From cohei...@apache.org
Subject [2/5] cxf git commit: Support the ability to store BASE-64 encoded (encryption) bytes in message attachments
Date Thu, 09 Jul 2015 16:43:20 GMT
Support the ability to store BASE-64 encoded (encryption) bytes in message attachments

Conflicts:
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/22937bb5
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/22937bb5
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/22937bb5

Branch: refs/heads/3.0.x-fixes
Commit: 22937bb5827175d8f64e3db28bbeab3c816ca89d
Parents: c780d3a
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Jul 9 17:09:12 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Jul 9 17:11:28 2015 +0100

----------------------------------------------------------------------
 .../cxf/ws/security/SecurityConstants.java      | 18 +++++
 .../policyhandlers/AbstractBindingBuilder.java  | 46 +++++++++++++
 .../AsymmetricBindingHandler.java               | 17 +++++
 .../policyhandlers/SymmetricBindingHandler.java |  4 ++
 .../cxf/systest/ws/mtom/MTOMSecurityTest.java   | 51 +++++++++++++-
 .../cxf/systest/ws/mtom/DoubleItMtom.wsdl       | 71 ++++++++++++++++++++
 .../org/apache/cxf/systest/ws/mtom/client.xml   | 43 +++++++++++-
 .../org/apache/cxf/systest/ws/mtom/server.xml   | 38 +++++++++++
 8 files changed, 285 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 0516853..885a9b8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -244,8 +244,21 @@ public final class SecurityConstants {
      * SAML Token contains Audience Restriction URIs, one of them must match either the
      * request URL or the Service QName. The default is "true".
      */
+<<<<<<< HEAD
     public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction";
     
+=======
+    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
+    
+    /**
+     * Whether to store bytes (CipherData or BinarySecurityToken) in an attachment. The default
is 
+     * true if MTOM is enabled. Set it to false to BASE-64 encode the bytes and "inlined"
them in 
+     * the message instead. Setting this to true is more efficient, as it means that the
BASE-64 
+     * encoding step can be skipped. This only applies to the DOM WS-Security stack.
+     */
+    public static final String STORE_BYTES_IN_ATTACHMENT = "ws-security.store.bytes.in.attachment";
+
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
     //
     // Non-boolean WS-Security Configuration parameters
     //
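Review bot: The added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> f399b92...` commit unresolved merge-conflict markers into SecurityConstants.java, so the branch will not compile; the same markers appear in the second SecurityConstants hunk, in the import, field, constructor and getEncryptedKeyBuilder hunks of AbstractBindingBuilder.java, and in the two WSSecDK* hunks of AsymmetricBindingHandler.java, which matches the "Conflicts:" list in the commit message and looks like a cherry-pick committed before resolution. The resolution here should keep both sides, `AUDIENCE_RESTRICTION_VALIDATION` from HEAD and the new `STORE_BYTES_IN_ATTACHMENT`, and add both to the ALL_PROPERTIES set in the second hunk; `POLICY_VALIDATOR_MAP` is referenced there but not declared in this diff, and `ENABLE_SAML_ONE_TIME_USE_CACHE` appears unrelated to this change, so both should only be kept if they already exist on 3.0.x-fixes. In the Javadoc, `"inlined" them in the message` reads better as `inline them in the message`, and "The default is true if MTOM is enabled" is incomplete on its own: the constructor hunk in AbstractBindingBuilder also forces it off for EncryptBeforeSigning and ProtectTokens policies, which a user setting this property would want to know.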
@@ -650,8 +663,13 @@ public final class SecurityConstants {
             CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
             DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
+<<<<<<< HEAD
             KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
             AUDIENCE_RESTRICTION_VALIDATION
+=======
+            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, POLICY_VALIDATOR_MAP,
+            STORE_BYTES_IN_ATTACHMENT
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
         }));
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 98de4de..0a3734c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -50,7 +50,11 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+<<<<<<< HEAD
 import org.apache.cxf.Bus;
+=======
+import org.apache.cxf.attachment.AttachmentUtil;
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.saaj.SAAJUtils;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
@@ -111,6 +115,7 @@ import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
@@ -168,6 +173,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     protected Element bstElement;
     protected Element lastEncryptedKeyElement;
     
+<<<<<<< HEAD
+=======
+    protected final CallbackLookup callbackLookup;
+    protected boolean storeBytesInAttachment;
+    
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
     private Element lastSupportingTokenElement;
     private Element lastDerivedKeyElement;
     
@@ -189,6 +200,32 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         this.secHeader = secHeader;
         this.saaj = saaj;
         message.getExchange().put(WSHandlerConstants.SEND_SIGV, signatures);
+<<<<<<< HEAD
+=======
+        
+        boolean storeBytes = 
+            MessageUtils.getContextualBoolean(
+                message, SecurityConstants.STORE_BYTES_IN_ATTACHMENT, true
+            );
+        if (storeBytes && AttachmentUtil.isMtomEnabled(message)) {
+            storeBytesInAttachment = true;
+            if (binding instanceof AbstractSymmetricAsymmetricBinding
+                && (ProtectionOrder.EncryptBeforeSigning 
+                    == ((AbstractSymmetricAsymmetricBinding)binding).getProtectionOrder())
+                    || ((AbstractSymmetricAsymmetricBinding)binding).isProtectTokens()) {
+                LOG.fine("Disabling SecurityConstants.STORE_BYTES_IN_ATTACHMENT due to "
+                         + "EncryptBeforeSigning or ProtectTokens policy.");
+                storeBytesInAttachment = false;
+            }
+        }
+        
+        Element soapBody = SAAJUtils.getBody(saaj);
+        if (soapBody != null) {
+            callbackLookup = new CXFCallbackLookup(soapBody.getOwnerDocument(), soapBody);
+        } else {
+            callbackLookup = null;
+        }
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
     }
     
     protected void insertAfter(Element child, Element sib) {
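Review bot: The condition `if (binding instanceof AbstractSymmetricAsymmetricBinding && (ProtectionOrder.EncryptBeforeSigning == ((AbstractSymmetricAsymmetricBinding)binding).getProtectionOrder()) || ((AbstractSymmetricAsymmetricBinding)binding).isProtectTokens())` parses as `(A && B) || C`, so for any binding that is not an AbstractSymmetricAsymmetricBinding the `isProtectTokens()` cast still executes and throws ClassCastException; because the block is only reached when MTOM is enabled and the property is true, this would surface as a runtime failure on such endpoints (a transport binding, if it reaches this constructor) rather than at build time. Guard the cast once: `AbstractSymmetricAsymmetricBinding sab = binding instanceof AbstractSymmetricAsymmetricBinding ? (AbstractSymmetricAsymmetricBinding) binding : null;` followed by `if (sab != null && (sab.getProtectionOrder() == ProtectionOrder.EncryptBeforeSigning || sab.isProtectTokens())) {`. A why-comment above the block would also help a maintainer, e.g. `// NOTE(review): presumably the signature must cover the bytes inline in these modes, so the attachment path is not safe here -- confirm`. The constructor's signature is outside the hunk, and the block is still wrapped in unresolved conflict markers.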
@@ -1382,7 +1419,15 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     }
     
     protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException
{
+<<<<<<< HEAD
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(wssConfig);
+=======
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        encrKey.setIdAllocator(wssConfig.getIdAllocator());
+        encrKey.setCallbackLookup(callbackLookup);
+        encrKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+        encrKey.setStoreBytesInAttachment(storeBytesInAttachment);
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
         Crypto crypto = getEncryptionCrypto();
         message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
         setKeyIdentifierType(encrKey, token);
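Review bot: `encrKey.setCallbackLookup(callbackLookup)` passes a field that the constructor hunk leaves null when `SAAJUtils.getBody(saaj)` returns null, and the same value is handed to WSSecDKEncrypt and WSSecDKSign in AsymmetricBindingHandler. Whether the WSS4J builders tolerate a null lookup or fall back to their own default is not visible here, so either guard the call, `if (callbackLookup != null) { encrKey.setCallbackLookup(callbackLookup); }`, or document on the field what null means once confirmed, e.g. `/** Lookup over the SOAP body; null when the message has no body (builder default applies). */`. getEncryptedKeyBuilder continues past the hunk.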
@@ -1668,6 +1713,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     ) throws WSSecurityException {
         WSSecSignature sig = new WSSecSignature(wssConfig);
         sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+        sig.setStoreBytesInAttachment(storeBytesInAttachment);
         checkForX509PkiPath(sig, token);
         if (token instanceof IssuedToken || token instanceof SamlToken) {
             assertPolicy(token);

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 82f99de..c41580f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -453,7 +453,15 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder
{
             AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
             if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                 try {
+<<<<<<< HEAD
                     WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
+=======
+                    WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
+                    dkEncr.setIdAllocator(wssConfig.getIdAllocator());
+                    dkEncr.setCallbackLookup(callbackLookup);
+                    dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+                    dkEncr.setStoreBytesInAttachment(storeBytesInAttachment);
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
                     if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
                         dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
                     }
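Review bot: Inside the conflict markers the incoming side replaces `new WSSecDKEncrypt(wssConfig)` with a no-arg constructor plus `setIdAllocator`, `setCallbackLookup` and `setAttachmentCallbackHandler`, while the SymmetricBindingHandler hunks of this same commit keep the `(wssConfig)` constructor and add only `setStoreBytesInAttachment`. The HEAD side is presumably what the WSS4J version on 3.0.x-fixes supports, so the resolution consistent with the rest of the commit is `WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);` followed by `dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));` and `dkEncr.setStoreBytesInAttachment(storeBytesInAttachment);`, applied likewise to the WSSecDKSign hunk below and to getEncryptedKeyBuilder in AbstractBindingBuilder; confirm against the branch's WSS4J API before resolving. The enclosing method starts and ends outside the hunk.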
@@ -483,6 +491,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 try {
                     WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
                     encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+                    encr.setStoreBytesInAttachment(storeBytesInAttachment);
                     
                     encr.setDocument(saaj.getSOAPPart());
                     Crypto crypto = getEncryptionCrypto();
@@ -615,7 +624,15 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder
{
             // Set up the encrypted key to use
             setupEncryptedKey(wrapper, sigToken);
             
+<<<<<<< HEAD
             WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
+=======
+            WSSecDKSign dkSign = new WSSecDKSign();
+            dkSign.setIdAllocator(wssConfig.getIdAllocator());
+            dkSign.setCallbackLookup(callbackLookup);
+            dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
+>>>>>>> f399b92... Support the ability to store BASE-64 encoded (encryption)
bytes in message attachments
             if (wrapper.getToken().getVersion() == SPConstants.SPVersion.SP11) {
                 dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 0b70426..451e2d2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -399,6 +399,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
             dkEncr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            dkEncr.setStoreBytesInAttachment(storeBytesInAttachment);
             if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP11) {
                 dkEncr.setWscVersion(ConversationConstants.VERSION_05_02);
             }
@@ -512,6 +513,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                 try {
                     WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
                     encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+                    encr.setStoreBytesInAttachment(storeBytesInAttachment);
                     String encrTokId = encrTok.getId();
                     if (attached) {
                         encrTokId = encrTok.getWsuId();
@@ -627,6 +629,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         Document doc = saaj.getSOAPPart();
         WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
         dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+        dkSign.setStoreBytesInAttachment(storeBytesInAttachment);
         if (policyAbstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP11)
{
             dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
         }
@@ -754,6 +757,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         } else {
             WSSecSignature sig = new WSSecSignature(wssConfig);
             sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            sig.setStoreBytesInAttachment(storeBytesInAttachment);
             // If a EncryptedKeyToken is used, set the correct value type to
             // be used in the wsse:Reference in ds:KeyInfo
             int type = included ? WSConstants.CUSTOM_SYMM_SIGNING 

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
index 162e7b3..3c79a43 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/mtom/MTOMSecurityTest.java
@@ -119,8 +119,7 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase
{
     // Here we moving encrypted bytes to attachments instead, and referencing them via xop:Include
     // This avoids the BASE-64 encoding/decoding step when the raw bytes are included in
the SOAP Envelope
     @org.junit.Test
-    @org.junit.Ignore
-    public void testEncryptedDataInAttachment() throws Exception {
+    public void testAsymmetricBytesInAttachment() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = MTOMSecurityTest.class.getResource("client.xml");
@@ -142,4 +141,52 @@ public class MTOMSecurityTest extends AbstractBusClientServerTestBase
{
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+    
+    @org.junit.Test
+    public void testSymmetricBytesInAttachment() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = MTOMSecurityTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        int result = port.doubleIt(25);
+        assertEquals(result, 50);
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
+    public void testActionBytesInAttachment() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = MTOMSecurityTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItActionPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        int result = port.doubleIt(25);
+        assertEquals(result, 50);
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
 }
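Review bot: The two new tests `testSymmetricBytesInAttachment` and `testActionBytesInAttachment` repeat the bus/WSDL/port setup of the test above line for line, differing only in the port name, and `assertEquals(result, 50)` has the JUnit expected/actual order reversed, which produces a misleading failure message. Neither test checks that the ciphertext or token bytes actually went into an attachment; the round trip would also pass if `storeBytesInAttachment` were disabled by the constructor logic in AbstractBindingBuilder or never set, so a check on the outbound message (for example that an `xop:Include` reference is present, as the comment above `testAsymmetricBytesInAttachment` describes) would make the tests meaningful -- I have not verified how this harness exposes the outbound message, so treat that as a suggestion. Extracting a helper keyed on the port name, with `bus.shutdown(true)` in a finally so a failed assertion does not leak the bus, would look like the following; `testAsymmetricBytesInAttachment` can use the same helper.
```java
    @org.junit.Test
    public void testSymmetricBytesInAttachment() throws Exception {
        doubleItViaPort("DoubleItSymmetricPort");
    }

    @org.junit.Test
    public void testActionBytesInAttachment() throws Exception {
        doubleItViaPort("DoubleItActionPort");
    }

    // Runs one doubleIt round trip against the named port from DoubleItMtom.wsdl using
    // client.xml. Only the result is checked; this does not verify that the bytes were
    // stored in an attachment rather than inlined in the envelope.
    private void doubleItViaPort(String portName) throws Exception {
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = MTOMSecurityTest.class.getResource("client.xml");

        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);
        try {
            URL wsdl = MTOMSecurityTest.class.getResource("DoubleItMtom.wsdl");
            Service service = Service.create(wsdl, SERVICE_QNAME);
            QName portQName = new QName(NAMESPACE, portName);
            DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
            updateAddressPort(port, PORT);

            assertEquals(50, port.doubleIt(25));

            ((java.io.Closeable)port).close();
        } finally {
            bus.shutdown(true);
        }
    }
```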

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl
index c50a8ae..57bc5e9 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl
@@ -52,6 +52,39 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSymmetricBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSymmetricPolicy"/>
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault"/>
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+    <wsdl:binding name="DoubleItActionBinding" type="tns:DoubleItPortType">
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault"/>
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleItSignedMTOMInlinePort" binding="tns:DoubleItNoSecurityBinding">
@@ -63,6 +96,12 @@
         <wsdl:port name="DoubleItAsymmetricPort" binding="tns:DoubleItAsymmetricBinding">
             <soap:address location="http://localhost:9001/DoubleItX509Asymmetric"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSymmetricPort" binding="tns:DoubleItSymmetricBinding">
+            <soap:address location="http://localhost:9001/DoubleItX509Symmetric"/>
+        </wsdl:port>
+        <wsdl:port name="DoubleItActionPort" binding="tns:DoubleItActionBinding">
+            <soap:address location="http://localhost:9001/DoubleItX509Action"/>
+        </wsdl:port>
     </wsdl:service>
     
     <wsp:Policy wsu:Id="DoubleItAsymmetricPolicy">
@@ -106,6 +145,38 @@
         </wsp:ExactlyOne>
     </wsp:Policy>
     
+    <wsp:Policy wsu:Id="DoubleItSymmetricPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
     <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
         <wsp:ExactlyOne>
             <wsp:All>

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml
index b668025..003c64e 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/client.xml
@@ -83,7 +83,7 @@
         </jaxws:properties>
     </jaxws:client>
     
-     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricPort"
createdFromAPI="true">
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricPort"
createdFromAPI="true">
         <jaxws:properties>
             <entry key="security.encryption.properties" value="bob.properties"/>
             <entry key="security.encryption.username" value="bob"/>
@@ -94,4 +94,45 @@
         </jaxws:properties>
     </jaxws:client>
     
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricPort"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.encryption.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="bob"/>
+            <entry key="mtom-enabled" value="true"/>
+        </jaxws:properties>
+    </jaxws:client>
+    
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItActionPort"
createdFromAPI="true">
+        <jaxws:outInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Signature Timestamp"/>
+                        <entry key="signatureUser" value="alice"/>
+                        <entry key="signaturePropFile" value="alice.properties"/>
+                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
+                        <entry key="signatureParts" 
+                               value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                        <entry key="storeBytesInAttachment" value="true"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:outInterceptors>
+        <jaxws:inInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Signature"/>
+                        <entry key="signatureVerificationPropFile" value="alice.properties"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:inInterceptors>
+        <jaxws:properties>
+            <entry key="mtom-enabled" value="true"/>
+        </jaxws:properties>
+    </jaxws:client>
+    
+    
 </beans>

http://git-wip-us.apache.org/repos/asf/cxf/blob/22937bb5/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml
index aa034e0..98051fb 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/mtom/server.xml
@@ -103,4 +103,42 @@
         </jaxws:properties>
     </jaxws:endpoint>
     
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Symmetric"
address="http://localhost:${testutil.ports.mtom.Server}/DoubleItX509Symmetric" serviceName="s:DoubleItService"
endpointName="s:DoubleItSymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="mtom-enabled" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
+     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Action" address="http://localhost:${testutil.ports.mtom.Server}/DoubleItX509Action"
serviceName="s:DoubleItService" endpointName="s:DoubleItActionPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/mtom/DoubleItMtom.wsdl">
+        <jaxws:outInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Signature"/>
+                        <entry key="signatureUser" value="bob"/>
+                        <entry key="signaturePropFile" value="bob.properties"/>
+                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                        <entry key="storeBytesInAttachment" value="true"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:outInterceptors>
+        <jaxws:inInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Signature Timestamp"/>
+                        <entry key="signatureVerificationPropFile" value="bob.properties"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:inInterceptors>
+        <jaxws:properties>
+            <entry key="mtom-enabled" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    
 </beans>

