
From cohei...@apache.org
Subject svn commit: r1341084 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ services/sts/systests/advanced/src/test/java/org/apach...
Date Mon, 21 May 2012 15:55:04 GMT
Author: coheigea
Date: Mon May 21 15:55:04 2012
New Revision: 1341084

URL: http://svn.apache.org/viewvc?rev=1341084&view=rev
Log:
[CXF-4330] - Enforce that received IssuedTokens contain the required claims

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
    cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java?rev=1341084&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
Mon May 21 15:55:04 2012
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.w3c.dom.Element;
+
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a WS-SecurityPolicy Claims policy.
+ */
+public interface ClaimsPolicyValidator {
+    
+    /**
+     * Validate a particular Claims policy against a received SAML Assertion. 
+     * Return true if the policy is valid.
+     */
+    boolean validatePolicy(
+        Element claimsPolicy,
+        AssertionWrapper assertion
+    );
+    
+    /**
+     * Return the dialect that this ClaimsPolicyValidator can parse
+     */
+    String getDialect();
+}
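Review bot: The `validatePolicy` Javadoc leaves the contract underspecified: it does not say what "valid" means for ClaimType entries marked `Optional`, nor what an implementation returns for a null policy or a Dialect it does not handle, both of which the default implementation in this commit decides on its own (false in both cases). Suggest tightening it to something like `Return true if every ClaimType in the policy that is not marked Optional="true" has a corresponding attribute in the assertion; return false for a null policy or a Dialect this validator does not understand.` The `getDialect()` comment could also state that callers compare it against the policy's `Dialect` attribute to decide whether `validatePolicy` is consulted at all, which is how the IssuedTokenPolicyValidator change in this commit uses it.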

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java?rev=1341084&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
Mon May 21 15:55:04 2012
@@ -0,0 +1,135 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.net.URI;
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a WS-SecurityPolicy Claims policy for the 
+ * "http://schemas.xmlsoap.org/ws/2005/05/identity" namespace.
+ */
+public class DefaultClaimsPolicyValidator implements ClaimsPolicyValidator {
+    
+    private static final String DEFAULT_CLAIMS_NAMESPACE = 
+        "http://schemas.xmlsoap.org/ws/2005/05/identity";
+    
+    /**
+     * Validate a particular Claims policy against a received SAML Assertion. 
+     * Return true if the policy is valid.
+     */
+    public boolean validatePolicy(
+        Element claimsPolicy,
+        AssertionWrapper assertion
+    ) {
+        if (claimsPolicy == null) {
+            return false;
+        }
+        
+        String dialect = claimsPolicy.getAttributeNS(null, "Dialect");
+        if (!DEFAULT_CLAIMS_NAMESPACE.equals(dialect)) {
+            return false;
+        }
+        
+        Element claimType = DOMUtils.getFirstElement(claimsPolicy);
+        while (claimType != null) {
+            if ("ClaimType".equals(claimType.getLocalName())) {
+                String claimTypeUri = claimType.getAttributeNS(null, "Uri");
+                String claimTypeOptional = claimType.getAttributeNS(null, "Optional");
+                
+                if (("".equals(claimTypeOptional) || !Boolean.parseBoolean(claimTypeOptional))
+                    && !findClaimInAssertion(assertion, URI.create(claimTypeUri)))
{
+                    return false;
+                }
+            }
+            
+            claimType = DOMUtils.getNextElement(claimType);
+        }
+        
+        return true;
+    }
+    
+    /**
+     * Return the dialect that this ClaimsPolicyValidator can parse
+     */
+    public String getDialect() {
+        return DEFAULT_CLAIMS_NAMESPACE;
+    }
+    
+    private boolean findClaimInAssertion(AssertionWrapper assertion, URI claimURI) {
+        if (assertion.getSaml1() != null) {
+            return findClaimInAssertion(assertion.getSaml1(), claimURI);
+        } else if (assertion.getSaml2() != null) {
+            return findClaimInAssertion(assertion.getSaml2(), claimURI);
+        }
+        return false;
+    }
+    
+    private boolean findClaimInAssertion(org.opensaml.saml2.core.Assertion assertion, URI
claimURI) {
+        List<org.opensaml.saml2.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            return false;
+        }
+        
+        for (org.opensaml.saml2.core.AttributeStatement statement : attributeStatements)
{
+            
+            List<org.opensaml.saml2.core.Attribute> attributes = statement.getAttributes();
+            for (org.opensaml.saml2.core.Attribute attribute : attributes) {
+                
+                URI attributeNamespace = URI.create(attribute.getNameFormat());
+                String desiredRole = attributeNamespace.relativize(claimURI).toString();
+                if (attribute.getName().equals(desiredRole)
+                    && attribute.getAttributeValues() != null && !attribute.getAttributeValues().isEmpty())
{
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+    
+    private boolean findClaimInAssertion(org.opensaml.saml1.core.Assertion assertion, URI
claimURI) {
+        List<org.opensaml.saml1.core.AttributeStatement> attributeStatements = 
+            assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            return false;
+        }
+        
+        for (org.opensaml.saml1.core.AttributeStatement statement : attributeStatements)
{
+            
+            List<org.opensaml.saml1.core.Attribute> attributes = statement.getAttributes();
+            for (org.opensaml.saml1.core.Attribute attribute : attributes) {
+                
+                URI attributeNamespace = URI.create(attribute.getAttributeNamespace());
+                String desiredRole = attributeNamespace.relativize(claimURI).toString();
+                if (attribute.getAttributeName().equals(desiredRole)
+                    && attribute.getAttributeValues() != null && !attribute.getAttributeValues().isEmpty())
{
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+}
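Review bot: `URI.create(attribute.getNameFormat())` at the top of the SAML 2 attribute loop throws instead of returning false when a received Attribute has no NameFormat (it is optional in SAML 2.0, so `getNameFormat()` can be null) or one that is not a valid URI, and the SAML 1 loop has the same exposure through `getAttributeNamespace()`; `attribute.getName().equals(...)` likewise NPEs on a nameless attribute. Because the assertion is the received token, a malformed token turns into an unhandled exception inside the policy validator rather than a clean policy failure. Guard each attribute before building the URI, e.g. `if (attribute.getNameFormat() == null || attribute.getName() == null) { continue; }` (and the SAML 1 counterpart using `getAttributeNamespace()`/`getAttributeName()`), or catch `IllegalArgumentException` around `URI.create` and treat it as no match. The `AssertionWrapper` overload also dereferences `assertion` with no null check; whether the caller can reach it with a null wrapper is not visible in this diff.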

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Mon May 21 15:55:04 2012
@@ -46,6 +46,7 @@ public class IssuedTokenPolicyValidator 
     
     private List<WSSecurityEngineResult> signedResults;
     private Message message;
+    private ClaimsPolicyValidator claimsValidator = new DefaultClaimsPolicyValidator();
 
     public IssuedTokenPolicyValidator(
         List<WSSecurityEngineResult> signedResults,
@@ -157,6 +158,12 @@ public class IssuedTokenPolicyValidator 
                         return false;
                     }
                 }
+            } else if ("Claims".equals(child.getLocalName())) {
+                String dialect = child.getAttributeNS(null, "Dialect");
+                if (claimsValidator.getDialect().equals(dialect)
+                    && !claimsValidator.validatePolicy(child, assertionWrapper))
{
+                    return false;
+                }
             }
             child = DOMUtils.getNextElement(child);
         }
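Review bot: The new `Claims` branch only enforces the policy when `claimsValidator.getDialect()` equals the element's `Dialect`; a Claims element in any other dialect falls through and the token is accepted as if no claims were required, which fails open for exactly the case the commit sets out to enforce. Treating an unsupported dialect as a policy failure is the safer default (or at minimum log it), e.g. `if (!claimsValidator.getDialect().equals(dialect) || !claimsValidator.validatePolicy(child, assertionWrapper)) { return false; }`. The enclosing method starts and ends outside this hunk, so whether some later check already covers the unknown-dialect case is not visible here.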
@@ -180,5 +187,6 @@ public class IssuedTokenPolicyValidator 
         }
         return true;
     }
+    
    
 }

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsTest.java
Mon May 21 15:55:04 2012
@@ -92,6 +92,33 @@ public class ClaimsTest extends Abstract
     }
     
     @org.junit.Test
+    public void testSaml1WrongClaims() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClaimsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = ClaimsTest.class.getResource("DoubleItWrongClaims.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1ClaimsPort");
+        DoubleItPortType transportClaimsPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportClaimsPort, PORT);
+        
+        try {
+            doubleIt(transportClaimsPort, 25);
+            fail("Expected Exception");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testSaml1ClaimsWrongRole() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
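Review bot: `catch (Exception ex)` in `testSaml1WrongClaims` accepts any failure, so the test passes whether the service rejected the token for the missing givenname claim or the call failed for an unrelated reason (connection, STS, the relative WSDL import path), meaning it cannot distinguish an enforcement regression from an environment problem; `testSaml2WrongClaims` in the next hunk has the same shape. Narrow the catch to the fault type the client surfaces and assert on its text, e.g. `} catch (javax.xml.ws.soap.SOAPFaultException ex) { assertTrue(ex.getMessage(), ex.getMessage().contains(EXPECTED_POLICY_FAILURE_TEXT)); }` with the constant set to whatever the policy failure reports (placeholder; not on this page). `bus.shutdown(true)` is also skipped when `fail` fires before it; a `finally` would keep the bus from leaking into later tests.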
@@ -140,6 +167,34 @@ public class ClaimsTest extends Abstract
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testSaml2WrongClaims() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ClaimsTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = ClaimsTest.class.getResource("DoubleItWrongClaims.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2ClaimsPort");
+        DoubleItPortType transportClaimsPort = 
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(transportClaimsPort, PORT);
+        
+        try {
+            doubleIt(transportClaimsPort, 25);
+            fail("Expected Exception");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        
+        bus.shutdown(true);
+    }
+    
     private static void doubleIt(DoubleItPortType port, int numToDouble) {
         int resp = port.doubleIt(numToDouble);
         assertEquals(numToDouble * 2 , resp);

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/claims/ClaimsValidator.java
Mon May 21 15:55:04 2012
@@ -31,7 +31,9 @@ import org.opensaml.xml.XMLObject;
 
 /**
  * This class validates a SAML Assertion and checks that it has an "AuthenticatedRole" attribute
- * corresponding to "admin-user".
+ * corresponding to "admin-user". Note that it only throws an error if the role has the wrong
+ * value, not if the role doesn't exist. This is because the WS-SecurityPolicy validation
will
+ * check to make sure that the correct defined Claims have been met in the token.
  */
 public class ClaimsValidator extends SamlAssertionValidator {
     
@@ -72,13 +74,13 @@ public class ClaimsValidator extends Sam
                 for (XMLObject attributeValue : attribute.getAttributeValues()) {
                     Element attributeValueElement = attributeValue.getDOM();
                     String text = attributeValueElement.getTextContent();
-                    if ("admin-user".equals(text)) {
-                        return true;
+                    if (!"admin-user".equals(text)) {
+                        return false;
                     }
                 }
             }
         }
-        return false;
+        return true;
     }
     
     private boolean handleSAML2Assertion(
@@ -99,13 +101,13 @@ public class ClaimsValidator extends Sam
                 for (XMLObject attributeValue : attribute.getAttributeValues()) {
                     Element attributeValueElement = attributeValue.getDOM();
                     String text = attributeValueElement.getTextContent();
-                    if ("admin-user".equals(text)) {
-                        return true;
+                    if (!"admin-user".equals(text)) {
+                        return false;
                     }
                 }
             }
         }
-        return false;
+        return true;
     }
 
 }

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java?rev=1341084&r1=1341083&r2=1341084&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/deployment/CustomClaimsHandler.java
Mon May 21 15:55:04 2012
@@ -36,6 +36,8 @@ public class CustomClaimsHandler impleme
 
     public static final URI ROLE = 
             URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");  
+    public static final URI GIVEN_NAME = 
+        URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname");  
     
     public ClaimCollection retrieveClaimValues(
             RequestClaimCollection claims, ClaimsParameters parameters) {
@@ -45,9 +47,15 @@ public class CustomClaimsHandler impleme
             for (RequestClaim requestClaim : claims) {
                 Claim claim = new Claim();
                 claim.setClaimType(requestClaim.getClaimType());
-                claim.setIssuer("Test Issuer");
-                claim.setOriginalIssuer("Original Issuer");
-                claim.setValue("admin-user");
+                if (ROLE.equals(requestClaim.getClaimType())) {
+                    claim.setIssuer("Test Issuer");
+                    claim.setOriginalIssuer("Original Issuer");
+                    claim.setValue("admin-user");
+                } else if (GIVEN_NAME.equals(requestClaim.getClaimType())) {
+                    claim.setIssuer("Test Issuer");
+                    claim.setOriginalIssuer("Original Issuer");
+                    claim.setValue(parameters.getPrincipal().getName());
+                }
                 claimCollection.add(claim);
             }
             return claimCollection;
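Review bot: `claimCollection.add(claim)` now runs for every requested claim type, including ones matching neither `ROLE` nor `GIVEN_NAME`, so such a request yields a `Claim` with a type but no issuer or value where the previous code always populated all three. `getSupportedClaimTypes()` advertises only the two known types, so this is probably unreachable through the STS, but moving the `add` inside the two branches (or adding a final `else { continue; }`) keeps the handler from emitting empty claims if that filter is bypassed. `parameters.getPrincipal()` is also dereferenced without a null check in the `GIVEN_NAME` branch; whether a principal is guaranteed at this point is not visible in the diff.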
@@ -58,6 +66,7 @@ public class CustomClaimsHandler impleme
     public List<URI> getSupportedClaimTypes() {
         List<URI> list = new ArrayList<URI>();
         list.add(ROLE);
+        list.add(GIVEN_NAME);
         return list;
     }
 

Added: cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl?rev=1341084&view=auto
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
(added)
+++ cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/claims/DoubleItWrongClaims.wsdl
Mon May 21 15:55:04 2012
@@ -0,0 +1,287 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions name="DoubleIt"
+	xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
+	xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:di="http://www.example.org/schema/DoubleIt"
+	xmlns:tns="http://www.example.org/contract/DoubleIt" xmlns:wsp="http://www.w3.org/ns/ws-policy"
+	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
+	xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing"
+	xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" targetNamespace="http://www.example.org/contract/DoubleIt">
+
+    <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" 
+                 namespace="http://www.example.org/contract/DoubleIt"/>
+
+	<wsdl:binding name="DoubleItTransportSAML1ClaimsBinding" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItBindingTransportSAML1ClaimsPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
+	
+	<wsdl:binding name="DoubleItTransportSAML2ClaimsBinding" type="tns:DoubleItPortType">
+		<wsp:PolicyReference URI="#DoubleItBindingTransportSAML2ClaimsPolicy" />
+		<soap:binding style="document"
+			transport="http://schemas.xmlsoap.org/soap/http" />
+		<wsdl:operation name="DoubleIt">
+			<soap:operation soapAction="" />
+			<wsdl:input>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy" />
+			</wsdl:input>
+			<wsdl:output>
+				<soap:body use="literal" />
+				<wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy" />
+			</wsdl:output>
+		</wsdl:operation>
+	</wsdl:binding>
+
+	<wsdl:service name="DoubleItService">
+		<wsdl:port name="DoubleItTransportSAML1ClaimsPort" 
+		           binding="tns:DoubleItTransportSAML1ClaimsBinding">
+			<soap:address
+				location="https://localhost:8081/doubleit/services/doubleittransportsaml1claims" />
+		</wsdl:port>
+		<wsdl:port name="DoubleItTransportSAML2ClaimsPort" 
+		           binding="tns:DoubleItTransportSAML2ClaimsBinding">
+			<soap:address
+				location="https://localhost:8081/doubleit/services/doubleittransportsaml2claims" />
+		</wsdl:port>
+	</wsdl:service>
+	
+	<wsp:Policy wsu:Id="DoubleItBindingTransportSAML1ClaimsPolicy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<wsam:Addressing wsp:Optional="false">
+					<wsp:Policy />
+				</wsam:Addressing>
+				<sp:TransportBinding
+					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+					<wsp:Policy>
+						<sp:TransportToken>
+							<wsp:Policy>
+								<sp:IssuedToken
+									sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+									<sp:RequestSecurityTokenTemplate>
+										<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
+										<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+										<t:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
+                                              xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
+                                           <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
+                                        </t:Claims>
+									</sp:RequestSecurityTokenTemplate>
+									<wsp:Policy>
+										<sp:RequireInternalReference />
+									</wsp:Policy>
+									<sp:Issuer>
+										<wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+										</wsaw:Address>
+										<wsaw:Metadata>
+											<wsx:Metadata>
+												<wsx:MetadataSection>
+													<wsx:MetadataReference>
+														<wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+														</wsaw:Address>
+													</wsx:MetadataReference>
+												</wsx:MetadataSection>
+											</wsx:Metadata>
+										</wsaw:Metadata>
+									</sp:Issuer>
+								</sp:IssuedToken>
+								<sp:HttpsToken>
+                                                                    <wsp:Policy/>
+                                                                </sp:HttpsToken>
+							</wsp:Policy>
+						</sp:TransportToken>
+						<sp:AlgorithmSuite>
+							<wsp:Policy>
+								<sp:TripleDesRsa15 />
+							</wsp:Policy>
+						</sp:AlgorithmSuite>
+						<sp:Layout>
+							<wsp:Policy>
+								<sp:Lax />
+							</wsp:Policy>
+						</sp:Layout>
+						<sp:IncludeTimestamp />
+					</wsp:Policy>
+				</sp:TransportBinding>
+				<sp:Wss11>
+					<wsp:Policy>
+						<sp:MustSupportRefIssuerSerial />
+						<sp:MustSupportRefThumbprint />
+						<sp:MustSupportRefEncryptedKey />
+					</wsp:Policy>
+				</sp:Wss11>
+				<sp:Trust13>
+					<wsp:Policy>
+						<sp:MustSupportIssuedTokens />
+						<sp:RequireClientEntropy />
+						<sp:RequireServerEntropy />
+					</wsp:Policy>
+				</sp:Trust13>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+	
+	<wsp:Policy wsu:Id="DoubleItBindingTransportSAML2ClaimsPolicy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<wsam:Addressing wsp:Optional="false">
+					<wsp:Policy />
+				</wsam:Addressing>
+				<sp:TransportBinding
+					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+					<wsp:Policy>
+						<sp:TransportToken>
+							<wsp:Policy>
+								<sp:HttpsToken>
+                                                                    <wsp:Policy/>
+                                                                </sp:HttpsToken>
+							</wsp:Policy>
+						</sp:TransportToken>
+						<sp:AlgorithmSuite>
+							<wsp:Policy>
+								<sp:TripleDesRsa15 />
+							</wsp:Policy>
+						</sp:AlgorithmSuite>
+						<sp:Layout>
+							<wsp:Policy>
+								<sp:Lax />
+							</wsp:Policy>
+						</sp:Layout>
+						<sp:IncludeTimestamp />
+					</wsp:Policy>
+				</sp:TransportBinding>
+				<sp:SupportingTokens
+					xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+					<wsp:Policy>
+					    <sp:IssuedToken
+						    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+							<sp:RequestSecurityTokenTemplate>
+								<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+								<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
+								<t:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
+                                       xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
+                                     <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
+                                </t:Claims>
+							</sp:RequestSecurityTokenTemplate>
+							<wsp:Policy>
+								<sp:RequireInternalReference />
+							</wsp:Policy>
+							<sp:Issuer>
+								<wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+								</wsaw:Address>
+								<wsaw:Metadata>
+									<wsx:Metadata>
+										<wsx:MetadataSection>
+											<wsx:MetadataReference>
+												<wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+												</wsaw:Address>
+											</wsx:MetadataReference>
+										</wsx:MetadataSection>
+									</wsx:Metadata>
+								</wsaw:Metadata>
+							</sp:Issuer>
+						</sp:IssuedToken>
+					</wsp:Policy>
+			    </sp:SupportingTokens>
+				<sp:Wss11>
+					<wsp:Policy>
+						<sp:MustSupportRefIssuerSerial />
+						<sp:MustSupportRefThumbprint />
+						<sp:MustSupportRefEncryptedKey />
+					</wsp:Policy>
+				</sp:Wss11>
+				<sp:Trust13>
+					<wsp:Policy>
+						<sp:MustSupportIssuedTokens />
+						<sp:RequireClientEntropy />
+						<sp:RequireServerEntropy />
+					</wsp:Policy>
+				</sp:Trust13>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+	
+	<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<sp:EncryptedParts>
+					<sp:Body />
+				</sp:EncryptedParts>
+				<sp:SignedParts>
+					<sp:Body />
+					<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="AckRequested"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="SequenceAcknowledgement"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="Sequence"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="CreateSequence"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+				</sp:SignedParts>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+	<wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+		<wsp:ExactlyOne>
+			<wsp:All>
+				<sp:EncryptedParts>
+					<sp:Body />
+				</sp:EncryptedParts>
+				<sp:SignedParts>
+					<sp:Body />
+					<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
+					<sp:Header Name="AckRequested"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="SequenceAcknowledgement"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="Sequence"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+					<sp:Header Name="CreateSequence"
+						Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702" />
+				</sp:SignedParts>
+			</wsp:All>
+		</wsp:ExactlyOne>
+	</wsp:Policy>
+</wsdl:definitions>


