Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1458789 - in /cxf/branches/wss4j2.0-port:
 rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
 systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/
 systests/ws-security/src/test...
Date: Wed, 20 Mar 2013 12:33:24 -0000
To: commits@cxf.apache.org
From: coheigea@apache.org
Message-Id: <20130320123324.781FB23889D7@eris.apache.org>

Author: coheigea
Date: Wed Mar 20 12:33:23 2013
New Revision: 1458789

URL: http://svn.apache.org/r1458789
Log:
Added a @Ignore'd test and some (not-used) functionality to validate ProtectTokens policies


Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java

Added:
    cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml
Modified:
    cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
    cxf/branches/wss4j2.0-port/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java
    cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
    cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
    cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
    cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml

Modified: cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original)
+++ cxf/branches/wss4j2.0-port/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Wed Mar 20 12:33:23 2013
@@ -19,6 +19,8 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -35,10 +37,16 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.neethi.Assertion;
+
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
 import org.apache.wss4j.dom.message.token.Timestamp;
+import org.apache.wss4j.dom.message.token.X509Security;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -244,6 +252,14 @@ public abstract class AbstractBindingPol
         assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
         assertPolicy(aim, SPConstants.PROTECT_TOKENS);
         
+        /*
+        // Check ProtectTokens
+        if (binding.isTokenProtection() && !isTokenProtected(results, signedResults)) {
+            ai.setNotAsserted("The token protection property is not valid");
+            return false;
+        }
+        */
+        
         return true;
     }
     
@@ -354,6 +370,99 @@ public abstract class AbstractBindingPol
     }
     
     /**
+     * Check whether the token protection policy is followed. In other words, check that the
+     * signature token was itself signed.
+     */
+    protected boolean isTokenProtected(
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        for (int i = 0; i < signedResults.size(); i++) {
+            WSSecurityEngineResult result = signedResults.get(i);
+            
+            // Get the Token result that was used for the signature
+            WSSecurityEngineResult tokenResult = 
+                findCorrespondingToken(result, results);
+            if (tokenResult == null) {
+                return false;
+            }
+            
+            // Now go through what was signed and see if the token itself was signed
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)result.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            boolean found = false;
+            if (sl != null) {
+                for (WSDataRef dataRef : sl) {
+                    Element referenceElement = dataRef.getProtectedElement();
+                    if (referenceElement != null
+                        && referenceElement.equals(tokenResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT))) {
+                        found = true;
+                    }
+                }
+            }
+            if (!found) {
+                return false;
+            }
+
+        }
+        return true;
+    }
+    
+    /**
+     * Find the token corresponding to either the X509Certificate or PublicKey used to sign
+     * the "signatureResult" argument.
+     */
+    private WSSecurityEngineResult findCorrespondingToken(
+        WSSecurityEngineResult signatureResult,
+        List<WSSecurityEngineResult> results
+    ) {
+        // See what was used to sign this result
+        X509Certificate cert = 
+            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+        PublicKey publicKey = 
+            (PublicKey)signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+        
+        for (WSSecurityEngineResult token : results) {
+            Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt == WSConstants.SIGN) {
+                continue;
+            }
+            
+            BinarySecurity binarySecurity = 
+                (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+            PublicKey foundPublicKey = 
+                (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+            if (binarySecurity instanceof X509Security
+                || binarySecurity instanceof PKIPathSecurity) {
+                X509Certificate foundCert = 
+                    (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                if (foundCert.equals(cert)) {
+                    return token;
+                }
+            } else if (actInt.intValue() == WSConstants.ST_SIGNED
+                || actInt.intValue() == WSConstants.ST_UNSIGNED) {
+                SamlAssertionWrapper assertionWrapper = 
+                    (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (samlKeyInfo != null) {
+                    X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
+                    PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
+                    if ((cert != null && subjectCerts != null 
+                        && cert.equals(subjectCerts[0]))
+                        || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
+                        return token;
+                    }
+                }
+            } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
+                return token;
+            } 
+        }
+        return null;
+    }
+    
+    /**
      * Check whether the primary Signature (and all SignatureConfirmation) elements were encrypted
      */
     protected boolean isSignatureEncrypted(List<WSSecurityEngineResult> results) {

Modified: cxf/branches/wss4j2.0-port/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java Wed Mar 20 12:33:23 2013
@@ -100,7 +100,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.1.2 (WSS1.0) SAML1.1 Assertion (Sender Vouches) over SSL
-     */
     @org.junit.Test
     public void testTLSSenderVouches() throws Exception {
 
@@ -126,7 +125,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.1.3 (WSS1.0) SAML1.1 Assertion (HK) over SSL
-     */
     @org.junit.Test
     public void testTLSHOKSignedEndorsing() throws Exception {
 
@@ -152,7 +150,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.1.4 (WSS1.0) SAML1.1 Sender Vouches with X.509 Certificates, Sign, Optional Encrypt
-     */
     @org.junit.Test
     public void testAsymmetricSigned() throws Exception {
 
@@ -178,7 +175,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.1.5 (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt
-     */
     @org.junit.Test
     public void testAsymmetricInitiator() throws Exception {
 
@@ -205,7 +201,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.2.1 (WSS1.1) SAML 2.0 Bearer
-     */
     @org.junit.Test
     public void testAsymmetricSaml2Bearer() throws Exception {
 
@@ -231,7 +226,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.2.2 (WSS1.1) SAML2.0 Sender Vouches over SSL
-     */
     @org.junit.Test
     public void testTLSSenderVouchesSaml2() throws Exception {
 
@@ -257,7 +251,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.2.3 (WSS1.1) SAML2.0 HoK over SSL
-     */
     @org.junit.Test
     public void testTLSHOKSignedEndorsingSaml2() throws Exception {
 
@@ -283,7 +276,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.2.4 (WSS1.1) SAML1.1/2.0 Sender Vouches with X.509 Certificate, Sign, Encrypt
-     */
     @org.junit.Test
     public void testSymmetricSV() throws Exception {
 
@@ -309,7 +301,6 @@ public class SamlTokenTest extends Abstr
     
     /**
      * 2.3.2.5 (WSS1.1) SAML1.1/2.0 Holder of Key, Sign, Encrypt
-     */
     @org.junit.Test
     public void testSymmetricIssuedToken() throws Exception {
 
@@ -333,6 +324,7 @@ public class SamlTokenTest extends Abstr
         ((java.io.Closeable)samlPort).close();
         bus.shutdown(true);
     }
+    */
     
     private static void updateSTSPort(BindingProvider p, String port) {
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);

Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java Wed Mar 20 12:33:23 2013
@@ -314,4 +314,43 @@ public class BindingPropertiesTest exten
         bus.shutdown(true);
     }
     
+    // TODO
+    @org.junit.Test
+    @org.junit.Ignore
+    public void testTokenProtection() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = BindingPropertiesTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = BindingPropertiesTest.class.getResource("DoubleItBindings.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+       
+        // Successful invocation
+        QName portQName = new QName(NAMESPACE, "DoubleItTokenProtectionPort");
+        DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        port.doubleIt(25);
+        
+        // This should fail, as the property is not enabled
+        portQName = new QName(NAMESPACE, "DoubleItTokenProtectionPort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on not protecting the token");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // String error = "Layout does not match the requirements";
+            // assertTrue(ex.getMessage().contains(error));
+            System.out.println("EX: " + ex.getMessage());
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
 }

Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl Wed Mar 20 12:33:23 2013
@@ -110,6 +110,12 @@
         <wsdl:port name="DoubleItTimestampLastPort2" binding="tns:DoubleItStandardBinding">
             <soap:address location="http://localhost:9010/DoubleItTimestampLast2" />
         </wsdl:port>
+        <wsdl:port name="DoubleItTokenProtectionPort" binding="tns:DoubleItStandardBinding">
+            <soap:address location="http://localhost:9010/DoubleItTokenProtection" />
+        </wsdl:port>
+        <wsdl:port name="DoubleItTokenProtectionPort2" binding="tns:DoubleItStandardBinding">
+            <soap:address location="http://localhost:9010/DoubleItTokenProtection2" />
+        </wsdl:port>
     </wsdl:service>
     
     <wsp:Policy wsu:Id="SignBodyChildPolicy">

Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml Wed Mar 20 12:33:23 2013
@@ -347,5 +347,49 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    
+    <jaxws:client
+        name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort"
+        createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice" />
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.encryption.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="bob" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+            <entry key="ws-security.signature.username" value="alice" />
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" />
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
+    <jaxws:client
+        name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort2"
+        createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice" />
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.encryption.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="bob" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+            <entry key="ws-security.signature.username" value="alice" />
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/clean-policy.xml" />
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
 	
 </beans>

Added: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml?rev=1458789&view=auto
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml (added)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml Wed Mar 20 12:33:23 2013
@@ -0,0 +1,45 @@
+<wsp:Policy wsu:Id="EncryptSignaturePolicy"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10 />
+                                        <sp:RequireIssuerSerialReference />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:ProtectTokens />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
\ No newline at end of file

Modified: cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml?rev=1458789&r1=1458788&r2=1458789&view=diff
==============================================================================
--- cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml (original)
+++ cxf/branches/wss4j2.0-port/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml Wed Mar 20 12:33:23 2013
@@ -366,5 +366,52 @@
 
     </jaxws:endpoint>
     
+    <jaxws:endpoint id="TokenProtectionEndpoint"
+        address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection"
+        serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort"
+        xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+        wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" />
+            </p:policies>
+        </jaxws:features>
+
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint id="TokenProtectionEndpoint2"
+        address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection2"
+        serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort2"
+        xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+        wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/protect-tokens-policy.xml" />
+            </p:policies>
+        </jaxws:features>
+
+    </jaxws:endpoint>
+    
+    
     
 </beans>