypted and signed. + */ + @org.junit.Test + public void testSymmetricSignedEndorsingEncrypted() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = UsernameTokenDerivedTest.class.getResource("client/client-derived.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = UsernameTokenDerivedTest.class.getResource("DoubleItUtDerived.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSignedEndorsingEncryptedPort"); + DoubleItPortType utPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(utPort, PORT); + + utPort.doubleIt(25); + } + } Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java?rev=1291192&r1=1291191&r2=1291192&view=diff 
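Review bot: The four new test methods repeat the same bus, service and port set-up and differ only in the port name and the port constant, and none of them asserts the service result — `utPort.doubleIt(25)` is called but its return value is dropped. A small helper taking the port name and port, ending in `assertEquals(50, utPort.doubleIt(25));` (from `org.junit.Assert`), would make each test a one-liner and would catch a server that accepts the message but returns the wrong value. The earlier tests in this class appear to follow the same pattern, so the helper could serve them too.
```java
private void doubleItOverPort(String portName, String port) throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = UsernameTokenDerivedTest.class.getResource("client/client-derived.xml");

    Bus bus = bf.createBus(busFile.toString());
    SpringBusFactory.setDefaultBus(bus);
    SpringBusFactory.setThreadDefaultBus(bus);

    URL wsdl = UsernameTokenDerivedTest.class.getResource("DoubleItUtDerived.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, portName);
    DoubleItPortType utPort = service.getPort(portQName, DoubleItPortType.class);
    updateAddressPort(utPort, port);

    assertEquals(50, utPort.doubleIt(25));
}

@org.junit.Test
public void testTransportEndorsing() throws Exception {
    doubleItOverPort("DoubleItTransportEndorsingPort", PORT2);
}
// … unchanged pattern for testSymmetricSignedEndorsing, testSymmetricEndorsingEncrypted
//     and testSymmetricSignedEndorsingEncrypted, each passing its port name and PORT …
```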
============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/UTPasswordCallback.java Mon Feb 20 11:01:42 2012 @@ -41,6 +41,7 @@ public class UTPasswordCallback implemen passwords.put("Frank", "invalid-password"); //for MS clients passwords.put("abcd", "dcba"); + passwords.put("bob", "password"); } /** Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/DoubleItUtDerived.wsdl Mon Feb 20 11:01:42 2012 @@ -50,7 +50,7 @@ - + @@ -90,6 +90,86 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -103,6 +183,22 @@ binding="tns:DoubleItSymmetricProtectionEncBinding"> + + + + + + + + + + + + @@ -204,6 +300,178 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
@@ -223,5 +491,18 @@ + + + + + + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client-derived.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client-derived.xml?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client-derived.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/client/client-derived.xml Mon Feb 20 11:01:42 2012 @@ -66,4 +66,57 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml Mon Feb 20 11:01:42 2012 
@@ -75,7 +75,7 @@ - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + .*_EXPORT_.* + .*_EXPORT1024_.* + .*_WITH_DES_.* + .*_WITH_AES_.* + .*_WITH_NULL_.* + .*_DH_anon_.* + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1291192&r1=1291191&r2=1291192&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Mon Feb 20 11:01:42 2012 @@ -43,7 +43,7 @@ - +
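Review bot: The cipher-suite filter added to the new TLS listener (presumably the one the `PORT2` transport-endorsing test uses) excludes `.*_WITH_AES_.*` alongside the export, DES, NULL and anonymous-DH patterns, which leaves only the weaker non-AES suites negotiable for that test. Unless the AES exclusion was copied deliberately from another fixture, dropping it keeps the test configuration in line with what the transport-endorsing binding would actually be deployed with. The element markup in this hunk was stripped in the mail rendering, so only the regex text could be reviewed.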