From cohei...@apache.org
Subject [4/4] cxf git commit: Move STS SecurityConstants to common class
Date Fri, 28 Aug 2015 12:46:57 GMT
Move STS SecurityConstants to common class


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/91c7b090
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/91c7b090
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/91c7b090

Branch: refs/heads/master
Commit: 91c7b09005e8d32187283828ac348235b725e3e3
Parents: 3c0681f
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Aug 28 12:03:01 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Aug 28 13:46:47 2015 +0100

----------------------------------------------------------------------
 .../cxf/rt/security/SecurityConstants.java      | 149 ++++++++++++++++-
 .../cxf/rt/security/utils/SecurityUtils.java    |  17 ++
 .../cxf/ws/security/SecurityConstants.java      | 159 +------------------
 .../ws/security/trust/AbstractSTSClient.java    |  30 +++-
 .../ws/security/trust/STSTokenRetriever.java    |  30 ++--
 .../apache/cxf/ws/security/trust/STSUtils.java  |  24 +--
 .../sts/asymmetric/AsymmetricBindingTest.java   |   3 +
 .../cxf/systest/sts/common/TokenTestUtils.java  |   9 ++
 .../IntermediaryCachingPortTypeImpl.java        |   3 +
 .../IntermediaryPortTypeImpl.java               |   3 +
 .../UsernameActAsCachingTest.java               |   6 +
 .../UsernameOnBehalfOfCachingTest.java          |   6 +
 12 files changed, 249 insertions(+), 190 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
index 345c7da..acc671d 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -192,6 +192,148 @@ public class SecurityConstants {
      */
     public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints";
     
+    //
+    // STS Client Configuration tags
+    //
+    
+    /**
+     * A reference to the STSClient class used to communicate with the STS.
+     */
+    public static final String STS_CLIENT = "security.sts.client";
+    
+    /**
+     * The "AppliesTo" address to send to the STS. The default is the endpoint address of
the 
+     * service provider.
+     */
+    public static final String STS_APPLIES_TO = "security.sts.applies-to";
+    
+    /**
+     * Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to
write
+     * out a KeyValue structure. The default value is "false".
+     */
+    public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = "security.sts.token.usecert";
+    
+    /**
+     * Whether to cancel a token when using SecureConversation after successful invocation.
The
+     * default is "false".
+     */
+    public static final String STS_TOKEN_DO_CANCEL = "security.sts.token.do.cancel";
+    
+    /**
+     * Whether to fall back to calling "issue" after failing to renew an expired token. Some
+     * STSs do not support the renew binding, and so we should just issue a new token after
expiry.
+     * The default is true.
+     */
+    public static final String STS_ISSUE_AFTER_FAILED_RENEW = "security.issue.after.failed.renew";
+    
+    /**
+     * Set this to "false" to not cache a SecurityToken per proxy object in the 
+     * IssuedTokenInterceptorProvider. This should be done if a token is being retrieved
+     * from an STS in an intermediary. The default value is "true".
+     */
+    public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT = 
+        "security.cache.issued.token.in.endpoint";
+    
+    /**
+     * Whether to avoid STS client trying send WS-MetadataExchange call using
+     * STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info.
+     * The default value is "false".
+     */
+    public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS =
+        "security.sts.disable-wsmex-call-using-epr-address";
+    
+    /**
+     * Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties
+     * when making an STS RequestSecurityToken call. This can be set to true for the scenario
+     * of making a WS-MEX call to an initial STS, and using the returned token to make another
+     * call to an STS (which is configured using the STSClient configuration). Default is

+     * "false".
+     */
+    public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG = 
+        "security.sts.prefer-wsmex";
+    
+    /**
+     * Switch STS client to send Soap 1.2 messages
+     */
+    public static final String STS_CLIENT_SOAP12_BINDING =
+        "security.sts.client-soap12-binding";
+
+    /**
+     * 
+     * A Crypto object to be used for the STS. If this is not defined then the 
+     * {@link STS_TOKEN_PROPERTIES} is used instead.
+     * 
+     * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO
+     * the full security on the message. These properties control the way the STS client
+     * will decrypt the EncryptedData elements in the response.
+     * 
+     * These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens 
+     * used if the KeyType is "PublicKey" 
+     */
+    public static final String STS_TOKEN_CRYPTO = "security.sts.token.crypto";
+    
+    /**
+     * The Crypto property configuration to use for the STS, if {@link STS_TOKEN_CRYPTO}
is not
+     * set instead.
+     * The value of this tag must be either:
+     * a) A Java Properties object that contains the Crypto configuration.
+     * b) The path of the Crypto property file that contains the Crypto configuration.
+     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
+     */
+    public static final String STS_TOKEN_PROPERTIES = "security.sts.token.properties";
+    
+    /**
+     * The alias name in the keystore to get the user's public key to send to the STS for
the
+     * PublicKey KeyType case.
+     */
+    public static final String STS_TOKEN_USERNAME = "security.sts.token.username";
+    
+    /**
+     * The token to be sent to the STS in an "ActAs" field. It can be either:
+     * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>")
+     * b) A DOM Element
+     * c) A CallbackHandler object to use to obtain the token
+     * 
+     * In the case of a CallbackHandler, it must be able to handle a 
+     * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains
a 
+     * reference to the current Message. The CallbackHandler implementation is required to
set 
+     * the token Element to be sent in the request on the Callback.
+     * 
+     * Some examples that can be reused are:
+     * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
+     * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
+     */
+    public static final String STS_TOKEN_ACT_AS = "security.sts.token.act-as";
+    
+    /**
+     * The token to be sent to the STS in an "OnBehalfOf" field. It can be either:
+     * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>")
+     * b) A DOM Element
+     * c) A CallbackHandler object to use to obtain the token
+     * 
+     * In the case of a CallbackHandler, it must be able to handle a 
+     * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains
a 
+     * reference to the current Message. The CallbackHandler implementation is required to
set 
+     * the token Element to be sent in the request on the Callback.
+     * 
+     * Some examples that can be reused are:
+     * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
+     * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
+     */
+    public static final String STS_TOKEN_ON_BEHALF_OF = "security.sts.token.on-behalf-of";
+
+    /**
+     * This is the value in seconds within which a token is considered to be expired by the
+     * client. When a cached token (from a STS) is retrieved by the client, it is considered
+     * to be expired if it will expire in a time less than the value specified by this tag.
+     * This prevents token expiry when the message is en route / being processed by the
+     * service. When the token is found to be expired then it will be renewed via the STS.
+     * 
+     * The default value is 10 (seconds). Specify 0 to avoid this check.
+     */
+    public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE =
+        "security.sts.token.imminent-expiry-value";
+    
     public static final Set<String> COMMON_PROPERTIES;
     
     static {
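Review bot: The Javadoc for STS_TOKEN_ACT_AS (the block ending at the `security.sts.token.act-as` line) gives `<wst:OnBehalfOf ...>` as its example XML, which reads as a copy of the OnBehalfOf entry below it; the element carried in an ActAs request is ActAs, so the line should read something like `a) A String (which must be an XML statement like "<wst14:ActAs xmlns:wst14=...>...</wst14:ActAs>")`. The removed ws-security copy had the same text, so this is an inherited slip rather than something the move introduced. STS_ISSUE_AFTER_FAILED_RENEW is keyed as `security.issue.after.failed.renew`, the only STS tag here without the `sts.` segment; renaming it would break existing configuration, so a one-line Javadoc remark that the key name is kept for compatibility would save the next reader from "fixing" it. Every moved key also drops the `ws-` prefix, so any code that still reads these constants with a plain `message.getContextualProperty(...)` stops seeing legacy `ws-security.sts.*` settings unless it goes through the SecurityUtils lookups this commit adds.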
@@ -201,7 +343,12 @@ public class SecurityConstants {
             SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO, ENCRYPT_CERT,
             ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
             AUDIENCE_RESTRICTION_VALIDATION, SAML_ROLE_ATTRIBUTENAME, 
-            ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT
+            ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL, SC_FROM_JAAS_SUBJECT,
+            STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
+            DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
+            STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
+            STS_CLIENT, STS_APPLIES_TO, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
+            STS_TOKEN_IMMINENT_EXPIRY_VALUE
         }));
         COMMON_PROPERTIES = Collections.unmodifiableSet(s);
     }
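Review bot: CACHE_ISSUED_TOKEN_IN_ENDPOINT is listed twice in the new initializer, on the `STS_TOKEN_USE_CERT_FOR_KEYINFO, …` line and again on the `STS_CLIENT, STS_APPLIES_TO, …` line; a Set absorbs the duplicate, but it was already doubled in the old ws-security set and appears to have been copied across verbatim, so drop the second occurrence. ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL in the surrounding context lines carries the same pre-existing duplication. STS_ISSUE_AFTER_FAILED_RENEW and STS_CLIENT_SOAP12_BINDING are defined in this file but not added to COMMON_PROPERTIES; the old set omitted them too, so if COMMON_PROPERTIES is what other code uses to enumerate or propagate security settings, it is worth confirming that the omission is deliberate and noting it in a comment beside the set.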

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
index a1cefcd..046b7c5 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
@@ -31,6 +31,7 @@ import javax.security.auth.callback.CallbackHandler;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.classloader.ClassLoaderUtils.ClassLoaderHolder;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.PropertyUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.resource.ResourceManager;
@@ -172,4 +173,20 @@ public final class SecurityUtils {
         }
         return message.getContextualProperty("ws-" + property);
     }
+    
+    /**
+     * Get the security property boolean for the given property. It also checks for the older
"ws-"* property
+     * values. If none is configured, then the defaultValue parameter is returned.
+     */
+    public static boolean getSecurityPropertyBoolean(String property, Message message, boolean
defaultValue) {
+        Object value = message.getContextualProperty(property);
+        if (value == null) {
+            value = message.getContextualProperty("ws-" + property);
+        }
+        
+        if (value != null) {
+            return PropertyUtils.isTrue(value);
+        }
+        return defaultValue;
+    }
 }
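Review bot: The Javadoc on getSecurityPropertyBoolean has no `@param`/`@return` tags; adding `@param property the key without the older "ws-" prefix, which is tried second`, `@param defaultValue returned when neither key is configured` and a `@return` line would make the lookup order explicit for callers. One behaviour worth stating in that doc: a value that is present but not recognised as true by PropertyUtils.isTrue yields false, not defaultValue, because the `value != null` branch returns unconditionally. The two-step contextual lookup duplicates the `"ws-" + property` fallback that closes the preceding method at the top of this hunk, so a private helper returning the first non-null of the two lookups could serve both methods.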

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 74eedeb..7d6fcdb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -316,148 +316,6 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
     public static final String POLICY_VALIDATOR_MAP = "ws-security.policy.validator.map";
     
     //
-    // STS Client Configuration tags
-    //
-    
-    /**
-     * A reference to the STSClient class used to communicate with the STS.
-     */
-    public static final String STS_CLIENT = "ws-security.sts.client";
-    
-    /**
-     * The "AppliesTo" address to send to the STS. The default is the endpoint address of
the 
-     * service provider.
-     */
-    public static final String STS_APPLIES_TO = "ws-security.sts.applies-to";
-    
-    /**
-     * Whether to write out an X509Certificate structure in UseKey/KeyInfo, or whether to
write
-     * out a KeyValue structure. The default value is "false".
-     */
-    public static final String STS_TOKEN_USE_CERT_FOR_KEYINFO = "ws-security.sts.token.usecert";
-    
-    /**
-     * Whether to cancel a token when using SecureConversation after successful invocation.
The
-     * default is "false".
-     */
-    public static final String STS_TOKEN_DO_CANCEL = "ws-security.sts.token.do.cancel";
-    
-    /**
-     * Whether to fall back to calling "issue" after failing to renew an expired token. Some
-     * STSs do not support the renew binding, and so we should just issue a new token after
expiry.
-     * The default is true.
-     */
-    public static final String STS_ISSUE_AFTER_FAILED_RENEW = "ws-security.issue.after.failed.renew";
-    
-    /**
-     * Set this to "false" to not cache a SecurityToken per proxy object in the 
-     * IssuedTokenInterceptorProvider. This should be done if a token is being retrieved
-     * from an STS in an intermediary. The default value is "true".
-     */
-    public static final String CACHE_ISSUED_TOKEN_IN_ENDPOINT = 
-        "ws-security.cache.issued.token.in.endpoint";
-    
-    /**
-     * Whether to avoid STS client trying send WS-MetadataExchange call using
-     * STS EPR WSA address when the endpoint contract contains no WS-MetadataExchange info.
-     * The default value is "false".
-     */
-    public static final String DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS =
-        "ws-security.sts.disable-wsmex-call-using-epr-address";
-    
-    /**
-     * Whether to prefer to use WS-MEX over a STSClient's location/wsdlLocation properties
-     * when making an STS RequestSecurityToken call. This can be set to true for the scenario
-     * of making a WS-MEX call to an initial STS, and using the returned token to make another
-     * call to an STS (which is configured using the STSClient configuration). Default is

-     * "false".
-     */
-    public static final String PREFER_WSMEX_OVER_STS_CLIENT_CONFIG = 
-        "ws-security.sts.prefer-wsmex";
-    
-    /**
-     * Switch STS client to send Soap 1.2 messages
-     */
-    public static final String STS_CLIENT_SOAP12_BINDING =
-        "ws-security.sts.client-soap12-binding";
-
-    /**
-     * 
-     * A Crypto object to be used for the STS. If this is not defined then the 
-     * {@link STS_TOKEN_PROPERTIES} is used instead.
-     * 
-     * WCF's trust server sometimes will encrypt the token in the response IN ADDITION TO
-     * the full security on the message. These properties control the way the STS client
-     * will decrypt the EncryptedData elements in the response.
-     * 
-     * These are also used by the STSClient to send/process any RSA/DSAKeyValue tokens 
-     * used if the KeyType is "PublicKey" 
-     */
-    public static final String STS_TOKEN_CRYPTO = "ws-security.sts.token.crypto";
-    
-    /**
-     * The Crypto property configuration to use for the STS, if {@link STS_TOKEN_CRYPTO}
is not
-     * set instead.
-     * The value of this tag must be either:
-     * a) A Java Properties object that contains the Crypto configuration.
-     * b) The path of the Crypto property file that contains the Crypto configuration.
-     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
-     */
-    public static final String STS_TOKEN_PROPERTIES = "ws-security.sts.token.properties";
-    
-    /**
-     * The alias name in the keystore to get the user's public key to send to the STS for
the
-     * PublicKey KeyType case.
-     */
-    public static final String STS_TOKEN_USERNAME = "ws-security.sts.token.username";
-    
-    /**
-     * The token to be sent to the STS in an "ActAs" field. It can be either:
-     * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>")
-     * b) A DOM Element
-     * c) A CallbackHandler object to use to obtain the token
-     * 
-     * In the case of a CallbackHandler, it must be able to handle a 
-     * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains
a 
-     * reference to the current Message. The CallbackHandler implementation is required to
set 
-     * the token Element to be sent in the request on the Callback.
-     * 
-     * Some examples that can be reused are:
-     * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
-     * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
-     */
-    public static final String STS_TOKEN_ACT_AS = "ws-security.sts.token.act-as";
-    
-    /**
-     * The token to be sent to the STS in an "OnBehalfOf" field. It can be either:
-     * a) A String (which must be an XML statement like "<wst:OnBehalfOf xmlns:wst=...>...</wst:OnBehalfOf>")
-     * b) A DOM Element
-     * c) A CallbackHandler object to use to obtain the token
-     * 
-     * In the case of a CallbackHandler, it must be able to handle a 
-     * org.apache.cxf.ws.security.trust.delegation.DelegationCallback Object, which contains
a 
-     * reference to the current Message. The CallbackHandler implementation is required to
set 
-     * the token Element to be sent in the request on the Callback.
-     * 
-     * Some examples that can be reused are:
-     * org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler
-     * org.apache.cxf.ws.security.trust.delegation.WSSUsernameCallbackHandler
-     */
-    public static final String STS_TOKEN_ON_BEHALF_OF = "ws-security.sts.token.on-behalf-of";
-
-    /**
-     * This is the value in seconds within which a token is considered to be expired by the
-     * client. When a cached token (from a STS) is retrieved by the client, it is considered
-     * to be expired if it will expire in a time less than the value specified by this tag.
-     * This prevents token expiry when the message is en route / being processed by the
-     * service. When the token is found to be expired then it will be renewed via the STS.
-     * 
-     * The default value is 10 (seconds). Specify 0 to avoid this check.
-     */
-    public static final String STS_TOKEN_IMMINENT_EXPIRY_VALUE =
-        "ws-security.sts.token.imminent-expiry-value";
-    
-    //
     // Kerberos Configuration tags
     //
     
@@ -517,18 +375,13 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
             NONCE_CACHE_INSTANCE, TIMESTAMP_CACHE_INSTANCE, CACHE_CONFIG_FILE, 
             TOKEN_STORE_CACHE_INSTANCE, USERNAME_TOKEN_VALIDATOR, SAML1_TOKEN_VALIDATOR,

             SAML2_TOKEN_VALIDATOR, TIMESTAMP_TOKEN_VALIDATOR, SIGNATURE_TOKEN_VALIDATOR,

-            BST_TOKEN_VALIDATOR, SCT_TOKEN_VALIDATOR, STS_CLIENT, STS_APPLIES_TO, 
-            STS_TOKEN_USE_CERT_FOR_KEYINFO, STS_TOKEN_DO_CANCEL, CACHE_ISSUED_TOKEN_IN_ENDPOINT,
-            DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, STS_TOKEN_CRYPTO,
-            STS_TOKEN_PROPERTIES, STS_TOKEN_USERNAME, STS_TOKEN_ACT_AS, STS_TOKEN_ON_BEHALF_OF,
-            TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER, SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND,
-            ASYMMETRIC_SIGNATURE_ALGORITHM, PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE,
+            BST_TOKEN_VALIDATOR, SCT_TOKEN_VALIDATOR, TOKEN, TOKEN_ID, SUBJECT_ROLE_CLASSIFIER,

+            SUBJECT_ROLE_CLASSIFIER_TYPE, MUST_UNDERSTAND, ASYMMETRIC_SIGNATURE_ALGORITHM,

+            PASSWORD_ENCRYPTOR_INSTANCE, ENABLE_SAML_ONE_TIME_USE_CACHE,
             SAML_ONE_TIME_USE_CACHE_INSTANCE, ENABLE_STREAMING_SECURITY, RETURN_SECURITY_ERROR,
-            CACHE_IDENTIFIER, CACHE_ISSUED_TOKEN_IN_ENDPOINT, PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
-            DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
-            KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, STS_TOKEN_IMMINENT_EXPIRY_VALUE,
-            KERBEROS_REQUEST_CREDENTIAL_DELEGATION, POLICY_VALIDATOR_MAP,
-            STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM
+            CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
+            KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,

+            POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM
         }));
         for (String commonProperty : COMMON_PROPERTIES) {
             s.add(commonProperty);
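Review bot: With the subclass constants removed in the deletion hunk above, `SecurityConstants.STS_CLIENT` and the other STS names referenced from the ws-security package now resolve to the parent's `security.sts.*` strings, so call sites compile unchanged while the key they read changes silently. Readers that use `message.getContextualProperty(...)` directly instead of the new SecurityUtils lookups lose the `ws-security.sts.*` fallback; this commit updates STSTokenRetriever, STSUtils and AbstractSTSClient, but any other consumer of these constants outside the diff should be checked before the move is considered compatible. The Kerberos and remaining tags in this class keep the `ws-security.` prefix, so two naming schemes now coexist in one constants class; a class-level Javadoc sentence stating which prefix applies to which group, and that the unprefixed form is looked up first, would help anyone writing configuration.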

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 4cc4a13..a5310a0 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -1554,9 +1554,6 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 
     protected CallbackHandler createHandler() {
         Object o = getProperty(SecurityConstants.CALLBACK_HANDLER);
-        if (o == null) {
-            o = getProperty("ws-" + SecurityConstants.CALLBACK_HANDLER);
-        }
         try {
             return SecurityUtils.getCallbackHandler(o);
         } catch (Exception e) {
@@ -1565,19 +1562,36 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
     }
 
     protected Object getProperty(String s) {
-        Object o = ctx.get(s);
+        String key = s;
+        
+        Object o = ctx.get(key);
+        if (o == null) {
+            o = client.getEndpoint().getEndpointInfo().getProperty(key);
+        }
+        if (o == null) {
+            o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key);
+        }
         if (o == null) {
-            o = client.getEndpoint().getEndpointInfo().getProperty(s);
+            o = client.getEndpoint().getService().get(key);
         }
+        
+        key = "ws-" + s;
         if (o == null) {
-            o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(s);
+            o = ctx.get(key);
         }
         if (o == null) {
-            o = client.getEndpoint().getService().get(s);
+            o = client.getEndpoint().getEndpointInfo().getProperty(key);
         }
+        if (o == null) {
+            o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key);
+        }
+        if (o == null) {
+            o = client.getEndpoint().getService().get(key);
+        }
+        
         return o;
     }
-
+    
     protected Crypto createCrypto(boolean decrypt) throws IOException, WSSecurityException
{
         Crypto crypto = (Crypto)getProperty(SecurityConstants.STS_TOKEN_CRYPTO + (decrypt
? ".decrypt" : ""));
         if (crypto != null) {
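Review bot: getProperty now spells out the same four-source lookup twice, once for `s` and once for `"ws-" + s`; extracting the chain into a private helper removes the duplication and makes the precedence readable at a glance. The ordering is also a behaviour change relative to the removed lines: the unprefixed key is now tried in the request context, endpoint, binding and service before the `ws-` key is consulted anywhere, so a `ws-` value set in the request context is overridden by an unprefixed value configured on the service; if that is intended it deserves a comment, since the previous code checked only one key per source. The blank line before createCrypto was replaced with a whitespace-only line, which most checkstyle setups flag as trailing whitespace. createCrypto continues past the end of the hunk.
```java
    protected Object getProperty(String s) {
        // The current "security.*" key wins in every source; the older
        // "ws-" prefixed key is only consulted when no source defines it.
        Object o = lookupProperty(s);
        if (o == null) {
            o = lookupProperty("ws-" + s);
        }
        return o;
    }

    /** Resolves key from the request context, endpoint info, binding and service, in that order. */
    private Object lookupProperty(String key) {
        Object o = ctx.get(key);
        if (o == null) {
            o = client.getEndpoint().getEndpointInfo().getProperty(key);
        }
        if (o == null) {
            o = client.getEndpoint().getEndpointInfo().getBinding().getProperty(key);
        }
        if (o == null) {
            o = client.getEndpoint().getService().get(key);
        }
        return o;
    }
```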

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
index c9e5dc0..1e60888 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenRetriever.java
@@ -29,7 +29,7 @@ import org.w3c.dom.Element;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
@@ -61,9 +61,8 @@ public final class STSTokenRetriever {
         }
 
         boolean cacheIssuedToken =
-            MessageUtils.getContextualBoolean(
+            SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
                                               message,
-                                              SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
                                               true)
                 && !isOneTimeUse(tok);
         if (cacheIssuedToken) {
@@ -86,9 +85,8 @@ public final class STSTokenRetriever {
 
     private static SecurityToken retrieveCachedToken(Message message) {
         boolean cacheIssuedToken =
-            MessageUtils.getContextualBoolean(
+            SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
                                               message,
-                                              SecurityConstants.CACHE_ISSUED_TOKEN_IN_ENDPOINT,
                                               true);
         SecurityToken tok = null;
         if (cacheIssuedToken) {
@@ -124,19 +122,19 @@ public final class STSTokenRetriever {
             try {
                 // Transpose ActAs/OnBehalfOf info from original request to the STS client.
                 Object token =
-                    message.getContextualProperty(SecurityConstants.STS_TOKEN_ACT_AS);
+                    SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ACT_AS,
message);
                 if (token != null) {
                     client.setActAs(token);
                 }
                 token =
-                    message.getContextualProperty(SecurityConstants.STS_TOKEN_ON_BEHALF_OF);
+                    SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_ON_BEHALF_OF,
message);
                 if (token != null) {
                     client.setOnBehalfOf(token);
                 }
                 Map<String, Object> ctx = client.getRequestContext();
                 mapSecurityProps(message, ctx);
 
-                Object o = message.getContextualProperty(SecurityConstants.STS_APPLIES_TO);
+                Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_APPLIES_TO,
message);
                 String appliesTo = o == null ? null : o.toString();
                 appliesTo = appliesTo == null
                     ? message.getContextualProperty(Message.ENDPOINT_ADDRESS).toString()
@@ -177,8 +175,8 @@ public final class STSTokenRetriever {
                                      SecurityToken tok,
                                      TokenRequestParams params) {
         String imminentExpiryValue =
-            (String)message
-                .getContextualProperty(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE);
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE,

+                                                           message);
         long imminentExpiry = 10L;
         if (imminentExpiryValue != null) {
             imminentExpiry = Long.parseLong(imminentExpiryValue);
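Review bot: The new lookup keeps the unchecked `(String)` cast on the Object returned by getSecurityPropertyValue, so a value configured as a Long or Integer, now also reachable through the legacy `ws-` key, fails with a ClassCastException instead of being parsed. Replacing the cast with `Object expiryValue = SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_TOKEN_IMMINENT_EXPIRY_VALUE, message);` followed by `String imminentExpiryValue = expiryValue == null ? null : expiryValue.toString();` accepts both forms and leaves the parsing lines below untouched. Long.parseLong on a malformed string still propagates a NumberFormatException out of the method; if that is the intended fail-fast for a bad setting, a short comment saying so would stop it being read as an oversight. The method's signature begins above the hunk.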
@@ -229,10 +227,8 @@ public final class STSTokenRetriever {
             } catch (RuntimeException ex) {
                 LOG.log(Level.WARNING, "Error renewing a token", ex);
                 boolean issueAfterFailedRenew =
-                    MessageUtils
-                        .getContextualBoolean(
-                                              message,
-                                              SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW,
true);
+                    SecurityUtils.getSecurityPropertyBoolean(
+                                              SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW,
message, true);
                 if (issueAfterFailedRenew) {
                     // Perhaps the STS does not support renewing, so try to issue a new token
                     return issueToken(message, params);
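Review bot: The issueAfterFailedRenew lookup added here is identical to the one in the following hunk's `catch (Exception ex)` block, and the two catch blocks log the same message and take the same branch, so the replacement is now duplicated line for line. Computing `boolean issueAfterFailedRenew = SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW, message, true);` once before the try, or folding the RuntimeException catch into the Exception one, would leave a single copy to maintain. The enclosing try begins above the hunk, so whether anything in it distinguishes the two catches is not visible here.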
@@ -242,10 +238,8 @@ public final class STSTokenRetriever {
             } catch (Exception ex) {
                 LOG.log(Level.WARNING, "Error renewing a token", ex);
                 boolean issueAfterFailedRenew =
-                    MessageUtils
-                        .getContextualBoolean(
-                                              message,
-                                              SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW,
true);
+                    SecurityUtils.getSecurityPropertyBoolean(
+                                              SecurityConstants.STS_ISSUE_AFTER_FAILED_RENEW,
message, true);
                 if (issueAfterFailedRenew) {
                     // Perhaps the STS does not support renewing, so try to issue a new token
                     return issueToken(message, params);

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
index 0411140..55d56f4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
@@ -35,7 +35,7 @@ import org.apache.cxf.endpoint.EndpointException;
 import org.apache.cxf.endpoint.EndpointImpl;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.service.Service;
 import org.apache.cxf.service.ServiceImpl;
 import org.apache.cxf.service.model.BindingInfo;
@@ -103,8 +103,8 @@ public final class STSUtils {
     public static STSClient getClientWithIssuer(Message message, String type, Element issuer)
{
         
         // Retrieve or create the STSClient
-        STSClient client = (STSClient)message
-            .getContextualProperty(SecurityConstants.STS_CLIENT);
+        STSClient client = 
+            (STSClient)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_CLIENT,
message);
         if (client == null) {
             client = createSTSClient(message, type);
             Bus bus = message.getExchange().getBus();
@@ -130,13 +130,15 @@ public final class STSUtils {
             
             String mexLocation = findMEXLocation(epr);
             // Configure via WS-MEX
+            
             if (mexLocation != null
-                && MessageUtils.getContextualBoolean(message, 
-                                                     SecurityConstants.PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
+                && SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.PREFER_WSMEX_OVER_STS_CLIENT_CONFIG,
+                                                     message, 
                                                      false)) {
                 // WS-MEX call. So now either get the WS-MEX specific STSClient or else create
one
-                STSClient wsMexClient = (STSClient)message
-                    .getContextualProperty(SecurityConstants.STS_CLIENT + ".wsmex");
+                STSClient wsMexClient = 
+                    (STSClient)SecurityUtils.getSecurityPropertyValue(SecurityConstants.STS_CLIENT
+ ".wsmex", 
+                                                                      message);
                 if (wsMexClient == null) {
                     wsMexClient = createSTSClient(message, type);
                 }
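Review bot: The first added line of this hunk (`+            `) is a whitespace-only line, and the new `STSClient wsMexClient = ` and `message, ` continuation lines end in trailing spaces; none of this is needed for the change and trailing whitespace is what a project style check, if one runs on this module, tends to flag. Drop the blank line and strip the trailing spaces, and do the same for `STSClient client = ` in the hunk at line 644, which has the same pattern. The enclosing method starts before and ends after this hunk.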
@@ -145,8 +147,8 @@ public final class STSUtils {
             } else if (configureViaEPR(client, epr)) {
                 // Only use WS-MEX here if the pre-configured STSClient has no location/wsdllocation
                 boolean useEPRWSAAddrAsMEXLocation = 
-                    !Boolean.valueOf((String)message.getContextualProperty(
-                        SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS));
+                    !Boolean.valueOf((String)SecurityUtils.getSecurityPropertyValue(
+                        SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS,
message));
                 
                 client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
                 return client;
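Review bot: The rewritten DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS lookup still casts the property to String and feeds it to Boolean.valueOf, so a value configured as a Boolean object rather than a string would throw ClassCastException, and the boolean parsing is done differently from the other hunks in this file (lines 657 and 691), which go through the boolean helper. Replace the three new lines with `!SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS, message, false);` — the three-argument form used elsewhere in this commit, presumably accepting both String and Boolean values; confirm that before switching. A default of `false` keeps the old behaviour, where an absent property gave Boolean.valueOf(null), i.e. false. The enclosing method continues outside the hunk.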
@@ -170,7 +172,9 @@ public final class STSUtils {
         Endpoint ep = message.getExchange().getEndpoint();
         client.setEndpointName(ep.getEndpointInfo().getName().toString() + type);
         client.setBeanName(ep.getEndpointInfo().getName().toString() + type);
-        if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING,
false)) {
+        if (SecurityUtils.getSecurityPropertyBoolean(SecurityConstants.STS_CLIENT_SOAP12_BINDING,

+                                                     message, 
+                                                     false)) {
             client.setSoap12();
         }
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java
index 9c885b9..540d010 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java
@@ -205,6 +205,9 @@ public class AsymmetricBindingTest extends AbstractBusClientServerTestBase
{
         BindingProvider bindingProvider = (BindingProvider)asymmetricSaml1EncryptedPort;
         STSClient stsClient = 
             (STSClient)bindingProvider.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)bindingProvider.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         Crypto crypto = CryptoFactory.getInstance("clientKeystore.properties");
         CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
         cryptoType.setAlias("myclientkey");
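Review bot: The two-step lookup `get(SecurityConstants.STS_CLIENT)` followed by the `"ws-" + SecurityConstants.STS_CLIENT` fallback is copy-pasted into nine hunks across six test classes (this one, TokenTestUtils at lines 731/741/751, IntermediaryCachingPortTypeImpl, IntermediaryPortTypeImpl, and both Username*CachingTest classes), each hard-coding the "ws-" prefix as a string literal. A single static helper in TokenTestUtils, taking the context map and an optional key suffix so the `".sct"` variant at line 754 is covered too, would keep the key convention in one place; if the common SecurityConstants class exposes that prefix as a constant, the helper should reference it instead of the literal. The enclosing test method starts outside the hunk.
```java
// new helper in TokenTestUtils; call sites become
// TokenTestUtils.getSTSClient(context, "") or getSTSClient(context, ".sct")
public static STSClient getSTSClient(Map<String, Object> context, String suffix) {
    STSClient client = (STSClient)context.get(SecurityConstants.STS_CLIENT + suffix);
    if (client == null) {
        client = (STSClient)context.get("ws-" + SecurityConstants.STS_CLIENT + suffix);
    }
    return client;
}
```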

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
index cffc087..85e59c1 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/TokenTestUtils.java
@@ -52,6 +52,9 @@ public final class TokenTestUtils {
         org.apache.cxf.ws.security.tokenstore.SecurityToken tok = store.getToken(id);
         assertNotNull(tok);
         STSClient sts = (STSClient)ep.get(SecurityConstants.STS_CLIENT);
+        if (sts == null) {
+            sts  = (STSClient)ep.get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         
         List<SecurityToken> validTokens = sts.validateSecurityToken(tok);
         assertTrue(validTokens != null && !validTokens.isEmpty());
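Review bot: After the new fallback lookup, `sts` is dereferenced on the next line (`sts.validateSecurityToken(tok)`) with no null check, so a missing client surfaces as a NullPointerException rather than a readable assertion failure; the same shape appears in UsernameActAsCachingTest and UsernameOnBehalfOfCachingTest, where `stsClient.setEnableAppliesTo(false)` and `stsClient.getClient().destroy()` follow the fallback directly. Add `assertNotNull(sts);` after the fallback block here (and the equivalent `assertNotNull(stsClient);` in those four hunks), matching the `assertNotNull(tok)` already used two lines above. The enclosing method starts before the hunk.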
@@ -75,6 +78,9 @@ public final class TokenTestUtils {
     
     public static void updateSTSPort(BindingProvider p, String port) {
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         if (stsClient != null) {
             String location = stsClient.getWsdlLocation();
             if (location != null && location.contains("8080")) {
@@ -84,6 +90,9 @@ public final class TokenTestUtils {
             }
         }
         stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT + ".sct");
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT
+ ".sct");
+        }
         if (stsClient != null) {
             String location = stsClient.getWsdlLocation();
             if (location.contains("8080")) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
index a0e36ef..add6aeb 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryCachingPortTypeImpl.java
@@ -69,6 +69,9 @@ public class IntermediaryCachingPortTypeImpl extends AbstractBusClientServerTest
             if ("standalone".equals(System.getProperty("sts.deployment"))) {
                 Map<String, Object> context = ((BindingProvider)transportPort).getRequestContext();
                 STSClient stsClient = (STSClient)context.get(SecurityConstants.STS_CLIENT);
+                if (stsClient == null) {
+                    stsClient = (STSClient)context.get("ws-" + SecurityConstants.STS_CLIENT);
+                }
                 if (stsClient != null) {
                     String location = stsClient.getWsdlLocation();
                     if (location.contains("8080")) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
index 1c17594..32b4799 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/intermediary_transformation/IntermediaryPortTypeImpl.java
@@ -68,6 +68,9 @@ public class IntermediaryPortTypeImpl extends AbstractBusClientServerTestBase
im
         if ("standalone".equals(System.getProperty("sts.deployment"))) {
             Map<String, Object> context = ((BindingProvider)transportPort).getRequestContext();
             STSClient stsClient = (STSClient)context.get(SecurityConstants.STS_CLIENT);
+            if (stsClient == null) {
+                stsClient = (STSClient)context.get("ws-" + SecurityConstants.STS_CLIENT);
+            }
             if (stsClient != null) {
                 String location = stsClient.getWsdlLocation();
                 if (location.contains("8080")) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
index 94260c7..c66eea4 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_actas/UsernameActAsCachingTest.java
@@ -381,6 +381,9 @@ public class UsernameActAsCachingTest extends AbstractBusClientServerTestBase
{
         // Disable appliesTo
         BindingProvider p = (BindingProvider)port;
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         stsClient.setEnableAppliesTo(false);
         doubleIt(port, 25);
         
@@ -407,6 +410,9 @@ public class UsernameActAsCachingTest extends AbstractBusClientServerTestBase
{
     
     private void clearSTSClient(BindingProvider p) throws BusException, EndpointException
{
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         stsClient.getClient().destroy();
         stsClient.setWsdlLocation(null);
         stsClient.setLocation(null);

http://git-wip-us.apache.org/repos/asf/cxf/blob/91c7b090/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
index 644f348..555c5a2 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/username_onbehalfof/UsernameOnBehalfOfCachingTest.java
@@ -381,6 +381,9 @@ public class UsernameOnBehalfOfCachingTest extends AbstractBusClientServerTestBa
         // Disable appliesTo
         BindingProvider p = (BindingProvider)port;
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         stsClient.setEnableAppliesTo(false);
         doubleIt(port, 25);
         
@@ -407,6 +410,9 @@ public class UsernameOnBehalfOfCachingTest extends AbstractBusClientServerTestBa
     
     private void clearSTSClient(BindingProvider p) throws BusException, EndpointException
{
         STSClient stsClient = (STSClient)p.getRequestContext().get(SecurityConstants.STS_CLIENT);
+        if (stsClient == null) {
+            stsClient = (STSClient)p.getRequestContext().get("ws-" + SecurityConstants.STS_CLIENT);
+        }
         stsClient.getClient().destroy();
         stsClient.setWsdlLocation(null);
         stsClient.setLocation(null);

