cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] cxf git commit: [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token assertions
Date Wed, 15 Apr 2015 13:48:58 GMT
[CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens with more than one token
assertions

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7f001482
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7f001482
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7f001482

Branch: refs/heads/3.0.x-fixes
Commit: 7f0014828b9201e0f32a7ebe3bd02ef3ccfb760b
Parents: 97682e6
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Apr 15 13:41:13 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Apr 15 13:43:18 2015 +0100

----------------------------------------------------------------------
 .../policyhandlers/AbstractBindingBuilder.java  | 65 ++++++++++++--------
 .../AbstractStaxBindingHandler.java             |  9 ++-
 .../AsymmetricBindingHandler.java               | 15 ++---
 .../StaxAsymmetricBindingHandler.java           |  4 +-
 .../StaxSymmetricBindingHandler.java            |  4 +-
 .../StaxTransportBindingHandler.java            |  4 +-
 .../policyhandlers/SymmetricBindingHandler.java | 11 ++--
 .../policyhandlers/TransportBindingHandler.java | 17 +++--
 .../sts/transport/TransportBindingTest.java     |  7 ++-
 .../cxf/systest/sts/transport/DoubleIt.wsdl     |  3 +-
 .../cxf/systest/sts/transport/cxf-service.xml   |  3 +-
 .../systest/sts/transport/cxf-stax-service.xml  |  3 +-
 12 files changed, 85 insertions(+), 60 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index fec27e8..a996944 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -113,7 +113,6 @@ import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
-import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
 import org.apache.wss4j.policy.model.Attachments;
@@ -492,7 +491,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
             } else if (token instanceof X509Token) {
                 //We have to use a cert. Prepare X509 signature
-                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
+                WSSecSignature sig = getSignatureBuilder(token, false, endorse);
+                assertPolicy(suppTokens);
                 Element bstElem = sig.getBinarySecurityTokenElement();
                 if (bstElem != null) {
                     if (lastEncryptedKeyElement != null) {
@@ -513,7 +513,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 }
                 ret.add(new SupportingToken(token, sig, getSignedParts(suppTokens)));
             } else if (token instanceof KeyValueToken) {
-                WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
+                WSSecSignature sig = getSignatureBuilder(token, false, endorse);
+                assertPolicy(suppTokens);
                 if (suppTokens.isEncryptedToken()) {
                     WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
                     encryptedTokensList.add(part);
@@ -860,7 +861,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             }
             Crypto crypto = samlCallback.getIssuerCrypto();
             if (crypto == null) {
-                crypto = getSignatureCrypto(null);
+                crypto = getSignatureCrypto();
             }
             
             assertion.signAssertion(
@@ -1372,12 +1373,21 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
     
+<<<<<<< HEAD
     protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractTokenWrapper wrapper, 
                                                        AbstractToken token) throws WSSecurityException
{
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(wssConfig);
         Crypto crypto = getEncryptionCrypto(wrapper);
+=======
+    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException
{
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        encrKey.setIdAllocator(wssConfig.getIdAllocator());
+        encrKey.setCallbackLookup(callbackLookup);
+        Crypto crypto = getEncryptionCrypto();
+>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens
with more than one token assertions
         message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
-        setKeyIdentifierType(encrKey, wrapper, token);
+        setKeyIdentifierType(encrKey, token);
+        
         boolean alsoIncludeToken = false;
         // Find out do we also need to include the token as per the Inclusion requirement
         if (token instanceof X509Token 
@@ -1386,7 +1396,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             alsoIncludeToken = true;
         }
         
-        String encrUser = setEncryptionUser(encrKey, wrapper, false, crypto);
+        String encrUser = setEncryptionUser(encrKey, token, false, crypto);
         
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
@@ -1421,17 +1431,28 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return certs[0];
     }
     
-    public Crypto getSignatureCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException
{
-        return getCrypto(wrapper, SecurityConstants.SIGNATURE_CRYPTO,
-                         SecurityConstants.SIGNATURE_PROPERTIES);
+    public Crypto getSignatureCrypto() throws WSSecurityException {
+        return getCrypto(SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES);
     }
 
+<<<<<<< HEAD
 
     public Crypto getEncryptionCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException
{
         Crypto crypto = getCrypto(wrapper, SecurityConstants.ENCRYPT_CRYPTO,
                                   SecurityConstants.ENCRYPT_PROPERTIES);
         boolean enableRevocation = MessageUtils.isTrue(
                                        message.getContextualProperty(SecurityConstants.ENABLE_REVOCATION));
+=======
+    public Crypto getEncryptionCrypto() throws WSSecurityException {
+        Crypto crypto = 
+            getCrypto(SecurityConstants.ENCRYPT_CRYPTO, SecurityConstants.ENCRYPT_PROPERTIES);
+        boolean enableRevocation = false;
+        String enableRevStr = 
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION,
message);
+        if (enableRevStr != null) {
+            enableRevocation = Boolean.parseBoolean(enableRevStr);
+        }
+>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens
with more than one token assertions
         if (enableRevocation && crypto != null) {
             CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
             String encrUser = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
@@ -1452,8 +1473,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
     }
     
-    public Crypto getCrypto(
-        AbstractTokenWrapper wrapper, 
+    protected Crypto getCrypto(
         String cryptoKey, 
         String propKey
     ) throws WSSecurityException {
@@ -1503,7 +1523,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
     
-    public void setKeyIdentifierType(WSSecBase secBase, AbstractTokenWrapper wrapper, AbstractToken
token) {
+    public void setKeyIdentifierType(WSSecBase secBase, AbstractToken token) {
         boolean tokenTypeSet = false;
         
         if (token instanceof X509Token) {
@@ -1524,7 +1544,6 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         }
         
         assertPolicy(token);
-        assertPolicy(wrapper);
         
         if (!tokenTypeSet) {
             boolean requestor = isRequestor();
@@ -1551,7 +1570,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         }
     }
     
-    public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractTokenWrapper
token,
+    public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractToken token,
                                   boolean sign, Crypto crypto) {
         // Check for prepared certificate property
         X509Certificate encrCert = (X509Certificate)message.getContextualProperty(SecurityConstants.ENCRYPT_CERT);
@@ -1659,20 +1678,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     }
     
     protected WSSecSignature getSignatureBuilder(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean endorse
-    ) throws WSSecurityException {
-        return getSignatureBuilder(wrapper, token, false, endorse);
-    }
-    
-    protected WSSecSignature getSignatureBuilder(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean attached, boolean endorse
+        AbstractToken token, boolean attached, boolean endorse
     ) throws WSSecurityException {
         WSSecSignature sig = new WSSecSignature(wssConfig);
         sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
         checkForX509PkiPath(sig, token);
         if (token instanceof IssuedToken || token instanceof SamlToken) {
             assertPolicy(token);
-            assertPolicy(wrapper);
             SecurityToken securityToken = getSecurityToken();
             String tokenType = securityToken.getTokenType();
             
@@ -1720,7 +1732,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             
             sig.setCustomTokenId(sigTokId);
         } else {
-            setKeyIdentifierType(sig, wrapper, token);
+            setKeyIdentifierType(sig, token);
             // Find out do we also need to include the token as per the Inclusion requirement
             if (token instanceof X509Token 
                 && token.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER
@@ -1738,13 +1750,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             userNameKey = SecurityConstants.ENCRYPT_USERNAME;
         }
 
-        Crypto crypto = encryptCrypto ? getEncryptionCrypto(wrapper) 
-            : getSignatureCrypto(wrapper);
+        Crypto crypto = encryptCrypto ? getEncryptionCrypto() : getSignatureCrypto();
         
         if (endorse && crypto == null && binding instanceof SymmetricBinding)
{
             type = "encryption";
             userNameKey = SecurityConstants.ENCRYPT_USERNAME;
-            crypto = getEncryptionCrypto(wrapper);
+            crypto = getEncryptionCrypto();
         }
         
         if (!endorse) {
@@ -2013,7 +2024,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sig.setSecretKey(tok.getSecret());
         sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-        sig.prepare(doc, getSignatureCrypto(null), secHeader);
+        sig.prepare(doc, getSignatureCrypto(), secHeader);
 
         sig.setParts(sigParts);
         List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 05c4c97..fb12cbe 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -57,7 +57,6 @@ import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AbstractToken;
-import org.apache.wss4j.policy.model.AbstractTokenWrapper;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 import org.apache.wss4j.policy.model.Attachments;
 import org.apache.wss4j.policy.model.ContentEncryptedElements;
@@ -509,7 +508,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
     }
 
     protected void configureSignature(
-        AbstractTokenWrapper wrapper, AbstractToken token, boolean attached
+        AbstractToken token, boolean attached
     ) throws WSSecurityException {
         
         if (token instanceof X509Token) {
@@ -521,7 +520,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
             }
         }
         
-        properties.setSignatureKeyIdentifier(getKeyIdentifierType(wrapper, token));
+        properties.setSignatureKeyIdentifier(getKeyIdentifierType(token));
 
         // Find out do we also need to include the token as per the Inclusion requirement
         WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getSignatureKeyIdentifier();
@@ -562,7 +561,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
     }
     
     protected WSSecurityTokenConstants.KeyIdentifier getKeyIdentifierType(
-        AbstractTokenWrapper wrapper, AbstractToken token
+        AbstractToken token
     ) {
         WSSecurityTokenConstants.KeyIdentifier identifier = null;
         if (token instanceof X509Token) {
@@ -679,7 +678,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
                 }
             } else if (token instanceof X509Token || token instanceof KeyValueToken) {
                 assertToken(token);
-                configureSignature(suppTokens, token, false);
+                configureSignature(token, false);
                 if (suppTokens.isEncryptedToken()) {
                     SecurePart part = 
                         new SecurePart(WSSConstants.TAG_wsse_BinarySecurityToken, Modifier.Element);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 9acaee6..83c3b50 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -483,7 +483,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
                     
                     encr.setDocument(saaj.getSOAPPart());
-                    Crypto crypto = getEncryptionCrypto(recToken);
+                    Crypto crypto = getEncryptionCrypto();
                     
                     SecurityToken securityToken = getSecurityToken();
                     if (!isRequestor() && securityToken != null 
@@ -500,10 +500,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder
{
                             encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                             encr.setCustomEKTokenId(securityToken.getId());
                         } else {
-                            setKeyIdentifierType(encr, recToken, encrToken);
+                            setKeyIdentifierType(encr, encrToken);
                         }
                     } else {
-                        setKeyIdentifierType(encr, recToken, encrToken);
+                        setKeyIdentifierType(encr, encrToken);
                     }
                     //
                     // Using a stored cert is only suitable for the Issued Token case, where
@@ -513,7 +513,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                         && securityToken.getX509Certificate() != null) {
                         encr.setUseThisCert(securityToken.getX509Certificate());
                     } else {
-                        setEncryptionUser(encr, recToken, false, crypto);
+                        setEncryptionUser(encr, encrToken, false, crypto);
                     }
                     if (!encr.isCertSet() && crypto == null) {
                         policyNotAsserted(recToken, "Missing security configuration. "
@@ -605,7 +605,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         if (sigParts.isEmpty()) {
             // Add the BST to the security header if required
             if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
-                WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
+                WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
                 sig.appendBSTElementToHeader(secHeader);
             } 
             return;
@@ -670,7 +670,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 throw new Fault(ex);
             }
         } else {
-            WSSecSignature sig = getSignatureBuilder(wrapper, sigToken, attached, false);
+            WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
                       
             // This action must occur before sig.prependBSTElementToHeader
             if (abinding.isProtectTokens()) {
@@ -784,7 +784,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
     private void createEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken token)
         throws WSSecurityException {
         //Set up the encrypted key to use
-        encrKey = this.getEncryptedKeyBuilder(wrapper, token);
+        encrKey = this.getEncryptedKeyBuilder(token);
+        assertPolicy(wrapper);
         Element bstElem = encrKey.getBinarySecurityTokenElement();
         if (bstElem != null) {
             // If a BST is available then use it

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
index 2d1ebb1..843ffd2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
@@ -356,7 +356,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler
{
             properties.addAction(actionToPerform);
             
             properties.getEncryptionSecureParts().addAll(encrParts);
-            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken));
+            properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
             
             // Find out do we also need to include the token as per the Inclusion requirement
             WSSecurityTokenConstants.KeyIdentifier keyIdentifier = properties.getEncryptionKeyIdentifier();
@@ -424,7 +424,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler
{
         properties.getSignatureSecureParts().addAll(sigParts);
         
         AbstractToken sigToken = wrapper.getToken();
-        configureSignature(wrapper, sigToken, false);
+        configureSignature(sigToken, false);
         
         if (abinding.isProtectTokens() && (sigToken instanceof X509Token)
             && sigToken.getIncludeTokenType() != IncludeTokenType.INCLUDE_TOKEN_NEVER)
{

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index 4b41380..d5a3084 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -423,7 +423,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler
{
             properties.addAction(actionToPerform);
 
             if (isRequestor()) {
-                properties.setEncryptionKeyIdentifier(getKeyIdentifierType(recToken, encrToken));
+                properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
                 properties.setDerivedKeyKeyIdentifier(
                     WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference);
             } else if (recToken.getToken() instanceof KerberosToken && !isRequestor())
{
@@ -538,7 +538,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler
{
             properties.addSignaturePart(securePart);
         }
         
-        configureSignature(wrapper, sigToken, false);
+        configureSignature(sigToken, false);
         
         if (policyToken instanceof X509Token) {
             properties.setIncludeSignatureToken(false);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index 46fa53e..decb8c3 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -348,7 +348,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler
{
         } else if (token instanceof KerberosToken) {
             WSSSecurityProperties properties = getProperties();
             properties.addAction(WSSConstants.SIGNATURE);
-            configureSignature(wrapper, token, false);
+            configureSignature(token, false);
             
             addKerberosToken((KerberosToken)token, false, true, false);
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
@@ -375,7 +375,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler
{
         }
         properties.addAction(actionToPerform);
         
-        configureSignature(wrapper, token, false);
+        configureSignature(token, false);
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             properties.setSignatureAlgorithm(
                    tbinding.getAlgorithmSuite().getSymmetricSignature());

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index a46fb30..6bc2528 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -534,10 +534,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
                     }
                     encr.setEncKeyId(encrTokId);
                     encr.setEphemeralKey(encrTok.getSecret());
-                    Crypto crypto = getEncryptionCrypto(recToken);
+                    Crypto crypto = getEncryptionCrypto();
                     if (crypto != null) {
                         this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO,
crypto);
-                        setEncryptionUser(encr, recToken, false, crypto);
+                        setEncryptionUser(encr, encrToken, false, crypto);
                     }
                     
                     encr.setDocument(saaj.getSOAPPart());
@@ -834,9 +834,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
             Crypto crypto = null;
             if (sbinding.getProtectionToken() != null) {
-                crypto = getEncryptionCrypto(sbinding.getProtectionToken());
+                crypto = getEncryptionCrypto();
             } else {
-                crypto = getSignatureCrypto(policyAbstractTokenWrapper);
+                crypto = getSignatureCrypto();
             }
             this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
             sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
@@ -857,7 +857,8 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
     }
 
     private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken)
throws WSSecurityException {
-        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(wrapper, sigToken);
+        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+        assertPolicy(wrapper);
         String id = encrKey.getId();
         byte[] secret = encrKey.getEphemeralKey();
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 113e507..c35d202 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -355,7 +355,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
         
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
+            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+            assertPolicy(wrapper);
             
             Element bstElem = encrKey.getBinarySecurityTokenElement();
             if (bstElem != null) {
@@ -363,8 +364,15 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             }
             encrKey.appendToHeader(secHeader);
             
+<<<<<<< HEAD
             WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
             if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
+=======
+            WSSecDKSign dkSig = new WSSecDKSign();
+            dkSig.setIdAllocator(wssConfig.getIdAllocator());
+            dkSig.setCallbackLookup(callbackLookup);
+            if (token.getVersion() == SPConstants.SPVersion.SP11) {
+>>>>>>> aaad96f... [CXF-6327] - Invalid Policy exception for EndorsingSupportingTokens
with more than one token assertions
                 dkSig.setWscVersion(ConversationConstants.VERSION_05_02);
             }
             
@@ -386,7 +394,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             
             return dkSig.getSignatureValue();
         } else {
-            WSSecSignature sig = getSignatureBuilder(wrapper, token, false);
+            WSSecSignature sig = getSignatureBuilder(token, false, false);
+            assertPolicy(wrapper);
             if (sig != null) {
                 sig.prependBSTElementToHeader(secHeader);
             
@@ -552,7 +561,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
 
             crypto = secTok.getCrypto();
             if (crypto == null) {
-                crypto = getSignatureCrypto(wrapper);
+                crypto = getSignatureCrypto();
             }
             if (crypto == null) {
                 LOG.fine("No signature Crypto properties are available");
@@ -574,7 +583,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             sig.setUserInfo(uname, password);
             sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
         } else {
-            crypto = getSignatureCrypto(wrapper);
+            crypto = getSignatureCrypto();
             sig.setSecretKey(secTok.getSecret());
             sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
index ba23de9..6a91247 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -378,10 +378,13 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase
{
         bus.shutdown(true);
     }
     
-    // TODO Not supported for now
     @org.junit.Test
-    @org.junit.Ignore
     public void testSAML2EndorsingX509() throws Exception {
+        
+        // Only works for DOM (clients)
+        if (test.isStreaming()) {
+            return;
+        }
 
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
index d08b102..fe0e803 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
@@ -349,10 +349,9 @@
                                 </wsaw:Metadata>
                             </sp:Issuer>
                         </sp:IssuedToken>
-                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                        <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                             <wsp:Policy>
                                 <sp:WssX509V3Token10/>
-                                <sp:RequireIssuerSerialReference/>
                             </wsp:Policy>
                         </sp:X509Token>
                     </wsp:Policy>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
index a5dbcc4..3fbf5a2 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
@@ -48,7 +48,8 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.Server}/doubleit/services/doubleittransportsaml2x509endorsing"
wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-            <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+            <entry key="ws-security.enable.timestamp.cache" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">

http://git-wip-us.apache.org/repos/asf/cxf/blob/7f001482/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
index f9d7a0c..6aa03e8 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
@@ -51,9 +51,10 @@
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2x509endorsing"
implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2X509EndorsingPort"
serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.StaxServer}/doubleit/services/doubleittransportsaml2x509endorsing"
wsdlLocation="org/apache/cxf/systest/sts/transport/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
-            <entry key="ws-security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
             <entry key="ws-security.is-bsp-compliant" value="false"/>
             <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.enable.timestamp.cache" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
     <httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">


Mime
View raw message