Subject: svn commit: r1338220 - in /cxf/branches/2.5.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/apache/cxf/systes...
Date: Mon, 14 May 2012 14:30:38 -0000
To: commits@cxf.apache.org
Reply-To: dev@cxf.apache.org
From: coheigea@apache.org
X-Mailer: svnmailer-1.0.8-patched
Message-Id: <20120514143039.CCAD22388860@eris.apache.org>

Author: coheigea
Date: Mon May 14 14:30:37 2012
New Revision: 1338220

URL: http://svn.apache.org/viewvc?rev=1338220&view=rev
Log:
Merged revisions 1338219 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk

........
r1338219 | coheigea | 2012-05-14 15:27:05 +0100 (Mon, 14 May 2012) | 2 lines

Improved SupportingToken policy validation
........

Added:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
- copied, changed from r1338130, cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
Modified:
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Mon May 14 14:30:37 2012 
@@ -69,6 +69,7 @@ import org.apache.cxf.ws.security.wss4j. import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType; import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator; +import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator; import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator; @@ -562,9 +563,6 @@ public class PolicyBasedWSS4JInIntercept LOG.fine("Incoming request failed supporting token policy validation"); } - // The supporting tokens are already validated - assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS); - // relatively irrelevant stuff from a verification standpoint assertPolicy(aim, SP12Constants.LAYOUT); assertPolicy(aim, SP12Constants.WSS10); 
@@ -703,7 +701,13 @@ public class PolicyBasedWSS4JInIntercept boolean check = true; - SupportingTokenPolicyValidator validator = new SignedTokenPolicyValidator(); + SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator(); + validator.setUsernameTokenResults(utResults, utWithCallbacks); + validator.setSAMLTokenResults(samlResults); + validator.setTimestampElement(timestamp); + check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults); + + validator = new SignedTokenPolicyValidator(); validator.setUsernameTokenResults(utResults, utWithCallbacks); validator.setSAMLTokenResults(samlResults); validator.setTimestampElement(timestamp); Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -23,14 +23,30 @@ import java.security.cert.X509Certificat import java.util.ArrayList; import java.util.Arrays; import java.util.List; +import java.util.Map; +import java.util.logging.Level; +import java.util.logging.Logger; import javax.xml.namespace.QName; +import javax.xml.soap.SOAPException; +import javax.xml.soap.SOAPMessage; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathConstants; +import javax.xml.xpath.XPathExpressionException; +import javax.xml.xpath.XPathFactory; import org.w3c.dom.Element; +import org.w3c.dom.NodeList; +import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.helpers.CastUtils; +import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.helpers.MapNamespaceContext; import org.apache.cxf.message.Message; import org.apache.cxf.security.transport.TLSSessionInfo; +import org.apache.cxf.ws.security.policy.model.Header; +import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements; +import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts; import org.apache.ws.security.WSConstants; import org.apache.ws.security.WSDataRef; import org.apache.ws.security.WSSecurityEngine; @@ -48,6 +64,8 @@ import org.apache.ws.security.saml.ext.A public abstract class AbstractSupportingTokenPolicyValidator extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator { + private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class); + private Message message; private List results; private List signedResults; @@ -59,7 +77,11 @@ public abstract class AbstractSupporting private boolean signed; private boolean encrypted; private boolean derived; - private boolean endorsed; + private boolean endorsed; + private SignedEncryptedElements signedElements; + private SignedEncryptedElements encryptedElements; + private SignedEncryptedParts signedParts; + private SignedEncryptedParts encryptedParts; /** * Set the list of UsernameToken results 
@@ -130,7 +152,7 @@ public abstract class AbstractSupporting tokenResults.addAll(utResults); List dktResults = new ArrayList(); for (WSSecurityEngineResult wser : utResults) { - if (endorsed && derived) { + if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); if (dktResult != null) { @@ -150,9 +172,10 @@ public abstract class AbstractSupporting return false; } tokenResults.addAll(dktResults); - if (endorsed && !checkEndorsed(tokenResults)) { + if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) { return false; } + return true; } @@ -174,6 +197,11 @@ public abstract class AbstractSupporting if (endorsed && !checkEndorsed(samlResults)) { return false; } + + if (!validateSignedEncryptedPolicies(samlResults)) { + return false; + } + return true; } @@ -190,7 +218,7 @@ public abstract class AbstractSupporting BinarySecurity binarySecurity = (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN); if (binarySecurity instanceof KerberosSecurity) { - if (endorsed && derived) { + if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); if (dktResult != null) { @@ -216,6 +244,11 @@ public abstract class AbstractSupporting if (endorsed && !checkEndorsed(tokenResults)) { return false; } + + if (!validateSignedEncryptedPolicies(tokenResults)) { + return false; + } + return true; } @@ -233,7 +266,7 @@ public abstract class AbstractSupporting (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN); if (binarySecurity instanceof X509Security || binarySecurity instanceof PKIPathSecurity) { - if (endorsed && derived) { + if (derived) { WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser); if (resultToStore != null) { dktResults.add(resultToStore); 
@@ -258,6 +291,35 @@ public abstract class AbstractSupporting if (endorsed && !checkEndorsed(tokenResults)) { return false; } + + if (!validateSignedEncryptedPolicies(tokenResults)) { + return false; + } + + return true; + } + + /** + * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this + * SupportingToken. + */ + private boolean validateSignedEncryptedPolicies(List tokenResults) { + if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) { + return false; + } + + if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) { + return false; + } + + if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) { + return false; + } + + if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) { + return false; + } + return true; } @@ -271,7 +333,7 @@ public abstract class AbstractSupporting for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.SCT) { - if (endorsed && derived) { + if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret); if (dktResult != null) { @@ -296,6 +358,11 @@ public abstract class AbstractSupporting if (endorsed && !checkEndorsed(tokenResults)) { return false; } + + if (!validateSignedEncryptedPolicies(tokenResults)) { + return false; + } + return true; } @@ -417,7 +484,7 @@ public abstract class AbstractSupporting if (sl != null) { for (WSDataRef dataRef : sl) { if (timestamp == dataRef.getProtectedElement() - && checkSignature(signedResult, tokenResults)) { + && checkSignatureOrEncryptionResult(signedResult, tokenResults)) { return true; } } 
@@ -441,7 +508,7 @@ public abstract class AbstractSupporting for (WSDataRef dataRef : sl) { QName signedQName = dataRef.getName(); if (WSSecurityEngine.SIGNATURE.equals(signedQName) - && checkSignature(signedResult, tokenResults)) { + && checkSignatureOrEncryptionResult(signedResult, tokenResults)) { return true; } } @@ -451,20 +518,20 @@ public abstract class AbstractSupporting } /** - * Check that a WSSecurityEngineResult corresponding to a signature uses the same - * signing credential as one of the tokens. - * @param signatureResult a WSSecurityEngineResult corresponding to a signature + * Check that a WSSecurityEngineResult corresponding to a signature or encryption uses the same + * signing/encrypting credential as one of the tokens. + * @param signatureResult a WSSecurityEngineResult corresponding to a signature or encryption * @param tokenResult A list of WSSecurityEngineResults corresponding to tokens * @return */ - private boolean checkSignature( - WSSecurityEngineResult signatureResult, + private boolean checkSignatureOrEncryptionResult( + WSSecurityEngineResult result, List tokenResult ) { - // See what was used to sign this result + // See what was used to sign/encrypt this result X509Certificate cert = - (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); - byte[] secret = (byte[])signatureResult.get(WSSecurityEngineResult.TAG_SECRET); + (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET); // Now see if the same credential exists in the tokenResult list for (WSSecurityEngineResult token : tokenResult) { 
@@ -510,6 +577,165 @@ public abstract class AbstractSupporting } /** + * Validate the SignedParts or EncryptedParts policies + */ + private boolean validateSignedEncryptedParts( + SignedEncryptedParts parts, + boolean content, + List protResults, + List tokenResults + ) { + if (parts == null) { + return true; + } + + if (parts.isBody()) { + SOAPMessage soapMessage = message.getContent(SOAPMessage.class); + Element soapBody = null; + try { + soapBody = soapMessage.getSOAPBody(); + } catch (SOAPException ex) { + LOG.log(Level.FINE, ex.getMessage(), ex); + return false; + } + + if (!checkProtectionResult(soapBody, content, protResults, tokenResults)) { + return false; + } + } + + for (Header h : parts.getHeaders()) { + SOAPMessage soapMessage = message.getContent(SOAPMessage.class); + Element soapHeader = null; + try { + soapHeader = soapMessage.getSOAPHeader(); + } catch (SOAPException ex) { + LOG.log(Level.FINE, ex.getMessage(), ex); + return false; + } + + final List elements; + if (h.getName() == null) { + elements = DOMUtils.getChildrenWithNamespace(soapHeader, h.getNamespace()); + } else { + elements = DOMUtils.getChildrenWithName(soapHeader, h.getNamespace(), h.getName()); + } + + for (Element el : elements) { + if (!checkProtectionResult(el, false, protResults, tokenResults)) { + return false; + } + } + } + + return true; + } + + /** + * Check that an Element is signed or encrypted by one of the token results + */ + private boolean checkProtectionResult( + Element elementToProtect, + boolean content, + List protResults, + List tokenResults + ) { + for (WSSecurityEngineResult result : protResults) { + List dataRefs = + CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS)); + if (dataRefs != null) { + for (WSDataRef dataRef : dataRefs) { + if (elementToProtect == dataRef.getProtectedElement() + && content == dataRef.isContent() + && checkSignatureOrEncryptionResult(result, tokenResults)) { + return true; + } + } + } + } + return false; + } + 
+ /** + * Validate SignedElements or EncryptedElements policies + */ + private boolean validateSignedEncryptedElements( + SignedEncryptedElements elements, + boolean content, + List protResults, + List tokenResults + ) { + if (elements == null) { + return true; + } + + Map namespaces = elements.getDeclaredNamespaces(); + List xpaths = elements.getXPathExpressions(); + + if (xpaths != null) { + SOAPMessage soapMessage = message.getContent(SOAPMessage.class); + Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement(); + + for (String xPath : xpaths) { + if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) { + return false; + } + } + } + + return true; + } + + /** + * Check a particular XPath result + */ + private boolean checkXPathResult( + Element soapEnvelope, + String xPath, + Map namespaces, + List protResults, + List tokenResults + ) { + // XPathFactory and XPath are not thread-safe so we must recreate them + // each request. + final XPathFactory factory = XPathFactory.newInstance(); + final XPath xpath = factory.newXPath(); + + if (namespaces != null) { + xpath.setNamespaceContext(new MapNamespaceContext(namespaces)); + } + + // For each XPath + for (String xpathString : Arrays.asList(xPath)) { + // Get the matching nodes + NodeList list; + try { + list = (NodeList)xpath.evaluate( + xpathString, + soapEnvelope, + XPathConstants.NODESET); + } catch (XPathExpressionException e) { + LOG.log(Level.FINE, e.getMessage(), e); + return false; + } + + // If we found nodes then we need to do the check. + if (list.getLength() != 0) { + // For each matching element, check for a ref that + // covers it. + for (int x = 0; x < list.getLength(); x++) { + final Element el = (Element)list.item(x); + + if (!checkProtectionResult(el, false, protResults, tokenResults)) { + return false; + } + } + } + } + return true; + } + + /** * Return true if a token was signed, false otherwise. */ private boolean isTokenSigned(Element token) { 
@@ -543,5 +769,33 @@ public abstract class AbstractSupporting } return false; } + + public void setUtResults(List utResults) { + this.utResults = utResults; + } + + public void setValidateUsernameToken(boolean validateUsernameToken) { + this.validateUsernameToken = validateUsernameToken; + } + + public void setTimestamp(Element timestamp) { + this.timestamp = timestamp; + } + + public void setSignedElements(SignedEncryptedElements signedElements) { + this.signedElements = signedElements; + } + + public void setEncryptedElements(SignedEncryptedElements encryptedElements) { + this.encryptedElements = encryptedElements; + } + + public void setSignedParts(SignedEncryptedParts signedParts) { + this.signedParts = signedParts; + } + + public void setEncryptedParts(SignedEncryptedParts encryptedParts) { + this.encryptedParts = encryptedParts; + } } Copied: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java (from r1338130, cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java) URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java?p2=cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java&p1=cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java&r1=1338130&r2=1338220&rev=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original) +++ 
cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java Mon May 14 14:30:37 2012 @@ -38,12 +38,12 @@ import org.apache.cxf.ws.security.policy import org.apache.ws.security.WSSecurityEngineResult; /** - * Validate SignedSupportingToken policies. + * Validate SupportingToken policies. */ -public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator { +public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator { - public SignedTokenPolicyValidator() { - setSigned(true); + public ConcreteSupportingTokenPolicyValidator() { + setSigned(false); } public boolean validatePolicy( @@ -53,7 +53,7 @@ public class SignedTokenPolicyValidator List signedResults, List encryptedResults ) { - Collection ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS); + Collection ais = aim.get(SP12Constants.SUPPORTING_TOKENS); if (ais == null || ais.isEmpty()) { return true; } @@ -65,11 +65,16 @@ public class SignedTokenPolicyValidator for (AssertionInfo ai : ais) { SupportingToken binding = (SupportingToken)ai.getAssertion(); - if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) { + if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) { continue; } ai.setAsserted(true); + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); + List tokens = binding.getTokens(); for (Token token : tokens) { if (!isTokenRequired(token, message)) { 
@@ -103,7 +108,7 @@ public class SignedTokenPolicyValidator if (processingFailed) { ai.setNotAsserted( - "The received token does not match the signed supporting token requirement" + "The received token does not match the supporting token requirement" ); return false; } Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -69,6 +69,11 @@ public class EncryptedTokenPolicyValidat continue; } ai.setAsserted(true); + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); List tokens = binding.getTokens(); for (Token token : tokens) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -71,6 +71,11 @@ public class EndorsingEncryptedTokenPoli continue; } ai.setAsserted(true); + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); List tokens = binding.getTokens(); for (Token token : tokens) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -70,7 +70,12 @@ public class EndorsingTokenPolicyValidat continue; } ai.setAsserted(true); - + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); + List tokens = binding.getTokens(); for (Token token : tokens) { if (!isTokenRequired(token, message)) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -70,6 +70,11 @@ public class SignedEncryptedTokenPolicyV continue; } ai.setAsserted(true); + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); List tokens = binding.getTokens(); for (Token token : tokens) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -72,6 +72,11 @@ public class SignedEndorsingEncryptedTok continue; } ai.setAsserted(true); + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); List tokens = binding.getTokens(); for (Token token : tokens) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -70,6 +70,11 @@ public class SignedEndorsingTokenPolicyV continue; } ai.setAsserted(true); + + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); List tokens = binding.getTokens(); for (Token token : tokens) { Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original) +++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Mon May 14 14:30:37 2012 
@@ -70,6 +70,11 @@ public class SignedTokenPolicyValidator } ai.setAsserted(true); + setSignedParts(binding.getSignedParts()); + setEncryptedParts(binding.getEncryptedParts()); + setSignedElements(binding.getSignedElements()); + setEncryptedElements(binding.getEncryptedElements()); + List tokens = binding.getTokens(); for (Token token : tokens) { if (!isTokenRequired(token, message)) { Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/policy/PolicyAlternativeTest.java Mon May 14 14:30:37 2012 @@ -79,7 +79,7 @@ public class PolicyAlternativeTest exten QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricPort"); DoubleItPortType utPort = service.getPort(portQName, DoubleItPortType.class); - updateAddressPort(utPort, PORT2); + updateAddressPort(utPort, PORT); utPort.doubleIt(25); @@ -104,7 +104,7 @@ public class PolicyAlternativeTest exten QName portQName = new QName(NAMESPACE, "DoubleItNoSecurityPort"); DoubleItPortType utPort = service.getPort(portQName, DoubleItPortType.class); - updateAddressPort(utPort, PORT2); + updateAddressPort(utPort, PORT); try { utPort.doubleIt(25); 
@@ -134,11 +134,70 @@ public class PolicyAlternativeTest exten QName portQName = new QName(NAMESPACE, "DoubleItUsernameTokenPort"); DoubleItPortType utPort = service.getPort(portQName, DoubleItPortType.class); - updateAddressPort(utPort, PORT2); + updateAddressPort(utPort, PORT); utPort.doubleIt(25); bus.shutdown(true); } + /** + * The client uses a Transport binding policy with a Endorsing Supporting X509 Token. The client does + * not sign part of the WSA header though and so the invocation should fail. + */ + @org.junit.Test + public void testTransportSupportingSigned() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort"); + DoubleItPortType transportPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(transportPort, PORT2); + + try { + transportPort.doubleIt(25); + fail("Failure expected on not signing a wsa header"); + } catch (javax.xml.ws.soap.SOAPFaultException ex) { + // expected + } + } + + /** + * The client uses a Transport binding policy with a Endorsing Supporting X509 Token as well as a + * Signed Endorsing UsernameToken. Here the client is trying to trick the Service Provider as + * the UsernameToken signs the wsa:To Header, not the X.509 Token. 
+ */ + @org.junit.Test + public void testTransportUTSupportingSigned() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = PolicyAlternativeTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = PolicyAlternativeTest.class.getResource("DoubleItPolicy.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportUTSupportingSignedPort"); + DoubleItPortType transportPort = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(transportPort, PORT2); + + try { + transportPort.doubleIt(25); + fail("Failure expected on not signing a wsa header"); + } catch (javax.xml.ws.soap.SOAPFaultException ex) { + // expected + } + } + } Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Mon May 14 14:30:37 2012 
@@ -466,6 +466,28 @@ public class X509TokenTest extends Abstr bus.shutdown(true); } + @org.junit.Test + public void testTransportSupportingSigned() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509TokenTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedPort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT2); + x509Port.doubleIt(25); + } + private boolean checkUnrestrictedPoliciesInstalled() { try { byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/DoubleItPolicy.wsdl Mon May 14 14:30:37 2012 
@@ -57,6 +57,12 @@ + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/client/client.xml Mon May 14 14:30:37 2012 @@ -98,8 +98,51 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - @@ -164,4 +207,107 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml Mon May 14 14:30:37 2012 @@ -44,8 +44,32 @@ + + + + + + + + + + + + .*_EXPORT_.* + .*_EXPORT1024_.* + .*_WITH_DES_.* + .*_WITH_AES_.* + .*_WITH_NULL_.* + .*_DH_anon_.* + + + + + + + @@ -68,7 +92,7 @@ @@ -91,7 +115,7 @@ 
@@ -112,6 +136,54 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Mon May 14 14:30:37 2012 @@ -258,6 +258,23 @@ + + + + + + + + + + + + + + + + @@ -305,6 +322,10 @@ binding="tns:DoubleItTransportSignedEndorsingEncryptedBinding"> + + + @@ -778,6 +799,55 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Mon May 14 14:30:37 2012 
@@ -211,6 +211,17 @@ + + + + + + + + Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1338220&r1=1338219&r2=1338220&view=diff ============================================================================== --- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original) +++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Mon May 14 14:30:37 2012 @@ -348,4 +348,21 @@ + + + + + + + +
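Review bot: in the two validator hunks (`@@ -70,6 +70,11 @@ public class SignedEndorsingTokenPolicyV` and the matching one in SignedTokenPolicyValidator), the four `setSignedParts`/`setEncryptedParts`/`setSignedElements`/`setEncryptedElements` calls come right after `ai.setAsserted(true);`, so the assertion is already marked asserted before the parts they feed are checked against the message; please confirm the token loop that follows calls `ai.setNotAsserted(...)` on every failure path, otherwise a message that leaves the required wsa header unsigned (the case the new PolicyAlternativeTest tests exercise) would still pass policy. The setters also store per-binding state on the validator instance and are overwritten on each loop iteration, so with more than one binding assertion in play the last one wins; consider passing the parts to the check as parameters instead. Style: the SignedEndorsing hunk puts the blank line before the new block and the Signed hunk puts it after; pick one.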
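Review bot: the three `updateAddressPort(utPort, PORT2)` to `PORT` changes in PolicyAlternativeTest (`@@ -79,7`, `@@ -104,7`, `@@ -134,11`) move the existing Asymmetric, NoSecurity and UsernameToken cases to a different server endpoint while the two new Transport tests stay on PORT2, and neither the commit log ("Improved SupportingToken policy validation") nor the test class says why; a one-line comment at the PORT/PORT2 definitions stating which server configuration each port now maps to would save the next reader a trip through server.xml.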
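Review bot: in the two new negative tests in PolicyAlternativeTest (testTransportSupportingSigned and testTransportUTSupportingSigned), `catch (javax.xml.ws.soap.SOAPFaultException ex) { // expected }` accepts any SOAP fault, so the test also passes if the call fails for an unrelated reason (keystore problem, a different policy assertion); assert on `ex.getMessage()` containing the policy-failure text so the test proves the wsa:To signature check is what fired. The `fail("Failure expected on not signing a wsa header")` in testTransportUTSupportingSigned also describes the wrong case: per its own Javadoc the header is signed, just by the UsernameToken rather than the X.509 token, so the message should say that. Both tests omit the `bus.shutdown(true);` every other test in this class ends with, and both Javadocs read "a Endorsing" where "an Endorsing" is meant.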
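Review bot: testTransportSupportingSigned in X509TokenTest (`@@ -466,6 +466,28 @@`) creates a bus but never calls `bus.shutdown(true);`, unlike the test immediately above it whose `bus.shutdown(true);` is visible as hunk context; add it after `x509Port.doubleIt(25);` so bus state does not leak into later tests. The test also only checks that the call does not throw; asserting on the return value of `doubleIt(25)` would catch a silently wrong response. It has no Javadoc either, while its PolicyAlternativeTest counterparts do; a sentence saying this is the positive case (X.509 token signs the wsa header, invocation succeeds) would tie the three tests together.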
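Review bot: the cipherSuitesFilter patterns in the policy server.xml hunk (`@@ -44,8 +44,32 @@`) list `.*_EXPORT_.*`, `.*_EXPORT1024_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`, that is export-grade, single-DES and NULL-encryption suites; the include/exclude element tags around them have been stripped in this rendering, so the direction cannot be confirmed here, but if these are include patterns a comment should say they exist only so the systests run on restricted JDKs and must not be copied into a production TLS configuration. `.*_DH_anon_.*` alongside them is the one pattern that has to stay excluded regardless: anonymous DH gives no server authentication, and a Transport binding policy relies on TLS for exactly that.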
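Review bot: the WSDL and Spring hunks (DoubleItPolicy.wsdl, policy client.xml, DoubleItX509.wsdl `@@ -258,6 +258,23 @@` and `@@ -778,6 +799,55 @@`, x509 client.xml and server.xml) arrive here with every added element's markup stripped, so the new DoubleItTransportSupportingSignedPort and DoubleItTransportUTSupportingSignedPort policies that the Java tests depend on, in particular which SignedParts/SignedElements the X.509 supporting token must cover, cannot be reviewed from this page; anyone checking this change should read those files at the viewvc URLs given above each hunk before relying on the tests.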