cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From owu...@apache.org
Subject svn commit: r1499202 - in /cxf/branches/2.7.x-fixes: rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/ services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/...
Date Wed, 03 Jul 2013 04:16:06 GMT
Author: owulff
Date: Wed Jul  3 04:16:05 2013
New Revision: 1499202

URL: http://svn.apache.org/r1499202
Log:
[CXF-3883] Support for identity mapping as part of issue token process

Added:
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java
Modified:
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
    cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java
    cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java
    cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
    cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Wed Jul  3 04:16:05 2013
@@ -904,12 +904,26 @@ public abstract class AbstractBindingBui
                 }
             }
         }
-        
+                
         //
         // Get the SAML CallbackHandler
         //
         Object o = message.getContextualProperty(SecurityConstants.SAML_CALLBACK_HANDLER);
-    
+        
+        if (o == null && message.getContextualProperty(SecurityConstants.TOKEN) != null) {
+            SecurityToken securityToken = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
+            Element tokenElement = (Element)securityToken.getToken();
+            String namespace = tokenElement.getNamespaceURI();
+            String localname = tokenElement.getLocalName();
+            if ((token.isUseSamlVersion11Profile10() || token.isUseSamlVersion11Profile11())
+                    && WSConstants.SAML_NS.equals(namespace) && "Assertion".equals(localname)) {
+                return new AssertionWrapper(tokenElement);
+            } else if (token.isUseSamlVersion20Profile11()
+                    && WSConstants.SAML2_NS.equals(namespace) && "Assertion".equals(localname)) {
+                return new AssertionWrapper(tokenElement);
+            }
+        }
+        
         CallbackHandler handler = null;
         if (o instanceof CallbackHandler) {
             handler = (CallbackHandler)o;

Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java Wed Jul  3 04:16:05 2013
@@ -26,6 +26,7 @@ import javax.security.auth.callback.Call
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.realm.Relationship;
 import org.apache.cxf.sts.token.realm.RelationshipResolver;
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
 import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.ws.security.components.crypto.Crypto;
 
@@ -181,4 +182,17 @@ public interface STSPropertiesMBean {
      */    
     RelationshipResolver getRelationshipResolver();
     
+    
+    /**
+     * Get the SAML Realm Codec object to use.
+     * @return the SAMLRealmCodec object to use.
+     */
+    SAMLRealmCodec getSamlRealmCodec();
+    
+    /**
+     * Set the SAML Realm Codec object to use.
+     * @param samlRealmCodec the SAMLRealmCodec object to use.
+     */
+    void setSamlRealmCodec(SAMLRealmCodec samlRealmCodec);
+    
 }

Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java Wed Jul  3 04:16:05 2013
@@ -35,6 +35,7 @@ import org.apache.cxf.resource.ResourceM
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.sts.token.realm.Relationship;
 import org.apache.cxf.sts.token.realm.RelationshipResolver;
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
 import org.apache.cxf.ws.security.sts.provider.STSException;
 import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityException;
@@ -63,6 +64,9 @@ public class StaticSTSProperties impleme
     private IdentityMapper identityMapper;
     private List<Relationship> relationships;
     private RelationshipResolver relationshipResolver;
+    private SAMLRealmCodec samlRealmCodec;
+
+
 
     /**
      * Load the CallbackHandler, Crypto objects, if necessary.
@@ -388,4 +392,12 @@ public class StaticSTSProperties impleme
         return relationshipResolver;      
     }
     
+    public SAMLRealmCodec getSamlRealmCodec() {
+        return samlRealmCodec;
+    }
+
+    public void setSamlRealmCodec(SAMLRealmCodec samlRealmCodec) {
+        this.samlRealmCodec = samlRealmCodec;
+    }
+    
 }

Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java Wed Jul  3 04:16:05 2013
@@ -19,14 +19,18 @@
 
 package org.apache.cxf.sts.operation;
 
+import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.xml.bind.JAXBElement;
 import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
 
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.sts.QNameConstants;
 import org.apache.cxf.sts.claims.RequestClaimCollection;
 import org.apache.cxf.sts.event.STSIssueFailureEvent;
@@ -55,7 +59,12 @@ import org.apache.cxf.ws.security.sts.pr
 import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
 import org.apache.cxf.ws.security.sts.provider.operation.IssueOperation;
 import org.apache.cxf.ws.security.sts.provider.operation.IssueSingleOperation;
+import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.springframework.context.ApplicationEvent;
 
 /**
@@ -112,6 +121,29 @@ public class TokenIssueOperation extends
     
             TokenRequirements tokenRequirements = requestParser.getTokenRequirements();
             String tokenType = tokenRequirements.getTokenType();
+            
+            
+            if (stsProperties.getSamlRealmCodec() != null) {
+                AssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(context);
+                
+                if (assertion != null) {
+                    String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
+                    SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipal(assertion);
+                    if (LOG.isLoggable(Level.FINE)) {
+                        LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
+                    }
+                    
+                    ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
+                    wssecToken.setState(STATE.VALID);
+                    TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
+                    tokenResponse.setPrincipal(samlPrincipal);
+                    tokenResponse.setToken(wssecToken);
+                    tokenResponse.setTokenRealm(wssecRealm);
+                    tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
+                    processValidToken(providerParameters, wssecToken, tokenResponse);
+                    providerParameters.setPrincipal(wssecToken.getPrincipal());
+                }
+            }
     
     
             // Validate OnBehalfOf token if present
@@ -345,5 +377,37 @@ public class TokenIssueOperation extends
                 QNameConstants.WS_TRUST_FACTORY.createBinarySecret(binarySecretType);
         return binarySecret;
     }
+    
+    /**
+     * Method to fetch SAML assertion from the WS-Security header
+     */
+    
+    private static AssertionWrapper fetchSAMLAssertionFromWSSecuritySAMLToken(
+        WebServiceContext wsContext
+    ) {
+        
+        MessageContext messageContext = wsContext.getMessageContext();
+        final List<WSHandlerResult> handlerResults = 
+            CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
+        
+        if (handlerResults != null && handlerResults.size() > 0) {
+            WSHandlerResult handlerResult = handlerResults.get(0);
+            List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
+            
+            for (WSSecurityEngineResult engineResult : engineResults) {
+                /*
+                Integer actInt = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
+                String id = (String)engineResult.get(WSSecurityEngineResult.TAG_ID);
+                Element tokenElement = 
+                    (Element)engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                */
+                Object token = engineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                if (token instanceof AssertionWrapper) {
+                    return (AssertionWrapper)token;
+                }
+            }
+        }
+        return null;
+    }
 
 }

Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java Wed Jul  3 04:16:05 2013
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import java.security.Principal;
+
+import org.apache.cxf.sts.IdentityMapper;
+import org.apache.ws.security.CustomTokenPrincipal;
+
+/**
+ * A test implementation of IdentityMapper.
+ */
+public class CustomIdentityMapper implements IdentityMapper {
+
+    /**
+     * Map a principal in the source realm to the target realm
+     * @param sourceRealm the source realm of the Principal
+     * @param sourcePrincipal the principal in the source realm
+     * @param targetRealm the target realm of the Principal
+     * @return the principal in the target realm
+     */
+    public Principal mapPrincipal(String sourceRealm, Principal sourcePrincipal, String targetRealm) {
+        if ("a-issuer".equals(sourceRealm)) {
+            String name = sourcePrincipal.getName().toUpperCase();
+            return new CustomTokenPrincipal(name);
+        } else if ("b-issuer".equals(sourceRealm)) {
+            String name = sourcePrincipal.getName().toLowerCase();
+            return new CustomTokenPrincipal(name);
+        }
+        return null;
+    }
+
+}

Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java Wed Jul  3 04:16:05 2013
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+public class SAMLRealmCNCodec implements SAMLRealmCodec {
+
+    @Override
+    public String getRealmFromToken(AssertionWrapper assertion) {
+        return assertion.getIssuerString();
+    }
+}
+

Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java Wed Jul  3 04:16:05 2013
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import java.util.StringTokenizer;
+
+import javax.xml.ws.WebServiceContext;
+
+import org.apache.cxf.sts.RealmParser;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+
+public class UriRealmParser implements RealmParser {
+
+    @Override
+    public String parseRealm(WebServiceContext context) throws STSException {
+        
+
+        String realm = null;
+        try {
+            String url = (String)context.getMessageContext().get("org.apache.cxf.request.url");
+            
+            StringTokenizer st = new StringTokenizer(url, "/");
+            
+            int count = st.countTokens();
+            if (count <= 4) {
+                return null;
+            }
+            count--;
+            for (int i = 0; i < count; i++) {
+                realm = st.nextToken();
+            }
+        } catch (Exception ex) {
+          // No realm found  
+        }
+        return realm;
+
+    }
+
+}

Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java Wed Jul  3 04:16:05 2013
@@ -23,8 +23,10 @@ import java.security.cert.X509Certificat
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 
 import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 
@@ -33,15 +35,32 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.provider.TokenProviderParameters;
+import org.apache.cxf.sts.token.provider.TokenProviderResponse;
+import org.apache.cxf.sts.token.realm.SAMLRealm;
+import org.apache.cxf.systest.sts.common.CommonCallbackHandler;
 import org.apache.cxf.systest.sts.common.SecurityTestUtil;
 import org.apache.cxf.systest.sts.deployment.STSServer;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.ws.security.CustomTokenPrincipal;
+import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDocInfo;
 import org.apache.ws.security.WSSConfig;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.components.crypto.CryptoType;
@@ -241,7 +260,7 @@ public class IssueUnitTest extends Abstr
         // Get a token
         SecurityToken token = 
             requestSecurityToken(
-                SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bst.getElement(), bus, DEFAULT_ADDRESS, null
+                SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bst.getElement(), bus, DEFAULT_ADDRESS, null, null, null, null
             );
         assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
         assertTrue(token.getToken() != null);
@@ -361,6 +380,75 @@ public class IssueUnitTest extends Abstr
         
         bus.shutdown(true);
     }
+    //CHECKSTYLE:OFF
+    @org.junit.Test
+    public void testSAMLinWSSecToOtherRealm() throws Exception {
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+        CallbackHandler callbackHandler = new CommonCallbackHandler();
+        
+        //Create SAML token
+        Element samlToken = 
+            createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey",
+                    callbackHandler, null, "alice", "a-issuer");
+        
+        String id = null;
+        QName elName = DOMUtils.getElementQName(samlToken);
+        if (elName.equals(new QName(WSConstants.SAML_NS, "Assertion"))
+            && samlToken.hasAttributeNS(null, "AssertionID")) {
+            id = samlToken.getAttributeNS(null, "AssertionID");
+        } else if (elName.equals(new QName(WSConstants.SAML2_NS, "Assertion"))
+            && samlToken.hasAttributeNS(null, "ID")) {
+            id = samlToken.getAttributeNS(null, "ID");
+        }
+        if (id == null) {
+            id = samlToken.getAttributeNS(WSConstants.WSU_NS, "Id");
+        }
+                
+        SecurityToken wstoken = new SecurityToken(id, samlToken, null, null);
+        Map<String, Object> properties = new HashMap<String, Object>();
+        properties.put(SecurityConstants.TOKEN, wstoken);
+        properties.put(SecurityConstants.TOKEN_ID, wstoken.getId());
+        
+        // Get a token
+        
+        SecurityToken token = 
+            requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null,
+                    bus, DEFAULT_ADDRESS, null, properties, "b-issuer", "Transport_SAML_Port");
+        
+        /*
+        SecurityToken token = 
+                requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null,
+                        bus, DEFAULT_ADDRESS, null, properties, "b-issuer", null);
+                        */
+        assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
+        assertTrue(token.getToken() != null);
+        
+        List<WSSecurityEngineResult> results = processToken(token);
+        assertTrue(results != null && results.size() == 1);
+        AssertionWrapper assertion = 
+            (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+        assertTrue(assertion != null);
+        assertTrue(assertion.isSigned());
+        
+        List<String> methods = assertion.getConfirmationMethods();
+        String confirmMethod = null;
+        if (methods != null && methods.size() > 0) {
+            confirmMethod = methods.get(0);
+        }
+        assertTrue(confirmMethod.contains("bearer"));
+        
+        assertTrue("b-issuer".equals(assertion.getIssuerString()));
+        String subjectName = assertion.getSaml2().getSubject().getNameID().getValue();
+        assertTrue("Subject must be ALICE instead of " + subjectName, "ALICE".equals(subjectName));
+        
+    }
     
     private SecurityToken requestSecurityToken(
         String tokenType, 
@@ -368,7 +456,7 @@ public class IssueUnitTest extends Abstr
         Bus bus,
         String endpointAddress
     ) throws Exception {
-        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, null);
+        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, null, null, null, null);
     }
     
     private SecurityToken requestSecurityToken(
@@ -378,7 +466,7 @@ public class IssueUnitTest extends Abstr
         String endpointAddress,
         String context
     ) throws Exception {
-        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, context);
+        return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, context, null, null, null);
     }
     
     private SecurityToken requestSecurityToken(
@@ -387,23 +475,39 @@ public class IssueUnitTest extends Abstr
         Element supportingToken,
         Bus bus,
         String endpointAddress,
-        String context
+        String context,
+        Map<String, Object> msgProperties,
+        String realmUri,
+        String wsdlPort
     ) throws Exception {
         STSClient stsClient = new STSClient(bus);
         String port = "8443";
         if (standalone) {
             port = STSPORT;
         }
-        stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/Transport?wsdl");
+        if (realmUri != null) {
+            stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/" + realmUri
+                    + "/Transport?wsdl");
+        } else {
+            stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/Transport?wsdl");
+        }
         stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
-        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+        if (wsdlPort != null) {
+            stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}" + wsdlPort);
+        } else {
+            stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+        }
         
-        Map<String, Object> properties = new HashMap<String, Object>();
-        properties.put(SecurityConstants.USERNAME, "alice");
-        properties.put(
-            SecurityConstants.CALLBACK_HANDLER, 
-            "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
-        );
+        
+        Map<String, Object> properties = msgProperties;
+        if (properties == null) {
+            properties = new HashMap<String, Object>();
+            properties.put(SecurityConstants.USERNAME, "alice");
+            properties.put(
+                    SecurityConstants.CALLBACK_HANDLER, 
+                    "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+            );
+        }
         properties.put(SecurityConstants.IS_BSP_COMPLIANT, "false");
         
         if (PUBLIC_KEY_KEYTYPE.equals(keyType)) {
@@ -482,4 +586,77 @@ public class IssueUnitTest extends Abstr
             token.getToken(), requestData, new WSDocInfo(token.getToken().getOwnerDocument())
         );
     }
+    
+    private Properties getEncryptionProperties() {
+        Properties properties = new Properties();
+        properties.put(
+                "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin"
+        );
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "stsstore.jks");
+
+        return properties;
+    }
+    
+    /*
+     * Mock up an SAML assertion element
+     */
+    private Element createSAMLAssertion(
+            String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler,
+            Map<String, SAMLRealm> realms, String user, String issuer
+    ) throws WSSecurityException {
+        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+        samlTokenProvider.setRealmMap(realms);
+
+        TokenProviderParameters providerParameters = 
+            createProviderParameters(
+                    tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername,
+                    callbackHandler, user, issuer
+            );
+        if (realms != null) {
+            providerParameters.setRealm("A");
+        }
+        TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+        return providerResponse.getToken();
+    }
+
+    private TokenProviderParameters createProviderParameters(
+            String tokenType, String keyType, Crypto crypto, 
+            String signatureUsername, CallbackHandler callbackHandler,
+            String username, String issuer
+    ) throws WSSecurityException {
+        TokenProviderParameters parameters = new TokenProviderParameters();
+
+        TokenRequirements tokenRequirements = new TokenRequirements();
+        tokenRequirements.setTokenType(tokenType);
+        parameters.setTokenRequirements(tokenRequirements);
+
+        KeyRequirements keyRequirements = new KeyRequirements();
+        keyRequirements.setKeyType(keyType);
+        parameters.setKeyRequirements(keyRequirements);
+
+        parameters.setPrincipal(new CustomTokenPrincipal(username));
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+        WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+        parameters.setWebServiceContext(webServiceContext);
+
+        parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+
+        // Add STSProperties object
+        StaticSTSProperties stsProperties = new StaticSTSProperties();
+        stsProperties.setSignatureCrypto(crypto);
+        stsProperties.setSignatureUsername(signatureUsername);
+        stsProperties.setCallbackHandler(callbackHandler);
+        stsProperties.setIssuer(issuer);
+        parameters.setStsProperties(stsProperties);
+
+        parameters.setEncryptionProperties(new EncryptionProperties());
+
+        return parameters;
+    }
 }

Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml Wed Jul  3 04:16:05 2013
@@ -47,12 +47,40 @@
         </cxf:features>
     </cxf:bus>
 
+	<bean id="transportSTSProviderBean2"
+		class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+		<property name="issueOperation" ref="transportIssueDelegate" />
+		<property name="validateOperation" ref="transportValidateDelegate" />
+	</bean>
+
+	<bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+		<property name="tokenProviders" ref="transportTokenProviders" />
+		<property name="tokenValidators" ref="transportTokenValidators" />
+		<property name="services" ref="transportService" />
+		<property name="stsProperties" ref="transportSTSProperties" />
+	</bean>
+
+	<bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+		<property name="tokenValidators" ref="transportTokenValidators" />
+		<property name="stsProperties" ref="transportSTSProperties" />
+	</bean>
+
+	<util:list id="transportTokenValidators">
+		<ref bean="transportSamlTokenValidator" />
+	</util:list>
+
+	<util:list id="transportTokenProviders">
+		<ref bean="transportSamlTokenProvider" />
+	</util:list>
+
+
     <bean id="transportSTSProviderBean"
 	    class="org.apache.cxf.sts.provider.DefaultSecurityTokenServiceProvider">
 	    <property name="services" ref="transportService" />
 		<property name="stsProperties" ref="transportSTSProperties" />
     </bean>
 
+ 
 	<bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
 		<property name="endpoints" ref="transportEndpoints" />
 	</bean>
@@ -61,6 +89,45 @@
 		<value>https://localhost:(\d)*/doubleit/services/doubleittransport.*
 		</value>
 	</util:list>
+	
+	<bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+		<property name="samlRealmCodec" ref="samlRealmCodec" />
+	</bean>
+	
+	<bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+		<property name="realmMap" ref="realms"/>
+	</bean>
+	
+	<bean id="realmA"
+        class="org.apache.cxf.sts.token.realm.SAMLRealm">
+        <property name="issuer" value="a-issuer"/>
+    </bean>
+    
+    <bean id="realmB"
+        class="org.apache.cxf.sts.token.realm.SAMLRealm">
+        <property name="issuer" value="b-issuer"/>
+    </bean>
+	
+	<util:map id="realms">
+        <entry key="a-issuer" value-ref="realmA"/>
+        <entry key="b-issuer" value-ref="realmB"/>
+    </util:map>
+	
+	
+	<bean id="samlRealmCodec" class="org.apache.cxf.systest.sts.common.SAMLRealmCNCodec" />
+	
+	<bean id="customRealmParser" class="org.apache.cxf.systest.sts.common.UriRealmParser" />
+	
+	<bean id="identityMapper" class="org.apache.cxf.systest.sts.common.CustomIdentityMapper" />
+	
+	<util:list id="relationships">
+		<bean class="org.apache.cxf.sts.token.realm.Relationship">
+			<property name="sourceRealm" value="a-issuer" />
+			<property name="targetRealm" value="b-issuer"/>
+			<property name="identityMapper" ref="identityMapper" />
+			<property name="type" value="FederatedIdentity" />
+		</bean>
+	</util:list>
 
 	<bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
 		<property name="signaturePropertiesFile" value="stsKeystore.properties" />
@@ -70,6 +137,11 @@
 		<property name="encryptionPropertiesFile" value="stsKeystore.properties" />
 		<property name="issuer" value="DoubleItSTSIssuer" />
 		<property name="encryptionUsername" value="myservicekey" />
+
+		<property name="realmParser" ref="customRealmParser"/>
+
+		<property name="relationships" ref="relationships" />
+		<property name="samlRealmCodec" ref="samlRealmCodec" />
 	</bean>
 
 	<jaxws:endpoint id="transportSTS" implementor="#transportSTSProviderBean"
@@ -83,6 +155,34 @@
 				value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
 		</jaxws:properties>
 	</jaxws:endpoint>
+	
+	
+	<jaxws:endpoint id="transportSTS-realmB" implementor="#transportSTSProviderBean2"
+		address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/b-issuer/Transport"
+		wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
+		xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+		serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_SAML_Port"
+                depends-on="ClientAuthHttpsSettings">
+		<jaxws:properties>
+			<entry key="ws-security.callback-handler"
+				value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
+			<entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+		</jaxws:properties>
+	</jaxws:endpoint>
+	<!--
+	<jaxws:endpoint id="transportSTS-realmB" implementor="#transportSTSProviderBean2"
+		address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/b-issuer/Transport"
+		wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
+		xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+		serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port"
+                depends-on="ClientAuthHttpsSettings">
+		<jaxws:properties>
+			<entry key="ws-security.callback-handler"
+				value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
+			<entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+		</jaxws:properties>
+	</jaxws:endpoint>
+	-->	
 
 	<httpj:engine-factory id="ClientAuthHttpsSettings"
 		bus="cxf">

Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl Wed Jul  3 04:16:05 2013
@@ -401,6 +401,80 @@
   	</wsdl:operation>
   </wsdl:binding>
   
+  <wsdl:binding name="Transport_SAML_Binding" type="wstrust:STS">
+    <wsp:PolicyReference URI="#Transport_SAML_policy" />
+  	<soap:binding style="document"
+  		transport="http://schemas.xmlsoap.org/soap/http" />
+  	<wsdl:operation name="Issue">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+  		<wsdl:input>
+  		    <wsp:PolicyReference
+               URI="#Input_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  		    <wsp:PolicyReference
+               URI="#Output_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Validate">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+  		<wsdl:input>
+  		    <wsp:PolicyReference
+               URI="#Input_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  		    <wsp:PolicyReference
+               URI="#Output_policy" />
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Cancel">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="Renew">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="KeyExchangeToken">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  	<wsdl:operation name="RequestCollection">
+  		<soap:operation
+  			soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
+  		<wsdl:input>
+  			<soap:body use="literal" />
+  		</wsdl:input>
+  		<wsdl:output>
+  			<soap:body use="literal" />
+  		</wsdl:output>
+  	</wsdl:operation>
+  </wsdl:binding>
+  
   <wsdl:service name="SecurityTokenService">
       <wsdl:port name="UT_Port" binding="tns:UT_Binding">
          <soap:address location="http://localhost:8080/SecurityTokenService/UT" />
@@ -411,7 +485,10 @@
       <wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
          <soap:address location="https://localhost:8443/SecurityTokenService/Transport" />
       </wsdl:port>
-       <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
+      <wsdl:port name="Transport_SAML_Port" binding="tns:Transport_SAML_Binding">
+         <soap:address location="https://localhost:8443/SecurityTokenService/Transport" />
+      </wsdl:port>       
+      <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
          <soap:address location="http://localhost:8080/SecurityTokenService/UTEncrypted" />
       </wsdl:port>
   </wsdl:service>
@@ -611,66 +688,166 @@
          </wsp:All>
       </wsp:ExactlyOne>
     </wsp:Policy>
-    
+
     <wsp:Policy wsu:Id="Transport_policy">
-      <wsp:ExactlyOne>
-         <wsp:All>
-            <wsap10:UsingAddressing/>
-            <sp:TransportBinding
-               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
-               <wsp:Policy>
-                  <sp:TransportToken>
-                     <wsp:Policy>
-                        <sp:HttpsToken>
-                            <wsp:Policy/>
-                        </sp:HttpsToken>
-                     </wsp:Policy>
-                  </sp:TransportToken>
-                  <sp:AlgorithmSuite>
-                     <wsp:Policy>
-                        <sp:Basic128 />
-                     </wsp:Policy>
-                  </sp:AlgorithmSuite>
-                  <sp:Layout>
-                     <wsp:Policy>
-                        <sp:Lax />
-                     </wsp:Policy>
-                  </sp:Layout>
-                  <sp:IncludeTimestamp />
-               </wsp:Policy>
-            </sp:TransportBinding>
-            <sp:SignedSupportingTokens
-               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
-               <wsp:Policy>
-                  <sp:UsernameToken
-                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
-                     <wsp:Policy>
-                        <sp:WssUsernameToken10 />
-                     </wsp:Policy>
-                  </sp:UsernameToken>
-               </wsp:Policy>
-            </sp:SignedSupportingTokens>
-            <sp:Wss11
-               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
-               <wsp:Policy>
-                  <sp:MustSupportRefKeyIdentifier />
-                  <sp:MustSupportRefIssuerSerial />
-                  <sp:MustSupportRefThumbprint />
-                  <sp:MustSupportRefEncryptedKey />
-               </wsp:Policy>
-            </sp:Wss11>
-            <sp:Trust13
-               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
-               <wsp:Policy>
-                  <sp:MustSupportIssuedTokens />
-                  <sp:RequireClientEntropy />
-                  <sp:RequireServerEntropy />
-               </wsp:Policy>
-            </sp:Trust13>
-         </wsp:All>
-      </wsp:ExactlyOne>
-   </wsp:Policy>
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsap10:UsingAddressing />
+                <sp:TransportBinding
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy />
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <!-- <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
+                    <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
+                    <wsp:Policy> <sp:WssUsernameToken10 /> </wsp:Policy> </sp:UsernameToken> 
+                    </wsp:Policy> </sp:SignedSupportingTokens> -->
+                <sp:SignedSupportingTokens
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <wsp:ExactlyOne>
+                            <wsp:All>
+                                <wsp:Policy>
+                                    <sp:UsernameToken
+                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                        <wsp:Policy>
+                                            <sp:WssUsernameToken10 />
+                                        </wsp:Policy>
+                                    </sp:UsernameToken>
+                                </wsp:Policy>
+                            </wsp:All>
+                            <wsp:All>
+                                <wsp:Policy>
+                                    <sp:SamlToken
+                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                        <wsp:Policy>
+                                            <sp:WssSamlV20Token11 />
+                                        </wsp:Policy>
+                                    </sp:SamlToken>
+                                </wsp:Policy>
+                            </wsp:All>
+                        </wsp:ExactlyOne>
+                    </wsp:Policy>
+                </sp:SignedSupportingTokens>
+                <sp:Wss11
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:MustSupportRefKeyIdentifier />
+                        <sp:MustSupportRefIssuerSerial />
+                        <sp:MustSupportRefThumbprint />
+                        <sp:MustSupportRefEncryptedKey />
+                    </wsp:Policy>
+                </sp:Wss11>
+                <sp:Trust13
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:MustSupportIssuedTokens />
+                        <sp:RequireClientEntropy />
+                        <sp:RequireServerEntropy />
+                    </wsp:Policy>
+                </sp:Trust13>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
    
+   <wsp:Policy wsu:Id="Transport_SAML_policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsap10:UsingAddressing />
+                <sp:TransportBinding
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy />
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp />
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <!-- <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> 
+                    <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> 
+                    <wsp:Policy> <sp:WssUsernameToken10 /> </wsp:Policy> </sp:UsernameToken> 
+                    </wsp:Policy> </sp:SignedSupportingTokens> -->
+                <sp:SignedSupportingTokens
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <wsp:ExactlyOne>
+<!--                         
+                            <wsp:All>
+                                <wsp:Policy>
+                                    <sp:UsernameToken
+                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                        <wsp:Policy>
+                                            <sp:WssUsernameToken10 />
+                                        </wsp:Policy>
+                                    </sp:UsernameToken>
+                                </wsp:Policy>
+                            </wsp:All>
+ -->                            
+                            <wsp:All>
+                                <wsp:Policy>
+                                    <sp:SamlToken
+                                        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                        <wsp:Policy>
+                                            <sp:WssSamlV20Token11 />
+                                        </wsp:Policy>
+                                    </sp:SamlToken>
+                                </wsp:Policy>
+                            </wsp:All>
+                        </wsp:ExactlyOne>
+                    </wsp:Policy>
+                </sp:SignedSupportingTokens>
+                <sp:Wss11
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:MustSupportRefKeyIdentifier />
+                        <sp:MustSupportRefIssuerSerial />
+                        <sp:MustSupportRefThumbprint />
+                        <sp:MustSupportRefEncryptedKey />
+                    </wsp:Policy>
+                </sp:Wss11>
+                <sp:Trust13
+                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+                    <wsp:Policy>
+                        <sp:MustSupportIssuedTokens />
+                        <sp:RequireClientEntropy />
+                        <sp:RequireServerEntropy />
+                    </wsp:Policy>
+                </sp:Trust13>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
    <wsp:Policy wsu:Id="Input_policy">
       <wsp:ExactlyOne>
          <wsp:All>



Mime
View raw message