From cohei...@apache.org
Subject svn commit: r1525026 - in /cxf/branches/2.7.x-fixes: parent/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/w...
Date Fri, 20 Sep 2013 15:03:26 GMT
Author: coheigea
Date: Fri Sep 20 15:03:26 2013
New Revision: 1525026

URL: http://svn.apache.org/r1525026
Log:
[CXF-4442] - Process OneTimeUse element of SAML assertion


Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java

Modified:
    cxf/branches/2.7.x-fixes/parent/pom.xml
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
    cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml

Modified: cxf/branches/2.7.x-fixes/parent/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/parent/pom.xml?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/parent/pom.xml (original)
+++ cxf/branches/2.7.x-fixes/parent/pom.xml Fri Sep 20 15:03:26 2013
@@ -156,7 +156,7 @@
         <cxf.woodstox.core.version>4.2.0</cxf.woodstox.core.version>
         <cxf.woodstox.stax2-api.version>3.1.1</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
-        <cxf.wss4j.version>1.6.12</cxf.wss4j.version>
+        <cxf.wss4j.version>1.6.13-SNAPSHOT</cxf.wss4j.version>
         <cxf.xerces.version>2.11.0</cxf.xerces.version>
         <cxf.xmlbeans.version>2.6.0</cxf.xmlbeans.version>
         <cxf.xmlschema.version>2.0.3</cxf.xmlschema.version>

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
Fri Sep 20 15:03:26 2013
@@ -186,6 +186,15 @@ public final class SecurityConstants {
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     
     /**
+     * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
+     * The default value is "true" for message recipients, and "false" for message initiators.
+     * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token
Identifiers.
+     * Note that caching only applies when either a "SamlToken" policy is in effect, or
+     * else that a SAML action has been configured for the non-security-policy case.
+     */
+    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
+    
+    /**
      * Whether to validate the SubjectConfirmation requirements of a received SAML Token
      * (sender-vouches or holder-of-key). The default is true.
      */
@@ -264,6 +273,13 @@ public final class SecurityConstants {
         "ws-security.timestamp.cache.instance";
     
     /**
+     * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers,
when
+     * the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache.
+     */
+    public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = 
+        "ws-security.saml.cache.instance";
+    
+    /**
      * Set this property to point to a configuration file for the underlying caching implementation.
      * The default configuration file that is used is cxf-ehcache.xml in this module.
      */
@@ -493,7 +509,7 @@ public final class SecurityConstants {
             DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
             STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
             TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
-            ASYMMETRIC_SIGNATURE_ALGORITHM
+            ASYMMETRIC_SIGNATURE_ALGORITHM, ENABLE_SAML_ONE_TIME_USE_CACHE, SAML_ONE_TIME_USE_CACHE_INSTANCE
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Fri Sep 20 15:03:26 2013
@@ -59,6 +59,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
 import org.apache.ws.security.message.token.BinarySecurity;
@@ -157,7 +158,7 @@ public class IssuedTokenInterceptorProvi
                         boolean cacheIssuedToken = 
                             MessageUtils.getContextualBoolean(
                                 message, SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
true
-                            );
+                            ) && !isOneTimeUse(tok);
                         if (cacheIssuedToken) {
                             message.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN,
tok);
                             message.getExchange().put(SecurityConstants.TOKEN, tok);
@@ -193,6 +194,27 @@ public class IssuedTokenInterceptorProvi
             return (Trust13)ais.iterator().next().getAssertion();
         }
         
+        // Check to see if the received token is a SAML2 Token with "OneTimeUse" set. If
so,
+        // it should not be cached on the endpoint, but only on the message.
+        private boolean isOneTimeUse(SecurityToken issuedToken) {
+            Element token = issuedToken.getToken();
+            if (token != null && "Assertion".equals(token.getLocalName())
+                && WSConstants.SAML2_NS.equals(token.getNamespaceURI())) {
+                try {
+                    AssertionWrapper assertion = new AssertionWrapper(token);
+                    
+                    if (assertion.getSaml2().getConditions() != null
+                        && assertion.getSaml2().getConditions().getOneTimeUse() !=
null) {
+                        return true;
+                    }
+                } catch (WSSecurityException ex) {
+                    throw new Fault(ex);
+                }
+            }
+            
+            return false;
+        }
+        
         private SecurityToken retrieveCachedToken(Message message) {
             boolean cacheIssuedToken = 
                 MessageUtils.getContextualBoolean(
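Review bot: isOneTimeUse calls `assertion.getSaml2().getConditions()` twice in the same condition and describes its contract in a `//` comment rather than Javadoc, although it is the one place that decides whether a received assertion may be shared across requests via the Endpoint. Hoist the conditions into a local and collapse the check, e.g. `return assertion.getSaml2().getConditions() != null && assertion.getSaml2().getConditions().getOneTimeUse() != null;` with the local substituted, and promote the comment to a Javadoc stating that a WSSecurityException while parsing the token is surfaced as a Fault rather than treated as "not one-time-use". The latter is the right default, since a token that cannot be parsed should not silently become cacheable. The enclosing inner class continues outside the hunk.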

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Fri Sep 20 15:03:26 2013
@@ -313,6 +313,23 @@ public class PolicyBasedWSS4JInIntercept
         return false;
     }
     
+    /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    @Override
+    protected boolean isSamlCacheRequired(int doAction, SoapMessage msg) {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        if (aim != null) {
+            Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
+            
+            if (ais != null && !ais.isEmpty()) {
+                return true;
+            }
+        }
+        
+        return false;
+    }
+    
     private void checkUsernameToken(
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
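Review bot: Both new isSamlCacheRequired implementations, here and in the WSS4JInInterceptor hunk later in this commit, wrap a boolean expression in `if (...) { return true; } return false;`; returning the expression directly reads better, e.g. `return ais != null && !ais.isEmpty();` in this override. The Javadoc on each should also state the decision basis, since the two differ: this override ignores `doAction` and keys purely off the presence of a SamlToken policy assertion, while the base class keys off the ST_SIGNED/ST_UNSIGNED action bits, and a subclass author needs to know which one governs. The enclosing class starts and ends outside the hunk.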

Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Fri Sep 20 15:03:26 2013
@@ -249,21 +249,7 @@ public class WSS4JInInterceptor extends 
             }
             
             // Configure replay caching
-            if (isNonceCacheRequired(doAction, msg)) {
-                ReplayCache nonceCache = 
-                    getReplayCache(
-                        msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
-                    );
-                reqData.setNonceReplayCache(nonceCache);
-            }
-            
-            if (isTimestampCacheRequired(doAction, msg)) {
-                ReplayCache timestampCache = 
-                    getReplayCache(
-                        msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
-                    );
-                reqData.setTimestampReplayCache(timestampCache);
-            }
+            configureReplayCaches(reqData, doAction, msg);
             
             /*
              * Get and check the Signature specific parameters first because
@@ -437,6 +423,34 @@ public class WSS4JInInterceptor extends 
         }
     }
     
+    protected void configureReplayCaches(RequestData reqData, int doAction, SoapMessage msg)

+        throws WSSecurityException {
+        if (isNonceCacheRequired(doAction, msg)) {
+            ReplayCache nonceCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
+                );
+            reqData.setNonceReplayCache(nonceCache);
+        }
+        
+        if (isTimestampCacheRequired(doAction, msg)) {
+            ReplayCache timestampCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
+                );
+            reqData.setTimestampReplayCache(timestampCache);
+        }
+        
+        if (isSamlCacheRequired(doAction, msg)) {
+            ReplayCache samlCache = 
+                getReplayCache(
+                    msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, 
+                    SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
+                );
+            reqData.setSamlOneTimeUseReplayCache(samlCache);
+        }
+    }
+    
     /**
      * Is a Nonce Cache required, i.e. are we expecting a UsernameToken 
      */
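Review bot: configureReplayCaches is a new protected extension point without Javadoc, and since replay-cache wiring is security-relevant a subclass overriding it should be told what it is expected to do. Suggest a Javadoc above the signature along the lines of: configures the nonce, timestamp and SAML OneTimeUse replay caches on the RequestData, each only when the corresponding isXxxCacheRequired check passes, obtaining instances via getReplayCache from the enable/instance properties; throws WSSecurityException if a cache cannot be created. The three blocks are otherwise identical apart from the property pair and setter, so a reviewer would also accept leaving the structure as is for symmetry with the existing nonce/timestamp code. The enclosing class continues outside the hunk.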
@@ -459,6 +473,17 @@ public class WSS4JInInterceptor extends 
     }
     
     /**
+     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
+     */
+    protected boolean isSamlCacheRequired(int doAction, SoapMessage msg) {
+        if ((doAction & WSConstants.ST_UNSIGNED) == WSConstants.ST_UNSIGNED
+            || (doAction & WSConstants.ST_SIGNED) == WSConstants.ST_SIGNED) {
+            return true;
+        }
+        return false;
+    }
+    
+    /**
      * Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the
      * algorithms that are allowed for encryption, signature, etc.
      */

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
Fri Sep 20 15:03:26 2013
@@ -27,13 +27,17 @@ import javax.xml.ws.Service;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.endpoint.Client;
+import org.apache.cxf.frontend.ClientProxy;
 import org.apache.cxf.systest.ws.common.SecurityTestUtil;
 import org.apache.cxf.systest.ws.saml.client.SamlCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlElementCallbackHandler;
 import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
 import org.apache.cxf.systest.ws.saml.server.Server;
+import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.ws.security.saml.ext.bean.ConditionsBean;
 import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.example.contract.doubleit.DoubleItPortType;
@@ -752,5 +756,66 @@ public class SamlTokenTest extends Abstr
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
     }
-    
+   
+    @org.junit.Test
+    public void testSaml2Replay() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, PORT2);
+
+        // Create a SAML Token with no "OneTimeUse" Condition
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+        );
+        
+        Client cxfClient = ClientProxy.getClient(saml2Port);
+        SecurityHeaderCacheInterceptor cacheInterceptor =
+            new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should succeed
+        saml2Port.doubleIt(25);
+        saml2Port.doubleIt(25);
+        
+        // Now create a SAML Token with a "OneTimeUse" Condition
+        ConditionsBean conditions = new ConditionsBean();
+        conditions.setTokenPeriodMinutes(5);
+        conditions.setOneTimeUse(true);
+            
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        cxfClient.getOutInterceptors().remove(cacheInterceptor);
+        cacheInterceptor = new SecurityHeaderCacheInterceptor();
+        cxfClient.getOutInterceptors().add(cacheInterceptor);
+        
+        // Make two invocations...should fail on the second one
+        saml2Port.doubleIt(25);
+        
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected on a replayed SAML Assertion");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "A replay attack has been detected";
+            assertTrue(ex.getMessage().contains(error));
+        }
+        
+        ((java.io.Closeable)saml2Port).close();
+        bus.shutdown(true);
+    }
 }

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlCallbackHandler.java
Fri Sep 20 15:03:26 2013
@@ -33,6 +33,7 @@ import org.apache.ws.security.components
 import org.apache.ws.security.saml.ext.SAMLCallback;
 import org.apache.ws.security.saml.ext.bean.AttributeBean;
 import org.apache.ws.security.saml.ext.bean.AttributeStatementBean;
+import org.apache.ws.security.saml.ext.bean.ConditionsBean;
 import org.apache.ws.security.saml.ext.bean.KeyInfoBean;
 import org.apache.ws.security.saml.ext.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.ws.security.saml.ext.bean.SubjectBean;
@@ -47,6 +48,7 @@ public class SamlCallbackHandler impleme
     private boolean saml2 = true;
     private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
     private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
+    private ConditionsBean conditions;
     
     public SamlCallbackHandler() {
         //
@@ -73,6 +75,10 @@ public class SamlCallbackHandler impleme
                 } else {
                     callback.setSamlVersion(SAMLVersion.VERSION_11);
                 }
+                if (conditions != null) {
+                    callback.setConditions(conditions);
+                }
+
                 callback.setIssuer("sts");
                 String subjectName = "uid=sts-client,o=mock-sts.com";
                 String subjectQualifier = "www.mock-sts.com";
@@ -128,5 +134,13 @@ public class SamlCallbackHandler impleme
         
         return keyInfo;
     }
+
+    public ConditionsBean getConditions() {
+        return conditions;
+    }
+
+    public void setConditions(ConditionsBean conditions) {
+        this.conditions = conditions;
+    }
     
 }

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
Fri Sep 20 15:03:26 2013
@@ -310,6 +310,23 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSaml2TransportBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSaml2TransportPolicy" />
+        <soap:binding style="document"
+            transport="http://schemas.xmlsoap.org/soap/http" />
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction="" />
+            <wsdl:input>
+                <soap:body use="literal" />
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal" />
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault" />
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
 
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItSaml1TransportPort" binding="tns:DoubleItSaml1TransportBinding">
@@ -377,6 +394,9 @@
                    binding="tns:DoubleItSaml2SymmetricBinding">
             <soap:address location="http://localhost:9001/DoubleItSaml2PEP" />
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2TransportPort" binding="tns:DoubleItSaml2TransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2Transport" />
+        </wsdl:port>
     </wsdl:service>
 
     <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
@@ -1011,6 +1031,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSaml2TransportPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:TransportBinding>
+                    <wsp:Policy>
+                        <sp:TransportToken>
+                            <wsp:Policy>
+                                <sp:HttpsToken>
+                                    <wsp:Policy/>
+                                </sp:HttpsToken>
+                            </wsp:Policy>
+                        </sp:TransportToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax />
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128 />
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:TransportBinding>
+                <sp:SupportingTokens>
+                    <wsp:Policy>
+                        <sp:SamlToken
+                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:WssSamlV20Token11/>
+                            </wsp:Policy>
+                        </sp:SamlToken>
+                    </wsp:Policy>
+                </sp:SupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
       <wsp:ExactlyOne>
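Review bot: DoubleItSaml2TransportPolicy declares a TransportBinding with no `<sp:IncludeTimestamp/>`, which I take to be deliberate so that the two identical requests in testSaml2Replay's first phase are not rejected by the timestamp replay cache and only the OneTimeUse check is exercised. That intent is not visible in the WSDL, and a later cleanup aligning this policy with the others could reintroduce the timestamp and break the test; an XML comment such as `<!-- No IncludeTimestamp: the replay test must only be caught by the SAML OneTimeUse cache -->` inside the policy would pin it. If the omission was not intentional, then the policy should be brought in line with the other transport policies in this file instead.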

Modified: cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml?rev=1525026&r1=1525025&r2=1525026&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
(original)
+++ cxf/branches/2.7.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
Fri Sep 20 15:03:26 2013
@@ -480,4 +480,24 @@
        </jaxws:inInterceptors>
     </jaxws:endpoint> 
     
+    <jaxws:endpoint 
+       id="Saml2TransportToken"
+       address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" 
+       serviceName="s:DoubleItService"
+       endpointName="s:DoubleItSaml2TransportPort"
+       xmlns:s="http://www.example.org/contract/DoubleIt"
+       implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
+       wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"
+       depends-on="tls-settings">
+        
+       <jaxws:properties>
+           <entry key="ws-security.callback-handler" 
+                  value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+           <entry key="ws-security.signature.properties" 
+                  value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/> 
+           <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+       </jaxws:properties> 
+     
+    </jaxws:endpoint> 
+    
 </beans>


