From cohei...@apache.org
Subject [4/4] cxf git commit: CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted
Date Fri, 14 Oct 2016 17:23:47 GMT
CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy and SAML not encrypted being accepted

# Conflicts:
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d473c6c9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d473c6c9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d473c6c9

Branch: refs/heads/3.0.x-fixes
Commit: d473c6c97cb5ae6cba347048397e24d43edb30d4
Parents: e802824
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Oct 14 17:22:27 2016 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Oct 14 18:23:39 2016 +0100

----------------------------------------------------------------------
 .../AbstractSupportingTokenPolicyValidator.java | 15 ++++-
 .../EncryptedTokenPolicyValidator.java          | 10 +++
 .../EndorsingEncryptedTokenPolicyValidator.java | 20 ++++++
 .../SignedEncryptedTokenPolicyValidator.java    | 20 ++++++
 ...dEndorsingEncryptedTokenPolicyValidator.java | 20 ++++++
 services/sts/systests/pom.xml                   |  2 +-
 .../systest/ws/tokens/SupportingTokenTest.java  | 62 ++++++++++++++++++
 .../apache/cxf/systest/ws/tokens/TLSServer.java | 47 ++++++++++++++
 .../cxf/systest/ws/tokens/DoubleItTokens.wsdl   |  6 ++
 .../apache/cxf/systest/ws/tokens/tls-client.xml | 66 +++++++++++++++++++
 .../apache/cxf/systest/ws/tokens/tls-server.xml | 67 ++++++++++++++++++++
 11 files changed, 332 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index a6419dd..3dfbead 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -93,7 +93,12 @@ public abstract class AbstractSupportingTokenPolicyValidator
     private EncryptedElements encryptedElements;
     private SignedParts signedParts;
     private EncryptedParts encryptedParts;
-
+    private boolean enforceEncryptedTokens = true;
+    
+    protected abstract boolean isSigned();
+    protected abstract boolean isEncrypted();
+    protected abstract boolean isEndorsing();
+    
     /**
      * Set the list of UsernameToken results
      */
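Review bot: The three new abstract methods `isSigned()`, `isEncrypted()` and `isEndorsing()` are added to the base class, but none of the subclass hunks in this commit implements them; the subclasses visibly call `setEncrypted(true)` in their constructors, which suggests that state already lives in setters on this branch. If the concrete validators do not already define these methods the abstract class no longer compiles, so either drop them from the backport or add the implementations. The new `enforceEncryptedTokens` field also deserves a comment, since its default is the security-relevant part: `// true: tokens must be encrypted at the message level even when TLS is in use; subclasses clear it only when a TransportBinding assertion covers the tokens`.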
@@ -508,7 +513,7 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * Return true if a list of tokens were encrypted, false otherwise.
      */
     private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens) {
-        if (!isTLSInUse()) {
+        if (enforceEncryptedTokens) {
             for (WSSecurityEngineResult wser : tokens) {
                 Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
                 if (tokenElement == null || !isTokenEncrypted(tokenElement)) {
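Review bot: Replacing `!isTLSInUse()` with the `enforceEncryptedTokens` flag makes the plaintext case depend on the subclasses having set the flag, and the subclass hunks only write it when TLS is in use, so on a non-TLS request the flag holds whatever was last assigned. That is harmless if each validator instance handles exactly one message (the per-message result setters such as `setUsernameTokenResults` suggest it does), but it is fragile, and a stale `false` would skip the encryption check on a plaintext request. Keeping the original condition as a floor removes the dependency: `if (enforceEncryptedTokens || !isTLSInUse()) {`. The rest of `areTokensEncrypted` continues past the hunk.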
@@ -922,5 +927,11 @@ public abstract class AbstractSupportingTokenPolicyValidator
             }    
         }
     }
+    public boolean isEnforceEncryptedTokens() {
+        return enforceEncryptedTokens;
+    }
+    public void setEnforceEncryptedTokens(boolean enforceEncryptedTokens) {
+        this.enforceEncryptedTokens = enforceEncryptedTokens;
+    }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index 2ebb47c..1452bee 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -26,6 +26,8 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
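Review bot: `SP12Constants` is imported here but the new code in this file only references `SPConstants.TRANSPORT_BINDING`, so unless it is used elsewhere in the file this is an unused import that Checkstyle will reject. The new `org.apache.cxf...PolicyUtils` import is also placed after the `org.apache.wss4j.dom` import, breaking the file's grouping of cxf imports before wss4j ones. Drop `import org.apache.wss4j.policy.SP12Constants;` and move the `PolicyUtils` line up beside `org.apache.cxf.ws.policy.AssertionInfoMap`.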
@@ -68,6 +70,14 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
     }
     
     private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+        // Tokens must be encrypted even if TLS is used unless we have a TransportBinding
policy available
+        if (isTLSInUse(parameters.getMessage())) {
+            AssertionInfo transportAi = 
+                PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),

+                                                         SPConstants.TRANSPORT_BINDING);
+            super.setEnforceEncryptedTokens(transportAi == null);
+        }
+        
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
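Review bot: `parameters` is not defined in this method: the 3.0.x signature is `parsePolicies(Collection<AssertionInfo> ais, Message message)`, and the base class's `isTLSInUse()` on this branch takes no argument (see the `!isTLSInUse()` line it replaces), so `parameters.getMessage()` and `parameters.getAssertionInfoMap()` will not compile. The check needs the `AssertionInfoMap`, which this overload does not receive, so it has to be passed in from `validatePolicy` (outside the hunk). I cannot see whether `PolicyUtils.getFirstAssertionByLocalname` exists on 3.0.x; if it does not, look up `SP12Constants.TRANSPORT_BINDING`/`SP11Constants.TRANSPORT_BINDING` in the map directly. Note the flag is assigned unconditionally below so it never inherits a stale value.
```java
private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
    // Tokens must be encrypted even if TLS is used, unless a TransportBinding
    // assertion is present (TLS is then the binding that protects them)
    boolean coveredByTransportBinding = isTLSInUse()
        && PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null;
    super.setEnforceEncryptedTokens(!coveredByTransportBinding);
    // … unchanged: per-assertion loop …
```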

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index cb490ba..a131429 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -24,8 +24,13 @@ import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
+<<<<<<< HEAD
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+=======
+import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.policy.SP12Constants;
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
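Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 011725e...`) are committed into the import block, so this file cannot compile on 3.0.x-fixes. Both sides are needed here: the HEAD imports are used by the existing `validatePolicy`/`parsePolicies`, and `PolicyUtils` by the new check, while `SP12Constants` is not referenced by the new code. The resolved block should read `import org.apache.cxf.ws.policy.AssertionInfoMap;`, `import org.apache.cxf.ws.security.policy.PolicyUtils;`, `import org.apache.wss4j.dom.WSSecurityEngineResult;` with the markers removed.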
@@ -49,6 +54,7 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
         setEncrypted(true);
     }
     
+<<<<<<< HEAD
     public boolean validatePolicy(
         AssertionInfoMap aim, 
         Message message,
@@ -71,6 +77,20 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
     }
     
     private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
+=======
+    /**
+     * Validate policies.
+     */
+    public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo>
ais) {
+        // Tokens must be encrypted even if TLS is used unless we have a TransportBinding
policy available
+        if (isTLSInUse(parameters.getMessage())) {
+            AssertionInfo transportAi = 
+                PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),

+                                                         SPConstants.TRANSPORT_BINDING);
+            super.setEnforceEncryptedTokens(transportAi == null);
+        }
+        
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
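Review bot: This hunk commits an unresolved conflict: the `<<<<<<< HEAD` marker lands in the previous hunk just after the constructor, and the incoming side adds a `validatePolicies(PolicyValidatorParameters, ...)` method that has no counterpart (and no import) on this branch, while the HEAD side's `parsePolicies(aim, ais, message)` is left without the TransportBinding check. The fix belongs at the top of the existing `parsePolicies`, using the `aim` it already receives and the no-argument `isTLSInUse()` of the 3.0.x base class; the `validatePolicies` method and all markers should go. Assign the flag unconditionally so a non-TLS request never inherits a stale value; whether `PolicyUtils` exists on 3.0.x I cannot confirm from here. The remainder of `parsePolicies` continues past the hunk.
```java
private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
                           Message message) {
    // Tokens must be encrypted even if TLS is used, unless a TransportBinding
    // assertion is present (TLS is then the binding that protects them)
    boolean coveredByTransportBinding = isTLSInUse()
        && PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null;
    super.setEnforceEncryptedTokens(!coveredByTransportBinding);
    // … unchanged: per-assertion loop …
```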

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index c40bae3..32d6b37 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -24,8 +24,13 @@ import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
+<<<<<<< HEAD
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+=======
+import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.policy.SP12Constants;
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -48,6 +53,7 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
         setEncrypted(true);
     }
     
+<<<<<<< HEAD
     public boolean validatePolicy(
         AssertionInfoMap aim, 
         Message message,
@@ -70,6 +76,20 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
     }
     
     private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+=======
+    /**
+     * Validate policies. 
+     */
+    public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo>
ais) {
+        // Tokens must be encrypted even if TLS is used unless we have a TransportBinding
policy available
+        if (isTLSInUse(parameters.getMessage())) {
+            AssertionInfo transportAi = 
+                PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),

+                                                         SPConstants.TRANSPORT_BINDING);
+            super.setEnforceEncryptedTokens(transportAi == null);
+        }
+        
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
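Review bot: Unresolved conflict markers are committed here too, and the incoming `validatePolicies(PolicyValidatorParameters, ...)` method references a type and a `parameters` variable that do not exist on this branch, so the file will not compile. On the HEAD side `parsePolicies(Collection<AssertionInfo> ais, Message message)` does not receive the `AssertionInfoMap`, so to apply the TransportBinding check it must be extended to take `aim` from `validatePolicy` (whose body is outside the hunk). Remove the markers and the 3.1-style method, and put the check at the top of the existing `parsePolicies` using the no-argument `isTLSInUse()`.
```java
private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
    // Tokens must be encrypted even if TLS is used, unless a TransportBinding
    // assertion is present (TLS is then the binding that protects them)
    boolean coveredByTransportBinding = isTLSInUse()
        && PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null;
    super.setEnforceEncryptedTokens(!coveredByTransportBinding);
    // … unchanged: per-assertion loop …
```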

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index da0640b..3242dbf 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -24,8 +24,13 @@ import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
+<<<<<<< HEAD
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+=======
+import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.policy.SP12Constants;
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
@@ -50,6 +55,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
         setEncrypted(true);
     }
     
+<<<<<<< HEAD
     public boolean validatePolicy(
         AssertionInfoMap aim, 
         Message message,
@@ -72,6 +78,20 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
     }
     
     private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais,
Message message) {
+=======
+    /**
+     * Validate policies.
+     */
+    public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo>
ais) {
+        // Tokens must be encrypted even if TLS is used unless we have a TransportBinding
policy available
+        if (isTLSInUse(parameters.getMessage())) {
+            AssertionInfo transportAi = 
+                PolicyUtils.getFirstAssertionByLocalname(parameters.getAssertionInfoMap(),

+                                                         SPConstants.TRANSPORT_BINDING);
+            super.setEnforceEncryptedTokens(transportAi == null);
+        }
+        
+>>>>>>> 011725e... CXF-7088 - SignedEncryptedSupportingTokens in WS-Policy
and SAML not encrypted being accepted
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
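Review bot: Same unresolved conflict as in the sibling validators: `<<<<<<< HEAD` (in the preceding hunk), `=======` and `>>>>>>>` are committed, and the incoming `validatePolicies(PolicyValidatorParameters, ...)` uses an API absent from 3.0.x, so this file does not compile. The HEAD `parsePolicies(aim, ais, message)` already has the `AssertionInfoMap`, so the check should be inserted at its start with the no-argument `isTLSInUse()`: `boolean coveredByTransportBinding = isTLSInUse() && PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING) != null;` followed by `super.setEnforceEncryptedTokens(!coveredByTransportBinding);`. Assigning unconditionally avoids a stale `false` on a later plaintext request. The method body continues beyond the hunk.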

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/services/sts/systests/pom.xml
----------------------------------------------------------------------
diff --git a/services/sts/systests/pom.xml b/services/sts/systests/pom.xml
index cfc9275..b2c8d1c 100644
--- a/services/sts/systests/pom.xml
+++ b/services/sts/systests/pom.xml
@@ -34,6 +34,6 @@
         <module>advanced</module>
         <module>sts-osgi</module>
         <module>sts-features</module>
-        <module>sts-itests</module>
+<!--        <module>sts-itests</module>-->
     </modules>
 </project>
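Review bot: Commenting out the `sts-itests` module silently removes an entire integration-test module from the build, and nothing in the commit message explains why; it reads like a local workaround that slipped into a security fix. Disabled security tests are exactly what a later regression hides behind, so either revert this line or leave a reason and tracking reference next to it: `<!-- sts-itests disabled: <reason>, see <JIRA id> -->`.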

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
index 791a5f2..b2ceb48 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/SupportingTokenTest.java
@@ -43,6 +43,7 @@ import org.junit.runners.Parameterized.Parameters;
 @RunWith(value = org.junit.runners.Parameterized.class)
 public class SupportingTokenTest extends AbstractBusClientServerTestBase {
     static final String PORT = allocatePort(Server.class);
+    static final String TLS_PORT = allocatePort(TLSServer.class);
     static final String STAX_PORT = allocatePort(StaxServer.class);
     
     private static final String NAMESPACE = "http://www.example.org/contract/DoubleIt";
@@ -66,6 +67,12 @@ public class SupportingTokenTest extends AbstractBusClientServerTestBase
{
                    "Server failed to launch",
                    // run the server in the same process
                    // set this to false to fork
+                   launchServer(TLSServer.class, true)
+               );
+        assertTrue(
+                   "Server failed to launch",
+                   // run the server in the same process
+                   // set this to false to fork
                    launchServer(StaxServer.class, true)
         );
     }
@@ -215,6 +222,61 @@ public class SupportingTokenTest extends AbstractBusClientServerTestBase
{
     }
     
     @org.junit.Test
+    public void testEncryptedSupportingOverTLS() throws Exception {
+
+        if (STAX_PORT.equals(test.getPort())) {
+            return;
+        }
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SupportingTokenTest.class.getResource("tls-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SupportingTokenTest.class.getResource("DoubleItTokens.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+       
+        // Successful invocation
+        QName portQName = new QName(NAMESPACE, "DoubleItEncryptedSupportingPort4");
+        DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+        
+        if (PORT.equals(test.getPort())) {
+            updateAddressPort(port, TLS_PORT);
+        }
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+        
+        port.doubleIt(25);
+        
+        // This should fail, as the client is not encrypting the UsernameToken
+        portQName = new QName(NAMESPACE, "DoubleItEncryptedSupportingPort5");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        
+        if (PORT.equals(test.getPort())) {
+            updateAddressPort(port, TLS_PORT);
+        }
+        
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+        
+        try {
+            port.doubleIt(25);
+            fail("Failure expected on not encrypting the UsernameToken");
+        } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+            String error = "The received token does not match the encrypted supporting token
requirement";
+            assertTrue(ex.getMessage().contains(error)
+                       || ex.getMessage().contains("UsernameToken not satisfied"));
+        }
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+    
+    @org.junit.Test
     public void testSignedEncryptedSupporting() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
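Review bot: The early `return` for `STAX_PORT` means the server-side StAX validation path is never exercised over TLS, so if the streaming policy validator has (or lacks) an equivalent TransportBinding check this test will not catch it; a comment stating why it is skipped would help, e.g. `// TODO: StAX server not covered here - verify the streaming validator enforces encryption over TLS too`. The negative case accepts either of two fault messages, which is fine, but if the first `port.doubleIt(25)` throws, the first proxy is never closed because only the second `port` reaches `((java.io.Closeable)port).close()`. Consider closing the first proxy before reassigning `port`.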

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
new file mode 100644
index 0000000..9630477
--- /dev/null
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/TLSServer.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.systest.ws.tokens;
+
+import java.net.URL;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.testutil.common.AbstractBusTestServerBase;
+
+public class TLSServer extends AbstractBusTestServerBase {
+
+    public TLSServer() {
+
+    }
+
+    protected void run()  {
+        URL busFile = TLSServer.class.getResource("tls-server.xml");
+        Bus busLocal = new SpringBusFactory().createBus(busFile);
+        BusFactory.setDefaultBus(busLocal);
+        setBus(busLocal);
+
+        try {
+            new TLSServer();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
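Review bot: The `try { new TLSServer(); } catch (Exception e) { e.printStackTrace(); }` block in `run()` constructs a second server object that is immediately discarded; the actual server is started by the Spring bus created on the lines above, so this is a copy-paste leftover. Drop the whole try block, or if the pattern is kept for parity with the other test servers, add `// no-op: the endpoints are created by tls-server.xml` so the next reader does not wonder what it starts.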

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
index c9a9217..bc2c01f 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl
@@ -71,6 +71,12 @@
         <wsdl:port name="DoubleItEncryptedSupportingPort3" binding="tns:DoubleItStandardBinding">
             <soap:address location="http://localhost:9010/DoubleItEncryptedSupporting3"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItEncryptedSupportingPort4" binding="tns:DoubleItStandardBinding">
+            <soap:address location="https://localhost:9010/DoubleItEncryptedSupporting4"/>
+        </wsdl:port>
+        <wsdl:port name="DoubleItEncryptedSupportingPort5" binding="tns:DoubleItStandardBinding">
+            <soap:address location="https://localhost:9010/DoubleItEncryptedSupporting5"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSignedEncryptedSupportingPort" binding="tns:DoubleItStandardBinding">
             <soap:address location="http://localhost:9010/DoubleItSignedEncryptedSupporting"/>
         </wsdl:port>

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
new file mode 100644
index 0000000..7016412
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-client.xml
@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="           http://www.springframework.org/schema/beans           http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws                           http://cxf.apache.org/schemas/jaxws.xsd
          http://cxf.apache.org/transports/http/configuration   http://cxf.apache.org/schemas/configuration/http-conf.xsd
          http://cxf.apache.org/configuration/security          http://cxf.apache.org/schemas/configuration/security.xsd
          http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd           http://cxf.apache.org/policy
http://cxf.apache.org/schemas/poli
 cy.xsd           http://www.w3.org/ns/ws-policy  http://www.w3.org/2007/02/ws-policy.xsd">
+    <cxf:bus>
+        <cxf:features>
+            <p:policies/>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <http:conduit name="https://localhost:.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedSupportingPort4"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.username" value="Alice"/>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="security.encryption.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="bob"/>
+            <entry key="security.signature.properties" value="alice.properties"/>
+            <entry key="security.signature.username" value="alice"/>
+            <entry key="ws-security.username-token.always.encrypted" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItEncryptedSupportingPort5"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.username" value="Alice"/>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="security.encryption.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="bob"/>
+            <entry key="security.signature.properties" value="alice.properties"/>
+            <entry key="security.signature.username" value="alice"/>
+            <entry key="ws-security.username-token.always.encrypted" value="false"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+</beans>
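Review bot: `disableCNCheck="true"` turns off hostname verification on the client conduit, which is acceptable for a localhost test but should be marked as such so it is not copied into real configuration; presumably the test certificate in `keys/Bethal.jks` does not carry a `localhost` name. Add `<!-- test only: hostname verification disabled for the self-signed test certificate; never do this in production -->` above the `http:conduit` element. The two client blocks are identical apart from the policy reference, which is the intended positive/negative pair, so a one-line comment per client saying which outcome is expected would make the fixture self-explanatory.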

http://git-wip-us.apache.org/repos/asf/cxf/blob/d473c6c9/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
new file mode 100644
index 0000000..9b2266d
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/tls-server.xml
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation="
        http://www.springframework.org/schema/beans                     http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws                                     http://cxf.apache.org/schemas/jaxws.xsd
        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd         http://cxf.apache.org/policy
http://cxf.apache.org/schemas/policy.xsd         http://cxf.apache.org/transports/http/configuration
            http://cxf.apache.org/schemas/configuration/http-conf.xsd         http://cxf.apa
 che.org/transports/http-jetty/configuration       http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                    http://cxf.apache.org/schemas/configuration/security.xsd
        http://www.w3.org/ns/ws-policy                                  http://www.w3.org/2007/02/ws-policy.xsd
    ">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <cxf:bus>
+        <cxf:features>
+            <p:policies/>
+            <cxf:logging/>
+        </cxf:features>
+    </cxf:bus>
+    <httpj:engine-factory id="tls-settings">
+        <httpj:engine port="${testutil.ports.tokens.TLSServer}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPassword="password">
+                    <sec:keyStore type="jks" password="password" resource="keys/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
+                </sec:trustManagers>
+                <sec:clientAuthentication want="true" required="false"/>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedSupportingTokens4"
address="https://localhost:${testutil.ports.tokens.TLSServer}/DoubleItEncryptedSupporting4"
serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort4" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="useReqSigCert"/>
+            <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="EncryptedSupportingTokens5"
address="https://localhost:${testutil.ports.tokens.TLSServer}/DoubleItEncryptedSupporting5"
serviceName="s:DoubleItService" endpointName="s:DoubleItEncryptedSupportingPort5" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/tokens/DoubleItTokens.wsdl" depends-on="tls-settings">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.UTPasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="useReqSigCert"/>
+            <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
+        </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/tokens/encrypted-supp-token-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+</beans>

