cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject git commit: Largeish refactor to properly support SignedParts associated with EndorsingSupportingTokens
Date Mon, 28 Jul 2014 14:54:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes fbaa6bb27 -> 2e250f690


Largeish refactor to properly support SignedParts associated with EndorsingSupportingTokens


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e250f69
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e250f69
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e250f69

Branch: refs/heads/3.0.x-fixes
Commit: 2e250f6900fee9214e4dff7596e8fcff7440e4b9
Parents: fbaa6bb
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Jul 28 15:43:15 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Jul 28 15:53:50 2014 +0100

----------------------------------------------------------------------
 .../policyhandlers/AbstractBindingBuilder.java  | 92 ++++++++++++++------
 .../AsymmetricBindingHandler.java               | 32 +++----
 .../policyhandlers/SymmetricBindingHandler.java | 17 ++--
 .../AbstractSupportingTokenPolicyValidator.java | 52 ++++++++++-
 .../EndorsingEncryptedTokenPolicyValidator.java |  5 +-
 .../EndorsingTokenPolicyValidator.java          |  5 +-
 ...dEndorsingEncryptedTokenPolicyValidator.java |  5 +-
 .../SignedEndorsingTokenPolicyValidator.java    |  5 +-
 .../cxf/systest/ws/x509/X509TokenTest.java      | 29 ++++++
 .../cxf/systest/ws/x509/DoubleItX509.wsdl       | 72 +++++++++++++++
 .../org/apache/cxf/systest/ws/x509/client.xml   |  9 ++
 .../org/apache/cxf/systest/ws/x509/server.xml   |  8 ++
 .../apache/cxf/systest/ws/x509/stax-server.xml  |  9 ++
 13 files changed, 282 insertions(+), 58 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 0a6a075..6aa6142 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -111,6 +111,7 @@ import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
@@ -177,6 +178,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     
     private Element lastSupportingTokenElement;
     private Element lastDerivedKeyElement;
+    private List<AbstractSecurityAssertion> suppTokenParts = new ArrayList<AbstractSecurityAssertion>();
     
     public AbstractBindingBuilder(
                            WSSConfig config,
@@ -392,7 +394,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             for (AssertionInfo assertionInfo : tokensInfos) {
                 if (assertionInfo.getAssertion() instanceof SupportingTokens) {
                     assertionInfo.setAsserted(true);
-                    handleSupportingTokens((SupportingTokens)assertionInfo.getAssertion(),
endorse, ret);
+                    try {
+                        handleSupportingTokens((SupportingTokens)assertionInfo.getAssertion(),
endorse, ret);
+                    } catch (SOAPException ex) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
ex);
+                    }
                 }
             }
         }
@@ -403,13 +409,15 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         SupportingTokens suppTokens, 
         boolean endorse,
         List<SupportingToken> ret
-    ) throws WSSecurityException {
+    ) throws WSSecurityException, SOAPException {
         if (suppTokens == null) {
             return ret;
         }
         for (AbstractToken token : suppTokens.getTokens()) {
             assertToken(token);
             if (!isTokenRequired(token.getIncludeTokenType())) {
+                // Check for any SignedParts so as *not* to sign them
+                getSignedParts(suppTokens);
                 continue;
             }
             if (token instanceof UsernameToken) {
@@ -442,7 +450,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
                 if (secToken.getX509Certificate() == null) {  
                     ret.add(
-                        new SupportingToken(token, new WSSecurityTokenHolder(wssConfig, secToken))
+                        new SupportingToken(token, new WSSecurityTokenHolder(wssConfig, secToken),
+                                            getSignedParts(suppTokens))
                     );
                 } else {
                     WSSecSignature sig = new WSSecSignature(wssConfig);                 
  
@@ -482,7 +491,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                         throw new Fault(e);
                     }
                     
-                    ret.add(new SupportingToken(token, sig));                
+                    ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
               
                 }
 
             } else if (token instanceof X509Token) {
@@ -506,20 +515,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                         encryptedTokensList.add(part);
                     }
                 }
-                ret.add(new SupportingToken(token, sig));
+                ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
             } else if (token instanceof KeyValueToken) {
                 WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
                 if (suppTokens.isEncryptedToken()) {
                     WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                     encryptedTokensList.add(part);
                 }
-                ret.add(new SupportingToken(token, sig));                
+                ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));   
            
             } else if (token instanceof SamlToken) {
                 SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
                 if (assertionWrapper != null) {
                     Element assertionElement = assertionWrapper.toDOM(saaj.getSOAPPart());
                     addSupportingElement(assertionElement);
-                    ret.add(new SupportingToken(token, assertionWrapper));
+                    ret.add(new SupportingToken(token, assertionWrapper, getSignedParts(suppTokens)));
                     if (suppTokens.isEncryptedToken()) {
                         WSEncryptionPart part = new WSEncryptionPart(assertionWrapper.getId(),
"Element");
                         part.setElement(assertionElement);
@@ -528,6 +537,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 }
             }
         }
+        
         return ret;
     }
     
@@ -539,7 +549,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             if (utBuilder != null) {
                 utBuilder.prepare(saaj.getSOAPPart());
                 addSupportingElement(utBuilder.getUsernameTokenElement());
-                ret.add(new SupportingToken(token, utBuilder));
+                ret.add(new SupportingToken(token, utBuilder, null));
                 if (encryptedToken) {
                     WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
                     part.setElement(utBuilder.getUsernameTokenElement());
@@ -551,7 +561,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             if (utBuilder != null) {
                 utBuilder.prepare(saaj.getSOAPPart());
                 addSupportingElement(utBuilder.getUsernameTokenElement());
-                ret.add(new SupportingToken(token, utBuilder));
+                ret.add(new SupportingToken(token, utBuilder, null));
                 //WebLogic and WCF always encrypt these
                 //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
                 //encryptedTokensIdList.add(utBuilder.getId());
@@ -1066,7 +1076,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                                    celements == null ? null : celements.getXPaths());
     }    
     
-    public List<WSEncryptionPart> getSignedParts() 
+    public List<WSEncryptionPart> getSignedParts(SupportingTokens supportingToken)

         throws SOAPException {
         
         boolean isSignBody = false;
@@ -1074,20 +1084,38 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         SignedParts parts = null;
         SignedElements elements = null;
         
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                parts = (SignedParts)ai.getAssertion();
-                ai.setAsserted(true);
-            }            
-        }
-        
-        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                elements = (SignedElements)ai.getAssertion();
-                ai.setAsserted(true);
-            }            
+        if (supportingToken != null && supportingToken.isEndorsing()) {
+            parts = supportingToken.getSignedParts();
+            elements = supportingToken.getSignedElements();
+            // Store them so that the main Signature doesn't sign them
+            if (parts != null) {
+                suppTokenParts.add(parts);
+            }
+            if (elements != null) {
+                suppTokenParts.add(elements);
+            }
+        } else {
+            Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS);
+            if (!ais.isEmpty()) {
+                for (AssertionInfo ai : ais) {
+                    SignedParts signedParts = (SignedParts)ai.getAssertion();
+                    if (!suppTokenParts.contains(signedParts)) {
+                        parts = signedParts;
+                        ai.setAsserted(true);
+                    }
+                }            
+            }
+            
+            ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS);
+            if (!ais.isEmpty()) {
+                for (AssertionInfo ai : ais) {
+                    SignedElements signedElements = (SignedElements)ai.getAssertion();
+                    if (!suppTokenParts.contains(signedElements)) {
+                        elements = signedElements;
+                        ai.setAsserted(true);
+                    }
+                }            
+            }
         }
         
         List<WSEncryptionPart> signedParts = new ArrayList<WSEncryptionPart>();
@@ -1785,6 +1813,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             sigPart.setElement(bottomUpElement);
             sigParts.add(sigPart);
             
+            if (supportingToken.getSignedParts() != null) {
+                for (WSEncryptionPart signedPart : supportingToken.getSignedParts()) {
+                    sigParts.add(signedPart);
+                }
+            }
+            
             if (tempTok instanceof WSSecSignature) {
                 WSSecSignature sig = (WSSecSignature)tempTok;
                 if (isTokenProtection && sig.getBSTTokenId() != null) {
@@ -2191,10 +2225,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     static class SupportingToken {
         private final AbstractToken token;
         private final Object tokenImplementation;
+        private final List<WSEncryptionPart> signedParts;
         
-        public SupportingToken(AbstractToken token, Object tokenImplementation) {
+        public SupportingToken(AbstractToken token, Object tokenImplementation,
+                               List<WSEncryptionPart> signedParts) {
             this.token = token;
             this.tokenImplementation = tokenImplementation;
+            this.signedParts = signedParts;
         }
         
         public AbstractToken getToken() {
@@ -2204,5 +2241,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         public Object getTokenImplementation() {
             return tokenImplementation;
         }
+
+        public List<WSEncryptionPart> getSignedParts() {
+            return signedParts;
+        }
+
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 2182092..9ea8487 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -308,13 +308,26 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder
{
             assertToken(initiatorToken);
         }
         
+        List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
+        if (timestampEl != null) {
+            WSEncryptionPart timestampPart = 
+                convertToEncryptionPart(timestampEl.getElement());
+            sigParts.add(timestampPart);
+        }
+
+        try {
+            addSupportingTokens(sigParts);
+        } catch (WSSecurityException ex) {
+            LOG.log(Level.FINE, ex.getMessage(), ex);
+            policyNotAsserted(encryptionToken, ex);
+        }
+        
         List<WSEncryptionPart> encrParts = null;
-        List<WSEncryptionPart> sigParts = null;
         try {
             encrParts = getEncryptedParts();
             //Signed parts are determined before encryption because encrypted signed  headers
             //will not be included otherwise
-            sigParts = getSignedParts();
+            sigParts.addAll(this.getSignedParts(null));
         } catch (SOAPException ex) {
             LOG.log(Level.FINE, ex.getMessage(), ex);
             throw new Fault(ex);
@@ -325,19 +338,6 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder
{
             encrBase = doEncryption(wrapper, encrParts, true);
             handleEncryptedSignedHeaders(encrParts, sigParts);
         }
-
-        if (timestampEl != null) {
-            WSEncryptionPart timestampPart = 
-                convertToEncryptionPart(timestampEl.getElement());
-            sigParts.add(timestampPart);
-        }
-
-        try {
-            addSupportingTokens(sigParts);
-        } catch (WSSecurityException ex) {
-            LOG.log(Level.FINE, ex.getMessage(), ex);
-            policyNotAsserted(encryptionToken, ex);
-        }
         
         if (!isRequestor()) {
             addSignatureConfirmation(sigParts);
@@ -597,7 +597,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         }
         
         AbstractToken sigToken = wrapper.getToken();
-        sigParts.addAll(this.getSignedParts());
+        sigParts.addAll(this.getSignedParts(null));
         if (sigParts.isEmpty()) {
             // Add the BST to the security header if required
             if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index a036644..99314f7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -139,8 +139,6 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
             assertTokenWrapper(encryptionWrapper);
             AbstractToken encryptionToken = encryptionWrapper.getToken();
-            List<WSEncryptionPart> encrParts = getEncryptedParts();
-            List<WSEncryptionPart> sigParts = getSignedParts();
             
             if (encryptionToken != null) {
                 //The encryption token can be an IssuedToken or a 
@@ -192,17 +190,19 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     attached = true;
                 }
                 
-                WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts,
true);
-                
-                handleEncryptedSignedHeaders(encrParts, sigParts);
-                
+                List<WSEncryptionPart> sigParts = new ArrayList<WSEncryptionPart>();
                 if (timestampEl != null) {
                     WSEncryptionPart timestampPart = 
                         convertToEncryptionPart(timestampEl.getElement());
                     sigParts.add(timestampPart);        
                 }
-                
                 addSupportingTokens(sigParts);
+                sigParts.addAll(this.getSignedParts(null));
+
+                List<WSEncryptionPart> encrParts = getEncryptedParts();
+                WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts,
true);
+                handleEncryptedSignedHeaders(encrParts, sigParts);
+                
                 if (!isRequestor()) {
                     addSignatureConfirmation(sigParts);
                 }
@@ -327,13 +327,14 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
             }
         
             //Add timestamp
-            List<WSEncryptionPart> sigs = getSignedParts();
+            List<WSEncryptionPart> sigs = new ArrayList<WSEncryptionPart>();
             if (timestampEl != null) {
                 WSEncryptionPart timestampPart = convertToEncryptionPart(timestampEl.getElement());
                 sigs.add(timestampPart);        
             }
 
             addSupportingTokens(sigs);
+            sigs.addAll(getSignedParts(null));
             if (isRequestor()) {
                 if (!sigs.isEmpty()) {
                     signatures.add(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok,
tokIncluded));

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 93cb1f6..a6419dd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -23,6 +23,7 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
@@ -38,13 +39,14 @@ import javax.xml.xpath.XPathFactory;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
-
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -55,12 +57,17 @@ import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.PKIPathSecurity;
 import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.EncryptedElements;
 import org.apache.wss4j.policy.model.EncryptedParts;
 import org.apache.wss4j.policy.model.Header;
 import org.apache.wss4j.policy.model.RequiredElements;
 import org.apache.wss4j.policy.model.SignedElements;
 import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.SupportingTokens;
 
 /**
  * A base class to use to validate various SupportingToken policies.
@@ -873,4 +880,47 @@ public abstract class AbstractSupportingTokenPolicyValidator
         this.encryptedParts = encryptedParts;
     }
     
+    protected void assertSecurePartsIfTokenNotRequired(
+        SupportingTokens supportingToken, AssertionInfoMap aim
+    ) {
+        if (supportingToken.getSignedParts() != null) {
+            assertSecurePartsIfTokenNotRequired(supportingToken.getSignedParts(),
+                                                SPConstants.SIGNED_PARTS, aim);
+        }
+        if (supportingToken.getSignedElements() != null) {
+            assertSecurePartsIfTokenNotRequired(supportingToken.getSignedElements(),
+                                                SPConstants.SIGNED_ELEMENTS, aim);
+        }
+        if (supportingToken.getEncryptedParts() != null) {
+            assertSecurePartsIfTokenNotRequired(supportingToken.getEncryptedParts(),
+                                                SPConstants.ENCRYPTED_PARTS, aim);
+        }
+        if (supportingToken.getEncryptedElements() != null) {
+            assertSecurePartsIfTokenNotRequired(supportingToken.getEncryptedElements(),
+                                                SPConstants.ENCRYPTED_ELEMENTS, aim);
+        }
+    }
+
+    protected void assertSecurePartsIfTokenNotRequired(
+        AbstractSecurityAssertion securedPart, String localName, AssertionInfoMap aim
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS,
localName));
+        if (sp11Ais != null && !sp11Ais.isEmpty()) {
+            for (AssertionInfo ai : sp11Ais) {
+                if (ai.getAssertion().equals(securedPart)) {
+                    ai.setAsserted(true);
+                }
+            }    
+        }
+
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS,
localName));
+        if (sp12Ais != null && !sp12Ais.isEmpty()) {
+            for (AssertionInfo ai : sp12Ais) {
+                if (ai.getAssertion().equals(securedPart)) {
+                    ai.setAsserted(true);
+                }
+            }    
+        }
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index bb8b89f..cb490ba 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -64,13 +64,13 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
             setSignedResults(signedResults);
             setEncryptedResults(encryptedResults);
             
-            parsePolicies(ais, message);
+            parsePolicies(aim, ais, message);
         }
         
         return true;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -83,6 +83,7 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
+                    assertSecurePartsIfTokenNotRequired(binding, aim);
                     continue;
                 }
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index af09a72..50082c3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -64,13 +64,13 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
             setSignedResults(signedResults);
             setEncryptedResults(encryptedResults);
             
-            parsePolicies(ais, message);
+            parsePolicies(aim, ais, message);
         }
         
         return true;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -83,6 +83,7 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
+                    assertSecurePartsIfTokenNotRequired(binding, aim);
                     continue;
                 }
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index 8ecc843..da0640b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -65,13 +65,13 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
             setSignedResults(signedResults);
             setEncryptedResults(encryptedResults);
             
-            parsePolicies(ais, message);
+            parsePolicies(aim, ais, message);
         }
         
         return true;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -84,6 +84,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
+                    assertSecurePartsIfTokenNotRequired(binding, aim);
                     continue;
                 }
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 9077e7c..5262e7f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -64,13 +64,13 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
             setSignedResults(signedResults);
             setEncryptedResults(encryptedResults);
 
-            parsePolicies(ais, message);
+            parsePolicies(aim, ais, message);
         }
         
         return true;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -83,6 +83,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
+                    assertSecurePartsIfTokenNotRequired(binding, aim);
                     continue;
                 }
                 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
index 633116c..ae4ab7f 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
@@ -769,6 +769,35 @@ public class X509TokenTest extends AbstractBusClientServerTestBase {
     }
     
     @org.junit.Test
+    public void testAsymmetricEndorsing() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = X509TokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEndorsingPort");
+        DoubleItPortType x509Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(x509Port, test.getPort());
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(x509Port);
+        }
+        
+        if (!test.isStreaming() && !STAX_PORT.equals(test.getPort())) {
+            x509Port.doubleIt(25);
+        }
+        
+        ((java.io.Closeable)x509Port).close();
+        bus.shutdown(true);
+    }
+  
+    @org.junit.Test
     public void testSymmetricUsernameToken() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
index 2e170ff..567af07 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
@@ -415,6 +415,22 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItAsymmetricEndorsingBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricEndorsingPolicy"/>
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault"/>
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItSymmetricUsernameTokenBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItSymmetricUsernameTokenPolicy"/>
         <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
@@ -659,6 +675,9 @@
         <wsdl:port name="DoubleItAsymmetricUsernameTokenPort" binding="tns:DoubleItAsymmetricUsernameTokenBinding">
             <soap:address location="http://localhost:9001/DoubleItX509AsymmetricUsernameToken"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricEndorsingPort" binding="tns:DoubleItAsymmetricEndorsingBinding">
+            <soap:address location="http://localhost:9001/DoubleItX509AsymmetricEndorsing"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSymmetricUsernameTokenPort" binding="tns:DoubleItSymmetricUsernameTokenBinding">
             <soap:address location="http://localhost:9001/DoubleItX509SymmetricUsernameToken"/>
         </wsdl:port>
@@ -1411,6 +1430,59 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItAsymmetricEndorsingPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding>
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+                <sp:EndorsingSupportingTokens>
+                    <wsp:Policy>
+                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                            <wsp:Policy>
+                                <sp:RequireThumbprintReference/>
+                                <sp:WssX509V3Token10/>
+                            </wsp:Policy>
+                        </sp:X509Token>
+                        <sp:SignedParts>
+                            <sp:Body/>
+                        </sp:SignedParts>
+                    </wsp:Policy>
+                </sp:EndorsingSupportingTokens>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy wsu:Id="DoubleItSymmetricUsernameTokenPolicy">
         <wsp:ExactlyOne>
             <wsp:All>

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
index a7a292b..072090d 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml
@@ -230,6 +230,15 @@
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
         </jaxws:properties>
     </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricEndorsingPort"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.encryption.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="bob"/>
+            <entry key="ws-security.signature.properties" value="alice.properties"/>
+            <entry key="ws-security.signature.username" value="alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+        </jaxws:properties>
+    </jaxws:client>
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricUsernameTokenPort"
createdFromAPI="true">
         <jaxws:properties>
             <entry key="ws-security.encryption.properties" value="bob.properties"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
index a5b968e..43aa897 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml
@@ -238,6 +238,14 @@
             <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricEndorsing"
address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricEndorsing" serviceName="s:DoubleItService"
endpointName="s:DoubleItAsymmetricEndorsingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricUsernameToken"
address="http://localhost:${testutil.ports.Server}/DoubleItX509SymmetricUsernameToken" serviceName="s:DoubleItService"
endpointName="s:DoubleItSymmetricUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>

http://git-wip-us.apache.org/repos/asf/cxf/blob/2e250f69/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
index f068c93..6c88e53 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml
@@ -263,6 +263,15 @@
             <entry key="ws-security.enable.streaming" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricEndorsing"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricEndorsing" serviceName="s:DoubleItService"
endpointName="s:DoubleItAsymmetricEndorsingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricUsernameToken"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509SymmetricUsernameToken"
serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricUsernameTokenPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>


Mime
View raw message