From cohei...@apache.org
Subject svn commit: r1524997 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ systests/ws-secur...
Date Fri, 20 Sep 2013 13:25:45 GMT
Author: coheigea
Date: Fri Sep 20 13:25:44 2013
New Revision: 1524997

URL: http://svn.apache.org/r1524997
Log:
[CXF-4442] - Process OneTimeUse element of SAML assertion

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
    cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Fri Sep 20 13:25:44 2013
@@ -186,6 +186,15 @@ public final class SecurityConstants {
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     
     /**
+     * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
+     * The default value is "true" for message recipients, and "false" for message initiators.
+     * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token
Identifiers.
+     * Note that caching only applies when either a "SamlToken" policy is in effect, or
+     * else that a SAML action has been configured for the non-security-policy case.
+     */
+    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
+    
+    /**
      * Whether to validate the SubjectConfirmation requirements of a received SAML Token
      * (sender-vouches or holder-of-key). The default is true.
      */
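Review bot: The property key `"ws-security.enable.saml.cache"` is broader than both the constant name ENABLE_SAML_ONE_TIME_USE_CACHE and the Javadoc, which scope the cache to assertions carrying a OneTimeUse condition; a user who only sees the key in a config file will read it as a general SAML caching switch. Since the key becomes public configuration once released, either include a one-time-use qualifier in the key now or add a sentence to the Javadoc stating that the shorter key deliberately refers only to the OneTimeUse replay cache. The same naming gap applies to `"ws-security.saml.cache.instance"` in the next hunk. The Javadoc's "default is true for recipients and false for initiators" describes behaviour of the cache lookup code rather than of this constant, so a `{@link}` or a pointer to where that default is decided would help readers verify it.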
@@ -271,6 +280,13 @@ public final class SecurityConstants {
         "ws-security.timestamp.cache.instance";
     
     /**
+     * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers,
when
+     * the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache.
+     */
+    public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = 
+        "ws-security.saml.cache.instance";
+    
+    /**
      * Set this property to point to a configuration file for the underlying caching implementation.
      * The default configuration file that is used is cxf-ehcache.xml in this module.
      */
@@ -513,7 +529,8 @@ public final class SecurityConstants {
             DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
             STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
             TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
-            ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE
+            ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE,
+            SAML_ONE_TIME_USE_CACHE_INSTANCE
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Sep 20 13:25:44 2013
@@ -53,6 +53,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -167,7 +168,7 @@ public class IssuedTokenInterceptorProvi
                         boolean cacheIssuedToken = 
                             MessageUtils.getContextualBoolean(
                                 message, SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
true
-                            );
+                            ) && !isOneTimeUse(tok);
                         if (cacheIssuedToken) {
                             message.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN,
tok);
                             message.getExchange().put(SecurityConstants.TOKEN, tok);
@@ -205,6 +206,27 @@ public class IssuedTokenInterceptorProvi
             return (Trust13)ais.iterator().next().getAssertion();
         }
         
+        // Check to see if the received token is a SAML2 Token with "OneTimeUse" set. If
so,
+        // it should not be cached on the endpoint, but only on the message.
+        private boolean isOneTimeUse(SecurityToken issuedToken) {
+            Element token = issuedToken.getToken();
+            if (token != null && "Assertion".equals(token.getLocalName())
+                && WSConstants.SAML2_NS.equals(token.getNamespaceURI())) {
+                try {
+                    SamlAssertionWrapper assertion = new SamlAssertionWrapper(token);
+                    
+                    if (assertion.getSaml2().getConditions() != null
+                        && assertion.getSaml2().getConditions().getOneTimeUse() !=
null) {
+                        return true;
+                    }
+                } catch (WSSecurityException ex) {
+                    throw new Fault(ex);
+                }
+            }
+            
+            return false;
+        }
+        
         private SecurityToken retrieveCachedToken(Message message) {
             boolean cacheIssuedToken = 
                 MessageUtils.getContextualBoolean(
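Review bot: The comment on isOneTimeUse states that a OneTimeUse token "should not be cached on the endpoint, but only on the message", yet the call site in the previous hunk gates both the Endpoint put and the Exchange put on the same cacheIssuedToken flag, so unless an else branch outside that hunk stores it, such a token is not cached at all; either reword the comment or move `message.getExchange().put(SecurityConstants.TOKEN, tok);` outside the guard so it runs for the OneTimeUse case too. Separately, the check only recognises SAML 2.0 Assertions; a SAML 1.1 assertion carrying a DoNotCacheCondition expresses the same intent and would still be cached on the endpoint, which is worth a sentence in the comment if SAML 1.1 issued tokens can reach this provider. The `//` block would also read better as Javadoc with `@return true if the token is a SAML 2.0 Assertion whose Conditions include OneTimeUse` and `@throws Fault if the assertion cannot be parsed`. The enclosing class continues outside the hunk.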

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Sep 20 13:25:44 2013
@@ -358,6 +358,24 @@ public class PolicyBasedWSS4JInIntercept
         return false;
     }
     
+    /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    @Override
+    protected boolean isSamlCacheRequired(int doAction, SoapMessage msg) {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        if (aim != null) {
+            Collection<AssertionInfo> ais = 
+                getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+            
+            if (!ais.isEmpty()) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+    
     private void checkUsernameToken(
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
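Review bot: The override ignores the doAction parameter entirely, which is correct for the policy-driven path but is not stated anywhere, so a reader coming from the action-based check in WSS4JInInterceptor may expect the action bits to still matter here; suggest replacing the copied Javadoc with `Overrides the action-based check: a SAML replay cache is required whenever a SamlToken assertion is present in the effective policy. doAction is not consulted.` The body can also collapse to a single expression, `return aim != null && !getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN).isEmpty();`, which makes the policy-only intent visible at a glance.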

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Sep 20 13:25:44 2013
@@ -234,29 +234,7 @@ public class WSS4JInInterceptor extends 
             }
 
             // Configure replay caching
-            reqData.setEnableNonceReplayCache(false);
-            if (isNonceCacheRequired(doAction, msg)) {
-                ReplayCache nonceCache = 
-                    getReplayCache(
-                        msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
-                    );
-                reqData.setNonceReplayCache(nonceCache);
-                if (nonceCache != null) {
-                    reqData.setEnableNonceReplayCache(true);
-                }
-            }
-            
-            reqData.setEnableTimestampReplayCache(false);
-            if (isTimestampCacheRequired(doAction, msg)) {
-                ReplayCache timestampCache = 
-                    getReplayCache(
-                        msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
-                    );
-                reqData.setTimestampReplayCache(timestampCache);
-                if (timestampCache != null) {
-                    reqData.setEnableTimestampReplayCache(true);
-                }
-            }
+            configureReplayCaches(reqData, doAction, msg);
             
             TLSSessionInfo tlsInfo = msg.get(TLSSessionInfo.class);
             if (tlsInfo != null) {
@@ -425,6 +403,46 @@ public class WSS4JInInterceptor extends 
         }
     }
     
+    protected void configureReplayCaches(RequestData reqData, int doAction, SoapMessage msg)

+        throws WSSecurityException {
+        reqData.setEnableNonceReplayCache(false);
+        if (isNonceCacheRequired(doAction, msg)) {
+            ReplayCache nonceCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+                );
+            reqData.setNonceReplayCache(nonceCache);
+            if (nonceCache != null) {
+                reqData.setEnableNonceReplayCache(true);
+            }
+        }
+        
+        reqData.setEnableTimestampReplayCache(false);
+        if (isTimestampCacheRequired(doAction, msg)) {
+            ReplayCache timestampCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+                );
+            reqData.setTimestampReplayCache(timestampCache);
+            if (timestampCache != null) {
+                reqData.setEnableTimestampReplayCache(true);
+            }
+        }
+        
+        reqData.setEnableSamlOneTimeUseReplayCache(false);
+        if (isSamlCacheRequired(doAction, msg)) {
+            ReplayCache samlCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, 
+                    SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
+                );
+            reqData.setSamlOneTimeUseReplayCache(samlCache);
+            if (samlCache != null) {
+                reqData.setEnableSamlOneTimeUseReplayCache(true);
+            }
+        }
+    }
+    
     /**
      * Is a Nonce Cache required, i.e. are we expecting a UsernameToken 
      */
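Review bot: configureReplayCaches is a new protected extension point but, unlike isNonceCacheRequired directly below it, carries no Javadoc; document that it wires the nonce, timestamp and SAML OneTimeUse replay caches onto reqData, that each cache is enabled only when the corresponding is*CacheRequired check passes and getReplayCache returns a non-null instance, and under which conditions the declared WSSecurityException is thrown (the lookup in getReplayCache is outside this hunk, so that part should be confirmed). Worth stating explicitly in that doc: a null result from getReplayCache leaves the enable flag at false, so replay detection for OneTimeUse assertions is silently off on that endpoint even though the policy or action asked for it — a debug-level log at the three `!= null` checks, or at least at the new SAML one, would make that state visible to operators diagnosing accepted replays. The three blocks are structurally identical apart from the constant pair and the setter, so a small private helper taking the two property names and a setter callback would remove the duplication, but that is optional.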
@@ -447,6 +465,17 @@ public class WSS4JInInterceptor extends 
     }
     
     /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    protected boolean isSamlCacheRequired(int doAction, SoapMessage msg) {
+        if ((doAction & WSConstants.ST_UNSIGNED) == WSConstants.ST_UNSIGNED
+            || (doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED) {
+            return true;
+        }
+        return false;
+    }
+    
+    /**
      * Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the
      * algorithms that are allowed for encryption, signature, etc.
      */
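Review bot: isSamlCacheRequired spells out `if (...) { return true; } return false;` for what is a plain boolean expression; `return (doAction & WSConstants.ST_UNSIGNED) == WSConstants.ST_UNSIGNED || (doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED;` says the same thing more directly. The Javadoc, copied from the nonce and timestamp variants, would be more useful if it named the two actions it covers and noted that PolicyBasedWSS4JInInterceptor overrides it with a policy-based check, e.g. `Is a SAML cache required, i.e. does the configured action include an unsigned or signed SAML token. Overridden in the policy-based interceptor.`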

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Fri Sep 20 13:25:44 2013
@@ -27,12 +27,16 @@ import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.example.contract.doubleit.DoubleItPortType;
@@ -1246,5 +1250,66 @@ public class SamlTokenTest extends Abstr
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
     }
-    
+   
+    @org.junit.Test
+    public void testSaml2Replay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, PORT2);
+
+        // Create a SAML Token with no "OneTimeUse" Condition
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+        );
+        
+        Client cxfClient = ClientProxy.getClient(saml2Port);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should succeed
+        saml2Port.doubleIt(25);
+        saml2Port.doubleIt(25);
+        
+        // Now create a SAML Token with a "OneTimeUse" Condition
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setTokenPeriodMinutes(5);
+        conditions.setOneTimeUse(true);
+            
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        cxfClient.getOutInterceptors().remove(cacheInterceptor);
+        cacheInterceptor = new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should fail on the second one
+        saml2Port.doubleIt(25);
+        
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected on a replayed SAML Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)saml2Port).close();
+        bus.shutdown(true);
+    }
 }
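Review bot: The port close and bus shutdown at the end of testSaml2Replay only run when every call before them succeeds; a failure in either doubleIt invocation, or an unexpected exception type in the replay check, leaves the bus and TLS client running for the rest of the class. The older tests in this file follow the same pattern, so this is consistent, but wrapping the body from the first doubleIt call in try/finally with the two cleanup lines would make the replay test self-contained. Asserting on `ex.getMessage().contains(error)` is the right level, as it pins the replay-detection fault rather than any SOAPFault; a comment saying that the first pair of calls establishes that a non-OneTimeUse assertion is replayable on purpose would make the contrast with the second pair explicit.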

Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
(original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Fri Sep 20 13:25:44 2013
@@ -34,6 +34,7 @@ import org.apache.wss4j.common.ext.WSSec
 import org.apache.wss4j.common.saml.SAMLCallback;
 import org.apache.wss4j.common.saml.bean.AttributeBean;
 import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
@@ -49,6 +50,7 @@ public class SamlCallbackHandler impleme
     private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
     private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
     private boolean signAssertion;
+    private ConditionsBean conditions;
     
     public SamlCallbackHandler() {
         //
@@ -80,6 +82,10 @@ public class SamlCallbackHandler impleme
                 } else {
                     callback.setSamlVersion(SAMLVersion.VERSION_11);
                 }
+                if (conditions != null) {
+                    callback.setConditions(conditions);
+                }
+
                 callback.setIssuer("sts");
                 String subjectName = "uid=sts-client,o=mock-sts.com";
                 String subjectQualifier = "www.mock-sts.com";
@@ -154,5 +160,13 @@ public class SamlCallbackHandler impleme
     public void setSignAssertion(boolean signAssertion) {
         this.signAssertion = signAssertion;
     }
+
+    public ConditionsBean getConditions() {
+        return conditions;
+    }
+
+    public void setConditions(ConditionsBean conditions) {
+        this.conditions = conditions;
+    }
     
 }

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
Fri Sep 20 13:25:44 2013
@@ -310,6 +310,23 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSaml2TransportBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSaml2TransportPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
 
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
@@ -377,6 +394,9 @@
                    binding="tns:DoubleItSaml2SymmetricBinding">
             <soap:address location="http://localhost:9001/DoubleItSaml2PEP" />
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2TransportPort" binding="tns:DoubleItSaml2TransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2Transport" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -1008,6 +1028,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSaml2TransportPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:SupportingTokens>
+                    <wsp:Policy>
+                        <sp:SamlToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssSamlV20Token11/>
+                            </wsp:Policy>
+                        </sp:SamlToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>

Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml?rev=1524997&r1=1524996&r2=1524997&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
(original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
Fri Sep 20 13:25:44 2013
@@ -465,4 +465,23 @@
        </jaxws:inInterceptors>
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml2TransportToken"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2TransportPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" value="bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>
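Review bot: The new Saml2TransportToken endpoint sets no `ws-security.enable.saml.cache` entry, so testSaml2Replay depends on the recipient-side default of "true" described in SecurityConstants; an XML comment above the endpoint, such as `<!-- relies on the default SAML OneTimeUse replay cache for recipients; exercised by SamlTokenTest.testSaml2Replay -->`, would keep the test from breaking silently if that default ever changes. The same comment could record that this endpoint is the server side of the DoubleItSaml2TransportPort added to DoubleItSaml.wsdl in this commit, since nothing else ties the two together.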


