cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] cxf git commit: [CXF-5525] - Adding a JAX-WS property to disable client cert verification policy check + tests
Date Thu, 02 Mar 2017 18:21:34 GMT
[CXF-5525] - Adding a JAX-WS property to disable client cert verification policy check + tests

# Conflicts:
#	rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
#	rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
#	rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
#	systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a371f7cf
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a371f7cf
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a371f7cf

Branch: refs/heads/3.1.x-fixes
Commit: a371f7cf76e86b91dd6c8025e2882d4715568bb5
Parents: 963a541
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 2 18:17:05 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 2 18:20:06 2017 +0000

----------------------------------------------------------------------
 .../apache/cxf/transport/http/HTTPConduit.java  |  7 ++-
 .../cxf/transport/http/MessageTrustDecider.java | 13 ++++++
 .../cxf/ws/security/SecurityConstants.java      | 11 ++++-
 .../HttpsTokenInterceptorProvider.java          | 38 ++++++++++++----
 .../cxf/systest/ws/https/HttpsTokenTest.java    | 47 ++++++++++++++++++++
 .../cxf/systest/ws/https/DoubleItHttps.wsdl     |  6 +++
 .../org/apache/cxf/systest/ws/https/client.xml  | 26 +++++++++++
 .../org/apache/cxf/systest/ws/https/server.xml  | 14 ++++++
 .../apache/cxf/systest/ws/https/stax-server.xml | 20 +++++++++
 9 files changed, 169 insertions(+), 13 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
index e896461..51daa38 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HTTPConduit.java
@@ -1762,10 +1762,9 @@ public abstract class HTTPConduit
                     // already connected.
                     HttpsURLConnectionInfo info = getHttpsURLConnectionInfo();
                     if (trustDecider != null) {
-                        trustDecider.establishTrust(
-                                conduitName, 
-                            info,
-                            outMessage);
+                        trustDecider.establishTrust(conduitName,
+                                                    info,
+                                                    outMessage);
                         if (LOG.isLoggable(Level.FINE)) {
                             LOG.log(Level.FINE, "Trust Decider "
                                 + trustDecider.getLogicalName()

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
index c9c2f1e..923b5e5 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/MessageTrustDecider.java
@@ -29,9 +29,15 @@ import org.apache.cxf.message.Message;
  * java.net.URLConnection implementations. 
  * 
  * The HttpURLConnection will be set up and connected, but no data
+<<<<<<< HEAD
  * yet sent (at least according to the JDK 1.5 default implemenation), 
  * and in the case of an HttpsURLConnection (again with caveat on
  * particular java.net.HttpsURLConnection implemenation), the TLS handshake 
+=======
+ * yet sent (at least according to the JDK 1.5 default implementation),
+ * and in the case of an HttpsURLConnection (again with caveat on
+ * particular java.net.HttpsURLConnection implementation), the TLS handshake
+>>>>>>> 0252de5... [CXF-5525] - Adding a JAX-WS property to disable
client cert verification policy check + tests
  * will be completed and certain TLS artifacts will be available.
  * <p>
  * Each MessageTrustDecider has a "logical" name that may be used in logging
@@ -88,10 +94,17 @@ public abstract class MessageTrustDecider {
      * <P>
      * The HTTPConduit calls this message on every redirect, however, it is
      * impossible to tell where it has been redirected from.
+<<<<<<< HEAD
      * 
      * TODO: What are the exising Message Properties at the point of this call?
      * 
      * @param conduitName    This parameter contains the logical name 
+=======
+     *
+     * TODO: What are the existing Message Properties at the point of this call?
+     *
+     * @param conduitName    This parameter contains the logical name
+>>>>>>> 0252de5... [CXF-5525] - Adding a JAX-WS property to disable
client cert verification policy check + tests
      *                       for the conduit that this trust decider
      *                       is being called from.
      *                       

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 649532f..0d17cf6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -145,6 +145,14 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      * Signatures using WSConstants.C14N_EXCL_OMIT_COMMENTS. Default is "true".
      */
     public static final String ADD_INCLUSIVE_PREFIXES = "ws-security.add.inclusive.prefixes";
+    
+    /**
+     * Whether to disable the enforcement of the WS-SecurityPolicy 'RequireClientCertificate'
policy. 
+     * Default is "false". Some servers may not do client certificate verification at the
start of the SSL 
+     * handshake, and therefore the client certs may not be available to the WS-Security
layer for policy 
+     * verification at that time.
+     */
+    public static final String DISABLE_REQ_CLIENT_CERT_CHECK = "ws-security.disable.require.client.cert.check";
 
     //
     // Non-boolean WS-Security Configuration parameters
@@ -416,7 +424,8 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
             CACHE_IDENTIFIER, DELEGATED_CREDENTIAL, KERBEROS_USE_CREDENTIAL_DELEGATION, 
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,

             POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
-            SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME
+            SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME,
+            DISABLE_REQ_CLIENT_CERT_CHECK
         }));
         for (String commonProperty : COMMON_PROPERTIES) {
             s.add(commonProperty);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
index a89da9b..537c8c5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
@@ -36,6 +36,7 @@ import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.security.SecurityContext;
@@ -48,6 +49,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
 import org.apache.wss4j.policy.SP11Constants;
@@ -121,15 +123,30 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                 if ("https".equals(scheme)) {
                     if (token.getAuthenticationType() 
                         == HttpsToken.AuthenticationType.RequireClientCertificate) {
-                        final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
-                        MessageTrustDecider trust = new MessageTrustDecider() {
-                            public void establishTrust(String conduitName,
-                                                       URLConnectionInfo connectionInfo,
-                                                       Message message)
-                                throws UntrustedURLConnectionIOException {
-                                if (orig != null) {
-                                    orig.establishTrust(conduitName, connectionInfo, message);
+                        boolean disableClientCertCheck =
+                            MessageUtils.getContextualBoolean(message, 
+                                                              SecurityConstants.DISABLE_REQ_CLIENT_CERT_CHECK,

+                                                              false);
+                        if (!disableClientCertCheck) {
+                            final MessageTrustDecider orig = message.get(MessageTrustDecider.class);
+                            MessageTrustDecider trust = new MessageTrustDecider() {
+                                public void establishTrust(String conduitName,
+                                                           URLConnectionInfo connectionInfo,
+                                                           Message message)
+                                    throws UntrustedURLConnectionIOException {
+                                    if (orig != null) {
+                                        orig.establishTrust(conduitName, connectionInfo,
message);
+                                    }
+                                    HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
+                                    if (info.getLocalCertificates() == null
+                                        || info.getLocalCertificates().length == 0) {
+                                        throw new UntrustedURLConnectionIOException(
+                                            "RequireClientCertificate is set, "
+                                            + "but no local certificates were negotiated.
 Is"
+                                            + " the server set to ask for client authorization?");
+                                    }
                                 }
+<<<<<<< HEAD
                                 HttpsURLConnectionInfo info = (HttpsURLConnectionInfo)connectionInfo;
                                 if (info.getLocalCertificates() == null 
                                     || info.getLocalCertificates().length == 0) {
@@ -141,6 +158,11 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             }
                         };
                         message.put(MessageTrustDecider.class, trust);
+=======
+                            };
+                            message.put(MessageTrustDecider.class, trust);
+                        }
+>>>>>>> 0252de5... [CXF-5525] - Adding a JAX-WS property to disable
client cert verification policy check + tests
                         PolicyUtils.assertPolicy(aim, new QName(token.getName().getNamespaceURI(),
                                                                 SPConstants.REQUIRE_CLIENT_CERTIFICATE));
                     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java
index 5762ea9..b0a1bca 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/https/HttpsTokenTest.java
@@ -131,6 +131,53 @@ public class HttpsTokenTest extends AbstractBusClientServerTestBase {
         bus.shutdown(true);
     }
     
+<<<<<<< HEAD
+=======
+    @org.junit.Test
+    public void testNoClientCertRequirement() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = HttpsTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = HttpsTokenTest.class.getResource("DoubleItHttps.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItNoClientCertRequirementPort");
+        DoubleItPortType port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+
+        try {
+            port.doubleIt(25);
+            fail("(Policy) Failure expected on not using a client cert");
+        } catch (Exception ex) {
+            // expected
+        }
+     
+        // This should work, as we're disable the RequireClientCertificate check via a
+        // JAX-WS property
+        portQName = new QName(NAMESPACE, "DoubleItNoClientCertRequirementPort2");
+        port = service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(port);
+        }
+
+        port.doubleIt(25);
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
+
+>>>>>>> 0252de5... [CXF-5525] - Adding a JAX-WS property to disable
client cert verification policy check + tests
     @org.junit.Test
     public void testBasicAuth() throws Exception {
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl
index 3db601c..9def79d 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl
@@ -41,6 +41,12 @@
         <wsdl:port name="DoubleItRequireClientCertPort2" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItRequireClientCert2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItNoClientCertRequirementPort" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="https://localhost:9009/DoubleItNoClientCertRequirement"/>
+        </wsdl:port>
+        <wsdl:port name="DoubleItNoClientCertRequirementPort2" binding="tns:DoubleItInlinePolicyBinding">
+            <soap:address location="https://localhost:9009/DoubleItNoClientCertRequirement2"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItBasicAuthPort" binding="tns:DoubleItInlinePolicyBinding">
             <soap:address location="https://localhost:9009/DoubleItBasicAuth"/>
         </wsdl:port>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/client.xml
index 5ccb4b7..0ad3351 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/client.xml
@@ -34,6 +34,13 @@
             </sec:trustManagers>
         </http:tlsClientParameters>
     </http:conduit>
+    <http:conduit name="https://localhost:.*/DoubleItNoClientCertRequirement.*">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:trustManagers>
+                <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItRequireClientCertPort"
createdFromAPI="true">
         <jaxws:properties>
        </jaxws:properties>
@@ -59,6 +66,25 @@
             </p:policies>
         </jaxws:features>
     </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItNoClientCertRequirementPort"
createdFromAPI="true">
+        <jaxws:properties>
+       </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/req-client-cert-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItNoClientCertRequirementPort2"
createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="ws-security.disable.require.client.cert.check" value="true"/>
+       </jaxws:properties>
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/req-client-cert-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:client>
     <http:conduit name="https://localhost:.*/DoubleItBasicAuth">
         <http:tlsClientParameters disableCNCheck="true">
             <sec:trustManagers>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/server.xml
index f2a13b8..e7838d3 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/server.xml
@@ -56,6 +56,20 @@
             </p:policies>
         </jaxws:features>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoClientCertRequirement"
address="https://localhost:${testutil.ports.https.Server}/DoubleItNoClientCertRequirement"
serviceName="s:DoubleItService" endpointName="s:DoubleItNoClientCertRequirementPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/clean-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoClientCertRequirement2"
address="https://localhost:${testutil.ports.https.Server}/DoubleItNoClientCertRequirement2"
serviceName="s:DoubleItService" endpointName="s:DoubleItNoClientCertRequirementPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/clean-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="BasicAuth"
address="https://localhost:${testutil.ports.https.Server}/DoubleItBasicAuth" serviceName="s:DoubleItService"
endpointName="s:DoubleItBasicAuthPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
         <jaxws:features>
             <p:policies>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a371f7cf/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/stax-server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/stax-server.xml
index 5e27236..4a361e7 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/https/stax-server.xml
@@ -62,6 +62,26 @@
             <entry key="ws-security.enable.streaming" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
+       <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoClientCertRequirement"
address="https://localhost:${testutil.ports.https.StaxServer}/DoubleItNoClientCertRequirement"
serviceName="s:DoubleItService" endpointName="s:DoubleItNoClientCertRequirementPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/clean-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+        <jaxws:properties>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="NoClientCertRequirement2"
address="https://localhost:${testutil.ports.https.StaxServer}/DoubleItNoClientCertRequirement2"
serviceName="s:DoubleItService" endpointName="s:DoubleItNoClientCertRequirementPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
+        <jaxws:features>
+            <p:policies>
+                <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/https/clean-policy.xml"/>
+            </p:policies>
+        </jaxws:features>
+        <jaxws:properties>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="BasicAuth"
address="https://localhost:${testutil.ports.https.StaxServer}/DoubleItBasicAuth" serviceName="s:DoubleItService"
endpointName="s:DoubleItBasicAuthPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/https/DoubleItHttps.wsdl" depends-on="tls-settings">
         <jaxws:features>
             <p:policies>


Mime
View raw message