cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Date Thu, 17 Apr 2014 13:08:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 253f87685 -> 6d2723015


[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6d272301
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6d272301
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6d272301

Branch: refs/heads/master
Commit: 6d272301503bf6e74866b3e6f5c024c1447e0e2a
Parents: 253f876
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Apr 17 14:07:20 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Apr 17 14:07:20 2014 +0100

----------------------------------------------------------------------
 .../saml/Saml2AudienceRestrictionValidator.java | 92 ++++++++++++++++++++
 .../cxf/systest/ws/saml/SamlTokenTest.java      | 59 +++++++++++++
 .../StaxSaml2AudienceRestrictionValidator.java  | 82 +++++++++++++++++
 .../cxf/systest/ws/saml/DoubleItSaml.wsdl       |  3 +
 .../org/apache/cxf/systest/ws/saml/server.xml   | 20 ++++-
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 21 ++++-
 6 files changed, 275 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
new file mode 100644
index 0000000..add4394
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.ws.saml;
+
+import java.util.List;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.Conditions;
+
+/**
+ * This class checks that the Audiences received as part of AudienceRestrictions match a
set 
+ * list of endpoints.
+ */
+public class Saml2AudienceRestrictionValidator extends SamlAssertionValidator {
+    
+    private List<String> endpointAddresses;
+    
+    @Override
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
+        Credential validatedCredential = super.validate(credential, data);
+        SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
+        
+        Assertion saml2Assertion = assertion.getSaml2();
+        if (saml2Assertion == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        return validatedCredential;
+    }
+    
+    @Override
+    public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
+        super.checkConditions(samlAssertion);
+        
+        if (endpointAddresses == null || endpointAddresses.isEmpty()) {
+            return;
+        }
+        
+        Conditions conditions = samlAssertion.getSaml2().getConditions();
+        if (conditions != null && conditions.getAudienceRestrictions() != null) {
+            boolean foundAddress = false;
+            for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions())
{
+                List<Audience> audiences = audienceRestriction.getAudiences();
+                if (audiences != null) {
+                    for (Audience audience : audiences) {
+                        String audienceURI = audience.getAudienceURI();
+                        if (endpointAddresses.contains(audienceURI)) {
+                            foundAddress = true;
+                            break;
+                        }
+                    }
+                }
+            }
+            
+            if (!foundAddress) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+    }
+
+    public List<String> getEndpointAddresses() {
+        return endpointAddresses;
+    }
+
+    public void setEndpointAddresses(List<String> endpointAddresses) {
+        this.endpointAddresses = endpointAddresses;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index b9b8c29..8291675 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -20,8 +20,11 @@
 package org.apache.cxf.systest.ws.saml;
 
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
 
 import javax.xml.namespace.QName;
 import javax.xml.ws.BindingProvider;
@@ -39,6 +42,7 @@ import org.apache.cxf.systest.ws.saml.client.SamlRoleCallbackHandler;
 import org.apache.cxf.systest.ws.ut.SecurityHeaderCacheInterceptor;
 import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
 import org.apache.wss4j.common.saml.bean.ConditionsBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
@@ -996,4 +1000,59 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testAudienceRestriction() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        String portNumber = PORT2;
+        if (STAX_PORT.equals(test.getPort())) {
+            portNumber = STAX_PORT2;
+        }
+        updateAddressPort(saml2Port, portNumber);
+
+        // Create a SAML Token with an AudienceRestrictionCondition
+        ConditionsBean conditions = new ConditionsBean();
+        List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
+        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+        audienceRestriction.setAudienceURIs(Collections.singletonList(
+            "https://localhost:" + portNumber + "/DoubleItSaml2Transport2"));
+        audienceRestrictions.add(audienceRestriction);
+        conditions.setAudienceRestrictions(audienceRestrictions);
+        
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        saml2Port.doubleIt(25);
+        
+        try {
+            // Now use an "unknown" audience restriction
+            audienceRestriction = new AudienceRestrictionBean();
+            audienceRestriction.setAudienceURIs(Collections.singletonList(
+                "https://localhost:" + portNumber + "/DoubleItSaml2Transport2unknown"));
+            audienceRestrictions.clear();
+            audienceRestrictions.add(audienceRestriction);
+            conditions.setAudienceRestrictions(audienceRestrictions);
+            callbackHandler.setConditions(conditions);
+            
+            saml2Port.doubleIt(25);
+            fail("Failure expected on unknown AudienceRestriction");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+    }
+    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
new file mode 100644
index 0000000..778c068
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.ws.saml;
+
+import java.util.List;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.Audience;
+import org.opensaml.saml2.core.AudienceRestriction;
+import org.opensaml.saml2.core.Conditions;
+
+/**
+ * This class checks that the Audiences received as part of AudienceRestrictions match a
set 
+ * list of endpoints.
+ */
+public class StaxSaml2AudienceRestrictionValidator extends SamlTokenValidatorImpl {
+    
+    private List<String> endpointAddresses;
+    
+    @Override
+    public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
+        super.checkConditions(samlAssertion);
+        
+        Assertion saml2Assertion = samlAssertion.getSaml2();
+        if (saml2Assertion == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        if (endpointAddresses == null || endpointAddresses.isEmpty()) {
+            return;
+        }
+        
+        Conditions conditions = samlAssertion.getSaml2().getConditions();
+        if (conditions != null && conditions.getAudienceRestrictions() != null) {
+            boolean foundAddress = false;
+            for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions())
{
+                List<Audience> audiences = audienceRestriction.getAudiences();
+                if (audiences != null) {
+                    for (Audience audience : audiences) {
+                        String audienceURI = audience.getAudienceURI();
+                        if (endpointAddresses.contains(audienceURI)) {
+                            foundAddress = true;
+                            break;
+                        }
+                    }
+                }
+            }
+            
+            if (!foundAddress) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+            }
+        }
+    }
+
+    public List<String> getEndpointAddresses() {
+        return endpointAddresses;
+    }
+
+    public void setEndpointAddresses(List<String> endpointAddresses) {
+        this.endpointAddresses = endpointAddresses;
+    }
+
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index 080f78b..755e2e1 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -380,6 +380,9 @@
         <wsdl:port name="DoubleItSaml2TransportPort" binding="tns:DoubleItSaml2TransportBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml2Transport"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2TransportPort2" binding="tns:DoubleItSaml2TransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2Transport2"/>
+        </wsdl:port>
     </wsdl:service>
     <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
         <wsp:ExactlyOne>

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index ed1315c..97a6bfa 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -17,7 +17,7 @@
  specific language governing permissions and limitations
  under the License.
 -->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="
        http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd
        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd         http://cxf.apa
 che.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                    http://cxf.apache.org/schemas/configuration/security.xsd
    ">
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core"
xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="         http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans.xsd         http://cxf.apache.org/jaxws
                                    http://cxf.apache.org/schemas/jaxws.xsd         http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
        http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/sc
 hemas/configuration/http-conf.xsd         http://cxf.apache.org/transports/http-jetty/configuration
      http://cxf.apache.org/schemas/configuration/http-jetty.xsd         http://cxf.apache.org/configuration/security
     http://cxf.apache.org/schemas/configuration/security.xsd  http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd   ">
     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
     <cxf:bus>
         <cxf:features>
@@ -258,4 +258,22 @@
             <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    
+    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator">
+        <property name="endpointAddresses">
+            <list>
+                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
+                <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value>
+            </list>
+        </property>
+    </bean>
+            
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/6d272301/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index 4fb7310..0750c09 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -17,7 +17,7 @@
  specific language governing permissions and limitations
  under the License.
 -->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="
        http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd
        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd         http://cxf.apa
 che.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                    http://cxf.apache.org/schemas/configuration/security.xsd
    ">
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core"
xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="         http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans.xsd         http://cxf.apache.org/jaxws
                                    http://cxf.apache.org/schemas/jaxws.xsd         http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
        http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/sc
 hemas/configuration/http-conf.xsd         http://cxf.apache.org/transports/http-jetty/configuration
      http://cxf.apache.org/schemas/configuration/http-jetty.xsd         http://cxf.apache.org/configuration/security
                   http://cxf.apache.org/schemas/configuration/security.xsd   http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd  ">
     <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
     <cxf:bus>
         <cxf:features>
@@ -284,4 +284,23 @@
             <entry key="ws-security.enable.streaming" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    
+    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.StaxSaml2AudienceRestrictionValidator">
+        <property name="endpointAddresses">
+            <list>
+                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
+                <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value>
+            </list>
+        </property>
+    </bean>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
 </beans>


Mime
View raw message