From cohei...@apache.org
Subject [2/3] git commit: Some changes to how the security context is populated
Date Thu, 25 Sep 2014 20:22:15 GMT
Some changes to how the security context is populated

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
	rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
	rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
	systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/87355cf9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/87355cf9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/87355cf9

Branch: refs/heads/2.7.x-fixes
Commit: 87355cf911240f7251b9b55e39c4dbe22f88a427
Parents: c18c63b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Sep 25 19:21:34 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Sep 25 19:54:49 2014 +0100

----------------------------------------------------------------------
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 153 +++++++---
 .../wss4j/saml/CustomSamlValidator.java         |  24 ++
 .../ws/security/wss4j/saml/SamlTokenTest.java   |  82 +++++-
 .../systest/ws/saml/CustomSaml2Validator.java   |  59 ++++
 .../cxf/systest/ws/saml/SamlTokenTest.java      |  17 +-
 .../ws/saml/client/SamlRoleCallbackHandler.java |  19 +-
 .../org/apache/cxf/systest/ws/saml/server.xml   | 279 +++++++++++++++++++
 7 files changed, 579 insertions(+), 54 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index fe6550d..a5c9964 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -20,6 +20,13 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.io.IOException;
 import java.security.Principal;
+<<<<<<< HEAD
+=======
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+>>>>>>> 3e21a02... Some changes to how the security context is populated
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
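Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 3e21a02... Some changes to how the security context is populated` in this import hunk are unresolved merge-conflict markers committed into the source, so WSS4JInInterceptor.java cannot compile on this branch until they are removed. The same markers appear in the later hunks of this file (`@@ -71,6 +77,7 @@`, `@@ -89,6 +96,26 @@`, `@@ -522,40 +549,40 @@`, `@@ -579,28 +606,68 @@`), in CustomSamlValidator.java, in both SamlTokenTest.java files and in the systest SamlTokenTest.java hunk `@@ -495,11 +497,23 @@`. Resolving is not just deleting the markers: the HEAD side keeps `org.apache.ws.security.*` imports while the incoming side adds `org.apache.wss4j.*`, so one API family has to be chosen per file, which appears to be why the commit message lists these files under Conflicts. Until a follow-up resolves them the failure mode is a build break rather than a silent behavioural change, but a branch in this state should not be tagged or released.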
@@ -45,7 +52,6 @@ import javax.xml.transform.dom.DOMSource;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
-
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.SoapVersion;
@@ -71,6 +77,7 @@ import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.interceptors.NegotiationUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
+<<<<<<< HEAD
 import org.apache.ws.security.CustomTokenPrincipal;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
@@ -89,6 +96,26 @@ import org.apache.ws.security.processor.Processor;
 import org.apache.ws.security.util.WSSecurityUtil;
 import org.apache.ws.security.validate.NoOpValidator;
 import org.apache.ws.security.validate.Validator;
+=======
+import org.apache.wss4j.common.cache.ReplayCache;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.processor.Processor;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.NoOpValidator;
+import org.apache.wss4j.dom.validate.Validator;
+>>>>>>> 3e21a02... Some changes to how the security context is populated
 
 /**
  * Performs WS-Security inbound actions.
@@ -272,7 +299,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
             List<WSSecurityEngineResult> wsResult = engine.processSecurityHeader(
                 elem, reqData
             );
-
+            
             if (wsResult != null && !wsResult.isEmpty()) { // security header found
                 if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                     checkSignatureConfirmation(reqData, wsResult);
@@ -522,40 +549,40 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         }
         WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
         results.add(0, rResult);
-
+        
         for (int i = wsResult.size() - 1; i >= 0; i--) {
             WSSecurityEngineResult o = wsResult.get(i);
+            
             Integer action = (Integer)o.get(WSSecurityEngineResult.TAG_ACTION);
-            if (action == WSConstants.ENCR) {
-                // Don't try to parse a Principal for the Decryption case
-                continue;
-            }
             final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL);
             final Subject subject = (Subject)o.get(WSSecurityEngineResult.TAG_SUBJECT);
             final boolean useJAASSubject = MessageUtils
                 .getContextualBoolean(msg, SecurityConstants.SC_FROM_JAAS_SUBJECT, true);
-            if ((subject != null) && !(p instanceof KerberosPrincipal) && useJAASSubject) {
-                String roleClassifier = 
-                    (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
-                if (roleClassifier != null && !"".equals(roleClassifier)) {
-                    String roleClassifierType = 
-                        (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
-                    if (roleClassifierType == null || "".equals(roleClassifierType)) {
-                        roleClassifierType = "prefix";
+            final Object binarySecurity = o.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+            
+            // UsernameToken, Kerberos, Signed SAML token or XML Signature
+            if (action == WSConstants.UT || action == WSConstants.UT_NOPASSWORD
+                || (action == WSConstants.BST && binarySecurity instanceof KerberosSecurity)
+                || action == WSConstants.ST_SIGNED || action == WSConstants.SIGN) {
+                
+                if (action == WSConstants.SIGN) {
+                    // Check we have a public key / certificate for the signing case
+                    PublicKey publickey = 
+                        (PublicKey)o.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+                    X509Certificate cert = 
+                        (X509Certificate)o.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                    
+                    if (publickey == null && cert == null) {
+                        continue;
                     }
-                    msg.put(
-                        SecurityContext.class, 
-                        new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType)
-                    );
-                } else {
-                    msg.put(SecurityContext.class, new DefaultSecurityContext(p, subject));
                 }
-                break;
-            } else if (p != null && isSecurityContextPrincipal(p, wsResult)) {
-                msg.put(PRINCIPAL_RESULT, p);
-                if (!utWithCallbacks) {
-                    WSS4JTokenConverter.convertToken(msg, p);
+                SecurityContext context = 
+                    createSecurityContext(msg, subject, p, useJAASSubject, o, utWithCallbacks);
+                if (context != null) {
+                    msg.put(SecurityContext.class, context);
+                    break;
                 }
+<<<<<<< HEAD
                 Object receivedAssertion = null;
                 if (o.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
                     msg.put(SecurityConstants.DELEGATED_CREDENTIAL, 
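Review bot: The comment `// UsernameToken, Kerberos, Signed SAML token or XML Signature` above the new action filter lists what is accepted but not why the list is now closed, even though the removed lines show the old loop populated the SecurityContext for every result except `WSConstants.ENCR`, including `ST_UNSIGNED`; that is a deliberate tightening and deserves to be stated, e.g. `// Only results that authenticate the sender may populate the SecurityContext; unsigned SAML tokens, Timestamps and decryption results are deliberately excluded`. In the `SIGN` case the `continue` when both `TAG_PUBLIC_KEY` and `TAG_X509_CERTIFICATE` are absent is silent; a fine-level log line there (using the class's logger, if it has one) would make an unexpected key-less signature result visible in diagnostics. `useJAASSubject` is re-read from the message context on every iteration although it does not depend on `o`, so it can be hoisted above the `for` loop. The enclosing method starts before this hunk and its body continues past `<<<<<<< HEAD` into the next one.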
@@ -579,28 +606,68 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
                     msg.put(SecurityContext.class, createSecurityContext(p));
                 }
                 break;
+=======
             }
         }
     }
-
-    /**
-     * Checks if a given WSS4J Principal can be represented as a user principal
-     * inside SecurityContext. Example, UsernameToken or PublicKey principals can
-     * be used to facilitate checking the user roles, etc.
-     */
-    protected boolean isSecurityContextPrincipal(Principal p, List<WSSecurityEngineResult> wsResult) {
-        boolean derivedKeyPrincipal = p instanceof WSDerivedKeyTokenPrincipal;
-        if (derivedKeyPrincipal || p instanceof CustomTokenPrincipal) {
-            // If it is a derived key principal or a Custom Token Principal then let it 
-            // be a SecurityContext principal only if no other principals are available.
-            // The principal will still be visible to custom interceptors as part of the 
-            // WSHandlerConstants.RECV_RESULTS value
-            return wsResult.size() > 1 ? false : true;
-        } else {
-            return true;
+    
+    protected SecurityContext createSecurityContext(
+        SoapMessage msg, Subject subject, Principal p, boolean useJAASSubject,
+        WSSecurityEngineResult wsResult, boolean utWithCallbacks
+    ) {
+        if (subject != null && !(p instanceof KerberosPrincipal) && useJAASSubject) {
+            String roleClassifier = 
+                (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER);
+            if (roleClassifier != null && !"".equals(roleClassifier)) {
+                String roleClassifierType = 
+                    (String)msg.getContextualProperty(SecurityConstants.SUBJECT_ROLE_CLASSIFIER_TYPE);
+                if (roleClassifierType == null || "".equals(roleClassifierType)) {
+                    roleClassifierType = "prefix";
+                }
+                return new RolePrefixSecurityContextImpl(subject, roleClassifier, roleClassifierType);
+            } else {
+                return new DefaultSecurityContext(p, subject);
+            }
+        } else if (p != null) {
+            msg.put(PRINCIPAL_RESULT, p);
+            if (!utWithCallbacks) {
+                WSS4JTokenConverter.convertToken(msg, p);
+            }
+            Object receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+            if (receivedAssertion == null) {
+                receivedAssertion = wsResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
+            }
+            if (wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL) != null) {
+                msg.put(SecurityConstants.DELEGATED_CREDENTIAL, 
+                        wsResult.get(WSSecurityEngineResult.TAG_DELEGATION_CREDENTIAL));
+            }
+            
+            if (receivedAssertion instanceof SamlAssertionWrapper) {
+                String roleAttributeName = (String)msg.getContextualProperty(
+                        SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                if (roleAttributeName == null || roleAttributeName.length() == 0) {
+                    roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
+                }
+                
+                ClaimCollection claims = 
+                    SAMLUtils.getClaims((SamlAssertionWrapper)receivedAssertion);
+                Set<Principal> roles = 
+                    SAMLUtils.parseRolesFromClaims(claims, roleAttributeName, null);
+                
+                SAMLSecurityContext context = 
+                    new SAMLSecurityContext(p, roles, claims);
+                context.setIssuer(SAMLUtils.getIssuer(receivedAssertion));
+                context.setAssertionElement(SAMLUtils.getAssertionElement(receivedAssertion));
+                return context;
+            } else {
+                return createSecurityContext(p);
+>>>>>>> 3e21a02... Some changes to how the security context is populated
+            }
         }
+        
+        return null;
     }
-    
+
     protected void advanceBody(
         SoapMessage msg, Node body
     ) throws SOAPException, XMLStreamException, WSSecurityException {
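Review bot: The new protected overload `createSecurityContext(SoapMessage, Subject, Principal, boolean, WSSecurityEngineResult, boolean)` has no Javadoc, while the `isSecurityContextPrincipal` method it replaces had one, and as a `protected` hook subclasses need its contract. The Javadoc should say that it builds the SecurityContext for a single WSS4J result, preferring the JAAS `Subject` when one is present, `useJAASSubject` is true and the principal is not a `KerberosPrincipal`, otherwise falling back to the `Principal` with SAML role extraction when the result carries a `SamlAssertionWrapper` under `TAG_SAML_ASSERTION` or `TAG_TRANSFORMED_TOKEN`, and returning `null` when neither applies. It should also document the side effects of the principal branch, which writes `PRINCIPAL_RESULT` and `SecurityConstants.DELEGATED_CREDENTIAL` into `msg` and runs `WSS4JTokenConverter.convertToken` before any context is returned. In the subject branch `p` may be null when it reaches `new DefaultSecurityContext(p, subject)`; that is carried over from the removed code, but worth a `@param p` note if null is acceptable there.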

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
index 9b15b1b..676797c 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
@@ -19,12 +19,23 @@
 
 package org.apache.cxf.ws.security.wss4j.saml;
 
+<<<<<<< HEAD
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.OpenSAMLUtil;
 import org.apache.ws.security.validate.Credential;
 import org.apache.ws.security.validate.SamlAssertionValidator;
+=======
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
+>>>>>>> 3e21a02... Some changes to how the security context is populated
 
 /**
  * A trivial custom Validator for a SAML Assertion. It makes sure that the issuer is 
@@ -35,6 +46,7 @@ public class CustomSamlValidator extends SamlAssertionValidator {
     
     private boolean requireSAML1Assertion = true;
     private boolean requireSenderVouches = true;
+    private boolean requireBearer;
     
     public void setRequireSAML1Assertion(boolean requireSAML1Assertion) {
         this.requireSAML1Assertion = requireSAML1Assertion;
@@ -44,6 +56,10 @@ public class CustomSamlValidator extends SamlAssertionValidator {
         this.requireSenderVouches = requireSenderVouches;
     }
     
+    public void setRequireBearer(boolean requireBearer) {
+        this.requireBearer = requireBearer;
+    }
+    
     @Override
     public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
         Credential returnedCredential = super.validate(credential, data);
@@ -67,8 +83,16 @@ public class CustomSamlValidator extends SamlAssertionValidator {
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
         if (requireSenderVouches && !OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
+<<<<<<< HEAD
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         } else if (!requireSenderVouches 
+=======
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        } else if (requireBearer && !(SAML2Constants.CONF_BEARER.equals(confirmationMethod)
+            || SAML1Constants.CONF_BEARER.equals(confirmationMethod))) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        } else if (!requireBearer && !requireSenderVouches 
+>>>>>>> 3e21a02... Some changes to how the security context is populated
             && !OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
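Review bot: The retained context line `throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");` at the end of this hunk uses the `WSSecurityException.FAILURE` form, while the incoming side two branches above uses `WSSecurityException.ErrorCode.FAILURE`; whichever side of the conflict is kept, this line and the one at the top of the hunk must use the same form, or the file still will not compile after the markers are removed. The new `requireBearer` branch itself looks correct: it rejects any confirmation method that is neither `SAML2Constants.CONF_BEARER` nor `SAML1Constants.CONF_BEARER`, and the final `!requireBearer && !requireSenderVouches` guard keeps the holder-of-key check from firing when bearer was explicitly required. The enclosing `validate` method starts before this hunk.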

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index 1e090d4..cee8ddf 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -388,24 +388,39 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml2TokenWithRoles() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+<<<<<<< HEAD
         outProperties.put(WSHandlerConstants.SAML_PROP_FILE, "saml_sv.properties");
         
+=======
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
         validator.setRequireSAML1Assertion(false);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
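Review bot: `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);` on the line after the `SAML2CallbackHandler` is constructed is dead: three lines later `callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);` overwrites it, and the validator is configured with `setRequireBearer(true)`, so only the second call reflects what the test exercises. Drop the `CONF_HOLDER_KEY` call so a reader does not think holder-of-key is under test. The same pair appears in `testSaml2TokenWithRolesSingleValue` (`@@ -438,24 +459,39 @@`) and, with `SAML1Constants`, in `testSaml1TokenWithRoles` (`@@ -488,23 +530,39 @@`). Replacing `assert !receivedAssertion.isSigned();` with `assertTrue(receivedAssertion.isSigned());` in the later hunks is a welcome fix, since the bare `assert` only ran with `-ea`.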
@@ -423,11 +438,17 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
+<<<<<<< HEAD
             WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
         AssertionWrapper receivedAssertion = 
             (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+=======
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+        SamlAssertionWrapper receivedAssertion = 
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     /**
@@ -438,24 +459,39 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml2TokenWithRolesSingleValue() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+<<<<<<< HEAD
         outProperties.put(WSHandlerConstants.SAML_PROP_FILE, "saml_sv.properties");
         
+=======
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(false);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
         validator.setRequireSAML1Assertion(false);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml2:Assertion");
@@ -473,11 +509,17 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
+<<<<<<< HEAD
             WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
         AssertionWrapper receivedAssertion = 
             (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+=======
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+        SamlAssertionWrapper receivedAssertion = 
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     /**
@@ -488,23 +530,39 @@ public class SamlTokenTest extends AbstractSecurityTest {
     public void testSaml1TokenWithRoles() throws Exception {
         Map<String, Object> outProperties = new HashMap<String, Object>();
         outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+<<<<<<< HEAD
         outProperties.put(WSHandlerConstants.SAML_PROP_FILE, "saml_sv.properties");
         
+=======
+        outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        outProperties.put(WSHandlerConstants.USER, "alice");
+        outProperties.put("password", "password");
+        outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+        callbackHandler.setSignAssertion(true);
         callbackHandler.setStatement(Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_BEARER);
+        
         outProperties.put(
             WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler
         );
         
         Map<String, Object> inProperties = new HashMap<String, Object>();
-        inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
+        inProperties.put(
+            WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED 
+        );
+        inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         final Map<QName, Object> customMap = new HashMap<QName, Object>();
         CustomSamlValidator validator = new CustomSamlValidator();
+        validator.setRequireSAML1Assertion(true);
+        validator.setRequireSenderVouches(false);
+        validator.setRequireBearer(true);
         customMap.put(WSSecurityEngine.SAML_TOKEN, validator);
         customMap.put(WSSecurityEngine.SAML2_TOKEN, validator);
         inProperties.put(WSS4JInInterceptor.VALIDATOR_MAP, customMap);
         
-        
         List<String> xpaths = new ArrayList<String>();
         xpaths.add("//wsse:Security");
         xpaths.add("//wsse:Security/saml1:Assertion");
@@ -522,11 +580,17 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
+<<<<<<< HEAD
             WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
         AssertionWrapper receivedAssertion = 
             (AssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+=======
+            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+        SamlAssertionWrapper receivedAssertion = 
+            (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
-        assert !receivedAssertion.isSigned();
+        assertTrue(receivedAssertion.isSigned());
     }
     
     private SoapMessage makeInvocation(

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
new file mode 100644
index 0000000..e5c63fb
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/CustomSaml2Validator.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.ws.saml;
+
+import java.util.List;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
+import org.opensaml.saml2.core.Assertion;
+import org.opensaml.saml2.core.AttributeStatement;
+
+/**
+ * This class does some trivial validation of a received SAML Assertion. It checks that it is
+ * a SAML 2 Assertion, and checks the issuer name and that it has an Attribute Statement. 
+ */
+public class CustomSaml2Validator extends SamlAssertionValidator {
+    
+    @Override
+    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
+        Credential validatedCredential = super.validate(credential, data);
+        SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
+        
+        if (!"sts".equals(assertion.getIssuerString())) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        Assertion saml2Assertion = assertion.getSaml2();
+        if (saml2Assertion == null) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        List<AttributeStatement> attributeStatements = saml2Assertion.getAttributeStatements();
+        if (attributeStatements == null || attributeStatements.isEmpty()) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
+        return validatedCredential;
+    }
+
+}
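Review bot: `assertion.getIssuerString()` in `validate` dereferences the result of `validatedCredential.getSamlAssertion()` without a null check, so if `super.validate` can ever return a credential without an assertion the caller sees a `NullPointerException` instead of the `WSSecurityException` every other failure path raises. If the superclass guarantees a non-null assertion this is moot; otherwise add `if (assertion == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); }` before the issuer comparison. The class Javadoc matches what the code checks (SAML 2, issuer `"sts"`, at least one `AttributeStatement`), which is good for a test validator.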

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index e18221b..7fe3be0 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -274,8 +274,10 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
             assertTrue(ex.getMessage().contains("Wrong SAML Version"));
         }
         
+        SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+        samlCallbackHandler.setSignAssertion(true);
         ((BindingProvider)saml2Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", new SamlCallbackHandler()
+            "ws-security.saml-callback-handler", samlCallbackHandler
         );
         int result = saml2Port.doubleIt(25);
         assertTrue(result == 50);
@@ -495,11 +497,23 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
                 service.getPort(portQName, DoubleItPortType.class);
         updateAddressPort(saml2Port, PORT);
         
+<<<<<<< HEAD
         ((BindingProvider)saml2Port).getRequestContext().put(
             "ws-security.saml-callback-handler", new SamlCallbackHandler()
         );
         int result = saml2Port.doubleIt(25);
         assertTrue(result == 50);
+=======
+        // This test only works for DOM
+        if (!test.isStreaming() && PORT.equals(test.getPort())) {
+            SamlCallbackHandler samlCallbackHandler = new SamlCallbackHandler();
+            ((BindingProvider)saml2Port).getRequestContext().put(
+                "ws-security.saml-callback-handler", samlCallbackHandler
+            );
+            int result = saml2Port.doubleIt(25);
+            assertTrue(result == 50);
+        }
+>>>>>>> 3e21a02... Some changes to how the security context is populated
         
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
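Review bot: Unresolved merge-conflict markers are committed into SamlTokenTest.java in this hunk — `<<<<<<< HEAD`, `=======` and `>>>>>>> 3e21a02... Some changes to how the security context is populated` are all added lines — so the test source no longer compiles; the commit message's "Conflicts:" list shows the conflict was noticed but this file was left unresolved. Exactly one of the two bodies should survive, either the original unconditional block or the new `if (!test.isStreaming() && PORT.equals(test.getPort())) { ... }` guard, and the three marker lines must be removed. The guarded variant references a `test` field that is not visible in this hunk; if the 2.7.x branch has no such field, the unconditional variant is the one to keep. The enclosing test method starts and ends outside the hunk.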
@@ -740,6 +754,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         
         SamlRoleCallbackHandler roleCallbackHandler = 
             new SamlRoleCallbackHandler();
+        roleCallbackHandler.setSignAssertion(true);
         roleCallbackHandler.setRoleName("manager");
         ((BindingProvider)saml2Port).getRequestContext().put(
             "ws-security.saml-callback-handler", roleCallbackHandler

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
index 71ee987..37fcf9f 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlRoleCallbackHandler.java
@@ -47,9 +47,13 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
     private static final String ROLE_URI = 
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
     private boolean saml2 = true;
-    private String confirmationMethod = SAML2Constants.CONF_SENDER_VOUCHES;
+    private String confirmationMethod = SAML2Constants.CONF_BEARER;
     private CERT_IDENTIFIER keyInfoIdentifier = CERT_IDENTIFIER.X509_CERT;
     private String roleName;
+    private boolean signAssertion;
+    private String cryptoAlias = "alice";
+    private String cryptoPassword = "password";
+    private String cryptoPropertiesFile = "alice.properties";
     
     public SamlRoleCallbackHandler() {
         //
@@ -122,6 +126,16 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
                 attributeBean.setAttributeValues(Collections.singletonList(roleName));
                 attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
                 callback.setAttributeStatementData(Collections.singletonList(attrBean));
+                
+                try {
+                    Crypto crypto = CryptoFactory.getInstance(cryptoPropertiesFile);
+                    callback.setIssuerCrypto(crypto);
+                    callback.setIssuerKeyName(cryptoAlias);
+                    callback.setIssuerKeyPassword(cryptoPassword);
+                    callback.setSignAssertion(signAssertion);
+                } catch (Exception ex) {
+                    throw new IOException("Problem creating KeyInfo: " +  ex.getMessage());
+                }
             }
         }
     }
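Review bot: The new catch block at the end of the hunk discards the original exception — `throw new IOException("Problem creating KeyInfo: " + ex.getMessage());` keeps only the message, so a failure to load `alice.properties` or the signing key loses its stack trace, and the message names KeyInfo although the try block is loading the issuer Crypto and key. Use the cause-preserving constructor, `throw new IOException("Problem loading issuer crypto for signing the SAML assertion", ex);`, and narrow `catch (Exception ex)` to the checked type `CryptoFactory.getInstance` declares if nothing else in the block throws. In the first hunk the default confirmation method switches to `SAML2Constants.CONF_BEARER` while `signAssertion` defaults to false, so an unsigned bearer assertion is produced unless the test calls `setSignAssertion(true)`; a comment on that field, e.g. `// bearer assertions are only trusted by the recipient when issuer-signed; tests opt in via setSignAssertion(true)`, would make this explicit. The enclosing handle method starts outside the hunk.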
@@ -152,4 +166,7 @@ public class SamlRoleCallbackHandler implements CallbackHandler {
         this.roleName = roleName;
     }
     
+    public void setSignAssertion(boolean signAssertion) {
+        this.signAssertion = signAssertion;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/87355cf9/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
new file mode 100644
index 0000000..6027841
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -0,0 +1,279 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="         http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd         http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/sc
 hemas/configuration/http-conf.xsd         http://cxf.apache.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd         http://cxf.apache.org/configuration/security      http://cxf.apache.org/schemas/configuration/security.xsd  http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd   ">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <p:policies/>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <!-- -->
+    <!-- Any services listening on port 9009 must use the following -->
+    <!-- Transport Layer Security (TLS) settings -->
+    <!-- -->
+    <httpj:engine-factory id="tls-settings">
+        <httpj:engine port="${testutil.ports.Server.2}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:cipherSuitesFilter>
+                    <sec:include>.*_EXPORT_.*</sec:include>
+                    <sec:include>.*_EXPORT1024_.*</sec:include>
+                    <sec:include>.*_WITH_DES_.*</sec:include>
+                    <sec:include>.*_WITH_AES_.*</sec:include>
+                    <sec:include>.*_WITH_NULL_.*</sec:include>
+                    <sec:exclude>.*_DH_anon_.*</sec:exclude>
+                </sec:cipherSuitesFilter>
+                <sec:clientAuthentication want="true" required="true"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+       </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+       </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="bob"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.Server.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
+                    <wsp:ExactlyOne>
+                        <wsp:All>
+                            <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken">
+                                <wsp:ExactlyOne>
+                                    <wsp:All>
+                                        <sp:TransportBinding>
+                                            <wsp:Policy>
+                                                <sp:TransportToken>
+                                                    <wsp:Policy>
+                                                        <sp:HttpsToken>
+                                                            <wsp:Policy/>
+                                                        </sp:HttpsToken>
+                                                    </wsp:Policy>
+                                                </sp:TransportToken>
+                                                <sp:Layout>
+                                                    <wsp:Policy>
+                                                        <sp:Lax/>
+                                                    </wsp:Policy>
+                                                </sp:Layout>
+                                                <sp:IncludeTimestamp/>
+                                                <sp:AlgorithmSuite>
+                                                    <wsp:Policy>
+                                                        <sp:Basic128/>
+                                                    </wsp:Policy>
+                                                </sp:AlgorithmSuite>
+                                            </wsp:Policy>
+                                        </sp:TransportBinding>
+                                        <sp:SupportingTokens>
+                                            <wsp:Policy>
+                                                <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                                    <wsp:Policy>
+                                                        <sp:WssSamlV11Token11/>
+                                                    </wsp:Policy>
+                                                </sp:SamlToken>
+                                            </wsp:Policy>
+                                        </sp:SupportingTokens>
+                                    </wsp:All>
+                                </wsp:ExactlyOne>
+                            </wsp:Policy>
+                        </wsp:All>
+                    </wsp:ExactlyOne>
+                </wsp:Policy>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
+    <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
+        <constructor-arg ref="MockPDP"/>
+    </bean>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+        <jaxws:inInterceptors>
+            <ref bean="XACMLInterceptor"/>
+        </jaxws:inInterceptors>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator">
+        <property name="endpointAddresses">
+            <list>
+                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
+                <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value>
+            </list>
+        </property>
+    </bean>
+            
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+</beans>
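Review bot: The `sec:cipherSuitesFilter` under `tls-settings` includes `.*_EXPORT_.*`, `.*_EXPORT1024_.*`, `.*_WITH_DES_.*` and `.*_WITH_NULL_.*`, which admits export-grade, single-DES and NULL-encryption suites on the test server's TLS engine; the `.*_WITH_AES_.*` include is likely sufficient for these tests, and dropping the weak entries avoids the fixture being reused as a template. If the weak suites are kept for compatibility reasons, a comment above the filter such as `<!-- test-only cipher filter: do not reuse in a production engine-factory -->` would record that intent. Separately, the `</jaxws:properties>` closing tags in the first two endpoints are indented seven spaces instead of eight, and `Saml2TokenOverAsymmetricEncrypted` is the only asymmetric SAML2 endpoint without a `ws-security.saml2.validator` entry, which may be intentional but deserves a comment.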

