cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1484426 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/ systests/ws-security/src/test/resources/org/apache/cxf/systest/...
Date Mon, 20 May 2013 10:59:30 GMT
Author: coheigea
Date: Mon May 20 10:59:30 2013
New Revision: 1484426

URL: http://svn.apache.org/r1484426
Log:
[CXF-5025] - Support WS-SecurityPolicy "Strict" Layout validation

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
Mon May 20 10:59:30 2013
@@ -147,36 +147,6 @@ public abstract class AbstractBindingPol
     }
     
     /**
-     * Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties
-     */
-    protected boolean validateLayout(
-        boolean laxTimestampFirst,
-        boolean laxTimestampLast,
-        List<WSSecurityEngineResult> results
-    ) {
-        if (laxTimestampFirst) {
-            if (results.isEmpty()) {
-                return false;
-            }
-            Integer firstAction = (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION);
-            if (firstAction.intValue() != WSConstants.TS) {
-                return false;
-            }
-        } else if (laxTimestampLast) {
-            if (results.isEmpty()) {
-                return false;
-            }
-            Integer lastAction = 
-                (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION);
-            if (lastAction.intValue() != WSConstants.TS) {
-                return false;
-            }
-        }
-        return true;
-        
-    }
-    
-    /**
      * Check various properties set in the policy of the binding
      */
     protected boolean checkProperties(
@@ -204,9 +174,8 @@ public abstract class AbstractBindingPol
         
         // Check the Layout
         Layout layout = binding.getLayout();
-        boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
-        boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
-        if (!validateLayout(timestampFirst, timestampLast, results)) {
+        LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
+        if (!layoutValidator.validatePolicy(layout)) {
             String error = "Layout does not match the requirements";
             notAssertPolicy(aim, layout, error);
             ai.setNotAsserted(error);

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java?rev=1484426&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
Mon May 20 10:59:30 2013
@@ -0,0 +1,230 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.Layout;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.PKIPathSecurity;
+import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a Layout policy.
+ */
+public class LayoutPolicyValidator {
+    
+    private List<WSSecurityEngineResult> results;
+    private List<WSSecurityEngineResult> signedResults;
+
+    public LayoutPolicyValidator(
+        List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults
+    ) {
+        this.results = results;
+        this.signedResults = signedResults;
+    }
+    
+    public boolean validatePolicy(Layout layout) {
+        boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
+        boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
+        boolean strict = layout.getValue() == SPConstants.Layout.Strict;
+        
+        if (timestampFirst) {
+            if (results.isEmpty()) {
+                return false;
+            }
+            Integer firstAction = (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION);
+            if (firstAction.intValue() != WSConstants.TS) {
+                return false;
+            }
+        } else if (timestampLast) {
+            if (results.isEmpty()) {
+                return false;
+            }
+            Integer lastAction = 
+                (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION);
+            if (lastAction.intValue() != WSConstants.TS) {
+                return false;
+            }
+        } else if (strict && (!validateStrictSignaturePlacement() 
+            || !validateStrictSignatureTokenPlacement()
+            || !checkSignatureIsSignedPlacement())) {
+            return false;
+        }
+        
+        return true;
+    }
+    
+    private boolean validateStrictSignaturePlacement() {
+        // Go through each Signature and check any security header token is before the Signature
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            List<WSDataRef> sl = 
+                CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            if (sl == null) {
+                continue;
+            }
+
+            for (WSDataRef r : sl) {
+                String xpath = r.getXpath();
+                if (xpath != null) {
+                    String[] nodes = StringUtils.split(xpath, "/");
+                    // envelope/Header/wsse:Security/header
+                    if (nodes.length == 5) {
+                        Element protectedElement = r.getProtectedElement();
+                        boolean tokenFound = false;
+                        // Results are stored in reverse order
+                        for (WSSecurityEngineResult result : results) {
+                            Element resultElement = 
+                                (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                            if (resultElement == protectedElement) {
+                                tokenFound = true;
+                            }
+                            if (tokenFound && result == signedResult) {
+                                return false;
+                            } else if (resultElement != null && result == signedResult)
{
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        return true;
+    }
+    
+    private boolean validateStrictSignatureTokenPlacement() {
+        // Go through each Signature and check that the Signing Token appears before the
Signature
+        for (int i = 0; i < results.size(); i++) {
+            WSSecurityEngineResult result = results.get(i);
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt == WSConstants.SIGN) {
+                int correspondingIndex = findCorrespondingTokenIndex(result);
+                if (correspondingIndex > 0 && correspondingIndex < i) {
+                    return false;
+                }
+            }
+        }
+        
+        return true;
+    }
+    
+    private boolean checkSignatureIsSignedPlacement() {
+        for (int i = 0; i < signedResults.size(); i++) {
+            WSSecurityEngineResult signedResult = signedResults.get(i);
+            List<WSDataRef> sl =
+                CastUtils.cast((List<?>)signedResult.get(
+                    WSSecurityEngineResult.TAG_DATA_REF_URIS
+                ));
+            if (sl != null && sl.size() >= 1) {
+                for (WSDataRef dataRef : sl) {
+                    QName signedQName = dataRef.getName();
+                    if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
+                        Element protectedElement = dataRef.getProtectedElement();
+                        boolean endorsingSigFound = false;
+                        // Results are stored in reverse order
+                        for (WSSecurityEngineResult result : signedResults) {
+                            if (result == signedResult) {
+                                endorsingSigFound = true;
+                            }
+                            Element resultElement = 
+                                (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                            if (resultElement == protectedElement) {
+                                if (endorsingSigFound) {
+                                    break;
+                                } else {
+                                    return false;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return true;
+    }
+    
+    /**
+     * Find the index of the token corresponding to either the X509Certificate or PublicKey
used 
+     * to sign the "signatureResult" argument.
+     */
+    private int findCorrespondingTokenIndex(
+        WSSecurityEngineResult signatureResult
+    ) {
+        // See what was used to sign this result
+        X509Certificate cert = 
+            (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+        PublicKey publicKey = 
+            (PublicKey)signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+        
+        for (int i = 0; i < results.size(); i++) {
+            WSSecurityEngineResult token = results.get(i);
+            Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt == WSConstants.SIGN) {
+                continue;
+            }
+            
+            BinarySecurity binarySecurity = 
+                (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+            PublicKey foundPublicKey = 
+                (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+            if (binarySecurity instanceof X509Security
+                || binarySecurity instanceof PKIPathSecurity) {
+                X509Certificate foundCert = 
+                    (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                if (foundCert.equals(cert)) {
+                    return i;
+                }
+            } else if (actInt.intValue() == WSConstants.ST_SIGNED
+                || actInt.intValue() == WSConstants.ST_UNSIGNED) {
+                AssertionWrapper assertionWrapper = 
+                    (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
+                if (samlKeyInfo != null) {
+                    X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
+                    PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
+                    if ((cert != null && subjectCerts != null 
+                        && cert.equals(subjectCerts[0]))
+                        || (subjectPublicKey != null && subjectPublicKey.equals(publicKey)))
{
+                        return i;
+                    }
+                }
+            } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
+                return i;
+            } 
+        }
+        return -1;
+    }
+}

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
Mon May 20 10:59:30 2013
@@ -30,7 +30,6 @@ import org.apache.cxf.security.transport
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.cxf.ws.security.policy.model.Layout;
 import org.apache.cxf.ws.security.policy.model.TransportBinding;
 import org.apache.ws.security.WSSecurityEngineResult;
@@ -87,9 +86,8 @@ public class TransportBindingPolicyValid
             
             // Check the Layout
             Layout layout = binding.getLayout();
-            boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
-            boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
-            if (!validateLayout(timestampFirst, timestampLast, results)) {
+            LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
+            if (!layoutValidator.validatePolicy(layout)) {
                 String error = "Layout does not match the requirements";
                 notAssertPolicy(aim, layout, error);
                 ai.setNotAsserted(error);

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
Mon May 20 10:59:30 2013
@@ -314,6 +314,42 @@ public class BindingPropertiesTest exten
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testStrict() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = BindingPropertiesTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = BindingPropertiesTest.class.getResource("DoubleItBindings.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+       
+        // Successful invocation
+        QName portQName = new QName(NAMESPACE, "DoubleItStrictPort");
+        DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        port.doubleIt(25);
+        
+        // This should fail, as the client is sending the timestamp last
+        portQName = new QName(NAMESPACE, "DoubleItStrictPort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on sending the timestamp last");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "Layout does not match the requirements";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
     // TODO
     @org.junit.Test
     @org.junit.Ignore

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
Mon May 20 10:59:30 2013
@@ -122,6 +122,12 @@
         <wsdl:port name="DoubleItSignatureConfirmationPort2" binding="tns:DoubleItStandardBinding">
             <soap:address location="http://localhost:9010/DoubleItSignatureConfirmation2"
/>
         </wsdl:port>
+        <wsdl:port name="DoubleItStrictPort" binding="tns:DoubleItStandardBinding">
+            <soap:address location="http://localhost:9010/DoubleItStrict" />
+        </wsdl:port>
+        <wsdl:port name="DoubleItStrictPort2" binding="tns:DoubleItStandardBinding">
+            <soap:address location="http://localhost:9010/DoubleItStrict2" />
+        </wsdl:port>
     </wsdl:service>
     
     <wsp:Policy wsu:Id="SignBodyChildPolicy">

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
Mon May 20 10:59:30 2013
@@ -349,6 +349,50 @@
     </jaxws:client>
     
     <jaxws:client
+        name="{http://www.example.org/contract/DoubleIt}DoubleItStrictPort"
+        createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice" />
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.encryption.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="bob" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+            <entry key="ws-security.signature.username" value="alice" />
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml"
/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
+    <jaxws:client
+        name="{http://www.example.org/contract/DoubleIt}DoubleItStrictPort2"
+        createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice" />
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.encryption.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="bob" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+            <entry key="ws-security.signature.username" value="alice" />
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/ts-last-policy.xml"
/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    
+    <jaxws:client
         name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort"
         createdFromAPI="true">
         <jaxws:properties>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml?rev=1484426&r1=1484425&r2=1484426&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
Mon May 20 10:59:30 2013
@@ -366,6 +366,52 @@
 
     </jaxws:endpoint>
     
+    <jaxws:endpoint id="StrictEndpoint"
+        address="http://localhost:${testutil.ports.Server}/DoubleItStrict"
+        serviceName="s:DoubleItService" endpointName="s:DoubleItStrictPort"
+        xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+        wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml"
/>
+            </p:policies>
+        </jaxws:features>
+
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint id="StrictEndpoint2"
+        address="http://localhost:${testutil.ports.Server}/DoubleItStrict2"
+        serviceName="s:DoubleItService" endpointName="s:DoubleItStrictPort2"
+        xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+        wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler"
+                value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+            <entry key="ws-security.signature.properties"
+                value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+            <entry key="ws-security.encryption.username" value="useReqSigCert" />
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" 
+                    URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml"
/>
+            </p:policies>
+        </jaxws:features>
+
+    </jaxws:endpoint>
+    
     <jaxws:endpoint id="TokenProtectionEndpoint"
         address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection"
         serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort"

Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml?rev=1484426&view=auto
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
(added)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
Mon May 20 10:59:30 2013
@@ -0,0 +1,45 @@
+<wsp:Policy wsu:Id="CleanPolicy"
+        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+        xmlns:wsp="http://www.w3.org/ns/ws-policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10 />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token
+                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10 />
+                                        <sp:RequireIssuerSerialReference />
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Strict />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
\ No newline at end of file



Mime
View raw message