From cohei...@apache.org
Subject [2/3] git commit: [CXF-5609] - Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout -> Policy -> Lax
Date Thu, 13 Mar 2014 15:42:20 GMT
[CXF-5609] - Won't pass verification of explicit WSS Policy AsymmetricBinding -> Layout
-> Policy -> Lax


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c0d2a84
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c0d2a84
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c0d2a84

Branch: refs/heads/master
Commit: 2c0d2a841135f4ae2bcf50920122a8045824d063
Parents: 6276add
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 13 14:52:10 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 13 15:42:11 2014 +0000

----------------------------------------------------------------------
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 10 +++
 .../AbstractBindingPolicyValidator.java         | 31 --------
 .../AlgorithmSuitePolicyValidator.java          | 57 ++++++++++++---
 .../policyvalidators/LayoutPolicyValidator.java | 74 +++++++++++++++-----
 .../TransportBindingPolicyValidator.java        | 33 ---------
 .../cxf/systest/ws/x509/DoubleItX509.wsdl       | 10 +--
 6 files changed, 121 insertions(+), 94 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index b13199b..bd37481 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -61,12 +61,14 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
@@ -889,6 +891,14 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
                 aim, msg, soapBody, results, signedResults, encryptedResults
             );
         
+        // Check AlgorithmSuite + Layout that might not be tied to a binding
+        AlgorithmSuitePolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
+        check &= 
+            algorithmSuiteValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        
+        LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
+        check &= layoutValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        
         return check;
     }
     
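Review bot: The two `check &=` lines added before `return check;` can never clear `check`, because the `validatePolicy(aim, msg, soapBody, results, signedResults)` overloads this commit adds to AlgorithmSuitePolicyValidator and LayoutPolicyValidator both end in an unconditional `return true;`. A failed algorithm-suite or layout check is now recorded only through `ai.setNotAsserted(...)`, whereas the code removed from AbstractBindingPolicyValidator returned false at that point. Whether such a message is still rejected therefore depends on a later policy-assertion verification step that is not visible in this diff. Either have the two validators return the aggregate result so the `&=` is meaningful, or drop the `&=` and add a comment such as `// Failures are reported via AssertionInfo.setNotAsserted, not the return value`. The enclosing method starts outside this hunk.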

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 106546a..cbc0e69 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -56,7 +56,6 @@ import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.EncryptionToken;
-import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.ProtectionToken;
 import org.apache.wss4j.policy.model.SignatureToken;
 import org.apache.wss4j.policy.model.X509Token;
@@ -163,21 +162,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         List<WSSecurityEngineResult> signedResults,
         Message message
     ) {
-        // Check the AlgorithmSuite
-        AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
-        if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
-            return false;
-        }
-        assertPolicy(aim, binding.getAlgorithmSuite());
-        String namespace = binding.getAlgorithmSuite().getAlgorithmSuiteType().getNamespace();
-        String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
-        Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
-        if (algSuiteAis != null) {
-            for (AssertionInfo algSuiteAi : algSuiteAis) {
-                algSuiteAi.setAsserted(true);
-            }
-        }
-        
         // Check the IncludeTimestamp
         if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults,
message)) {
             String error = "Received Timestamp does not match the requirements";
@@ -186,21 +170,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         }
         assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
         
-        // Check the Layout
-        Layout layout = binding.getLayout();
-        LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
-        if (!layoutValidator.validatePolicy(layout)) {
-            String error = "Layout does not match the requirements";
-            notAssertPolicy(aim, layout, error);
-            ai.setNotAsserted(error);
-            return false;
-        }
-        assertPolicy(aim, layout);
-        assertPolicy(aim, SPConstants.LAYOUT_LAX);
-        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
-        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
-        assertPolicy(aim, SPConstants.LAYOUT_STRICT);
-        
         // Check the EntireHeaderAndBodySignatures property
         if (binding.isOnlySignEntireHeadersAndBody()
             && !validateEntireHeaderAndBodySignatures(signedResults)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index cbbdb5e..533489d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -24,43 +24,84 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.DSAPublicKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.Collection;
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 
 /**
- * Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey
or
+ * Validate results corresponding to the processing of a Signature, EncryptedKey or
  * EncryptedData structure against an AlgorithmSuite policy.
  */
-public class AlgorithmSuitePolicyValidator {
+public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
     
-    private List<WSSecurityEngineResult> results;
+    public boolean validatePolicy(
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results);
+        }
 
-    public AlgorithmSuitePolicyValidator(
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,  
         List<WSSecurityEngineResult> results
     ) {
-        this.results = results;
+        for (AssertionInfo ai : ais) {
+            AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
+            ai.setAsserted(true);
+            
+            boolean valid = validatePolicy(ai, algorithmSuite, results);
+            if (valid) {
+                String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
+                String name = algorithmSuite.getAlgorithmSuiteType().getName();
+                Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace,
name));
+                if (algSuiteAis != null) {
+                    for (AssertionInfo algSuiteAi : algSuiteAis) {
+                        algSuiteAi.setAsserted(true);
+                    }
+                }
+            } else if (!valid && ai.isAsserted()) {
+                ai.setNotAsserted("Error in validating AlgorithmSuite policy");
+            }
+        }
     }
     
     public boolean validatePolicy(
-        AssertionInfo aiBinding, AlgorithmSuite algorithmPolicy
+        AssertionInfo ai, AlgorithmSuite algorithmPolicy, List<WSSecurityEngineResult>
results
     ) {
         boolean success = true;
         for (WSSecurityEngineResult result : results) {
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
             if (WSConstants.SIGN == actInt 
-                && !checkSignatureAlgorithms(result, algorithmPolicy, aiBinding))
{
+                && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
                 success = false;
             } else if (WSConstants.ENCR == actInt
-                && !checkEncryptionAlgorithms(result, algorithmPolicy, aiBinding))
{
+                && !checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
                 success = false;
             }
         }
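Review bot: In the new `parsePolicies`, `ai.setAsserted(true)` runs before `validatePolicy(ai, algorithmSuite, results)`, and the failure branch `else if (!valid && ai.isAsserted())` repeats a condition the `else` already guarantees. The early set looks deliberate: presumably `checkSignatureAlgorithms` and `checkEncryptionAlgorithms` (bodies outside this hunk) call `ai.setNotAsserted` with a specific reason, and the `isAsserted()` guard stops the generic message from overwriting it. Because an assertion that is marked satisfied before it is checked is easy to misread in security-policy code, simplify the branch to `} else if (ai.isAsserted()) {` and add a comment such as `// Asserted up front so a check that already called setNotAsserted keeps its more specific message`. The three-argument `validatePolicy` continues past the end of this hunk.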

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 6e3a02e..9506dae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -21,14 +21,17 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.List;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -38,25 +41,58 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.PKIPathSecurity;
 import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.Layout.LayoutType;
 
 /**
  * Validate a Layout policy.
  */
-public class LayoutPolicyValidator {
+public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
     
-    private List<WSSecurityEngineResult> results;
-    private List<WSSecurityEngineResult> signedResults;
+    public boolean validatePolicy(
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results, signedResults);
+        }
 
-    public LayoutPolicyValidator(
-        List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults
+        return true;
+    }
+        
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,  
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        this.results = results;
-        this.signedResults = signedResults;
+        for (AssertionInfo ai : ais) {
+            Layout layout = (Layout)ai.getAssertion();
+            ai.setAsserted(true);
+            
+            if (!validatePolicy(layout, results, signedResults)) {
+                String error = "Layout does not match the requirements";
+                ai.setNotAsserted(error);
+            }
+        }
+        
+        assertPolicy(aim, SPConstants.LAYOUT_LAX);
+        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+        assertPolicy(aim, SPConstants.LAYOUT_STRICT);
     }
     
-    public boolean validatePolicy(Layout layout) {
+    public boolean validatePolicy(
+        Layout layout, 
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         boolean timestampFirst = layout.getLayoutType() == LayoutType.LaxTsFirst;
         boolean timestampLast = layout.getLayoutType() == LayoutType.LaxTsLast;
         boolean strict = layout.getLayoutType() == LayoutType.Strict;
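Review bot: The four `assertPolicy(aim, SPConstants.LAYOUT_...)` calls at the end of the new `parsePolicies` run even when the loop above has just called `ai.setNotAsserted(error)` for a Layout that failed validation. In the code this commit removes from AbstractBindingPolicyValidator, they were reached only after the layout check had passed. The nested Lax/Strict assertions are therefore marked as satisfied for a message whose layout was rejected, so rejection rests solely on the parent Layout assertion staying unasserted. Tracking the outcome in the loop (`boolean allValid = true;` before it, `allValid = false;` next to `ai.setNotAsserted(error);`) and wrapping the four calls in `if (allValid) { ... }` would restore the previous ordering. The public `validatePolicy(Layout, ...)` body continues past the end of this hunk.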
@@ -78,16 +114,19 @@ public class LayoutPolicyValidator {
             if (lastAction.intValue() != WSConstants.TS) {
                 return false;
             }
-        } else if (strict && (!validateStrictSignaturePlacement() 
-            || !validateStrictSignatureTokenPlacement()
-            || !checkSignatureIsSignedPlacement())) {
+        } else if (strict && (!validateStrictSignaturePlacement(results, signedResults)

+            || !validateStrictSignatureTokenPlacement(results)
+            || !checkSignatureIsSignedPlacement(signedResults))) {
             return false;
         }
         
         return true;
     }
     
-    private boolean validateStrictSignaturePlacement() {
+    private boolean validateStrictSignaturePlacement(
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         // Go through each Signature and check any security header token is before the Signature
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> sl = 
@@ -125,13 +164,13 @@ public class LayoutPolicyValidator {
         return true;
     }
     
-    private boolean validateStrictSignatureTokenPlacement() {
+    private boolean validateStrictSignatureTokenPlacement(List<WSSecurityEngineResult>
results) {
         // Go through each Signature and check that the Signing Token appears before the
Signature
         for (int i = 0; i < results.size(); i++) {
             WSSecurityEngineResult result = results.get(i);
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt == WSConstants.SIGN) {
-                int correspondingIndex = findCorrespondingTokenIndex(result);
+                int correspondingIndex = findCorrespondingTokenIndex(result, results);
                 if (correspondingIndex > 0 && correspondingIndex < i) {
                     return false;
                 }
@@ -141,7 +180,7 @@ public class LayoutPolicyValidator {
         return true;
     }
     
-    private boolean checkSignatureIsSignedPlacement() {
+    private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults)
{
         for (int i = 0; i < signedResults.size(); i++) {
             WSSecurityEngineResult signedResult = signedResults.get(i);
             List<WSDataRef> sl =
@@ -181,7 +220,8 @@ public class LayoutPolicyValidator {
      * to sign the "signatureResult" argument.
      */
     private int findCorrespondingTokenIndex(
-        WSSecurityEngineResult signatureResult
+        WSSecurityEngineResult signatureResult,
+        List<WSSecurityEngineResult> results
     ) {
         // See what was used to sign this result
         X509Certificate cert = 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
index b503a3e..963efca 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import javax.xml.namespace.QName;
-
 import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
@@ -35,7 +33,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
-import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.TransportBinding;
 
 /**
@@ -89,21 +86,6 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
                 assertPolicy(aim, binding.getTransportToken());
             }
             
-            // Check the AlgorithmSuite
-            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
-            if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
-                continue;
-            }
-            assertPolicy(aim, binding.getAlgorithmSuite());
-            String namespace = binding.getAlgorithmSuite().getVersion().getNamespace();
-            String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
-            Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
-            if (algSuiteAis != null) {
-                for (AssertionInfo algSuiteAi : algSuiteAis) {
-                    algSuiteAi.setAsserted(true);
-                }
-            }
-            
             // Check the IncludeTimestamp
             if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults,
message)) {
                 String error = "Received Timestamp does not match the requirements";
@@ -111,21 +93,6 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
                 continue;
             }
             assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
-            
-            // Check the Layout
-            Layout layout = binding.getLayout();
-            LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
-            if (!layoutValidator.validatePolicy(layout)) {
-                String error = "Layout does not match the requirements";
-                notAssertPolicy(aim, binding.getLayout(), error);
-                ai.setNotAsserted(error);
-                continue;
-            }
-            assertPolicy(aim, binding.getLayout());
-            assertPolicy(aim, SPConstants.LAYOUT_LAX);
-            assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
-            assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
-            assertPolicy(aim, SPConstants.LAYOUT_STRICT);
         }
 
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c0d2a84/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
index 1c94065..2e170ff 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
@@ -1138,11 +1138,6 @@
                                 </sp:X509Token>
                             </wsp:Policy>
                         </sp:RecipientToken>
-                        <sp:Layout>
-                            <wsp:Policy>
-                                <sp:Lax/>
-                            </wsp:Policy>
-                        </sp:Layout>
                         <sp:IncludeTimestamp/>
                         <sp:OnlySignEntireHeadersAndBody/>
                         <sp:AlgorithmSuite>
@@ -1152,6 +1147,11 @@
                         </sp:AlgorithmSuite>
                     </wsp:Policy>
                 </sp:AsymmetricBinding>
+                <sp:Layout>
+                    <wsp:Policy>
+                        <sp:Lax/>
+                    </wsp:Policy>
+                </sp:Layout>
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>

