cxf-commits mailing list archives

From cohei...@apache.org
Subject [3/3] cxf git commit: Fixing last commit
Date Fri, 16 Jan 2015 17:01:14 GMT
Fixing last commit


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b416a783
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b416a783
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b416a783

Branch: refs/heads/2.7.x-fixes
Commit: b416a7830913a34c487e5526cd769a7d89532bd6
Parents: 4115b59
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jan 16 17:00:59 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jan 16 17:00:59 2015 +0000

----------------------------------------------------------------------
 .../ws/security/wss4j/WSS4JInInterceptor.java   |   2 +-
 .../security/wss4j/WSS4JStaxInInterceptor.java  | 480 -------------------
 .../cxf/systest/ws/saml/SamlTokenTest.java      |  81 +---
 .../org/apache/cxf/systest/ws/saml/server.xml   | 270 -----------
 .../cxf/systest/ws/saml/server/server.xml       |  20 +-
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 298 ------------
 6 files changed, 22 insertions(+), 1129 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 860a09f..c790c7a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -345,7 +345,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         boolean enableAudienceRestriction = 
             MessageUtils.getContextualBoolean(msg, 
                                               SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, 
-                                              true);
+                                              false);
         if (enableAudienceRestriction) {
             List<String> audiences = new ArrayList<String>();
             if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
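Review bot: The fallback passed to `MessageUtils.getContextualBoolean` for `SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION` is now `false`, so on this branch a SAML assertion whose AudienceRestriction names a different recipient is accepted unless the deployment sets the property itself. Neither the code nor the commit message ("Fixing last commit") says this is deliberate; it is presumably meant to keep existing 2.7.x endpoints working, but that should be stated where the default lives. I would add a comment above the call such as `// Opt-in on 2.7.x: audience restriction validation stays off unless AUDIENCE_RESTRICTION_VALIDATION is set to true`, and repeat the default in the Javadoc of the constant so operators know they have to enable it. The enclosing method starts and ends outside the hunk, so how `audiences` is used after this point cannot be checked here.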

http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
deleted file mode 100644
index eb034a1..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
+++ /dev/null
@@ -1,480 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.ws.security.wss4j;
-
-import java.io.IOException;
-import java.security.Provider;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-import java.util.logging.Logger;
-
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamReader;
-import javax.xml.stream.util.StreamReaderDelegate;
-
-import org.apache.cxf.binding.soap.SoapFault;
-import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.binding.soap.SoapVersion;
-import org.apache.cxf.common.classloader.ClassLoaderUtils;
-import org.apache.cxf.common.i18n.Message;
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.StaxInInterceptor;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.wss4j.common.ConfigurationConstants;
-import org.apache.wss4j.common.WSSPolicyException;
-import org.apache.wss4j.common.cache.ReplayCache;
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.stax.ConfigurationConverter;
-import org.apache.wss4j.stax.WSSec;
-import org.apache.wss4j.stax.ext.InboundWSSec;
-import org.apache.wss4j.stax.ext.WSSConstants;
-import org.apache.wss4j.stax.ext.WSSSecurityProperties;
-import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
-import org.apache.wss4j.stax.validate.Validator;
-import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
-
-public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor {
-    
-    public static final String SECURITY_PROCESSED = WSS4JStaxInInterceptor.class.getName() + ".DONE";
-    
-    private static final Logger LOG = LogUtils.getL7dLogger(WSS4JStaxInInterceptor.class);
-    
-    public WSS4JStaxInInterceptor(WSSSecurityProperties securityProperties) {
-        super(securityProperties);
-        setPhase(Phase.POST_STREAM);
-        getAfter().add(StaxInInterceptor.class.getName());
-    }
-    
-    public WSS4JStaxInInterceptor(Map<String, Object> props) {
-        super(props);
-        setPhase(Phase.POST_STREAM);
-        getAfter().add(StaxInInterceptor.class.getName());
-    }
-    
-    public WSS4JStaxInInterceptor() {
-        super();
-        setPhase(Phase.POST_STREAM);
-        getAfter().add(StaxInInterceptor.class.getName());
-    }
-
-    public final boolean isGET(SoapMessage message) {
-        String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
-        return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
-    }
-    
-    @Override
-    public void handleMessage(SoapMessage soapMessage) throws Fault {
-        
-        if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) {
-            return;
-        }
-
-        XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class);
-        XMLStreamReader newXmlStreamReader;
-
-        soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor());
-        
-        try {
-            @SuppressWarnings("unchecked")
-            List<SecurityEvent> requestSecurityEvents = 
-                (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out");
-            
-            WSSSecurityProperties secProps = createSecurityProperties();
-            translateProperties(soapMessage, secProps);
-            configureCallbackHandler(soapMessage, secProps);
-            configureProperties(soapMessage, secProps);
-            
-            if (secProps.getActions() != null && secProps.getActions().size() > 0) {
-                soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions()));
-            }
-            
-            if (secProps.getAttachmentCallbackHandler() == null) {
-                secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage));
-            }
-            
-            final TokenStoreCallbackHandler callbackHandler = 
-                new TokenStoreCallbackHandler(
-                    secProps.getCallbackHandler(), WSS4JUtils.getTokenStore(soapMessage)
-                );
-            secProps.setCallbackHandler(callbackHandler);
-
-            setTokenValidators(secProps, soapMessage);
-            secProps.setMsgContext(soapMessage);
-            
-            final List<SecurityEventListener> securityEventListeners = 
-                configureSecurityEventListeners(soapMessage, secProps);
-            
-            final InboundWSSec inboundWSSec = 
-                WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage));
-            
-            newXmlStreamReader = 
-                inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents, securityEventListeners);
-            final Object provider = soapMessage.getExchange().get(Provider.class);
-            if (provider != null && ThreadLocalSecurityProvider.isInstalled()) {
-                newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) {
-                    @Override
-                    public int next() throws XMLStreamException {
-                        try {
-                            ThreadLocalSecurityProvider.setProvider((Provider)provider);
-                            return super.next();
-                        } finally {
-                            ThreadLocalSecurityProvider.unsetProvider();
-                        }
-                    }
-                };
-            }
-            soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader);
-
-            // Warning: The exceptions which can occur here are not security relevant exceptions
-            // but configuration-errors. To catch security relevant exceptions you have to catch 
-            // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This 
-            // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff
-            // for it. Exceptions will be thrown as a wrapped XMLStreamException during further
-            // processing in the WS-Stack.
-            soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE);
-        } catch (WSSecurityException e) {
-            throw createSoapFault(soapMessage.getVersion(), e);
-        } catch (XMLSecurityException e) {
-            throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
-        } catch (WSSPolicyException e) {
-            throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender());
-        } catch (XMLStreamException e) {
-            throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender());
-        }
-    }
-    
-    protected List<SecurityEventListener> configureSecurityEventListeners(
-        SoapMessage msg, WSSSecurityProperties securityProperties
-    ) throws WSSPolicyException {
-        final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>();
-        msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
-        msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList);
-        
-        final SecurityEventListener securityEventListener = new SecurityEventListener() {
-            @Override
-            public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
-                if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.Timestamp
-                    || securityEvent.getSecurityEventType() == WSSecurityEventConstants.SignatureValue
-                    || securityEvent instanceof TokenSecurityEvent
-                    || securityEvent instanceof AbstractSecuredElementSecurityEvent) {
-                    // Store events required for the security context setup, or the crypto coverage checker
-                    incomingSecurityEventList.add(securityEvent);
-                }
-            }
-        };
-        
-        return Collections.singletonList(securityEventListener);
-    }
-    
-    protected void configureProperties(
-        SoapMessage msg, WSSSecurityProperties securityProperties
-    ) throws XMLSecurityException {
-        
-        // Configure replay caching
-        ReplayCache nonceCache = null;
-        if (isNonceCacheRequired(msg, securityProperties)) {
-            nonceCache = WSS4JUtils.getReplayCache(
-                msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
-            );
-        }
-        if (nonceCache == null) {
-            securityProperties.setEnableNonceReplayCache(false);
-            securityProperties.setNonceReplayCache(null);
-        } else {
-            securityProperties.setEnableNonceReplayCache(true);
-            securityProperties.setNonceReplayCache(nonceCache);
-        }
-        
-        ReplayCache timestampCache = null;
-        if (isTimestampCacheRequired(msg, securityProperties)) {
-            timestampCache = WSS4JUtils.getReplayCache(
-                msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
-            );
-        }
-        if (timestampCache == null) {
-            securityProperties.setEnableTimestampReplayCache(false);
-            securityProperties.setTimestampReplayCache(null);
-        } else {
-            securityProperties.setEnableTimestampReplayCache(true);
-            securityProperties.setTimestampReplayCache(timestampCache);
-        }
-        
-        ReplayCache samlCache = null;
-        if (isSamlCacheRequired(msg, securityProperties)) {
-            samlCache = WSS4JUtils.getReplayCache(
-                msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, 
-                SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE
-            );
-        }
-        if (samlCache == null) {
-            securityProperties.setEnableSamlOneTimeUseReplayCache(false);
-            securityProperties.setSamlOneTimeUseReplayCache(null);
-        } else {
-            securityProperties.setEnableSamlOneTimeUseReplayCache(true);
-            securityProperties.setSamlOneTimeUseReplayCache(samlCache);
-        }
-        
-        boolean enableRevocation = 
-            MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
-        securityProperties.setEnableRevocation(enableRevocation);
-        
-        // Crypto loading only applies for Map
-        Map<String, Object> config = getProperties();
-        if (config != null && !config.isEmpty()) {
-            Crypto sigVerCrypto = 
-                loadCrypto(
-                    msg,
-                    ConfigurationConstants.SIG_VER_PROP_FILE,
-                    ConfigurationConstants.SIG_VER_PROP_REF_ID,
-                    securityProperties
-                );
-            if (sigVerCrypto == null) {
-                // Fall back to using the Signature properties for verification
-                sigVerCrypto = 
-                    loadCrypto(
-                        msg,
-                        ConfigurationConstants.SIG_PROP_FILE,
-                        ConfigurationConstants.SIG_PROP_REF_ID,
-                        securityProperties
-                    );
-            }
-            if (sigVerCrypto != null) {
-                config.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, "RefId-" + sigVerCrypto.hashCode());
-                config.put("RefId-" + sigVerCrypto.hashCode(), sigVerCrypto);
-            }
-            
-            Crypto decCrypto = 
-                loadCrypto(
-                    msg,
-                    ConfigurationConstants.DEC_PROP_FILE,
-                    ConfigurationConstants.DEC_PROP_REF_ID,
-                    securityProperties
-                );
-            if (decCrypto != null) {
-                config.put(ConfigurationConstants.DEC_PROP_REF_ID, "RefId-" + decCrypto.hashCode());
-                config.put("RefId-" + decCrypto.hashCode(), decCrypto);
-            }
-            ConfigurationConverter.parseCrypto(config, securityProperties);
-        }
-        
-        // Add Audience Restrictions for SAML
-        configureAudienceRestriction(msg, securityProperties);
-    }
-    
-    private void configureAudienceRestriction(SoapMessage msg, WSSSecurityProperties securityProperties) {
-        // Add Audience Restrictions for SAML
-        boolean enableAudienceRestriction = 
-            MessageUtils.getContextualBoolean(msg, 
-                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, 
-                                              true);
-        if (enableAudienceRestriction) {
-            List<String> audiences = new ArrayList<String>();
-            if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
-                audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
-            }
-            if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) {
-                audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
-            }
-            securityProperties.setAudienceRestrictions(audiences);
-        }
-    }
-    
-    /**
-     * Is a Nonce Cache required, i.e. are we expecting a UsernameToken 
-     */
-    protected boolean isNonceCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) {
-        
-        if (securityProperties != null && securityProperties.getActions() != null) {
-            for (WSSConstants.Action action : securityProperties.getActions()) {
-                if (action == WSSConstants.USERNAMETOKEN) {
-                    return true;
-                }
-            }
-        }
-        
-        return false;
-    }
-    
-    /**
-     * Is a Timestamp cache required, i.e. are we expecting a Timestamp 
-     */
-    protected boolean isTimestampCacheRequired(
-        SoapMessage msg, WSSSecurityProperties securityProperties
-    ) {
-        
-        if (securityProperties != null && securityProperties.getActions() != null) {
-            for (WSSConstants.Action action : securityProperties.getActions()) {
-                if (action == WSSConstants.TIMESTAMP) {
-                    return true;
-                }
-            }
-        }
-        
-        return false;
-    }
-    
-    /**
-     * Is a SAML Cache required, i.e. are we expecting a SAML Token 
-     */
-    protected boolean isSamlCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) {
-        
-        if (securityProperties != null && securityProperties.getActions() != null) {
-            for (WSSConstants.Action action : securityProperties.getActions()) {
-                if (action == WSSConstants.SAML_TOKEN_UNSIGNED 
-                    || action == WSSConstants.SAML_TOKEN_SIGNED) {
-                    return true;
-                }
-            }
-        }
-        
-        return false;
-    }
-    
-    /**
-     * Create a SoapFault from a WSSecurityException, following the SOAP Message Security
-     * 1.1 specification, chapter 12 "Error Handling".
-     * 
-     * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code
-     * specified in the WSSecurityException (if it exists).
-     * 
-     * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value
-     * as the fault code from the WSSecurityException.
-     */
-    private SoapFault 
-    createSoapFault(SoapVersion version, WSSecurityException e) {
-        SoapFault fault;
-        javax.xml.namespace.QName faultCode = e.getFaultCode();
-        if (version.getVersion() == 1.1 && faultCode != null) {
-            fault = new SoapFault(e.getMessage(), e, faultCode);
-        } else {
-            fault = new SoapFault(e.getMessage(), e, version.getSender());
-            if (version.getVersion() != 1.1 && faultCode != null) {
-                fault.setSubCode(faultCode);
-            }
-        }
-        return fault;
-    }
-    
-    private void setTokenValidators(
-        WSSSecurityProperties properties, SoapMessage message
-    ) throws WSSecurityException {
-        Validator validator = loadValidator(SecurityConstants.SAML1_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
-        }
-        validator = loadValidator(SecurityConstants.SAML2_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
-        }
-        validator = loadValidator(SecurityConstants.USERNAME_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_wsse_UsernameToken, validator);
-        }
-        validator = loadValidator(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_dsig_Signature, validator);
-        }
-        validator = loadValidator(SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_wsu_Timestamp, validator);
-        }
-        validator = loadValidator(SecurityConstants.BST_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_wsse_BinarySecurityToken, validator);
-        }
-        validator = loadValidator(SecurityConstants.SCT_TOKEN_VALIDATOR, message);
-        if (validator != null) {
-            properties.addValidator(WSSConstants.TAG_wsc0502_SecurityContextToken, validator);
-            properties.addValidator(WSSConstants.TAG_wsc0512_SecurityContextToken, validator);
-        }
-    }
-    
-    private Validator loadValidator(String validatorKey, SoapMessage message) throws WSSecurityException {
-        Object o = message.getContextualProperty(validatorKey);
-        if (o == null) {
-            return null;
-        }
-        try {
-            if (o instanceof Validator) {
-                return (Validator)o;
-            } else if (o instanceof Class) {
-                return (Validator)((Class<?>)o).newInstance();
-            } else if (o instanceof String) {
-                return (Validator)ClassLoaderUtils.loadClass(o.toString(),
-                                                             WSS4JStaxInInterceptor.class)
-                                                             .newInstance();
-            } else {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
-                                                  "Cannot load Validator: " + o);
-            }
-        } catch (RuntimeException t) {
-            throw t;
-        } catch (Exception ex) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
-        }
-    }
-
-    private class TokenStoreCallbackHandler implements CallbackHandler {
-        private CallbackHandler internal;
-        private TokenStore store;
-        public TokenStoreCallbackHandler(CallbackHandler in, TokenStore st) {
-            internal = in;
-            store = st;
-        }
-        
-        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
-            for (int i = 0; i < callbacks.length; i++) {
-                if (callbacks[i] instanceof WSPasswordCallback) {
-                    WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
-                    
-                    String id = pc.getIdentifier();
-                    SecurityToken tok = store.getToken(id);
-                    if (tok != null && !tok.isExpired()) {
-                        pc.setKey(tok.getSecret());
-                        pc.setKey(tok.getKey());
-                        pc.setCustomToken(tok.getToken());
-                        return;
-                    }
-                }
-            }
-            if (internal != null) {
-                internal.handle(callbacks);
-            }
-        }
-        
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index 72ca7d6..d633410 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -868,17 +868,8 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
         DoubleItPortType saml2Port = 
                 service.getPort(portQName, DoubleItPortType.class);
-<<<<<<< HEAD
         updateAddressPort(saml2Port, PORT2);
 
-=======
-        String portNumber = PORT2;
-        if (STAX_PORT.equals(test.getPort())) {
-            portNumber = STAX_PORT2;
-        }
-        updateAddressPort(saml2Port, portNumber);
-        
->>>>>>> ff2987d... [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
         // Create a SAML Token with an AudienceRestrictionCondition
         ConditionsBean conditions = new ConditionsBean();
         List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
@@ -897,7 +888,6 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         saml2Port.doubleIt(25);
         
         try {
-            // Now use an "unknown" audience restriction
             audienceRestriction = new AudienceRestrictionBean();
             audienceRestriction.setAudienceURIs(Collections.singletonList(
                 "https://localhost:" + PORT2 + "/DoubleItSaml2Transport2unknown"));
@@ -906,6 +896,14 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
             conditions.setAudienceRestrictions(audienceRestrictions);
             callbackHandler.setConditions(conditions);
             
+            portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
+            saml2Port = service.getPort(portQName, DoubleItPortType.class);
+            updateAddressPort(saml2Port, PORT2);
+            
+            ((BindingProvider)saml2Port).getRequestContext().put(
+                "ws-security.saml-callback-handler", callbackHandler
+            );
+            
             saml2Port.doubleIt(25);
             fail("Failure expected on unknown AudienceRestriction");
         } catch (javax.xml.ws.soap.SOAPFaultException ex) {
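Review bot: The negative case now relies on `DoubleItSaml2TransportPort3` having audience restriction validation switched on in the server configuration, but the test does not say so, and the previous hunk also drops the `// Now use an "unknown" audience restriction` comment that introduced this block. With the interceptor default now `false`, a reader cannot tell why Port2 accepts the first token while Port3 must reject the second; the server/server.xml change that presumably enables validation for Port3 is not visible in this part of the page. I would keep the removed comment and add `// Port3 enables audience restriction validation explicitly; it is off by default` above the `service.getPort(...)` call. The removed `testDisableAudienceRestrictionValidation` was the only test here naming the validation-off behaviour, so a short test that pins the new default would stop it from changing again unnoticed. The body of the `catch` block is outside the hunk.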
@@ -917,7 +915,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
     public void testAudienceRestrictionServiceName() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SamlTokenTest.class.getResource("client.xml");
+        URL busFile = SamlTokenTest.class.getResource("client/client.xml");
 
         Bus bus = bf.createBus(busFile.toString());
         SpringBusFactory.setDefaultBus(bus);
@@ -928,11 +926,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
         DoubleItPortType saml2Port = 
                 service.getPort(portQName, DoubleItPortType.class);
-        String portNumber = PORT2;
-        if (STAX_PORT.equals(test.getPort())) {
-            portNumber = STAX_PORT2;
-        }
-        updateAddressPort(saml2Port, portNumber);
+        updateAddressPort(saml2Port, PORT2);
         
         // Create a SAML Token with an AudienceRestrictionCondition
         ConditionsBean conditions = new ConditionsBean();
@@ -952,59 +946,4 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         saml2Port.doubleIt(25);
     }
     
-    @org.junit.Test
-    public void testDisableAudienceRestrictionValidation() throws Exception {
-
-        SpringBusFactory bf = new SpringBusFactory();
-        URL busFile = SamlTokenTest.class.getResource("client.xml");
-
-        Bus bus = bf.createBus(busFile.toString());
-        SpringBusFactory.setDefaultBus(bus);
-        SpringBusFactory.setThreadDefaultBus(bus);
-
-        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
-        Service service = Service.create(wsdl, SERVICE_QNAME);
-        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
-        DoubleItPortType saml2Port = 
-                service.getPort(portQName, DoubleItPortType.class);
-        String portNumber = PORT2;
-        if (STAX_PORT.equals(test.getPort())) {
-            portNumber = STAX_PORT2;
-        }
-        updateAddressPort(saml2Port, portNumber);
-        
-        // Create a SAML Token with an AudienceRestrictionCondition
-        ConditionsBean conditions = new ConditionsBean();
-        List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
-        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
-        audienceRestriction.setAudienceURIs(Collections.singletonList(
-            service.getServiceName().toString() + ".xyz"));
-        audienceRestrictions.add(audienceRestriction);
-        conditions.setAudienceRestrictions(audienceRestrictions);
-        
-        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
-        callbackHandler.setConditions(conditions);
-        ((BindingProvider)saml2Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", callbackHandler
-        );
-        
-        // It should fail with validation enabled
-        try {
-            saml2Port.doubleIt(25);
-            fail("Failure expected on unknown AudienceRestriction");
-        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
-            // expected
-        }
-        
-        // It should pass with validation disabled
-        portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
-        saml2Port = service.getPort(portQName, DoubleItPortType.class);
-        updateAddressPort(saml2Port, portNumber);
-        
-        ((BindingProvider)saml2Port).getRequestContext().put(
-            "ws-security.saml-callback-handler", callbackHandler
-        );
-        saml2Port.doubleIt(25);
-    }
-    
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
deleted file mode 100644
index 14a803a..0000000
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ /dev/null
@@ -1,270 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
- 
- http://www.apache.org/licenses/LICENSE-2.0
- 
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="         http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd         http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/sc
 hemas/configuration/http-conf.xsd         http://cxf.apache.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd         http://cxf.apache.org/configuration/security      http://cxf.apache.org/schemas/configuration/security.xsd  http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd   ">
-    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
-    <cxf:bus>
-        <cxf:features>
-            <p:policies/>
-            <cxf:logging/>
-        </cxf:features>
-    </cxf:bus>
-    <!-- -->
-    <!-- Any services listening on port 9009 must use the following -->
-    <!-- Transport Layer Security (TLS) settings -->
-    <!-- -->
-    <httpj:engine-factory id="tls-settings">
-        <httpj:engine port="${testutil.ports.Server.2}">
-            <httpj:tlsServerParameters>
-                <sec:keyManagers keyPassword="password">
-                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
-                </sec:keyManagers>
-                <sec:trustManagers>
-                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
-                </sec:trustManagers>
-                <sec:clientAuthentication want="true" required="true"/>
-            </httpj:tlsServerParameters>
-        </httpj:engine>
-    </httpj:engine-factory>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-       </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-       </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.Server.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
-                    <wsp:ExactlyOne>
-                        <wsp:All>
-                            <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken">
-                                <wsp:ExactlyOne>
-                                    <wsp:All>
-                                        <sp:TransportBinding>
-                                            <wsp:Policy>
-                                                <sp:TransportToken>
-                                                    <wsp:Policy>
-                                                        <sp:HttpsToken>
-                                                            <wsp:Policy/>
-                                                        </sp:HttpsToken>
-                                                    </wsp:Policy>
-                                                </sp:TransportToken>
-                                                <sp:Layout>
-                                                    <wsp:Policy>
-                                                        <sp:Lax/>
-                                                    </wsp:Policy>
-                                                </sp:Layout>
-                                                <sp:IncludeTimestamp/>
-                                                <sp:AlgorithmSuite>
-                                                    <wsp:Policy>
-                                                        <sp:Basic128/>
-                                                    </wsp:Policy>
-                                                </sp:AlgorithmSuite>
-                                            </wsp:Policy>
-                                        </sp:TransportBinding>
-                                        <sp:SupportingTokens>
-                                            <wsp:Policy>
-                                                <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
-                                                    <wsp:Policy>
-                                                        <sp:WssSamlV11Token11/>
-                                                    </wsp:Policy>
-                                                </sp:SamlToken>
-                                            </wsp:Policy>
-                                        </sp:SupportingTokens>
-                                    </wsp:All>
-                                </wsp:ExactlyOne>
-                            </wsp:Policy>
-                        </wsp:All>
-                    </wsp:ExactlyOne>
-                </wsp:Policy>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
-    <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
-        <constructor-arg ref="MockPDP"/>
-    </bean>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
-        </jaxws:properties>
-        <jaxws:inInterceptors>
-            <ref bean="XACMLInterceptor"/>
-        </jaxws:inInterceptors>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.validate.audience-restriction" value="false"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-</beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
index 3fedf31..7a145bd 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml
@@ -502,14 +502,6 @@
      
     </jaxws:endpoint> 
     
-    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator">
-        <property name="endpointAddresses">
-            <list>
-                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
-            </list>
-        </property>
-    </bean>
-            
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
         <jaxws:properties>
             <entry key="ws-security.callback-handler"
@@ -517,7 +509,17 @@
             <entry key="ws-security.signature.properties" 
                    value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
             <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" 
+                   value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" 
+                   value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.validate.audience-restriction" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
     
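Review bot: The properties block that opens this hunk belongs to `Saml2TransportToken2` (its opening tag is in the previous hunk), and after the `ws-security.saml2.validator` entry is removed it carries no audience-restriction setting at all. Whether that endpoint enforces a SAML AudienceRestriction therefore depends on the branch default, which is not visible in this diff. The new `Saml2TransportToken3` endpoint sets `ws-security.validate.audience-restriction` to `true` explicitly, so I would state the other side explicitly as well, e.g. `<entry key="ws-security.validate.audience-restriction" value="false"/>` on `Saml2TransportToken2`, if lenient handling is what the test expects there. The `saml/server.xml` deleted in this same commit declared the same `Saml2TransportToken3` id with `value="false"`, so a one-line comment above each endpoint, such as `<!-- audience-restriction validation enabled: a token with a non-matching audience must be rejected -->`, would make the intended polarity obvious.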

http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
deleted file mode 100644
index ce0eb3f..0000000
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ /dev/null
@@ -1,298 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
- 
- http://www.apache.org/licenses/LICENSE-2.0
- 
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="         http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd         http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration             http://cxf.apache.org/schemas/configuration/http-conf.xsd         http://cxf.apache.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd         http://cxf.apache.org/configuration/security                    http://cxf.apache.org/schemas/configuration/security.xsd   http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd  ">
-    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
-    <cxf:bus>
-        <cxf:features>
-            <p:policies/>
-            <cxf:logging/>
-        </cxf:features>
-    </cxf:bus>
-    <!-- -->
-    <!-- Any services listening on port 9009 must use the following -->
-    <!-- Transport Layer Security (TLS) settings -->
-    <!-- -->
-    <httpj:engine-factory id="tls-settings">
-        <httpj:engine port="${testutil.ports.StaxServer.2}">
-            <httpj:tlsServerParameters>
-                <sec:keyManagers keyPassword="password">
-                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/>
-                </sec:keyManagers>
-                <sec:trustManagers>
-                    <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/>
-                </sec:trustManagers>
-                <sec:clientAuthentication want="true" required="true"/>
-            </httpj:tlsServerParameters>
-        </httpj:engine>
-    </httpj:engine-factory>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.StaxServer}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.username" value="bob"/>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.encryption.username" value="useReqSigCert"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-        <jaxws:features>
-            <p:policies>
-                <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
-                    <wsp:ExactlyOne>
-                        <wsp:All>
-                            <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken">
-                                <wsp:ExactlyOne>
-                                    <wsp:All>
-                                        <sp:TransportBinding>
-                                            <wsp:Policy>
-                                                <sp:TransportToken>
-                                                    <wsp:Policy>
-                                                        <sp:HttpsToken>
-                                                            <wsp:Policy/>
-                                                        </sp:HttpsToken>
-                                                    </wsp:Policy>
-                                                </sp:TransportToken>
-                                                <sp:Layout>
-                                                    <wsp:Policy>
-                                                        <sp:Lax/>
-                                                    </wsp:Policy>
-                                                </sp:Layout>
-                                                <sp:IncludeTimestamp/>
-                                                <sp:AlgorithmSuite>
-                                                    <wsp:Policy>
-                                                        <sp:Basic128/>
-                                                    </wsp:Policy>
-                                                </sp:AlgorithmSuite>
-                                            </wsp:Policy>
-                                        </sp:TransportBinding>
-                                        <sp:SupportingTokens>
-                                            <wsp:Policy>
-                                                <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
-                                                    <wsp:Policy>
-                                                        <sp:WssSamlV11Token11/>
-                                                    </wsp:Policy>
-                                                </sp:SamlToken>
-                                            </wsp:Policy>
-                                        </sp:SupportingTokens>
-                                    </wsp:All>
-                                </wsp:ExactlyOne>
-                            </wsp:Policy>
-                        </wsp:All>
-                    </wsp:ExactlyOne>
-                </wsp:Policy>
-            </p:policies>
-        </jaxws:features>
-    </jaxws:endpoint>
-    <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
-    <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
-        <constructor-arg ref="MockPDP"/>
-    </bean>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <!--<entry key="ws-security.saml2.validator" 
-                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-        <jaxws:inInterceptors>
-            <ref bean="XACMLInterceptor"/>
-        </jaxws:inInterceptors>
-    </jaxws:endpoint>
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-    
-    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
-        <jaxws:properties>
-            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
-            <entry key="ws-security.signature.properties" value="bob.properties"/>
-            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.enable.streaming" value="true"/>
-            <entry key="ws-security.validate.audience-restriction" value="false"/>
-        </jaxws:properties>
-    </jaxws:endpoint>
-</beans>

