cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1487503 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/ services/s...
Date Wed, 29 May 2013 14:39:15 GMT
Author: coheigea
Date: Wed May 29 14:39:15 2013
New Revision: 1487503

URL: http://svn.apache.org/r1487503
Log:
Added support for streaming derived keys, EncryptBeforeSigning + EncryptSignature policies + tests

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
    cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
    cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java Wed May 29 14:39:15 2013
@@ -174,11 +174,21 @@ public class WSS4JStaxInInterceptor exte
             WSS4JUtils.getReplayCache(
                 msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
             );
-        if (nonceCache != null) {
-            if (securityProperties != null) {
-                securityProperties.setNonceReplayCache(nonceCache);
+        if (nonceCache == null) {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_NONCE_CACHE, "false");
+                config.remove(ConfigurationConstants.NONCE_CACHE_INSTANCE);
             } else {
+                securityProperties.setEnableNonceReplayCache(false);
+                securityProperties.setNonceReplayCache(null);
+            }
+        } else {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_NONCE_CACHE, "true");
                 config.put(ConfigurationConstants.NONCE_CACHE_INSTANCE, nonceCache);
+            } else {
+                securityProperties.setEnableNonceReplayCache(true);
+                securityProperties.setNonceReplayCache(nonceCache);
             }
         }
         
@@ -186,11 +196,21 @@ public class WSS4JStaxInInterceptor exte
             WSS4JUtils.getReplayCache(
                 msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
             );
-        if (timestampCache != null) {
-            if (securityProperties != null) {
-                securityProperties.setTimestampReplayCache(timestampCache);
+        if (timestampCache == null) {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_TIMESTAMP_CACHE, "false");
+                config.remove(ConfigurationConstants.TIMESTAMP_CACHE_INSTANCE);
             } else {
+                securityProperties.setEnableTimestampReplayCache(false);
+                securityProperties.setTimestampReplayCache(null);
+            }
+        } else {
+            if (config != null) {
+                config.put(ConfigurationConstants.ENABLE_TIMESTAMP_CACHE, "true");
                 config.put(ConfigurationConstants.TIMESTAMP_CACHE_INSTANCE, timestampCache);
+            } else {
+                securityProperties.setEnableTimestampReplayCache(true);
+                securityProperties.setTimestampReplayCache(timestampCache);
             }
         }
         

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Wed May 29 14:39:15 2013
@@ -499,7 +499,7 @@ public abstract class AbstractStaxBindin
     protected Map<AbstractToken, SecurePart> handleSupportingTokens(
         Collection<Assertion> tokens, 
         boolean endorse
-    ) throws WSSecurityException {
+    ) throws Exception {
         Map<AbstractToken, SecurePart> ret = new HashMap<AbstractToken, SecurePart>();
         if (tokens != null) {
             for (Assertion pa : tokens) {
@@ -514,7 +514,7 @@ public abstract class AbstractStaxBindin
     protected Map<AbstractToken, SecurePart> handleSupportingTokens(
         SupportingTokens suppTokens,
         boolean endorse
-    ) throws WSSecurityException {
+    ) throws Exception {
         return handleSupportingTokens(suppTokens, endorse, new HashMap<AbstractToken, SecurePart>());
     }
                                                             
@@ -522,7 +522,7 @@ public abstract class AbstractStaxBindin
         SupportingTokens suppTokens, 
         boolean endorse,
         Map<AbstractToken, SecurePart> ret
-    ) throws WSSecurityException {
+    ) throws Exception {
         if (suppTokens == null) {
             return ret;
         }
@@ -622,21 +622,9 @@ public abstract class AbstractStaxBindin
 
     protected void handleUsernameTokenSupportingToken(
          UsernameToken token, boolean endorse, boolean encryptedToken, Map<AbstractToken, SecurePart> ret
-    ) throws WSSecurityException {
+    ) throws Exception {
         if (endorse) {
-            /* TODO
-            WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
-            if (utBuilder != null) {
-                utBuilder.prepare(saaj.getSOAPPart());
-                addSupportingElement(utBuilder.getUsernameTokenElement());
-                ret.put(token, utBuilder);
-                if (encryptedToken) {
-                    WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
-                    part.setElement(utBuilder.getUsernameTokenElement());
-                    encryptedTokensList.add(part);
-                }
-            }
-            */
+            throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
         } else {
             SecurePart securePart = addUsernameToken(token);
             if (securePart != null) {
@@ -668,7 +656,7 @@ public abstract class AbstractStaxBindin
         return null;
     } 
     
-    protected void addSupportingTokens() throws WSSecurityException {
+    protected void addSupportingTokens() throws Exception {
         
         Collection<Assertion> sgndSuppTokens = 
             findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java Wed May 29 14:39:15 2013
@@ -38,6 +38,7 @@ import org.apache.wss4j.common.ext.WSSec
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -69,7 +70,7 @@ public class StaxAsymmetricBindingHandle
         
         if (abinding.getProtectionOrder() 
             == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
-            // doEncryptBeforeSign();
+            doEncryptBeforeSign();
         } else {
             doSignBeforeEncrypt();
         }
@@ -138,20 +139,14 @@ public class StaxAsymmetricBindingHandle
             }
             
             List<SecurePart> enc = getEncryptedParts();
-            /*
+            
             //Check for signature protection
             if (abinding.isEncryptSignature()) {
-                if (mainSigId != null) {
-                    WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
-                    sigPart.setElement(bottomUpElement);
-                    enc.add(sigPart);
-                }
-                if (sigConfList != null && !sigConfList.isEmpty()) {
-                    enc.addAll(sigConfList);
-                }
-                policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+                SecurePart part = 
+                    new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
+                enc.add(part);
             }
-            */
+            
             //Do encryption
             AbstractTokenWrapper encToken;
             if (isRequestor()) {
@@ -174,98 +169,98 @@ public class StaxAsymmetricBindingHandle
             throw new Fault(e);
         }
     }
-/*
+
     private void doEncryptBeforeSign() {
-        AbstractTokenWrapper wrapper;
-        AbstractToken encryptionToken = null;
-        if (isRequestor()) {
-            wrapper = abinding.getRecipientEncryptionToken();
-            if (wrapper == null) {
-                wrapper = abinding.getRecipientToken();
-            }            
-        } else {
-            wrapper = abinding.getInitiatorEncryptionToken();
-            if (wrapper == null) {
-                wrapper = abinding.getInitiatorToken();
-            }
-        }
-        encryptionToken = wrapper.getToken();
-        
-        AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
-        if (initiatorWrapper == null) {
-            initiatorWrapper = abinding.getInitiatorToken();
-        }
-        boolean attached = false;
-        if (initiatorWrapper != null) {
-            AbstractToken initiatorToken = initiatorWrapper.getToken();
-            if (initiatorToken instanceof IssuedToken) {
-                SecurityToken secToken = getSecurityToken();
-                if (secToken == null) {
-                    policyNotAsserted(initiatorToken, "Security token is not found or expired");
-                    return;
-                } else {
-                    policyAsserted(initiatorToken);
-                    
-                    if (includeToken(initiatorToken.getIncludeTokenType())) {
-                        Element el = secToken.getToken();
-                        this.addEncryptedKeyElement(cloneElement(el));
-                        attached = true;
-                    } 
+        try {
+            AbstractTokenWrapper wrapper;
+            AbstractToken encryptionToken = null;
+            if (isRequestor()) {
+                wrapper = abinding.getRecipientEncryptionToken();
+                if (wrapper == null) {
+                    wrapper = abinding.getRecipientToken();
+                }            
+            } else {
+                wrapper = abinding.getInitiatorEncryptionToken();
+                if (wrapper == null) {
+                    wrapper = abinding.getInitiatorToken();
                 }
-            } else if (initiatorToken instanceof SamlToken) {
-                try {
-                    SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
-                    if (assertionWrapper != null) {
+            }
+            encryptionToken = wrapper.getToken();
+            
+            AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
+            if (initiatorWrapper == null) {
+                initiatorWrapper = abinding.getInitiatorToken();
+            }
+            
+            boolean attached = false;
+            /*
+            if (initiatorWrapper != null) {
+                AbstractToken initiatorToken = initiatorWrapper.getToken();
+                if (initiatorToken instanceof IssuedToken) {
+                    SecurityToken secToken = getSecurityToken();
+                    if (secToken == null) {
+                        policyNotAsserted(initiatorToken, "Security token is not found or expired");
+                        return;
+                    } else {
+                        policyAsserted(initiatorToken);
+                        
                         if (includeToken(initiatorToken.getIncludeTokenType())) {
-                            addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
-                            storeAssertionAsSecurityToken(assertionWrapper);
+                            Element el = secToken.getToken();
+                            this.addEncryptedKeyElement(cloneElement(el));
+                            attached = true;
+                        } 
+                    }
+                } else if (initiatorToken instanceof SamlToken) {
+                    try {
+                        SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
+                        if (assertionWrapper != null) {
+                            if (includeToken(initiatorToken.getIncludeTokenType())) {
+                                addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
+                                storeAssertionAsSecurityToken(assertionWrapper);
+                            }
+                            policyAsserted(initiatorToken);
                         }
-                        policyAsserted(initiatorToken);
+                    } catch (Exception e) {
+                        String reason = e.getMessage();
+                        LOG.log(Level.FINE, "Encrypt before sign failed due to : " + reason);
+                        throw new Fault(e);
                     }
-                } catch (Exception e) {
-                    String reason = e.getMessage();
-                    LOG.log(Level.FINE, "Encrypt before sign failed due to : " + reason);
-                    throw new Fault(e);
                 }
             }
-        }
-        
-        List<WSEncryptionPart> encrParts = null;
-        List<WSEncryptionPart> sigParts = null;
-        try {
-            encrParts = getEncryptedParts();
-            //Signed parts are determined before encryption because encrypted signed  headers
-            //will not be included otherwise
-            sigParts = getSignedParts();
-        } catch (SOAPException ex) {
-            throw new Fault(ex);
-        }
-        
-        //if (encryptionToken == null && encrParts.size() > 0) {
-            //REVISIT - no token to encrypt with  
-        //}
-        
-        if (encryptionToken != null && encrParts.size() > 0) {
-            WSSecBase encrBase = doEncryption(wrapper, encrParts, true);
-            handleEncryptedSignedHeaders(encrParts, sigParts);
-            
-            if (timestampEl != null) {
-                WSEncryptionPart timestampPart = 
-                    convertToEncryptionPart(timestampEl.getElement());
-                sigParts.add(timestampPart);
-            }
+            */
             
-            if (isRequestor()) {
-                try {
-                    addSupportingTokens(sigParts);
-                } catch (WSSecurityException ex) {
-                    policyNotAsserted(encryptionToken, ex);
-                }
-            } else {
-                addSignatureConfirmation(sigParts);
+            List<SecurePart> encrParts = null;
+            List<SecurePart> sigParts = null;
+            try {
+                encrParts = getEncryptedParts();
+                //Signed parts are determined before encryption because encrypted signed headers
+                //will not be included otherwise
+                sigParts = getSignedParts();
+            } catch (SOAPException ex) {
+                throw new Fault(ex);
             }
             
-            try {
+            if (encryptionToken != null && encrParts.size() > 0) {
+                //Check for signature protection
+                if (abinding.isEncryptSignature()) {
+                    SecurePart part = 
+                        new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
+                    encrParts.add(part);
+                }
+                
+                doEncryption(wrapper, encrParts, true);
+                if (timestampAdded) {
+                    SecurePart part = 
+                        new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
+                    sigParts.add(part);
+                }
+                
+                if (isRequestor()) {
+                    addSupportingTokens();
+                } else {
+                    addSignatureConfirmation(sigParts);
+                }
+                
                 if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) {
                     doSignature(initiatorWrapper, sigParts, attached);
                 } else if (!isRequestor()) {
@@ -277,68 +272,18 @@ public class StaxAsymmetricBindingHandle
                         doSignature(recipientSignatureToken, sigParts, attached);
                     }
                 }
-            } catch (WSSecurityException ex) {
-                throw new Fault(ex);
-            } catch (SOAPException ex) {
-                throw new Fault(ex);
-            }
-
-            if (isRequestor()) {
-                doEndorse();
+    
+                //if (isRequestor()) {
+                //    doEndorse();
+                //}
             }
-            
-            checkForSignatureProtection(encryptionToken, encrBase);
+        } catch (Exception e) {
+            String reason = e.getMessage();
+            LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + reason);
+            throw new Fault(e);
         }
     }
-    
-    private void checkForSignatureProtection(AbstractToken encryptionToken, WSSecBase encrBase) {
-        // Check for signature protection
-        if (abinding.isEncryptSignature()) {
-            policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
-            List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
 
-            // Now encrypt the signature using the above token
-            if (mainSigId != null) {
-                WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
-                sigPart.setElement(bottomUpElement);
-                secondEncrParts.add(sigPart);
-            }
-            
-            if (sigConfList != null && !sigConfList.isEmpty()) {
-                secondEncrParts.addAll(sigConfList);
-            }
-            
-            if (isRequestor()) {
-                secondEncrParts.addAll(encryptedTokensList);
-            }
-
-            if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys && !secondEncrParts.isEmpty()
-                && encrBase instanceof WSSecDKEncrypt) {
-                try {
-                    Element secondRefList 
-                        = ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
-                    ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList, secHeader);
-
-                } catch (WSSecurityException ex) {
-                    throw new Fault(ex);
-                }
-            } else if (!secondEncrParts.isEmpty() && encrBase instanceof WSSecEncrypt) {
-                try {
-                    // Encrypt, get hold of the ref list and add it
-                    Element secondRefList = saaj.getSOAPPart()
-                        .createElementNS(WSConstants.ENC_NS,
-                                         WSConstants.ENC_PREFIX + ":ReferenceList");
-                    this.insertBeforeBottomUp(secondRefList);
-                    ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
-                    
-                } catch (WSSecurityException ex) {
-                    throw new Fault(ex);
-                }
-            }
-        }        
-    }
-    */
-    
     private void doEncryption(AbstractTokenWrapper recToken,
                                     List<SecurePart> encrParts,
                                     boolean externalRef) throws SOAPException {
@@ -349,13 +294,16 @@ public class StaxAsymmetricBindingHandle
             
             // Action
             Map<String, Object> config = getProperties();
+            String actionToPerform = ConfigurationConstants.ENCRYPT;
+            if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                actionToPerform = ConfigurationConstants.ENCRYPT_DERIVED;
+            }
+            
             if (config.containsKey(ConfigurationConstants.ACTION)) {
                 String action = (String)config.get(ConfigurationConstants.ACTION);
-                config.put(ConfigurationConstants.ACTION, 
-                           action + " " + ConfigurationConstants.ENCRYPT);
+                config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
             } else {
-                config.put(ConfigurationConstants.ACTION, 
-                           ConfigurationConstants.ENCRYPT);
+                config.put(ConfigurationConstants.ACTION, actionToPerform);
             }
             
             String parts = "";
@@ -375,34 +323,7 @@ public class StaxAsymmetricBindingHandle
             }
             
             config.put(ConfigurationConstants.ENCRYPTION_PARTS, parts);
-            
-            /*
-            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-                try {
-                    WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
-                    
-                    if (encrKey == null) {
-                        setupEncryptedKey(recToken, encrToken);
-                    }
-                    
-                    dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
-                    dkEncr.setParts(encrParts);
-                    dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
-                            + WSConstants.ENC_KEY_VALUE_TYPE);
-                    AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
-                    dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
-                    dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
-                    dkEncr.prepare(saaj.getSOAPPart());
-                    
-                    addDerivedKeyElement(dkEncr.getdktElement());
-                    Element refList = dkEncr.encryptForExternalRef(null, encrParts);
-                    insertBeforeBottomUp(refList);
-                    return dkEncr;
-                } catch (Exception e) {
-                    policyNotAsserted(recToken, e);
-                }
-            } else {
-             */
+    
             config.put(ConfigurationConstants.ENC_KEY_ID, 
                        getKeyIdentifierType(recToken, encrToken));
 
@@ -423,13 +344,16 @@ public class StaxAsymmetricBindingHandle
         
         // Action
         Map<String, Object> config = getProperties();
+        String actionToPerform = ConfigurationConstants.SIGNATURE;
+        if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+            actionToPerform = ConfigurationConstants.SIGNATURE_DERIVED;
+        }
+        
         if (config.containsKey(ConfigurationConstants.ACTION)) {
             String action = (String)config.get(ConfigurationConstants.ACTION);
-            config.put(ConfigurationConstants.ACTION, 
-                       action + " " + ConfigurationConstants.SIGNATURE);
+            config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
         } else {
-            config.put(ConfigurationConstants.ACTION, 
-                       ConfigurationConstants.SIGNATURE);
+            config.put(ConfigurationConstants.ACTION, actionToPerform);
         }
         
         String parts = "";
@@ -457,62 +381,10 @@ public class StaxAsymmetricBindingHandle
         
         configureSignature(wrapper, sigToken, false);
         
-        /*
         if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            // Set up the encrypted key to use
-            setupEncryptedKey(wrapper, sigToken);
-            
-            WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
-            dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
-
-            // Set the algo info
-            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite()
-                    .getSymmetricSignature());
-            AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
-            dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
-            dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
-                    + WSConstants.ENC_KEY_VALUE_TYPE);
-            
-            try {
-                dkSign.prepare(saaj.getSOAPPart(), secHeader);
-
-                if (abinding.isProtectTokens()) {
-                    policyAsserted(SPConstants.PROTECT_TOKENS);
-                    if (bstElement != null) {
-                        WSEncryptionPart bstPart = 
-                            new WSEncryptionPart(bstElement.getAttributeNS(WSConstants.WSU_NS, "Id"));
-                        bstPart.setElement(bstElement);
-                        sigParts.add(bstPart);
-                    } else {
-                        WSEncryptionPart ekPart = 
-                            new WSEncryptionPart(encrKey.getId());
-                        ekPart.setElement(encrKey.getEncryptedKeyElement());
-                        sigParts.add(ekPart);
-                    }
-                }
-
-                dkSign.setParts(sigParts);
-
-                List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
-
-                // Add elements to header
-                addDerivedKeyElement(dkSign.getdktElement());
-                
-                //Do signature
-                if (bottomUpElement == null) {
-                    dkSign.computeSignature(referenceList, false, null);
-                } else {
-                    dkSign.computeSignature(referenceList, true, bottomUpElement);
-                }
-                bottomUpElement = dkSign.getSignatureElement();
-                signatures.add(dkSign.getSignatureValue());
-                
-                mainSigId = dkSign.getSignatureId();
-            } catch (Exception ex) {
-                throw new Fault(ex);
-            }
-        } else {
-        */
+            config.put(ConfigurationConstants.SIG_ALGO, 
+                   abinding.getAlgorithmSuite().getSymmetricSignature());
+        }
     }
 
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Wed May 29 14:39:15 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.Header;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -153,7 +154,7 @@ public class StaxTransportBindingHandler
             } else if (token instanceof SamlToken) {
                 addSamlToken((SamlToken)token, false, false);
             } else {
-                //REVISIT - not supported for signed.  Exception?
+                throw new Exception(token.getName() + " is not supported in the streaming code");
             }
         }
         
@@ -245,23 +246,9 @@ public class StaxTransportBindingHandler
                        tbinding.getAlgorithmSuite().getAsymmetricSignature());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             config.put(ConfigurationConstants.SIG_DIGEST_ALGO, algType.getDigest());
-        } /*TODO else if (token instanceof UsernameToken) {
-            // Create a UsernameToken object for derived keys and store the security token
-            WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true);
-            String id = usernameToken.getId();
-            byte[] secret = usernameToken.getDerivedKey();
-
-            Date created = new Date();
-            Date expires = new Date();
-            expires.setTime(created.getTime() + 300000);
-            SecurityToken tempTok = 
-                new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
-            tempTok.setSecret(secret);
-            getTokenStore().add(tempTok);
-            message.setContextualProperty(SecurityConstants.TOKEN_ID, tempTok.getId());
-            
-            addSig(doIssuedTokenSignature(token, wrapper));
-        }*/
+        } else if (token instanceof UsernameToken) {
+            throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
+        }
     }
     
     private void doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) 
@@ -271,46 +258,23 @@ public class StaxTransportBindingHandler
         
         // Action
         Map<String, Object> config = getProperties();
+        String actionToPerform = ConfigurationConstants.SIGNATURE;
+        if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+            actionToPerform = ConfigurationConstants.SIGNATURE_DERIVED;
+        }
+        
         if (config.containsKey(ConfigurationConstants.ACTION)) {
             String action = (String)config.get(ConfigurationConstants.ACTION);
-            config.put(ConfigurationConstants.ACTION, 
-                       action + " " + ConfigurationConstants.SIGNATURE);
+            config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
         } else {
-            config.put(ConfigurationConstants.ACTION, 
-                       ConfigurationConstants.SIGNATURE);
+            config.put(ConfigurationConstants.ACTION, actionToPerform);
         }
         
-        /*TODO if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
-            
-            Element bstElem = encrKey.getBinarySecurityTokenElement();
-            if (bstElem != null) {
-                addTopDownElement(bstElem);
-            }
-            encrKey.appendToHeader(secHeader);
-            
-            WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
-            
-            dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-            dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
-            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
-            dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
-            
-            dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
-            
-            dkSig.prepare(doc, secHeader);
-            
-            dkSig.setParts(sigParts);
-            List<Reference> referenceList = dkSig.addReferencesToSign(sigParts, secHeader);
-            
-            //Do signature
-            dkSig.appendDKElementToHeader(secHeader);
-            dkSig.computeSignature(referenceList, false, null);
-            
-            return dkSig.getSignatureValue();
-        } else {*/
         configureSignature(wrapper, token, false);
-        // }
+        if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+            config.put(ConfigurationConstants.SIG_ALGO, 
+                   tbinding.getAlgorithmSuite().getSymmetricSignature());
+        }
     }
     
     /**

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java Wed May 29 14:39:15 2013
@@ -124,7 +124,9 @@ public abstract class AbstractSecurityTe
             if (tmpFiles != null) {
                 for (File tmpFile : tmpFiles) {
                     if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
-                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+                            || tmpFile.getName().startsWith("wss4j-nonce-cache")
+                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance")
+                            || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
                         tmpFile.delete();
                     }
                 }

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
             File[] tmpFiles = new File(tmpDir).listFiles();
             if (tmpFiles != null) {
                 for (File tmpFile : tmpFiles) {
-                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
-                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+                        || tmpFile.getName().startsWith("wss4j-nonce-cache")
+                        || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+                        || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
                         tmpFile.delete();
                     }
                 }

Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java (original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
             File[] tmpFiles = new File(tmpDir).listFiles();
             if (tmpFiles != null) {
                 for (File tmpFile : tmpFiles) {
-                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
-                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+                        || tmpFile.getName().startsWith("wss4j-nonce-cache")
+                        || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+                        || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
                         tmpFile.delete();
                     }
                 }

Modified: cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java (original)
+++ cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
             File[] tmpFiles = new File(tmpDir).listFiles();
             if (tmpFiles != null) {
                 for (File tmpFile : tmpFiles) {
-                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
-                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+                        || tmpFile.getName().startsWith("wss4j-nonce-cache")
+                        || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+                        || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
                         tmpFile.delete();
                     }
                 }

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -43,8 +43,10 @@ public final class SecurityTestUtil {
             File[] tmpFiles = new File(tmpDir).listFiles();
             if (tmpFiles != null) {
                 for (File tmpFile : tmpFiles) {
-                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
-                            || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+                    if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+                            || tmpFile.getName().startsWith("wss4j-nonce-cache")
+                            || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+                            || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
                         tmpFile.delete();
                     }
                 }

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java Wed May 29 14:39:15 2013
@@ -247,7 +247,6 @@ public class StaxX509TokenTest extends A
         bus.shutdown(true);
     }
     
-    
     // TODO See WSS-449
     @org.junit.Test
     @org.junit.Ignore
@@ -278,6 +277,63 @@ public class StaxX509TokenTest extends A
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testAsymmetricEncryptBeforeSigning() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = StaxX509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = StaxX509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptBeforeSigningPort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT);
+        
+        // DOM
+        x509Port.doubleIt(25);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(x509Port);
+        x509Port.doubleIt(25);
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testAsymmetricEncryptSignature() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = StaxX509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = StaxX509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptSignaturePort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT);
+        
+        // DOM
+        x509Port.doubleIt(25);
+        
+        // Streaming
+        // TODO See WSS-450
+        // SecurityTestUtil.enableStreaming(x509Port);
+        // x509Port.doubleIt(25);
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+    
     // TODO - See WSS-442
     @org.junit.Test
     @org.junit.Ignore
@@ -330,7 +386,6 @@ public class StaxX509TokenTest extends A
         bus.shutdown(true);
     }
     */
-    
     @org.junit.Test
     public void testTransportEndorsing() throws Exception {
 

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Wed May 29 14:39:15 2013
@@ -274,6 +274,62 @@ public class X509TokenTest extends Abstr
     }
     
     @org.junit.Test
+    public void testAsymmetricEncryptBeforeSigning() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptBeforeSigningPort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT);
+        
+        // DOM
+        x509Port.doubleIt(25);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(x509Port);
+        x509Port.doubleIt(25);
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testAsymmetricEncryptSignature() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptSignaturePort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, PORT);
+        
+        // DOM
+        x509Port.doubleIt(25);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(x509Port);
+        x509Port.doubleIt(25);
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testAsymmetricProtectTokens() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
@@ -464,9 +520,7 @@ public class X509TokenTest extends Abstr
         bus.shutdown(true);
     }
     
-    // TODO Failing due to a caching issue
     @org.junit.Test
-    @org.junit.Ignore
     public void testAsymmetricSignature() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
@@ -494,9 +548,7 @@ public class X509TokenTest extends Abstr
         bus.shutdown(true);
     }
     
-    // TODO Failing due to a caching issue
     @org.junit.Test
-    @org.junit.Ignore
     public void testAsymmetricSignatureSP11() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Wed May 29 14:39:15 2013
@@ -144,6 +144,44 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItAsymmetricEncryptBeforeSigningBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricEncryptBeforeSigningPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+    <wsdl:binding name="DoubleItAsymmetricEncryptSignatureBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricEncryptSignaturePolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItAsymmetricProtectTokensBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItAsymmetricProtectTokensPolicy" />
         <soap:binding style="document"
@@ -350,6 +388,14 @@
                    binding="tns:DoubleItAsymmetricThumbprintBinding">
             <soap:address location="http://localhost:9001/DoubleItX509AsymmetricThumbprint" />
         </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricEncryptBeforeSigningPort" 
+                   binding="tns:DoubleItAsymmetricEncryptBeforeSigningBinding">
+            <soap:address location="http://localhost:9001/DoubleItX509AsymmetricEncryptBeforeSigning" />
+        </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricEncryptSignaturePort" 
+                   binding="tns:DoubleItAsymmetricEncryptSignatureBinding">
+            <soap:address location="http://localhost:9001/DoubleItX509AsymmetricEncryptSignature" />
+        </wsdl:port>
         <wsdl:port name="DoubleItAsymmetricProtectTokensPort" 
                    binding="tns:DoubleItAsymmetricProtectTokensBinding">
             <soap:address location="http://localhost:9001/DoubleItX509AsymmetricProtect" />
@@ -606,6 +652,94 @@
       </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItAsymmetricEncryptBeforeSigningPolicy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:EncryptBeforeSigning/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic128/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    <wsp:Policy wsu:Id="DoubleItAsymmetricEncryptSignaturePolicy">
+      <wsp:ExactlyOne>
+         <wsp:All>
+            <sp:AsymmetricBinding>
+               <wsp:Policy>
+                  <sp:InitiatorToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:InitiatorToken>
+                  <sp:RecipientToken>
+                     <wsp:Policy>
+                        <sp:X509Token
+                           sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
+                           <wsp:Policy>
+                              <sp:WssX509V3Token10 />
+                           </wsp:Policy>
+                        </sp:X509Token>
+                     </wsp:Policy>
+                  </sp:RecipientToken>
+                  <sp:Layout>
+                     <wsp:Policy>
+                        <sp:Lax/>
+                     </wsp:Policy>
+                  </sp:Layout>
+                  <sp:IncludeTimestamp/>
+                  <sp:OnlySignEntireHeadersAndBody/>
+                  <sp:EncryptSignature/>
+                  <sp:AlgorithmSuite>
+                     <wsp:Policy>
+                        <sp:Basic128/>
+                     </wsp:Policy>
+                  </sp:AlgorithmSuite>
+               </wsp:Policy>
+            </sp:AsymmetricBinding>
+         </wsp:All>
+      </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     <wsp:Policy wsu:Id="DoubleItAsymmetricProtectTokensPolicy">
       <wsp:ExactlyOne>
          <wsp:All>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Wed May 29 14:39:15 2013
@@ -112,6 +112,34 @@
        </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricEncryptBeforeSigningPort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricEncryptSignaturePort" 
+                  createdFromAPI="true">
+       <jaxws:properties>
+           <entry key="ws-security.encryption.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.encryption.username" value="bob"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/> 
+           <entry key="ws-security.signature.username" value="alice"/>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+       </jaxws:properties>
+    </jaxws:client>
+    
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSignaturePort" 
                   createdFromAPI="true">
        <jaxws:properties>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Wed May 29 14:39:15 2013
@@ -207,6 +207,46 @@
     </jaxws:endpoint> 
     
     <jaxws:endpoint 
+       id="AsymmetricEncryptBeforeSigning"
+       address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricEncryptBeforeSigning" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItAsymmetricEncryptBeforeSigningPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        
+       <jaxws:properties>
+          <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="AsymmetricEncryptSignature"
+       address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricEncryptSignature" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItAsymmetricEncryptSignaturePort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        
+       <jaxws:properties>
+          <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
        id="AsymmetricSignature"
        address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricSignature" 
        serviceName="s:DoubleItService"

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml Wed May 29 14:39:15 2013
@@ -214,6 +214,48 @@
     </jaxws:endpoint> 
     
     <jaxws:endpoint 
+       id="AsymmetricEncryptBeforeSigning"
+       address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricEncryptBeforeSigning" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItAsymmetricEncryptBeforeSigningPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        
+       <jaxws:properties>
+          <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+          <entry key="ws-security.enable.streaming" value="true"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
+       id="AsymmetricEncryptSignature"
+       address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricEncryptSignature" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItAsymmetricEncryptSignaturePort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        
+       <jaxws:properties>
+          <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+          <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+          <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+          <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+          <entry key="ws-security.enable.streaming" value="true"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
+    <jaxws:endpoint 
        id="AsymmetricSignature"
        address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricSignature" 
        serviceName="s:DoubleItService"



Mime
View raw message