Return-Path: 
 <commits-return-36145-apmail-cxf-commits-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-commits-archive@www.apache.org
Delivered-To: apmail-cxf-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 69FEA17AA2
	for <apmail-cxf-commits-archive@www.apache.org>;
 Tue,  7 Apr 2015 10:05:47 +0000 (UTC)
Received: (qmail 67890 invoked by uid 500); 7 Apr 2015 10:05:47 -0000
Delivered-To: apmail-cxf-commits-archive@cxf.apache.org
Received: (qmail 67829 invoked by uid 500); 7 Apr 2015 10:05:47 -0000
Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@cxf.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@cxf.apache.org>
List-Post: <mailto:commits@cxf.apache.org>
List-Id: <commits.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list commits@cxf.apache.org
Received: (qmail 67695 invoked by uid 99); 7 Apr 2015 10:05:47 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org)
 (140.211.11.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 07 Apr 2015 10:05:47 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at
 git1-us-west.apache.org, from userid 33)
	id 1117FE0AD2; Tue,  7 Apr 2015 10:05:47 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: coheigea@apache.org
To: commits@cxf.apache.org
Date: Tue, 07 Apr 2015 10:05:48 -0000
Message-Id: <8022020280f040c8b7ecce613fcd11bd@git.apache.org>
In-Reply-To: <8a3e86c5d3fa44ee9ce8132fcc099364@git.apache.org>
References: <8a3e86c5d3fa44ee9ce8132fcc099364@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [2/3] cxf git commit: [CXF-6333] - Support Inclusive C14N via
 security policy

[CXF-6333] - Support Inclusive C14N via security policy

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7738d59a
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7738d59a
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7738d59a

Branch: refs/heads/3.0.x-fixes
Commit: 7738d59aff4841dcfd09d51010633610fdec39cc
Parents: 55600a7
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Apr 7 10:08:59 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Apr 7 10:15:09 2015 +0100

----------------------------------------------------------------------
 .../security/policy/WSSecurityPolicyLoader.java |  3 +
 .../wss4j/AlgorithmSuiteTranslater.java         |  1 +
 .../policyhandlers/AbstractBindingBuilder.java  |  3 +-
 .../AbstractStaxBindingHandler.java             |  2 +
 .../AsymmetricBindingHandler.java               |  4 +-
 .../StaxTransportBindingHandler.java            |  6 ++
 .../policyhandlers/SymmetricBindingHandler.java |  2 +
 .../AlgorithmSuitePolicyValidator.java          |  9 +++
 .../systest/ws/algsuite/AlgorithmSuiteTest.java | 52 +++++++++++++++
 .../systest/ws/algsuite/DoubleItAlgSuite.wsdl   |  6 ++
 .../apache/cxf/systest/ws/algsuite/client.xml   | 67 ++++++++++++++++++++
 .../apache/cxf/systest/ws/algsuite/server.xml   | 65 +++++++++++++++++++
 .../cxf/systest/ws/algsuite/stax-server.xml     | 67 ++++++++++++++++++++
 13 files changed, 284 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
index 4d67ee4..8b05935 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
@@ -265,6 +265,9 @@ public final class WSSecurityPolicyLoader implements PolicyInterceptorProviderLo
             SP13Constants.SCOPE_POLICY_15,
             SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE,
             
+            // AlgorithmSuite misc
+            new QName(SP11Constants.SP_NS, SPConstants.INCLUSIVE_C14N),
+            new QName(SP12Constants.SP_NS, SPConstants.INCLUSIVE_C14N),
         });
         final Map<QName, Assertion> assertions = new HashMap<QName, Assertion>();
         for (QName q : others) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index aef7915..372dd89 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -136,6 +136,7 @@ public final class AlgorithmSuiteTranslater {
     
             algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
             algorithmSuite.addTransformAlgorithm(SPConstants.STRT10);
+            algorithmSuite.addTransformAlgorithm(WSConstants.C14N_EXCL_OMIT_COMMENTS);
             algorithmSuite.addTransformAlgorithm(WSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE);
             algorithmSuite.addTransformAlgorithm(WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS);
             algorithmSuite.addTransformAlgorithm(WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index bb8f9bf..fec27e8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1923,6 +1923,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
         //Set the algo info
         dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (tok.getSHA1() != null) {
@@ -2010,8 +2011,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
         sig.setCustomTokenId(sigTokId);
         sig.setSecretKey(tok.getSecret());
-        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
         sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         sig.prepare(doc, getSignatureCrypto(null), secHeader);
 
         sig.setParts(sigParts);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index 5f80221..05c4c97 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -545,6 +545,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
             properties.setSignatureAlgorithm(
                        binding.getAlgorithmSuite().getAsymmetricSignature());
         }
+        properties.setSignatureCanonicalizationAlgorithm(
+                       binding.getAlgorithmSuite().getC14n().getValue());
         String sigUser = (String)message.getContextualProperty(userNameKey);
         if (sigUser == null) {
             sigUser = (String)message.getContextualProperty(SecurityConstants.USERNAME);

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 8329647..9acaee6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -622,8 +622,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
 
             // Set the algo info
-            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite()
-                    .getSymmetricSignature());
+            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
+            dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
             dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index f932698..46fa53e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -326,6 +326,8 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             properties.setIncludeSignatureToken(true);
             properties.setSignatureAlgorithm(
                 tbinding.getAlgorithmSuite().getSymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         } else if (token instanceof X509Token || token instanceof KeyValueToken) {
@@ -337,6 +339,8 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             WSSSecurityProperties properties = getProperties();
             properties.setSignatureAlgorithm(
                        tbinding.getAlgorithmSuite().getAsymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                       tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         } else if (token instanceof UsernameToken) {
@@ -351,6 +355,8 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             
             properties.setSignatureAlgorithm(
                        tbinding.getAlgorithmSuite().getSymmetricSignature());
+            properties.setSignatureCanonicalizationAlgorithm(
+                       tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             properties.setSignatureDigestAlgorithm(algType.getDigest());
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index ff072c0..a46fb30 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -674,6 +674,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
         //Set the algo info
         dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+        dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (tok.getSHA1() != null) {
@@ -830,6 +831,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             sig.setCustomTokenId(sigTokId);
             sig.setSecretKey(tok.getSecret());
             sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+            sig.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
             Crypto crypto = null;
             if (sbinding.getProtectionToken() != null) {
                 crypto = getEncryptionCrypto(sbinding.getProtectionToken());

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 533489d..7bdeb0f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -34,7 +34,11 @@ import org.w3c.dom.Element;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
+<<<<<<< HEAD
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+=======
+import org.apache.cxf.ws.security.policy.PolicyUtils;
+>>>>>>> dbc4a26... [CXF-6333] - Support Inclusive C14N via security policy
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
@@ -85,6 +89,10 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
                         algSuiteAi.setAsserted(true);
                     }
                 }
+                
+                PolicyUtils.assertPolicy(parameters.getAssertionInfoMap(), 
+                                         new QName(algorithmSuite.getName().getNamespaceURI(), 
+                                                   algorithmSuite.getC14n().name()));
             } else if (!valid && ai.isAsserted()) {
                 ai.setNotAsserted("Error in validating AlgorithmSuite policy");
             }
@@ -173,6 +181,7 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
             }
             for (String transformAlgorithm : transformAlgorithms) {
                 if (!(algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
+                    || WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithm)
                     || STRTransform.TRANSFORM_URI.equals(transformAlgorithm)
                     || WSConstants.SWA_ATTACHMENT_CONTENT_SIG_TRANS.equals(transformAlgorithm)
                     || WSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(transformAlgorithm))) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
index 2796af4..1580c22 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/algsuite/AlgorithmSuiteTest.java
@@ -258,4 +258,56 @@ public class AlgorithmSuiteTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+    @org.junit.Test
+    public void testInclusiveC14NPolicy() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = AlgorithmSuiteTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = AlgorithmSuiteTest.class.getResource("DoubleItAlgSuite.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetric128InclusivePort");
+        
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        // This should succeed as the client + server policies match
+        // DOM
+        port.doubleIt(25);
+        
+        // Streaming
+        SecurityTestUtil.enableStreaming(port);
+        port.doubleIt(25);
+        
+        portQName = new QName(NAMESPACE, "DoubleItSymmetric128InclusivePort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        // This should fail as the client uses Exclusive C14N for the signature c14n method
+        // + the server uses Inclusive C14n
+        try {
+            // DOM
+            port.doubleIt(25);
+            fail("Failure expected on Exclusive C14n");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        try {
+            // Streaming
+            SecurityTestUtil.enableStreaming(port);
+            port.doubleIt(25);
+            fail("Failure expected on Exclusive C14n");
+        } catch (Exception ex) {
+            // expected
+        }
+        
+        bus.shutdown(true);
+    }
+    
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
index 297586b..b5f3bee 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl
@@ -44,6 +44,12 @@
         <wsdl:port name="DoubleItSymmetric128Port3" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="http://localhost:9010/DoubleItSymmetric128no3"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSymmetric128InclusivePort" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="http://localhost:9010/DoubleItSymmetric128Inclusive"/>
+        </wsdl:port>
+        <wsdl:port name="DoubleItSymmetric128InclusivePort2" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="http://localhost:9010/DoubleItSymmetric128Inclusive2"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSymmetricCombinedPort" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="http://localhost:9010/DoubleItSymmetricCombined"/>
         </wsdl:port>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
index 02960d2..a5f4036 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/client.xml
@@ -63,6 +63,34 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetric128InclusivePort" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.encryption.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="bob"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetric128InclusivePort2" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.username" value="Alice"/>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.encryption.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.username" value="bob"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128Policy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricCombinedPort" createdFromAPI="true">
         <jaxws:properties>
             <entry key="ws-security.username" value="Alice"/>
@@ -269,4 +297,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
index 064eed0..a8f7e27 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/server.xml
@@ -61,6 +61,32 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Symmetric128InclusiveEndpoint" address="http://localhost:${testutil.ports.Server}/DoubleItSymmetric128Inclusive" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetric128InclusivePort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Symmetric128InclusiveEndpoint2" address="http://localhost:${testutil.ports.Server}/DoubleItSymmetric128Inclusive2" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetric128InclusivePort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="SymmetricEndpointCombined" address="http://localhost:${testutil.ports.Server}/DoubleItSymmetricCombined" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricCombinedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
         <jaxws:properties>
             <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
@@ -184,6 +210,45 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="Combined">
         <wsp:ExactlyOne>
             <wsp:All>

http://git-wip-us.apache.org/repos/asf/cxf/blob/7738d59a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
index 1536714..271d1fc 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/algsuite/stax-server.xml
@@ -64,6 +64,34 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Symmetric128InclusiveEndpoint" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSymmetric128Inclusive" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetric128InclusivePort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Symmetric128InclusiveEndpoint2" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSymmetric128Inclusive2" serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetric128InclusivePort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/algsuite/DoubleItAlgSuite.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="#DoubleItSymmetric128InclusivePolicy"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="DoubleItSymmetric128Policy">
         <wsp:ExactlyOne>
             <wsp:All>
@@ -102,4 +130,43 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="DoubleItSymmetric128InclusivePolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireKeyIdentifierReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                                <sp:InclusiveC14N/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
 </beans>