From cohei...@apache.org
Subject [2/2] cxf git commit: [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)
Date Fri, 16 Jan 2015 15:43:58 GMT
[CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP)


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/abafca6d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/abafca6d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/abafca6d

Branch: refs/heads/master
Commit: abafca6d4a4f48e4affdc67f368a1ab33cdd79e0
Parents: 6359c93
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jan 16 14:58:30 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jan 16 15:43:48 2015 +0000

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      | 10 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   | 20 ++++
 .../security/wss4j/WSS4JStaxInInterceptor.java  | 22 +++++
 .../saml/Saml2AudienceRestrictionValidator.java | 92 -------------------
 .../cxf/systest/ws/saml/SamlTokenTest.java      | 96 +++++++++++++++++++-
 .../StaxSaml2AudienceRestrictionValidator.java  | 82 -----------------
 .../cxf/systest/ws/saml/DoubleItSaml.wsdl       |  3 +
 .../org/apache/cxf/systest/ws/saml/server.xml   | 19 ++--
 .../apache/cxf/systest/ws/saml/stax-server.xml  | 20 ++--
 9 files changed, 168 insertions(+), 196 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index b5b32b3..daedbb0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -229,6 +229,13 @@ public final class SecurityConstants {
      */
     public static final String SC_FROM_JAAS_SUBJECT = "ws-security.sc.jaas-subject";
     
+    /**
+     * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the
+     * SAML Token contains Audience Restriction URIs, one of them must match either the
+     * request URL or the Service QName. The default is "true".
+     */
+    public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction";
+    
     //
     // Non-boolean WS-Security Configuration parameters
     //
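Review bot: The Javadoc for AUDIENCE_RESTRICTION_VALIDATION says an audience must match "the Service QName" without saying in what form; the interceptor hunks compare against `toString()` of the `javax.xml.ws.wsdl.service` property, and the new system test builds its audience from `service.getServiceName().toString()`, so the comparison is on the QName's string form, not its local part alone. Spelling that out, e.g. `the Service QName in its string form (as returned by QName.toString())`, saves a token issuer from guessing. It would also help to say where the request URL comes from (the `Message.REQUEST_URL` contextual property), since that decides whether a proxied or virtual-host address will match.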
@@ -633,7 +640,8 @@ public final class SecurityConstants {
             CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
             DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL
+            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+            AUDIENCE_RESTRICTION_VALIDATION
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index 4fec350..2ab48ea 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -216,6 +216,8 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
         }
         reqData.setWssConfig(config);
         
+        // Add Audience Restrictions for SAML
+        configureAudienceRestriction(msg, reqData);
                 
         SOAPMessage doc = getSOAPMessage(msg);
         
@@ -339,6 +341,24 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
             reqData = null;
         }
     }
+    
+    private void configureAudienceRestriction(SoapMessage msg, RequestData reqData) {
+        // Add Audience Restrictions for SAML
+        boolean enableAudienceRestriction = 
+            MessageUtils.getContextualBoolean(msg, 
+                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,

+                                              true);
+        if (enableAudienceRestriction) {
+            List<String> audiences = new ArrayList<String>();
+            if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
+                audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+            }
+            if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) {
+                audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+            }
+            reqData.setAudienceRestrictions(audiences);
+        }
+    }
 
     private void checkActions(
         SoapMessage msg, 
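Review bot: When validation is enabled but neither `Message.REQUEST_URL` nor `javax.xml.ws.wsdl.service` is present in the message context, `configureAudienceRestriction` hands an empty list to `reqData.setAudienceRestrictions(...)`; whether WSS4J then skips the audience check or rejects every token carrying an AudienceRestriction is not visible here and should be pinned down, ideally with a debug log when the list ends up empty. Each property is also looked up twice; read it once into a local, e.g. `Object requestUrl = msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);`. The same body is duplicated verbatim in the WSS4JStaxInInterceptor hunk, so a shared static helper returning the audience list would keep the two interceptors from drifting. If the request URL is reconstructed from the incoming HTTP request rather than taken from the configured endpoint address, the audience the token has to name is partly chosen by the sender, which deserves a comment on the method stating which address is compared. checkActions begins on the hunk's last line and continues outside it.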

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
index 19e4240..eb034a1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
@@ -20,6 +20,7 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.io.IOException;
 import java.security.Provider;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
@@ -289,6 +290,27 @@ public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor
{
             }
             ConfigurationConverter.parseCrypto(config, securityProperties);
         }
+        
+        // Add Audience Restrictions for SAML
+        configureAudienceRestriction(msg, securityProperties);
+    }
+    
+    private void configureAudienceRestriction(SoapMessage msg, WSSSecurityProperties securityProperties)
{
+        // Add Audience Restrictions for SAML
+        boolean enableAudienceRestriction = 
+            MessageUtils.getContextualBoolean(msg, 
+                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,

+                                              true);
+        if (enableAudienceRestriction) {
+            List<String> audiences = new ArrayList<String>();
+            if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
+                audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
+            }
+            if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) {
+                audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString());
+            }
+            securityProperties.setAudienceRestrictions(audiences);
+        }
     }
     
     /**

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
deleted file mode 100644
index add4394..0000000
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/Saml2AudienceRestrictionValidator.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.ws.saml;
-
-import java.util.List;
-
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.dom.validate.Credential;
-import org.apache.wss4j.dom.validate.SamlAssertionValidator;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.Conditions;
-
-/**
- * This class checks that the Audiences received as part of AudienceRestrictions match a
set 
- * list of endpoints.
- */
-public class Saml2AudienceRestrictionValidator extends SamlAssertionValidator {
-    
-    private List<String> endpointAddresses;
-    
-    @Override
-    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
-        Credential validatedCredential = super.validate(credential, data);
-        SamlAssertionWrapper assertion = validatedCredential.getSamlAssertion();
-        
-        Assertion saml2Assertion = assertion.getSaml2();
-        if (saml2Assertion == null) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-        
-        return validatedCredential;
-    }
-    
-    @Override
-    public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        super.checkConditions(samlAssertion);
-        
-        if (endpointAddresses == null || endpointAddresses.isEmpty()) {
-            return;
-        }
-        
-        Conditions conditions = samlAssertion.getSaml2().getConditions();
-        if (conditions != null && conditions.getAudienceRestrictions() != null) {
-            boolean foundAddress = false;
-            for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions())
{
-                List<Audience> audiences = audienceRestriction.getAudiences();
-                if (audiences != null) {
-                    for (Audience audience : audiences) {
-                        String audienceURI = audience.getAudienceURI();
-                        if (endpointAddresses.contains(audienceURI)) {
-                            foundAddress = true;
-                            break;
-                        }
-                    }
-                }
-            }
-            
-            if (!foundAddress) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
-    }
-
-    public List<String> getEndpointAddresses() {
-        return endpointAddresses;
-    }
-
-    public void setEndpointAddresses(List<String> endpointAddresses) {
-        this.endpointAddresses = endpointAddresses;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index f8d2227..e014f0a 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -1024,7 +1024,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
             portNumber = STAX_PORT2;
         }
         updateAddressPort(saml2Port, portNumber);
-
+        
         // Create a SAML Token with an AudienceRestrictionCondition
         ConditionsBean conditions = new ConditionsBean();
         List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
@@ -1059,4 +1059,98 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase
{
         }
     }
     
+    @org.junit.Test
+    public void testAudienceRestrictionServiceName() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        String portNumber = PORT2;
+        if (STAX_PORT.equals(test.getPort())) {
+            portNumber = STAX_PORT2;
+        }
+        updateAddressPort(saml2Port, portNumber);
+        
+        // Create a SAML Token with an AudienceRestrictionCondition
+        ConditionsBean conditions = new ConditionsBean();
+        List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
+        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+        audienceRestriction.setAudienceURIs(Collections.singletonList(
+            service.getServiceName().toString()));
+        audienceRestrictions.add(audienceRestriction);
+        conditions.setAudienceRestrictions(audienceRestrictions);
+        
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        saml2Port.doubleIt(25);
+    }
+    
+    @org.junit.Test
+    public void testDisableAudienceRestrictionValidation() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2");
+        DoubleItPortType saml2Port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        String portNumber = PORT2;
+        if (STAX_PORT.equals(test.getPort())) {
+            portNumber = STAX_PORT2;
+        }
+        updateAddressPort(saml2Port, portNumber);
+        
+        // Create a SAML Token with an AudienceRestrictionCondition
+        ConditionsBean conditions = new ConditionsBean();
+        List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>();
+        AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean();
+        audienceRestriction.setAudienceURIs(Collections.singletonList(
+            service.getServiceName().toString() + ".xyz"));
+        audienceRestrictions.add(audienceRestriction);
+        conditions.setAudienceRestrictions(audienceRestrictions);
+        
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler();
+        callbackHandler.setConditions(conditions);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        
+        // It should fail with validation enabled
+        try {
+            saml2Port.doubleIt(25);
+            fail("Failure expected on unknown AudienceRestriction");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            // expected
+        }
+        
+        // It should pass with validation disabled
+        portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");
+        saml2Port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, portNumber);
+        
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            "ws-security.saml-callback-handler", callbackHandler
+        );
+        saml2Port.doubleIt(25);
+    }
+    
 }
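Review bot: The negative branch of testDisableAudienceRestrictionValidation passes on any `SOAPFaultException`, so an unrelated failure on Port2 (signature, TLS, missing callback handler) would satisfy it just as well as the intended audience mismatch; asserting on `ex.getMessage()`, or otherwise checking that the fault is the one raised for an unmatched audience, would tie the test to the feature. Neither new test closes the `saml2Port` proxy or shuts the `Bus` down; if the other tests in this class end with `((java.io.Closeable)saml2Port).close(); bus.shutdown(true);`, these should too. Both methods also repeat the bus and port set-up that the hunk's context lines show already exists above; a private helper returning the configured `DoubleItPortType` would remove the triplication. The class ends on the hunk's last line.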

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
deleted file mode 100644
index 778c068..0000000
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/StaxSaml2AudienceRestrictionValidator.java
+++ /dev/null
@@ -1,82 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.systest.ws.saml;
-
-import java.util.List;
-
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
-import org.opensaml.saml2.core.Assertion;
-import org.opensaml.saml2.core.Audience;
-import org.opensaml.saml2.core.AudienceRestriction;
-import org.opensaml.saml2.core.Conditions;
-
-/**
- * This class checks that the Audiences received as part of AudienceRestrictions match a
set 
- * list of endpoints.
- */
-public class StaxSaml2AudienceRestrictionValidator extends SamlTokenValidatorImpl {
-    
-    private List<String> endpointAddresses;
-    
-    @Override
-    public void checkConditions(SamlAssertionWrapper samlAssertion) throws WSSecurityException
{
-        super.checkConditions(samlAssertion);
-        
-        Assertion saml2Assertion = samlAssertion.getSaml2();
-        if (saml2Assertion == null) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-        }
-        
-        if (endpointAddresses == null || endpointAddresses.isEmpty()) {
-            return;
-        }
-        
-        Conditions conditions = samlAssertion.getSaml2().getConditions();
-        if (conditions != null && conditions.getAudienceRestrictions() != null) {
-            boolean foundAddress = false;
-            for (AudienceRestriction audienceRestriction : conditions.getAudienceRestrictions())
{
-                List<Audience> audiences = audienceRestriction.getAudiences();
-                if (audiences != null) {
-                    for (Audience audience : audiences) {
-                        String audienceURI = audience.getAudienceURI();
-                        if (endpointAddresses.contains(audienceURI)) {
-                            foundAddress = true;
-                            break;
-                        }
-                    }
-                }
-            }
-            
-            if (!foundAddress) {
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
-    }
-
-    public List<String> getEndpointAddresses() {
-        return endpointAddresses;
-    }
-
-    public void setEndpointAddresses(List<String> endpointAddresses) {
-        this.endpointAddresses = endpointAddresses;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index 09ce8b8..ea0d132 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -383,6 +383,9 @@
         <wsdl:port name="DoubleItSaml2TransportPort2" binding="tns:DoubleItSaml2TransportBinding">
             <soap:address location="https://localhost:9009/DoubleItSaml2Transport2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSaml2TransportPort3" binding="tns:DoubleItSaml2TransportBinding">
+            <soap:address location="https://localhost:9009/DoubleItSaml2Transport3"/>
+        </wsdl:port>
     </wsdl:service>
     <wsp:Policy wsu:Id="DoubleItSaml1TransportPolicy">
         <wsp:ExactlyOne>

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index 2f69dc2..14a803a 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -251,21 +251,20 @@
         </jaxws:properties>
     </jaxws:endpoint>
     
-    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator">
-        <property name="endpointAddresses">
-            <list>
-                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
-                <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value>
-            </list>
-        </property>
-    </bean>
-            
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
             <entry key="ws-security.signature.properties" value="bob.properties"/>
             <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
-            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3"
address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.validate.audience-restriction" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
 </beans>
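Review bot: The Saml2TransportToken3 endpoint exists only to exercise `ws-security.validate.audience-restriction=false`, but nothing in the file says so, and a reader could copy it as a template and end up with an endpoint that accepts tokens scoped to other services. A comment above it such as `<!-- Audience restriction validation deliberately disabled; used by SamlTokenTest.testDisableAudienceRestrictionValidation -->` would make the intent explicit; the same applies to the matching endpoint in stax-server.xml.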

http://git-wip-us.apache.org/repos/asf/cxf/blob/abafca6d/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index 3ba931b..ce0eb3f 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -277,22 +277,22 @@
         </jaxws:properties>
     </jaxws:endpoint>
     
-    <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.StaxSaml2AudienceRestrictionValidator">
-        <property name="endpointAddresses">
-            <list>
-                <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value>
-                <value>https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2</value>
-            </list>
-        </property>
-    </bean>
-    
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
             <entry key="ws-security.signature.properties" value="bob.properties"/>
             <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
             <entry key="ws-security.enable.streaming" value="true"/>
-            <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService"
endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.validate.audience-restriction" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
 </beans>

