Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1311833 - in /cxf/trunk:
 rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/
 rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/
 services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/re...
Date: Tue, 10 Apr 2012 16:20:55 -0000
To: commits@cxf.apache.org
From: coheigea@apache.org
Message-Id: <20120410162055.DDC68238896F@eris.apache.org>

Author: coheigea
Date: Tue Apr 10 16:20:54 2012
New Revision: 1311833

URL: http://svn.apache.org/viewvc?rev=1311833&view=rev
Log:
[CXF-4158] - Added some initial system tests for renewing SAML tokens & did some reshuffling in the STSClient

Added:
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/STSServer.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/Server.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client-unit.xml
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/ws-trust-1.4-service.wsdl
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java?rev=1311833&r1=1311832&r2=1311833&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java Tue Apr 10 16:20:54 2012
@@ -68,7 +68,7 @@ class SecureConversationOutInterceptor e
                 if (tok == null) {
                     tok = issueToken(message, aim, itok);
                 } else {
-                    renewToken(message, aim, tok, itok);
+                    tok = renewToken(message, aim, tok, itok);
                 }
                 if (tok != null) {
                     for (AssertionInfo ai : ais) {
@@ -91,12 +91,12 @@ class SecureConversationOutInterceptor e
     }
     
     
-    private void renewToken(SoapMessage message,
+    private SecurityToken renewToken(SoapMessage message,
                             AssertionInfoMap aim, 
                             SecurityToken tok,
                             SecureConversationToken itok) {
         if (!tok.isExpired()) {
-            return;
+            return tok;
         }
         
         STSClient client = STSUtils.getClient(message, "sct");
@@ -107,7 +107,7 @@ class SecureConversationOutInterceptor e
             maps = (AddressingProperties)message
                 .get("javax.xml.ws.addressing.context");
         } else if (maps.getAction().getValue().endsWith("Renew")) {
-            return;
+            return tok;
         }
         synchronized (client) {
             try {
@@ -122,7 +122,7 @@ class SecureConversationOutInterceptor e
                 if (maps != null) {
                     client.setAddressingNamespace(maps.getNamespaceURI());
                 }
-                client.renewSecurityToken(tok);
+                return client.renewSecurityToken(tok);
             } catch (RuntimeException e) {
                 throw e;
             } catch (Exception e) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java?rev=1311833&r1=1311832&r2=1311833&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java Tue Apr 10 16:20:54 2012
@@ -685,11 +685,7 @@ public class STSClient implements Config
         if (target != null) {
             writer.writeStartElement("wst", "RenewTarget", namespace);
             client.getRequestContext().put(SecurityConstants.TOKEN, target);
-            Element el = target.getUnattachedReference();
-            if (el == null) {
-                el = target.getAttachedReference();
-            }
-            StaxUtils.copy(el, writer);
+            StaxUtils.copy(target.getToken(), writer);
             writer.writeEndElement();
         }
         
@@ -852,12 +848,79 @@ public class STSClient implements Config
         return (Element)nd;
     }
 
-    public void renewSecurityToken(SecurityToken tok) throws Exception {
-        String action = null;
+    public SecurityToken renewSecurityToken(SecurityToken tok) throws Exception {
+        createClient();
+        BindingOperationInfo boi = findOperation("/RST/Renew");
+
+        client.getRequestContext().putAll(ctx);
         if (isSecureConv) {
-            action = namespace + "/RST/SCT/Renew";
+            client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/SCT/Renew");
+        } else {
+            client.getRequestContext().put(SoapBindingConstants.SOAP_ACTION, namespace + "/RST/Renew");
+        }
+
+        W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+        writer.writeStartElement("wst", "RequestSecurityToken", namespace);
+        writer.writeNamespace("wst", namespace);
+        if (context != null) {
+            writer.writeAttribute(null, "Context", context);
+        }
+        
+        String sptt = null;
+        if (template != null) {
+            if (this.useSecondaryParameters()) {
+                writer.writeStartElement("wst", "SecondaryParameters", namespace);
+            }
+            
+            Element tl = DOMUtils.getFirstElement(template);
+            while (tl != null) {
+                StaxUtils.copy(tl, writer);
+                if ("TokenType".equals(tl.getLocalName())) {
+                    sptt = DOMUtils.getContent(tl);
+                }
+                tl = DOMUtils.getNextElement(tl);
+            }
+            
+            if (this.useSecondaryParameters()) {
+                writer.writeEndElement();
+            }
+        }
+        
+        if (isSpnego) {
+            tokenType = STSUtils.getTokenTypeSCT(namespace);
         }
-        requestSecurityToken(tok.getIssuerAddress(), action, "/Renew", tok);
+
+        addRequestType("/Renew", writer);
+        if (enableAppliesTo) {
+            addAppliesTo(writer, tok.getIssuerAddress());
+        }
+        
+        if (sptt == null) {
+            addTokenType(writer);
+        }
+        if (isSecureConv || enableLifetime) {
+            addLifetime(writer);
+        }
+
+        writer.writeStartElement("wst", "RenewTarget", namespace);
+        client.getRequestContext().put(SecurityConstants.TOKEN, tok);
+        StaxUtils.copy(tok.getToken(), writer);
+        writer.writeEndElement();
+        
+        writer.writeEndElement();
+
+        Object obj[] = client.invoke(boi, new DOMSource(writer.getDocument().getDocumentElement()));
+
+        SecurityToken token = createSecurityToken(getDocumentElement((DOMSource)obj[0]), null);
+        if (token.getTokenType() == null) {
+            if (sptt != null) {
+                token.setTokenType(sptt);
+            } else if (tokenType != null) {
+                token.setTokenType(tokenType);
+            }
+        }
+        return token;
+        
     }
 
     protected PrimitiveAssertion getAddressingAssertion() {

Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/SAMLRenewUnitTest.java Tue Apr 10 16:20:54 2012
@@ -0,0 +1,234 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.renew;
+
+import java.net.URL;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.systest.sts.common.SecurityTestUtil;
+import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.ws.security.WSConstants;
+import org.junit.BeforeClass;
+
+/**
+ * In this test case, a CXF client requests a SAML Token from an STS and then tries to renew it.
+ */
+public class SAMLRenewUnitTest extends AbstractBusClientServerTestBase {
+    
+    static final String STSPORT = allocatePort(STSServer.class);
+    
+    @BeforeClass
+    public static void startServers() throws Exception {
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
+                   launchServer(STSServer.class, true)
+        );
+    }
+    
+    @org.junit.AfterClass
+    public static void cleanup() {
+        SecurityTestUtil.cleanup();
+    }
+
+    @org.junit.Test
+    public void testRenewSAML1Token() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String wsdlLocation = 
+            "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
+        
+        // Request the token
+        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 5);
+        assertNotNull(token);
+        // Sleep to expire the token
+        Thread.sleep(5000);
+        
+        // Renew the token
+        SecurityToken renewedToken = renewSecurityToken(bus, wsdlLocation, token);
+        assertFalse(token.equals(renewedToken));
+        
+        // Try to validate old token -> fail.
+        try {
+            validateSecurityToken(bus, wsdlLocation, token);
+            fail("Failure expected on trying to renew the old token");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Validate the renewed token
+        validateSecurityToken(bus, wsdlLocation, renewedToken);
+    }
+    
+    @org.junit.Test
+    public void testRenewSAML2Token() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String wsdlLocation = 
+            "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
+        
+        // Request the token
+        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML2_TOKEN_TYPE, 5);
+        assertNotNull(token);
+        // Sleep to expire the token
+        Thread.sleep(5000);
+        
+        // Renew the token
+        SecurityToken renewedToken = renewSecurityToken(bus, wsdlLocation, token);
+        assertFalse(token.equals(renewedToken));
+        
+        // Try to validate old token -> fail.
+        try {
+            validateSecurityToken(bus, wsdlLocation, token);
+            fail("Failure expected on trying to renew the old token");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        // Validate the renewed token
+        validateSecurityToken(bus, wsdlLocation, renewedToken);
+    }
+    
+    @org.junit.Test
+    public void testRenewValidSAML1Token() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        String wsdlLocation = 
+            "https://localhost:" + STSPORT + "/SecurityTokenService/Transport?wsdl";
+        
+        // Request the token
+        SecurityToken token = requestSecurityToken(bus, wsdlLocation, WSConstants.WSS_SAML_TOKEN_TYPE, 300);
+        assertNotNull(token);
+        
+        // Validate the token
+        List<SecurityToken> validatedTokens = validateSecurityToken(bus, wsdlLocation, token);
+        assertFalse(validatedTokens.isEmpty());
+        assertTrue(validatedTokens.get(0).equals(token));
+
+        // Renew the token - this should fail as the STS will reject an attempt to renew a valid token
+        // unless it has been configured otherwise
+        try {
+            renewSecurityToken(bus, wsdlLocation, token);
+            fail("Failure expected on trying to renew a valid token");
+        } catch (Exception ex) {
+            // expected
+        }
+    }
+    
+    private SecurityToken requestSecurityToken(
+        Bus bus, String wsdlLocation, String tokenType, int ttl
+    ) throws Exception {
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setWsdlLocation(wsdlLocation);
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+        stsClient.setTokenType(tokenType);
+        stsClient.setKeyType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer");
+
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(SecurityConstants.USERNAME, "alice");
+        properties.put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+        );
+        properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
+        
+        stsClient.setTtl(ttl);
+        stsClient.setEnableLifetime(true);
+
+        stsClient.setProperties(properties);
+        stsClient.setRequiresEntropy(true);
+        stsClient.setKeySize(128);
+        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+
+        return stsClient.requestSecurityToken("https://localhost:8081/doubleit/services/doubleittransport");
+    }
+    
+    private List<SecurityToken> validateSecurityToken(
+        Bus bus, String wsdlLocation, SecurityToken securityToken
+    ) throws Exception {
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setWsdlLocation(wsdlLocation);
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(SecurityConstants.USERNAME, "alice");
+        properties.put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+        );
+        properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
+
+        stsClient.setProperties(properties);
+        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+
+        return stsClient.validateSecurityToken(securityToken);
+    }
+    
+    private SecurityToken renewSecurityToken(
+        Bus bus, String wsdlLocation, SecurityToken securityToken
+    ) throws Exception {
+        STSClient stsClient = new STSClient(bus);
+        stsClient.setWsdlLocation(wsdlLocation);
+        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
+        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(SecurityConstants.USERNAME, "alice");
+        properties.put(
+            SecurityConstants.CALLBACK_HANDLER, 
+            "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+        );
+        properties.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
+
+        stsClient.setEnableAppliesTo(false);
+        // Request a token with a TTL of 60 minutes
+        stsClient.setTtl(60 * 60);
+        stsClient.setEnableLifetime(true);
+        stsClient.setProperties(properties);
+        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
+        
+        return stsClient.renewSecurityToken(securityToken);
+    }
+    
+}

Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/STSServer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/STSServer.java?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/STSServer.java (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/STSServer.java Tue Apr 10 16:20:54 2012
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.renew;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class STSServer extends AbstractBusTestServerBase {
+
+    public STSServer() {
+
+    }
+
+    protected void run()  {
+        URL busFile = STSServer.class.getResource("cxf-sts.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new STSServer();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+    
+    public static void main(String args[]) {
+        new STSServer().run();
+    }
+}

Added: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/Server.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/Server.java?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/Server.java (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/renew/Server.java Tue Apr 10 16:20:54 2012
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.renew;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class Server extends AbstractBusTestServerBase {
+
+    public Server() {
+
+    }
+
+    protected void run()  {
+        URL busFile = Server.class.getResource("cxf-service.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new Server();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}

Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client-unit.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client-unit.xml?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client-unit.xml (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-client-unit.xml Tue Apr 10 16:20:54 2012
@@ -0,0 +1,52 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xmlns:jaxws="http://cxf.apache.org/jaxws"
+   xmlns:cxf="http://cxf.apache.org/core"
+   xmlns:http="http://cxf.apache.org/transports/http/configuration"
+   xmlns:sec="http://cxf.apache.org/configuration/security"
+   xsi:schemaLocation="
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
+http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
+http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
+http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">
+
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    
+   <http:conduit name="https://localhost:.*">
+      <http:tlsClientParameters disableCNCheck="true">
+        <sec:trustManagers>
+          <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+        </sec:trustManagers>
+        <sec:keyManagers keyPassword="ckpass">
+           <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
+        </sec:keyManagers>
+      </http:tlsClientParameters>
+   </http:conduit>
+   
+</beans>
+

Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/cxf-sts.xml Tue Apr 10 16:20:54 2012
@@ -0,0 +1,192 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+  xmlns:cxf="http://cxf.apache.org/core"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xmlns:sec="http://cxf.apache.org/configuration/security"
+  xmlns:http="http://cxf.apache.org/transports/http/configuration"
+  xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+  xmlns:jaxws="http://cxf.apache.org/jaxws"
+  xmlns:util="http://www.springframework.org/schema/util"
+  xsi:schemaLocation="
+            http://cxf.apache.org/core
+            http://cxf.apache.org/schemas/core.xsd
+            http://cxf.apache.org/configuration/security
+            http://cxf.apache.org/schemas/configuration/security.xsd
+            http://cxf.apache.org/jaxws
+            http://cxf.apache.org/schemas/jaxws.xsd
+            http://cxf.apache.org/transports/http/configuration
+            http://cxf.apache.org/schemas/configuration/http-conf.xsd
+            http://cxf.apache.org/transports/http-jetty/configuration
+            http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+            http://www.springframework.org/schema/beans
+            http://www.springframework.org/schema/beans/spring-beans.xsd
+            http://www.springframework.org/schema/util
+            http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+    
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    
+    <cxf:bus>
+        <cxf:features>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+
+	<bean id="transportSTSProviderBean"
+		class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+		<property name="issueOperation" ref="transportIssueDelegate" />
+		<property name="validateOperation" ref="transportValidateDelegate" />
+		<property name="renewOperation" ref="transportRenewDelegate" />
+	</bean>
+
+	<bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+		<property name="tokenProviders" ref="transportTokenProviders" />
+		<property name="services" ref="transportService" />
+		<property name="stsProperties" ref="transportSTSProperties" />
+		<property name="claimsManager" ref="claimsManager" />
+		<property name="tokenStore" ref="defaultTokenStore" />
+	</bean>
+
+	<bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+		<property name="tokenProviders" ref="transportTokenProviders" />
+		<property name="tokenValidators" ref="transportTokenValidators" />
+		<property name="stsProperties" ref="transportSTSProperties" />
+		<property name="tokenStore" ref="defaultTokenStore" />
+	</bean>
+	
+	<bean id="transportRenewDelegate" class="org.apache.cxf.sts.operation.TokenRenewOperation">
+        <property name="tokenRenewers" ref="transportTokenRenewers" />
+        <property name="tokenValidators" ref="transportTokenValidators" />
+        <property name="stsProperties" ref="transportSTSProperties" />
+        <property name="tokenStore" ref="defaultTokenStore" />
+    </bean>
+
+	<bean id="defaultTokenStore" class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
+	</bean>
+
+	<util:list id="transportTokenProviders">
+		<ref bean="transportSamlTokenProvider" />
+	</util:list>
+
+	<util:list id="transportTokenValidators">
+		<ref bean="transportSamlTokenValidator" />
+	</util:list>
+	
+	<util:list id="transportTokenRenewers">
+        <ref bean="transportSamlTokenRenewer" />
+    </util:list>
+
+	<bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+		<property name="attributeStatementProviders" ref="attributeStatementProvidersList" />
+		<property name="conditionsProvider" ref="SAMLConditionsProvider"/>
+	</bean>
+
+	<util:list id="attributeStatementProvidersList">
+		<ref bean="defaultAttributeProvider" />
+		<ref bean="customAttributeProvider" />
+	</util:list>
+
+	<bean id="defaultAttributeProvider"
+		class="org.apache.cxf.sts.token.provider.DefaultAttributeStatementProvider">
+	</bean>
+	
+	<bean id="customAttributeProvider"
+		class="org.apache.cxf.systest.sts.deployment.CustomAttributeStatementProvider">
+	</bean>
+
+	<bean id="claimsManager" class="org.apache.cxf.sts.claims.ClaimsManager">
+		<property name="claimHandlers" ref="claimHandlerList" />
+	</bean>
+
+	<util:list id="claimHandlerList">
+		<ref bean="customClaimsHandler" />
+	</util:list>
+
+	<bean id="customClaimsHandler"
+		class="org.apache.cxf.systest.sts.deployment.CustomClaimsHandler">
+	</bean>
+
+	<bean id="transportX509TokenValidator" class="org.apache.cxf.sts.token.validator.X509TokenValidator">
+	</bean>
+
+	<bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+	</bean>
+	
+	<bean id="transportSamlTokenRenewer" class="org.apache.cxf.sts.token.renewer.SAMLTokenRenewer">
+	    <property name="verifyProofOfPossession" value="false"/>
+	    <property name="conditionsProvider" ref="SAMLConditionsProvider"/>
+    </bean>
+    
+    <bean id="SAMLConditionsProvider" class="org.apache.cxf.sts.token.provider.DefaultConditionsProvider">
+        <property name="acceptClientLifetime" value="true"/>
+    </bean>
+
+	<bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
+		<property name="endpoints" ref="transportEndpoints" />
+	</bean>
+
+	<util:list id="transportEndpoints">
+		<value>https://localhost:(\d)*/doubleit/services/doubleittransport.*
+		</value>
+	</util:list>
+
+	<bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
+		<property name="signaturePropertiesFile" value="stsKeystore.properties" />
+		<property name="signatureUsername" value="mystskey" />
+		<property name="callbackHandlerClass"
+			value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
+		<property name="encryptionPropertiesFile" value="stsKeystore.properties" />
+		<property name="issuer" value="DoubleItSTSIssuer" />
+		<property name="encryptionUsername" value="myservicekey" />
+	</bean>
+
+	<jaxws:endpoint id="localSTS" implementor="#transportSTSProviderBean"
+		address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/Transport"
+		wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
+		xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+		depends-on="ClientAuthHttpsSettings" serviceName="ns1:SecurityTokenService"
+		endpointName="ns1:Transport_Port">
+	</jaxws:endpoint>
+
+	<httpj:engine-factory id="ClientAuthHttpsSettings"
+		bus="cxf">
+		<httpj:engine port="${testutil.ports.STSServer}">
+			<httpj:tlsServerParameters>
+				<sec:trustManagers>
+					<sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
+				</sec:trustManagers>
+				<sec:keyManagers keyPassword="stskpass">
+					<sec:keyStore type="jks" password="stsspass" resource="stsstore.jks" />
+				</sec:keyManagers>
+				<sec:cipherSuitesFilter>
+					<sec:include>.*_EXPORT_.*</sec:include>
+					<sec:include>.*_EXPORT1024_.*</sec:include>
+					<sec:include>.*_WITH_DES_.*</sec:include>
+					<sec:include>.*_WITH_AES_.*</sec:include>
+					<sec:include>.*_WITH_NULL_.*</sec:include>
+					<sec:exclude>.*_DH_anon_.*</sec:exclude>
+				</sec:cipherSuitesFilter>
+				<sec:clientAuthentication want="true"
+					required="true" />
+			</httpj:tlsServerParameters>
+		</httpj:engine>
+	</httpj:engine-factory>
+   
+</beans>
+

Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/ws-trust-1.4-service.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/ws-trust-1.4-service.wsdl?rev=1311833&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/ws-trust-1.4-service.wsdl (added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/renew/ws-trust-1.4-service.wsdl Tue Apr 10 16:20:54 2012
@@ -0,0 +1,432 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<wsdl:definitions
+        targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+        xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+        xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+        xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
+        xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy"
+        xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
+    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
+    xmlns:xs="http://www.w3.org/2001/XMLSchema"
+    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
+    >
+
+  <wsdl:types>
+    <xs:schema elementFormDefault="qualified" targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
+
+      <xs:element name='RequestSecurityToken' type='wst:AbstractRequestSecurityTokenType' />
+      <xs:element name='RequestSecurityTokenResponse' type='wst:AbstractRequestSecurityTokenType' />
+
+      <xs:complexType name='AbstractRequestSecurityTokenType' >
+        <xs:sequence>
+          <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded' />
+        </xs:sequence>
+        <xs:attribute name='Context' type='xs:anyURI' use='optional' />
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:complexType>
+      <xs:element name='RequestSecurityTokenCollection' type='wst:RequestSecurityTokenCollectionType' />
+      <xs:complexType name='RequestSecurityTokenCollectionType' >
+        <xs:sequence>
+          <xs:element name='RequestSecurityToken' type='wst:AbstractRequestSecurityTokenType' minOccurs='2' maxOccurs='unbounded'/>
+        </xs:sequence>
+      </xs:complexType>
+
+      <xs:element name='RequestSecurityTokenResponseCollection' type='wst:RequestSecurityTokenResponseCollectionType' />
+      <xs:complexType name='RequestSecurityTokenResponseCollectionType' >
+        <xs:sequence>
+          <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1' maxOccurs='unbounded' />
+        </xs:sequence>
+        <xs:anyAttribute namespace='##other' processContents='lax' />
+      </xs:complexType>
+
+    </xs:schema>
+  </wsdl:types>
+
+  <!-- WS-Trust defines the following GEDs -->
+  <wsdl:message name="RequestSecurityTokenMsg">
+    <wsdl:part name="request" element="wst:RequestSecurityToken" />
+  </wsdl:message>
+  <wsdl:message name="RequestSecurityTokenResponseMsg">
+    <wsdl:part name="response"
+            element="wst:RequestSecurityTokenResponse" />
+  </wsdl:message>
+  <wsdl:message name="RequestSecurityTokenCollectionMsg">
+    <wsdl:part name="requestCollection"
+            element="wst:RequestSecurityTokenCollection"/>
+  </wsdl:message>
+  <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
+    <wsdl:part name="responseCollection"
+            element="wst:RequestSecurityTokenResponseCollection"/>
+  </wsdl:message>
+
+  <!-- This portType an example of a Requestor (or other) endpoint that 
+         Accepts SOAP-based challenges from a Security Token Service -->
+  <wsdl:portType name="WSSecurityRequestor">
+    <wsdl:operation name="Challenge">
+      <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
+      <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+  </wsdl:portType>
+
+  <!-- This portType is an example of an STS supporting full protocol -->
+  <wsdl:portType name="STS">
+    <wsdl:operation name="Cancel">
+      <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" message="tns:RequestSecurityTokenMsg"/>
+      <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal" message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+    <wsdl:operation name="Issue">
+      <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:RequestSecurityTokenMsg"/>
+      <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:RequestSecurityTokenResponseCollectionMsg"/>
+    </wsdl:operation>
+    <wsdl:operation name="Renew">
+      <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" message="tns:RequestSecurityTokenMsg"/>
+      <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal" message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+    <wsdl:operation name="Validate">
+      <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" message="tns:RequestSecurityTokenMsg"/>
+      <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal" message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+    <wsdl:operation name="KeyExchangeToken">
+      <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET" message="tns:RequestSecurityTokenMsg"/>
+      <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal" message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+    <wsdl:operation name="RequestCollection">
+      <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
+      <wsdl:output message="tns:RequestSecurityTokenResponseCollectionMsg"/>
+    </wsdl:operation>
+  </wsdl:portType>
+
+  <!-- This portType is an example of an endpoint that accepts 
+         Unsolicited RequestSecurityTokenResponse messages -->
+  <wsdl:portType name="SecurityTokenResponseService">
+    <wsdl:operation name="RequestSecurityTokenResponse">
+      <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
+    </wsdl:operation>
+  </wsdl:portType>
+  
+  <wsdl:binding name="Transport_Binding" type="wstrust:STS">
+    <wsp:PolicyReference URI="#Transport_policy" />
+  	<soap:binding style="document"
+  		transport="http://schemas.xmlsoap.org/soap/http" />
+  	<wsdl:operation name="Issue">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+  		<wsdl:input>
+  		    <wsp:PolicyReference
+               URI="#Input_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  		    <wsp:PolicyReference
+               URI="#Output_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Validate">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+  		<wsdl:input>
+  		    <wsp:PolicyReference
+               URI="#Input_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  		    <wsp:PolicyReference
+               URI="#Output_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Cancel">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Renew">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="KeyExchangeToken">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="RequestCollection">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  </wsdl:binding>
+  
+  <wsdl:binding name="Transport_Soap12_Binding" type="wstrust:STS">
+    <wsp:PolicyReference URI="#Transport_policy" />
+    <soap12:binding style="document"
+        transport="http://schemas.xmlsoap.org/soap/http" />
+    <wsdl:operation name="Issue">
+        <soap12:operation
+            soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+        <wsdl:input>
+            <wsp:PolicyReference
+               URI="#Input_policy" />
+            <soap12:body use="literal" />
+        </wsdl:input>
+        <wsdl:output>
+            <wsp:PolicyReference
+               URI="#Output_policy" />
+            <soap12:body use="literal" />
+        </wsdl:output>
+    </wsdl:operation>
+    <wsdl:operation name="Validate">
+        <soap12:operation
+            soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+        <wsdl:input>
+            <wsp:PolicyReference
+               URI="#Input_policy" />
+            <soap12:body use="literal" />
+        </wsdl:input>
+        <wsdl:output>
+            <wsp:PolicyReference
+               URI="#Output_policy" />
+            <soap12:body use="literal" />
+        </wsdl:output>
+    </wsdl:operation>
+  </wsdl:binding>
+  
+  <wsdl:binding name="Transport_Kerberos_Binding" type="wstrust:STS">
+    <wsp:PolicyReference URI="#Transport_Kerberos_policy" />
+    <soap:binding style="document"
+        transport="http://schemas.xmlsoap.org/soap/http" />
+    <wsdl:operation name="Issue">
+        <soap:operation
+            soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+        <wsdl:input>
+            <wsp:PolicyReference
+               URI="#Input_policy" />
+            <soap:body use="literal" />
+        </wsdl:input>
+        <wsdl:output>
+            <wsp:PolicyReference
+               URI="#Output_policy" />
+            <soap:body use="literal" />
+        </wsdl:output>
+    </wsdl:operation>
+    <wsdl:operation name="Validate">
+        <soap:operation
+            soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+        <wsdl:input>
+            <wsp:PolicyReference
+               URI="#Input_policy" />
+            <soap:body use="literal" />
+        </wsdl:input>
+        <wsdl:output>
+            <wsp:PolicyReference
+               URI="#Output_policy" />
+            <soap:body use="literal" />
+        </wsdl:output>
+    </wsdl:operation>
+  </wsdl:binding>
+  
+  <wsdl:service name="SecurityTokenService">
+      <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
+         <soap:address location="https://localhost:8084/SecurityTokenService/Transport" />
+      </wsdl:port>
+      <wsdl:port name="Transport_Soap12_Port" binding="tns:Transport_Soap12_Binding">
+         <soap12:address location="https://localhost:8084/SecurityTokenService/TransportSoap12" />
+      </wsdl:port>
+      <wsdl:port name="Transport_Kerberos_Port" binding="tns:Transport_Kerberos_Binding">
+         <soap:address location="https://localhost:8084/SecurityTokenService/Kerberos" />
+      </wsdl:port>
+  </wsdl:service>
+  
+  <wsp:Policy wsu:Id="Transport_policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <wsap10:UsingAddressing/>
+            <sp:TransportBinding
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:TransportToken>
+                     <wsp:Policy>
+                        <sp:HttpsToken>
+                            <wsp:Policy>
+                                <sp:RequireClientCertificate />
+                            </wsp:Policy>
+                        </sp:HttpsToken>
+                     </wsp:Policy>
+                  </sp:TransportToken>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:TripleDesRsa15 />
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax />
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp />
+               </wsp:Policy>
+            </sp:TransportBinding>
+            <sp:Wss11
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:MustSupportRefKeyIdentifier />
+                  <sp:MustSupportRefIssuerSerial />
+                  <sp:MustSupportRefThumbprint />
+                  <sp:MustSupportRefEncryptedKey />
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:Trust13
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:MustSupportIssuedTokens />
+                  <sp:RequireClientEntropy />
+                  <sp:RequireServerEntropy />
+               </wsp:Policy>
+            </sp:Trust13>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
+   
+   <wsp:Policy wsu:Id="Transport_Kerberos_policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <wsap10:UsingAddressing/>
+            <sp:TransportBinding
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:TransportToken>
+                     <wsp:Policy>
+                        <sp:HttpsToken>
+                            <wsp:Policy>
+                                <sp:RequireClientCertificate />
+                            </wsp:Policy>
+                        </sp:HttpsToken>
+                     </wsp:Policy>
+                  </sp:TransportToken>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:TripleDesRsa15 />
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax />
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp />
+               </wsp:Policy>
+            </sp:TransportBinding>
+            <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                <wsp:Policy>
+                    <sp:KerberosToken
+                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Once">
+                        <wsp:Policy>
+                            <sp:WssGssKerberosV5ApReqToken11/>
+                        </wsp:Policy>
+                    </sp:KerberosToken>
+                </wsp:Policy>
+            </sp:SupportingTokens>
+            <sp:Wss11
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:MustSupportRefKeyIdentifier />
+                  <sp:MustSupportRefIssuerSerial />
+                  <sp:MustSupportRefThumbprint />
+                  <sp:MustSupportRefEncryptedKey />
+               </wsp:Policy>
+            </sp:Wss11>
+            <sp:Trust13
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <wsp:Policy>
+                  <sp:MustSupportIssuedTokens />
+                  <sp:RequireClientEntropy />
+                  <sp:RequireServerEntropy />
+               </wsp:Policy>
+            </sp:Trust13>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
+   
+   <wsp:Policy wsu:Id="Input_policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:SignedParts
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <sp:Body />
+               <sp:Header Name="To"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="From"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="FaultTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="ReplyTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="MessageID"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="RelatesTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="Action"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+            </sp:SignedParts>
+            <sp:EncryptedParts
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <sp:Body />
+            </sp:EncryptedParts>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
+   
+   <wsp:Policy wsu:Id="Output_policy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:SignedParts
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <sp:Body />
+               <sp:Header Name="To"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="From"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="FaultTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="ReplyTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="MessageID"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="RelatesTo"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+               <sp:Header Name="Action"
+                  Namespace="http://www.w3.org/2005/08/addressing" />
+            </sp:SignedParts>
+            <sp:EncryptedParts
+               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+               <sp:Body />
+            </sp:EncryptedParts>
+         </wsp:All>
+      </wsp:ExactlyOne>
+   </wsp:Policy>
+
+</wsdl:definitions>