From cohei...@apache.org
Subject svn commit: r1353931 - in /cxf/branches/2.5.x-fixes: parent/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-security-examples/src/test/resources/org/apache/cxf/systest...
Date Tue, 26 Jun 2012 10:51:50 GMT
Author: coheigea
Date: Tue Jun 26 10:51:47 2012
New Revision: 1353931

URL: http://svn.apache.org/viewvc?rev=1353931&view=rev
Log:
Merged revisions 1353909 via  git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk

........
  r1353909 | coheigea | 2012-06-26 10:58:16 +0100 (Tue, 26 Jun 2012) | 2 lines

  Add support for subject cert constraints when validating chain trust on WS-Security signatures

........


Conflicts:

	rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml

Added:
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
Modified:
    cxf/branches/2.5.x-fixes/parent/pom.xml
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
    cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml

Modified: cxf/branches/2.5.x-fixes/parent/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/parent/pom.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/parent/pom.xml (original)
+++ cxf/branches/2.5.x-fixes/parent/pom.xml Tue Jun 26 10:51:47 2012
@@ -102,7 +102,7 @@
         <cxf.jibx.version>1.2.4.5</cxf.jibx.version>
         <cxf.axiom.version>1.2.10</cxf.axiom.version>
         <cxf.jettison.version>1.3.1</cxf.jettison.version>
-        <cxf.wss4j.version>1.6.6</cxf.wss4j.version>
+        <cxf.wss4j.version>1.6.7-SNAPSHOT</cxf.wss4j.version>
         <cxf.joda.time.version>1.6.2</cxf.joda.time.version>
         <cxf.opensaml.version>2.5.1</cxf.opensaml.version>
         <cxf.opensamlws.version>1.4.2-1</cxf.opensamlws.version>

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Tue Jun 26 10:51:47 2012
@@ -186,6 +186,15 @@ public final class SecurityConstants {
     public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS =
         "ws-security.sts.disable-wsmex-call-using-epr-address";
     
+    /**
+     * This configuration tag is a comma separated String of regular expressions which
+     * will be applied to the subject DN of the certificate used for signature
+     * validation, after trust verification of the certificate chain associated with the

+     * certificate. These constraints are not used when the certificate is contained in
+     * the keystore (direct trust).
+     */
+    public static final String SUBJECT_CERT_CONSTRAINTS = "ws-security.subject.cert.constraints";
+    
     public static final Set<String> ALL_PROPERTIES;
     
     static {
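Review bot: The Javadoc on `SUBJECT_CERT_CONSTRAINTS` leaves the matching semantics open: it does not say whether a subject DN must satisfy one expression or all of them, nor whether an expression must match the whole DN or only part of it. Because the value is comma separated and subject DNs themselves contain commas, it should also state that an expression cannot contain a literal comma. I would add a sentence along the lines of `If this property is not set, no subject DN constraint is applied to certificates accepted via chain trust.`, which is what the interceptor change in this commit appears to imply, and spell out the any/all and full/partial behaviour once confirmed against the WSS4J implementation, which is not visible here. The class body continues outside the hunk.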
@@ -203,7 +212,8 @@ public final class SecurityConstants {
             KERBEROS_JAAS_CONTEXT_NAME, KERBEROS_SPN, SPNEGO_CLIENT_ACTION,
             ENABLE_NONCE_CACHE, NONCE_CACHE_INSTANCE, ENABLE_TIMESTAMP_CACHE,
             TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE,
-            SAML_ROLE_ATTRIBUTENAME, DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS
+            SAML_ROLE_ATTRIBUTENAME, DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS,
+            SUBJECT_CERT_CONSTRAINTS
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

Modified: cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
(original)
+++ cxf/branches/2.5.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
Tue Jun 26 10:51:47 2012
@@ -168,6 +168,11 @@ public abstract class AbstractWSS4JInter
         if (futureTTL != null) {
             msg.setContextualProperty(WSHandlerConstants.TTL_FUTURE_TIMESTAMP, futureTTL);
         }
+        String certConstraints = 
+            (String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS);
+        if (certConstraints != null) {
+            msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
+        }
     }
 
     @Override
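Review bot: The `(String)` cast on `msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS)` throws a ClassCastException when the property is supplied as anything other than a String, for example a list of patterns set programmatically, and that would surface as an opaque runtime failure rather than a configuration error. The value is also forwarded without trimming, so whitespace around the commas in a Spring `value` attribute reaches the pattern parser unchanged; how WSS4J treats that is not visible in this hunk. A short comment above the block would help the next reader, e.g. `// Absent property => no subject DN constraint is handed to WSS4J; the value must be a String`. The enclosing method starts outside the hunk.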

Modified: cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -79,6 +79,7 @@
        depends-on="tls-settings">
        <jaxws:properties>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
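Review bot: The constraint `.*O=apache.org.*` added here is looser than it reads: the dots in `apache.org` are unescaped, so they match any character, and the surrounding `.*` accepts the text anywhere in the subject DN, including inside another attribute's value or as the start of a longer organisation name. These files are test fixtures, but the ones under ws-security-examples are likely to be copied as templates, so a tighter form such as `(.*,\s*)?O=apache\.org(,.*)?` would set a better example; the exact shape depends on the DN string format WSS4J compares against, which is not visible on this page. The same value is added in the remaining hunks of this file and in the other server.xml and server-derived.xml hunks on this page.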
@@ -95,6 +96,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -111,6 +113,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -127,6 +130,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -154,6 +158,7 @@
        depends-on="tls-settings">
        <jaxws:properties>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -173,6 +178,7 @@
            <entry key="ws-security.encryption.properties" value="bob.properties"/>

            <entry key="ws-security.signature.properties" value="alice.properties"/>

            <entry key="ws-security.encryption.username" value="alice"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -189,6 +195,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.username" value="bob"/> 
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     

Modified: cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -56,6 +56,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties.sct" value="bob.properties"/>

            <entry key="ws-security.encryption.username.sct" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints.sct" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     

Modified: cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -113,6 +113,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -143,6 +144,7 @@
            <entry key="ws-security.callback-handler" 
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     

Modified: cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -56,6 +56,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -72,6 +73,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -88,6 +90,7 @@
                   value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
            <entry key="ws-security.signature.username" value="bob"/> 
            <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     
@@ -107,6 +110,7 @@
            <entry key="ws-security.encryption.properties" value="bob.properties"/>

            <entry key="ws-security.signature.properties" value="alice.properties"/>

            <entry key="ws-security.encryption.username" value="alice"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
     </jaxws:endpoint>
     

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
Tue Jun 26 10:51:47 2012
@@ -489,6 +489,44 @@ public class X509TokenTest extends Abstr
     }
     
     @org.junit.Test
+    public void testTransportSupportingSignedCertConstraints() throws Exception {
+        if (!unrestrictedPoliciesInstalled) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItTransportSupportingSignedCertConstraintsPort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT2);
+        
+        ((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+                "org/apache/cxf/systest/ws/wssec10/client/bob.properties");
+        ((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME,
"bob");
+        
+        try {
+            x509Port.doubleIt(25);
+            fail("Failure expected on bob");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        ((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_PROPERTIES,
+            "org/apache/cxf/systest/ws/wssec10/client/alice.properties");
+        ((BindingProvider)x509Port).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME,
"alice");
+    
+        x509Port.doubleIt(25);
+    }
+    
+    @org.junit.Test
     public void testTransportKVT() throws Exception {
         if (!unrestrictedPoliciesInstalled) {
             return;
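Review bot: The negative half of `testTransportSupportingSignedCertConstraints` catches `Exception` and discards it, so the test passes for any failure on the bob call, an unreachable endpoint or a keystore problem as much as a rejected subject DN, and would not notice if the constraint check stopped being the reason for the rejection. Narrowing the catch and checking the fault would pin the behaviour, e.g. `} catch (javax.xml.ws.soap.SOAPFaultException ex) {` followed by an assertion on `ex.getMessage()`; the exception type and fault text the client actually sees are not visible here and need confirming. The early `return` when `unrestrictedPoliciesInstalled` is false also reports the test as passed rather than skipped; `org.junit.Assume.assumeTrue(unrestrictedPoliciesInstalled);` would make that visible. The trailing `testTransportKVT` context continues outside the hunk.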

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -58,6 +58,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -77,6 +78,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -96,6 +98,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/policy/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -80,6 +80,7 @@
 			<entry key="ws-security.signature.properties"
 				value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
 			<entry key="ws-security.encryption.username" value="useReqSigCert" />
+			<entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
 		</jaxws:properties>
 		<jaxws:features>
             <p:policies>
@@ -101,6 +102,7 @@
             <entry key="ws-security.signature.properties"
                 value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
             <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
         </jaxws:properties>
         <jaxws:features>
             <p:policies>
@@ -122,6 +124,7 @@
             <entry key="ws-security.signature.properties"
                 value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
             <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
         </jaxws:properties>
         <jaxws:features>
             <p:policies>
@@ -144,6 +147,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
        <jaxws:features>
             <p:policies>
@@ -167,6 +171,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
           <entry key="ws-security.callback-handler"
                 value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
        </jaxws:properties> 

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -119,6 +119,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
            <entry key="ws-security.saml2.validator" 
                   value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
@@ -140,6 +141,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -158,6 +160,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -176,6 +179,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -194,6 +198,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -214,6 +219,7 @@
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
            <entry key="ws-security.saml2.validator" 
                   value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
        </jaxws:properties> 
@@ -234,6 +240,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -254,6 +261,7 @@
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
            <entry key="ws-security.saml2.validator" 
                   value="org.apache.cxf.systest.ws.saml.server.CustomSaml2Validator"/>
        </jaxws:properties> 
@@ -276,6 +284,7 @@
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -294,6 +303,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -312,6 +322,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
        <jaxws:features>
          <p:policies>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server-derived.xml
Tue Jun 26 10:51:47 2012
@@ -122,6 +122,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint>
@@ -140,6 +141,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint>
@@ -158,6 +160,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.server.UTPasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/ut/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -153,6 +153,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -172,6 +173,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback"/>
            <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 

Added: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties?rev=1353931&view=auto
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
(added)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/client/cxfca.properties
Tue Jun 26 10:51:47 2012
@@ -0,0 +1,23 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=cxfca
+org.apache.ws.security.crypto.merlin.keystore.file=org/apache/cxf/systest/ws/wssec10/certs/cxfca.jks
+
+
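Review bot: The new properties file has no comment saying what the keystore is for, and it keeps the keystore password `password` in clear text next to the keystore path. A header line such as `# Test-only trust store for the systests; do not reuse this keystore or password outside the test suite` would make the intent explicit for anyone who copies the file as a template. Presumably cxfca.jks holds only the CA certificate, which is what would force chain-trust validation on the endpoint that references it, but that is not visible in this message and would be worth stating in the same comment.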

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -120,6 +120,7 @@
             <entry key="ws-security.username" value="Alice"/>
             <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
             <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
         </jaxws:properties> 
 
@@ -141,6 +142,7 @@
             <entry key="ws-security.username" value="Alice"/>
             <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
             <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
         </jaxws:properties> 
 

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/wssec10/server/server_restricted.xml
Tue Jun 26 10:51:47 2012
@@ -122,6 +122,7 @@
             <entry key="ws-security.username" value="Alice"/>
             <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
             <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
         </jaxws:properties> 
 
@@ -143,6 +144,7 @@
             <entry key="ws-security.username" value="Alice"/>
             <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/server/bob.properties"/>
             <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.wssec10.server.KeystorePasswordCallback"/>
         </jaxws:properties> 
 

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
Tue Jun 26 10:51:47 2012
@@ -343,6 +343,11 @@
                    binding="tns:DoubleItTransportSupportingSignedBinding">
             <soap:address location="https://localhost:9002/DoubleItX509TransportSupportingSigned"
/>
         </wsdl:port>
+        <wsdl:port name="DoubleItTransportSupportingSignedCertConstraintsPort" 
+                   binding="tns:DoubleItTransportSupportingSignedBinding">
+            <soap:address 
+                  location="https://localhost:9002/DoubleItX509TransportSupportingSignedCertConstraints"
/>
+        </wsdl:port>
         <wsdl:port name="DoubleItTransportKVTPort" 
                    binding="tns:DoubleItTransportKVTBinding">
             <soap:address location="https://localhost:9002/DoubleItX509TransportKVT" />

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
Tue Jun 26 10:51:47 2012
@@ -222,6 +222,14 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSupportingSignedCertConstraintsPort"

+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportKVTPort"

                   createdFromAPI="true">
        <jaxws:properties>

Modified: cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1353931&r1=1353930&r2=1353931&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
(original)
+++ cxf/branches/2.5.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
Tue Jun 26 10:51:47 2012
@@ -156,6 +156,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -175,6 +176,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.enable.timestamp.cache" value="true"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -193,6 +195,7 @@
                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -233,6 +236,7 @@
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
           <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -268,6 +272,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -285,6 +290,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -302,6 +308,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -319,6 +326,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint>
@@ -336,6 +344,7 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
@@ -353,6 +362,25 @@
        <jaxws:properties>
           <entry key="ws-security.signature.properties" 
                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="TransportSupportingSignedCertConstraints"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItX509TransportSupportingSignedCertConstraints"

+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItTransportSupportingSignedCertConstraintsPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/cxfca.properties"/>

+          <entry key="ws-security.subject.cert.constraints" value=".*CN=alice.*"/>
        </jaxws:properties> 
      
     </jaxws:endpoint> 
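Review bot: Only an accepting configuration is visible for the new `TransportSupportingSignedCertConstraints` endpoint: the constraint `.*CN=alice.*` matches the client the other endpoints already use, so nothing in this hunk shows that a non-matching subject is rejected. If the test class, which is not visible in this part of the message, does not already cover it, a sibling endpoint with a constraint that cannot match the client certificate, asserted to fail, would prove the property is enforced rather than ignored. An XML comment above the endpoint, for example `<!-- signature.properties points at the CA-only store so the signer is validated by chain trust and then checked against the subject constraint -->`, would also explain why this endpoint uses cxfca.properties instead of bob.properties.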


