Fixing last commit
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b416a783 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b416a783 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b416a783 Branch: refs/heads/2.7.x-fixes Commit: b416a7830913a34c487e5526cd769a7d89532bd6 Parents: 4115b59 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Jan 16 17:00:59 2015 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Jan 16 17:00:59 2015 +0000 ---------------------------------------------------------------------- .../ws/security/wss4j/WSS4JInInterceptor.java | 2 +- .../security/wss4j/WSS4JStaxInInterceptor.java | 480 ------------------- .../cxf/systest/ws/saml/SamlTokenTest.java | 81 +--- .../org/apache/cxf/systest/ws/saml/server.xml | 270 ----------- .../cxf/systest/ws/saml/server/server.xml | 20 +- .../apache/cxf/systest/ws/saml/stax-server.xml | 298 ------------ 6 files changed, 22 insertions(+), 1129 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java index 860a09f..c790c7a 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 
@@ -345,7 +345,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
 boolean enableAudienceRestriction =
 MessageUtils.getContextualBoolean(msg,
 SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION,
- true);
+ false);
 if (enableAudienceRestriction) {
 List<String> audiences = new ArrayList<String>();
 if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
deleted file mode 100644
index eb034a1..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
+++ /dev/null
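Review bot: Flipping the fallback passed to getContextualBoolean from `true` to `false` means the whole `if (enableAudienceRestriction)` branch below — the one that collects REQUEST_URL and the service name as accepted audiences — is skipped unless a deployer sets SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION explicitly, so a SAML assertion whose AudienceRestriction names a different service is no longer rejected by default, and nothing in the hunk records that this is deliberate. Presumably the intent is to keep the 2.7.x branch on its pre-CXF-5674 behaviour (the conflict marker in SamlTokenTest references that issue), but the code should say so: `// Default false: SAML AudienceRestriction is only checked when SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION is set to true` on the line before `boolean enableAudienceRestriction =`. The Javadoc of the constant itself (not in this diff) should state the same default so deployers who want the check know they must opt in. The enclosing method starts and ends outside this hunk.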
@@ -1,480 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.ws.security.wss4j; - -import java.io.IOException; -import java.security.Provider; -import java.util.ArrayList; -import java.util.Collections; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; -import java.util.logging.Logger; - -import javax.security.auth.callback.Callback; -import javax.security.auth.callback.CallbackHandler; -import javax.security.auth.callback.UnsupportedCallbackException; -import javax.xml.stream.XMLStreamException; -import javax.xml.stream.XMLStreamReader; -import javax.xml.stream.util.StreamReaderDelegate; - -import org.apache.cxf.binding.soap.SoapFault; -import org.apache.cxf.binding.soap.SoapMessage; -import org.apache.cxf.binding.soap.SoapVersion; -import org.apache.cxf.common.classloader.ClassLoaderUtils; -import org.apache.cxf.common.i18n.Message; -import org.apache.cxf.common.logging.LogUtils; -import org.apache.cxf.interceptor.Fault; -import org.apache.cxf.interceptor.StaxInInterceptor; -import org.apache.cxf.message.MessageUtils; -import org.apache.cxf.phase.Phase; -import org.apache.cxf.ws.security.SecurityConstants; -import 
org.apache.cxf.ws.security.tokenstore.SecurityToken; -import org.apache.cxf.ws.security.tokenstore.TokenStore; -import org.apache.wss4j.common.ConfigurationConstants; -import org.apache.wss4j.common.WSSPolicyException; -import org.apache.wss4j.common.cache.ReplayCache; -import org.apache.wss4j.common.crypto.Crypto; -import org.apache.wss4j.common.crypto.ThreadLocalSecurityProvider; -import org.apache.wss4j.common.ext.WSPasswordCallback; -import org.apache.wss4j.common.ext.WSSecurityException; -import org.apache.wss4j.stax.ConfigurationConverter; -import org.apache.wss4j.stax.WSSec; -import org.apache.wss4j.stax.ext.InboundWSSec; -import org.apache.wss4j.stax.ext.WSSConstants; -import org.apache.wss4j.stax.ext.WSSSecurityProperties; -import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants; -import org.apache.wss4j.stax.validate.Validator; -import org.apache.xml.security.exceptions.XMLSecurityException; -import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent; -import org.apache.xml.security.stax.securityEvent.SecurityEvent; -import org.apache.xml.security.stax.securityEvent.SecurityEventListener; -import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent; - -public class WSS4JStaxInInterceptor extends AbstractWSS4JStaxInterceptor { - - public static final String SECURITY_PROCESSED = WSS4JStaxInInterceptor.class.getName() + ".DONE"; - - private static final Logger LOG = LogUtils.getL7dLogger(WSS4JStaxInInterceptor.class); - - public WSS4JStaxInInterceptor(WSSSecurityProperties securityProperties) { - super(securityProperties); - setPhase(Phase.POST_STREAM); - getAfter().add(StaxInInterceptor.class.getName()); - } - - public WSS4JStaxInInterceptor(Map<String, Object> props) { - super(props); - setPhase(Phase.POST_STREAM); - getAfter().add(StaxInInterceptor.class.getName()); - } - - public WSS4JStaxInInterceptor() { - super(); - setPhase(Phase.POST_STREAM); - getAfter().add(StaxInInterceptor.class.getName()); - } - - 
public final boolean isGET(SoapMessage message) { - String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD); - return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null; - } - - @Override - public void handleMessage(SoapMessage soapMessage) throws Fault { - - if (soapMessage.containsKey(SECURITY_PROCESSED) || isGET(soapMessage)) { - return; - } - - XMLStreamReader originalXmlStreamReader = soapMessage.getContent(XMLStreamReader.class); - XMLStreamReader newXmlStreamReader; - - soapMessage.getInterceptorChain().add(new StaxSecurityContextInInterceptor()); - - try { - @SuppressWarnings("unchecked") - List<SecurityEvent> requestSecurityEvents = - (List<SecurityEvent>) soapMessage.getExchange().get(SecurityEvent.class.getName() + ".out"); - - WSSSecurityProperties secProps = createSecurityProperties(); - translateProperties(soapMessage, secProps); - configureCallbackHandler(soapMessage, secProps); - configureProperties(soapMessage, secProps); - - if (secProps.getActions() != null && secProps.getActions().size() > 0) { - soapMessage.getInterceptorChain().add(new StaxActionInInterceptor(secProps.getActions())); - } - - if (secProps.getAttachmentCallbackHandler() == null) { - secProps.setAttachmentCallbackHandler(new AttachmentCallbackHandler(soapMessage)); - } - - final TokenStoreCallbackHandler callbackHandler = - new TokenStoreCallbackHandler( - secProps.getCallbackHandler(), WSS4JUtils.getTokenStore(soapMessage) - ); - secProps.setCallbackHandler(callbackHandler); - - setTokenValidators(secProps, soapMessage); - secProps.setMsgContext(soapMessage); - - final List<SecurityEventListener> securityEventListeners = - configureSecurityEventListeners(soapMessage, secProps); - - final InboundWSSec inboundWSSec = - WSSec.getInboundWSSec(secProps, MessageUtils.isRequestor(soapMessage)); - - newXmlStreamReader = - inboundWSSec.processInMessage(originalXmlStreamReader, requestSecurityEvents, securityEventListeners); - final Object provider = 
soapMessage.getExchange().get(Provider.class); - if (provider != null && ThreadLocalSecurityProvider.isInstalled()) { - newXmlStreamReader = new StreamReaderDelegate(newXmlStreamReader) { - @Override - public int next() throws XMLStreamException { - try { - ThreadLocalSecurityProvider.setProvider((Provider)provider); - return super.next(); - } finally { - ThreadLocalSecurityProvider.unsetProvider(); - } - } - }; - } - soapMessage.setContent(XMLStreamReader.class, newXmlStreamReader); - - // Warning: The exceptions which can occur here are not security relevant exceptions - // but configuration-errors. To catch security relevant exceptions you have to catch - // them e.g.in the FaultOutInterceptor. Why? Because we do streaming security. This - // interceptor doesn't handle the ws-security stuff but just setup the relevant stuff - // for it. Exceptions will be thrown as a wrapped XMLStreamException during further - // processing in the WS-Stack. - soapMessage.put(SECURITY_PROCESSED, Boolean.TRUE); - } catch (WSSecurityException e) { - throw createSoapFault(soapMessage.getVersion(), e); - } catch (XMLSecurityException e) { - throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender()); - } catch (WSSPolicyException e) { - throw new SoapFault(e.getMessage(), e, soapMessage.getVersion().getSender()); - } catch (XMLStreamException e) { - throw new SoapFault(new Message("STAX_EX", LOG), e, soapMessage.getVersion().getSender()); - } - } - - protected List<SecurityEventListener> configureSecurityEventListeners( - SoapMessage msg, WSSSecurityProperties securityProperties - ) throws WSSPolicyException { - final List<SecurityEvent> incomingSecurityEventList = new LinkedList<SecurityEvent>(); - msg.getExchange().put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList); - msg.put(SecurityEvent.class.getName() + ".in", incomingSecurityEventList); - - final SecurityEventListener securityEventListener = new SecurityEventListener() { - 
@Override - public void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException { - if (securityEvent.getSecurityEventType() == WSSecurityEventConstants.Timestamp - || securityEvent.getSecurityEventType() == WSSecurityEventConstants.SignatureValue - || securityEvent instanceof TokenSecurityEvent - || securityEvent instanceof AbstractSecuredElementSecurityEvent) { - // Store events required for the security context setup, or the crypto coverage checker - incomingSecurityEventList.add(securityEvent); - } - } - }; - - return Collections.singletonList(securityEventListener); - } - - protected void configureProperties( - SoapMessage msg, WSSSecurityProperties securityProperties - ) throws XMLSecurityException { - - // Configure replay caching - ReplayCache nonceCache = null; - if (isNonceCacheRequired(msg, securityProperties)) { - nonceCache = WSS4JUtils.getReplayCache( - msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE - ); - } - if (nonceCache == null) { - securityProperties.setEnableNonceReplayCache(false); - securityProperties.setNonceReplayCache(null); - } else { - securityProperties.setEnableNonceReplayCache(true); - securityProperties.setNonceReplayCache(nonceCache); - } - - ReplayCache timestampCache = null; - if (isTimestampCacheRequired(msg, securityProperties)) { - timestampCache = WSS4JUtils.getReplayCache( - msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE - ); - } - if (timestampCache == null) { - securityProperties.setEnableTimestampReplayCache(false); - securityProperties.setTimestampReplayCache(null); - } else { - securityProperties.setEnableTimestampReplayCache(true); - securityProperties.setTimestampReplayCache(timestampCache); - } - - ReplayCache samlCache = null; - if (isSamlCacheRequired(msg, securityProperties)) { - samlCache = WSS4JUtils.getReplayCache( - msg, SecurityConstants.ENABLE_SAML_ONE_TIME_USE_CACHE, - 
SecurityConstants.SAML_ONE_TIME_USE_CACHE_INSTANCE - ); - } - if (samlCache == null) { - securityProperties.setEnableSamlOneTimeUseReplayCache(false); - securityProperties.setSamlOneTimeUseReplayCache(null); - } else { - securityProperties.setEnableSamlOneTimeUseReplayCache(true); - securityProperties.setSamlOneTimeUseReplayCache(samlCache); - } - - boolean enableRevocation = - MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_REVOCATION)); - securityProperties.setEnableRevocation(enableRevocation); - - // Crypto loading only applies for Map - Map<String, Object> config = getProperties(); - if (config != null && !config.isEmpty()) { - Crypto sigVerCrypto = - loadCrypto( - msg, - ConfigurationConstants.SIG_VER_PROP_FILE, - ConfigurationConstants.SIG_VER_PROP_REF_ID, - securityProperties - ); - if (sigVerCrypto == null) { - // Fall back to using the Signature properties for verification - sigVerCrypto = - loadCrypto( - msg, - ConfigurationConstants.SIG_PROP_FILE, - ConfigurationConstants.SIG_PROP_REF_ID, - securityProperties - ); - } - if (sigVerCrypto != null) { - config.put(ConfigurationConstants.SIG_VER_PROP_REF_ID, "RefId-" + sigVerCrypto.hashCode()); - config.put("RefId-" + sigVerCrypto.hashCode(), sigVerCrypto); - } - - Crypto decCrypto = - loadCrypto( - msg, - ConfigurationConstants.DEC_PROP_FILE, - ConfigurationConstants.DEC_PROP_REF_ID, - securityProperties - ); - if (decCrypto != null) { - config.put(ConfigurationConstants.DEC_PROP_REF_ID, "RefId-" + decCrypto.hashCode()); - config.put("RefId-" + decCrypto.hashCode(), decCrypto); - } - ConfigurationConverter.parseCrypto(config, securityProperties); - } - - // Add Audience Restrictions for SAML - configureAudienceRestriction(msg, securityProperties); - } - - private void configureAudienceRestriction(SoapMessage msg, WSSSecurityProperties securityProperties) { - // Add Audience Restrictions for SAML - boolean enableAudienceRestriction = - MessageUtils.getContextualBoolean(msg, - 
SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, - true); - if (enableAudienceRestriction) { - List<String> audiences = new ArrayList<String>(); - if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { - audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL)); - } - if (msg.getContextualProperty("javax.xml.ws.wsdl.service") != null) { - audiences.add(msg.getContextualProperty("javax.xml.ws.wsdl.service").toString()); - } - securityProperties.setAudienceRestrictions(audiences); - } - } - - /** - * Is a Nonce Cache required, i.e. are we expecting a UsernameToken - */ - protected boolean isNonceCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) { - - if (securityProperties != null && securityProperties.getActions() != null) { - for (WSSConstants.Action action : securityProperties.getActions()) { - if (action == WSSConstants.USERNAMETOKEN) { - return true; - } - } - } - - return false; - } - - /** - * Is a Timestamp cache required, i.e. are we expecting a Timestamp - */ - protected boolean isTimestampCacheRequired( - SoapMessage msg, WSSSecurityProperties securityProperties - ) { - - if (securityProperties != null && securityProperties.getActions() != null) { - for (WSSConstants.Action action : securityProperties.getActions()) { - if (action == WSSConstants.TIMESTAMP) { - return true; - } - } - } - - return false; - } - - /** - * Is a SAML Cache required, i.e. 
are we expecting a SAML Token - */ - protected boolean isSamlCacheRequired(SoapMessage msg, WSSSecurityProperties securityProperties) { - - if (securityProperties != null && securityProperties.getActions() != null) { - for (WSSConstants.Action action : securityProperties.getActions()) { - if (action == WSSConstants.SAML_TOKEN_UNSIGNED - || action == WSSConstants.SAML_TOKEN_SIGNED) { - return true; - } - } - } - - return false; - } - - /** - * Create a SoapFault from a WSSecurityException, following the SOAP Message Security - * 1.1 specification, chapter 12 "Error Handling". - * - * When the Soap version is 1.1 then set the Fault/Code/Value from the fault code - * specified in the WSSecurityException (if it exists). - * - * Otherwise set the Fault/Code/Value to env:Sender and the Fault/Code/Subcode/Value - * as the fault code from the WSSecurityException. - */ - private SoapFault - createSoapFault(SoapVersion version, WSSecurityException e) { - SoapFault fault; - javax.xml.namespace.QName faultCode = e.getFaultCode(); - if (version.getVersion() == 1.1 && faultCode != null) { - fault = new SoapFault(e.getMessage(), e, faultCode); - } else { - fault = new SoapFault(e.getMessage(), e, version.getSender()); - if (version.getVersion() != 1.1 && faultCode != null) { - fault.setSubCode(faultCode); - } - } - return fault; - } - - private void setTokenValidators( - WSSSecurityProperties properties, SoapMessage message - ) throws WSSecurityException { - Validator validator = loadValidator(SecurityConstants.SAML1_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_saml_Assertion, validator); - } - validator = loadValidator(SecurityConstants.SAML2_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_saml2_Assertion, validator); - } - validator = loadValidator(SecurityConstants.USERNAME_TOKEN_VALIDATOR, message); - if (validator != null) { - 
properties.addValidator(WSSConstants.TAG_wsse_UsernameToken, validator); - } - validator = loadValidator(SecurityConstants.SIGNATURE_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_dsig_Signature, validator); - } - validator = loadValidator(SecurityConstants.TIMESTAMP_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_wsu_Timestamp, validator); - } - validator = loadValidator(SecurityConstants.BST_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_wsse_BinarySecurityToken, validator); - } - validator = loadValidator(SecurityConstants.SCT_TOKEN_VALIDATOR, message); - if (validator != null) { - properties.addValidator(WSSConstants.TAG_wsc0502_SecurityContextToken, validator); - properties.addValidator(WSSConstants.TAG_wsc0512_SecurityContextToken, validator); - } - } - - private Validator loadValidator(String validatorKey, SoapMessage message) throws WSSecurityException { - Object o = message.getContextualProperty(validatorKey); - if (o == null) { - return null; - } - try { - if (o instanceof Validator) { - return (Validator)o; - } else if (o instanceof Class) { - return (Validator)((Class<?>)o).newInstance(); - } else if (o instanceof String) { - return (Validator)ClassLoaderUtils.loadClass(o.toString(), - WSS4JStaxInInterceptor.class) - .newInstance(); - } else { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, - "Cannot load Validator: " + o); - } - } catch (RuntimeException t) { - throw t; - } catch (Exception ex) { - throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex); - } - } - - private class TokenStoreCallbackHandler implements CallbackHandler { - private CallbackHandler internal; - private TokenStore store; - public TokenStoreCallbackHandler(CallbackHandler in, TokenStore st) { - internal = in; - store = st; - } - - public void handle(Callback[] callbacks) throws IOException, 
UnsupportedCallbackException { - for (int i = 0; i < callbacks.length; i++) { - if (callbacks[i] instanceof WSPasswordCallback) { - WSPasswordCallback pc = (WSPasswordCallback)callbacks[i]; - - String id = pc.getIdentifier(); - SecurityToken tok = store.getToken(id); - if (tok != null && !tok.isExpired()) { - pc.setKey(tok.getSecret()); - pc.setKey(tok.getKey()); - pc.setCustomToken(tok.getToken()); - return; - } - } - } - if (internal != null) { - internal.handle(callbacks); - } - } - - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java index 72ca7d6..d633410 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java @@ -868,17 +868,8 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class); -<<<<<<< HEAD updateAddressPort(saml2Port, PORT2); -======= - String portNumber = PORT2; - if (STAX_PORT.equals(test.getPort())) { - portNumber = STAX_PORT2; - } - updateAddressPort(saml2Port, portNumber); - ->>>>>>> ff2987d... [CXF-5674] - CXF Support in "Audience Restriction" of SAML 2 (SOAP) // Create a SAML Token with an AudienceRestrictionCondition ConditionsBean conditions = new ConditionsBean(); List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); 
@@ -897,7 +888,6 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { saml2Port.doubleIt(25); try { - // Now use an "unknown" audience restriction audienceRestriction = new AudienceRestrictionBean(); audienceRestriction.setAudienceURIs(Collections.singletonList( "https://localhost:" + PORT2 + "/DoubleItSaml2Transport2unknown")); @@ -906,6 +896,14 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { conditions.setAudienceRestrictions(audienceRestrictions); callbackHandler.setConditions(conditions); + portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3"); + saml2Port = service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(saml2Port, PORT2); + + ((BindingProvider)saml2Port).getRequestContext().put( + "ws-security.saml-callback-handler", callbackHandler + ); + saml2Port.doubleIt(25); fail("Failure expected on unknown AudienceRestriction"); } catch (javax.xml.ws.soap.SOAPFaultException ex) { @@ -917,7 +915,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { public void testAudienceRestrictionServiceName() throws Exception { SpringBusFactory bf = new SpringBusFactory(); - URL busFile = SamlTokenTest.class.getResource("client.xml"); + URL busFile = SamlTokenTest.class.getResource("client/client.xml"); Bus bus = bf.createBus(busFile.toString()); SpringBusFactory.setDefaultBus(bus); @@ -928,11 +926,7 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); DoubleItPortType saml2Port = service.getPort(portQName, DoubleItPortType.class); - String portNumber = PORT2; - if (STAX_PORT.equals(test.getPort())) { - portNumber = STAX_PORT2; - } - updateAddressPort(saml2Port, portNumber); + updateAddressPort(saml2Port, PORT2); // Create a SAML Token with an AudienceRestrictionCondition ConditionsBean conditions = new ConditionsBean(); 
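Review bot: The removed comment `// Now use an "unknown" audience restriction` was the only explanation of what the try block does, and the statements it described are still there on the new side; keep it, or move it onto the line before `audienceRestriction = new AudienceRestrictionBean();`. The enclosing test method starts outside this hunk.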
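Review bot: In the hunk at `@@ -906,6 +896,14 @@` the rejection path now switches to DoubleItSaml2TransportPort3 while the preceding valid-audience call stays on DoubleItSaml2TransportPort2, and nothing in the test says why the port changes; presumably Port3 is the endpoint that enables SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION in server/server.xml (changed in this commit but not shown here) now that the interceptor default is false. A comment before the new `portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3");` line would make that readable, e.g. `// Port3 enables audience restriction validation explicitly; Port2 relies on the default, which is off`. With the default flipped, the earlier `saml2Port.doubleIt(25);` on Port2 no longer shows that a matching audience passes on an endpoint that actually validates — consider calling Port3 with the matching audience before switching to the unknown one, since the deleted testDisableAudienceRestrictionValidation was the last place both outcomes were exercised side by side. The enclosing test method starts outside this hunk.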
@@ -952,59 +946,4 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase { saml2Port.doubleIt(25); } - @org.junit.Test - public void testDisableAudienceRestrictionValidation() throws Exception { - - SpringBusFactory bf = new SpringBusFactory(); - URL busFile = SamlTokenTest.class.getResource("client.xml"); - - Bus bus = bf.createBus(busFile.toString()); - SpringBusFactory.setDefaultBus(bus); - SpringBusFactory.setThreadDefaultBus(bus); - - URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl"); - Service service = Service.create(wsdl, SERVICE_QNAME); - QName portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort2"); - DoubleItPortType saml2Port = - service.getPort(portQName, DoubleItPortType.class); - String portNumber = PORT2; - if (STAX_PORT.equals(test.getPort())) { - portNumber = STAX_PORT2; - } - updateAddressPort(saml2Port, portNumber); - - // Create a SAML Token with an AudienceRestrictionCondition - ConditionsBean conditions = new ConditionsBean(); - List<AudienceRestrictionBean> audienceRestrictions = new ArrayList<AudienceRestrictionBean>(); - AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); - audienceRestriction.setAudienceURIs(Collections.singletonList( - service.getServiceName().toString() + ".xyz")); - audienceRestrictions.add(audienceRestriction); - conditions.setAudienceRestrictions(audienceRestrictions); - - SamlCallbackHandler callbackHandler = new SamlCallbackHandler(); - callbackHandler.setConditions(conditions); - ((BindingProvider)saml2Port).getRequestContext().put( - "ws-security.saml-callback-handler", callbackHandler - ); - - // It should fail with validation enabled - try { - saml2Port.doubleIt(25); - fail("Failure expected on unknown AudienceRestriction"); - } catch (javax.xml.ws.soap.SOAPFaultException ex) { - // expected - } - - // It should pass with validation disabled - portQName = new QName(NAMESPACE, "DoubleItSaml2TransportPort3"); - saml2Port = service.getPort(portQName, 
DoubleItPortType.class); - updateAddressPort(saml2Port, portNumber); - - ((BindingProvider)saml2Port).getRequestContext().put( - "ws-security.saml-callback-handler", callbackHandler - ); - saml2Port.doubleIt(25); - } - } http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml deleted file mode 100644 index 14a803a..0000000 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml +++ /dev/null 
@@ -1,270 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/sc hemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd 
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd "> - <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> - <cxf:bus> - <cxf:features> - <p:policies/> - <cxf:logging/> - </cxf:features> - </cxf:bus> - <!-- --> - <!-- Any services listening on port 9009 must use the following --> - <!-- Transport Layer Security (TLS) settings --> - <!-- --> - <httpj:engine-factory id="tls-settings"> - <httpj:engine port="${testutil.ports.Server.2}"> - <httpj:tlsServerParameters> - <sec:keyManagers keyPassword="password"> - <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> - </sec:keyManagers> - <sec:trustManagers> - <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> - </sec:trustManagers> - <sec:clientAuthentication want="true" required="true"/> - </httpj:tlsServerParameters> - </httpj:engine> - </httpj:engine-factory> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - </jaxws:properties> - <jaxws:features> - <p:policies> - 
<wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/> - </p:policies> - </jaxws:features> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" 
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - <jaxws:features> - <p:policies> - <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/> - </p:policies> - </jaxws:features> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" 
endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry 
key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" 
address="http://localhost:${testutil.ports.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" 
implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" 
depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.Server.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - <jaxws:features> - <p:policies> - <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"> - <wsp:ExactlyOne> - <wsp:All> - <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken"> - <wsp:ExactlyOne> - <wsp:All> - <sp:TransportBinding> - <wsp:Policy> - <sp:TransportToken> - <wsp:Policy> - <sp:HttpsToken> - <wsp:Policy/> - </sp:HttpsToken> - </wsp:Policy> - </sp:TransportToken> - <sp:Layout> - <wsp:Policy> - <sp:Lax/> - </wsp:Policy> - </sp:Layout> - <sp:IncludeTimestamp/> - <sp:AlgorithmSuite> - <wsp:Policy> - <sp:Basic128/> - </wsp:Policy> - </sp:AlgorithmSuite> - </wsp:Policy> - </sp:TransportBinding> - <sp:SupportingTokens> - <wsp:Policy> - <sp:SamlToken 
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> - <wsp:Policy> - <sp:WssSamlV11Token11/> - </wsp:Policy> - </sp:SamlToken> - </wsp:Policy> - </sp:SupportingTokens> - </wsp:All> - </wsp:ExactlyOne> - </wsp:Policy> - </wsp:All> - </wsp:ExactlyOne> - </wsp:Policy> - </p:policies> - </jaxws:features> - </jaxws:endpoint> - <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" /> - <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor"> - <constructor-arg ref="MockPDP"/> - </bean> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.Server}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/> - </jaxws:properties> - <jaxws:inInterceptors> - <ref bean="XACMLInterceptor"/> - </jaxws:inInterceptors> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry 
key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - </jaxws:properties> - </jaxws:endpoint> - - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.validate.audience-restriction" value="false"/> - </jaxws:properties> - </jaxws:endpoint> -</beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml ---------------------------------------------------------------------- 
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml index 3fedf31..7a145bd 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml @@ -502,14 +502,6 @@ </jaxws:endpoint> - <bean id="audienceRestrictionValidator" class="org.apache.cxf.systest.ws.saml.Saml2AudienceRestrictionValidator"> - <property name="endpointAddresses"> - <list> - <value>https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2</value> - </list> - </property> - </bean> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> <jaxws:properties> <entry key="ws-security.callback-handler" 
@@ -517,7 +509,17 @@
 <entry key="ws-security.signature.properties" value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
 <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.saml2.validator" value-ref="audienceRestrictionValidator"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.Server.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ <entry key="ws-security.validate.audience-restriction" value="true"/>
 </jaxws:properties>
 </jaxws:endpoint>
http://git-wip-us.apache.org/repos/asf/cxf/blob/b416a783/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
deleted file mode 100644
index ce0eb3f..0000000
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ /dev/null
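Review bot: The Saml2TransportToken2 endpoint whose properties open this hunk loses its `ws-security.saml2.validator` entry without gaining a replacement, so whether audience restrictions are checked on that port now depends entirely on the interceptor's default for `ws-security.validate.audience-restriction`, which this file does not control; pin the fixture with `<entry key="ws-security.validate.audience-restriction" value="false"/>` so the test states which mode it exercises and does not silently flip if that default moves again. The new Saml2TransportToken3 endpoint is the only place the check is switched on, and a one-line comment above it such as `<!-- audience restriction validation enabled: a SAML token whose AudienceRestriction does not match this endpoint is expected to be rejected -->` would make the intended pairing of the two ports explicit. Note also that the deleted top-level saml/server.xml configured its Saml2TransportToken3 with this key set to `false`, the opposite of what this file now sets, and that the test which drove the rejecting case against port 2 and the passing case against port 3 (testDisableAudienceRestrictionValidation) is removed in this commit, so it is worth confirming that a test still asserts the rejecting case against the retained fixture.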
@@ -1,298 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!-- - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. ---> -<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration" xmlns:sec="http://cxf.apache.org/configuration/security" xmlns:cxf="http://cxf.apache.org/core" xmlns:p="http://cxf.apache.org/policy" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/sc hemas/configuration/http-conf.xsd http://cxf.apache.org/transports/http-jetty/configuration http://cxf.apache.org/schemas/configuration/http-jetty.xsd http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd 
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd "> - <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/> - <cxf:bus> - <cxf:features> - <p:policies/> - <cxf:logging/> - </cxf:features> - </cxf:bus> - <!-- --> - <!-- Any services listening on port 9009 must use the following --> - <!-- Transport Layer Security (TLS) settings --> - <!-- --> - <httpj:engine-factory id="tls-settings"> - <httpj:engine port="${testutil.ports.StaxServer.2}"> - <httpj:tlsServerParameters> - <sec:keyManagers keyPassword="password"> - <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Bethal.jks"/> - </sec:keyManagers> - <sec:trustManagers> - <sec:keyStore type="jks" password="password" resource="org/apache/cxf/systest/ws/security/Truststore.jks"/> - </sec:trustManagers> - <sec:clientAuthentication want="true" required="true"/> - </httpj:tlsServerParameters> - </httpj:engine> - </httpj:engine-factory> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1TokenOverTransport2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - 
<entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - <jaxws:features> - <p:policies> - <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml1-tls-policy.xml"/> - </p:policies> - </jaxws:features> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SupportingToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1Supporting" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SupportingPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Symmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <!--<entry key="ws-security.saml2.validator" - value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> - <entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" 
id="Saml2TokenOverAsymmetric" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <!--<entry key="ws-security.saml2.validator" - value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> - <entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - </jaxws:endpoint> - <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetric2" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2Asymmetric2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl"> - <jaxws:properties> - <entry key="ws-security.username" value="bob"/> - <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> - <entry key="ws-security.signature.properties" value="bob.properties"/> - <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/> - <entry key="ws-security.encryption.username" value="useReqSigCert"/> - <!--<entry key="ws-security.saml2.validator" - value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>--> - <entry key="ws-security.enable.streaming" value="true"/> - </jaxws:properties> - <jaxws:features> - <p:policies> - <wsp:PolicyReference 
xmlns:wsp="http://www.w3.org/ns/ws-policy" URI="classpath:/org/apache/cxf/systest/ws/saml/saml2-asym-policy.xml"/>
- </p:policies>
- </jaxws:features>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml1SelfSignedTokenOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml1SelfSignedTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml1SelfSignedTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransport"
address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingOverTransportSP11" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingTransportSP11" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingTransportSP11Port" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorPort" address="http://localhost:${testutil.ports.StaxServer}/DoubleItAsymmetricSamlInitiator" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry
key="ws-security.username" value="bob"/>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.encryption.username" value="useReqSigCert"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <!--<entry key="ws-security.saml2.validator"
- value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="ws-security.username" value="bob"/>
- <entry key="ws-security.callback-handler"
value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.encryption.username" value="useReqSigCert"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <!--<entry key="ws-security.saml2.validator"
- value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricSignedEncryptedEncryptBeforeSigning" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigning" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricSignedEncryptedEncryptBeforeSigningPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="ws-security.username" value="bob"/>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.encryption.username" value="useReqSigCert"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <!--<entry key="ws-security.saml2.validator"
- value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverAsymmetricEncrypted" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2AsymmetricEncrypted" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2AsymmetricEncryptedPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="ws-security.username" value="bob"/>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.encryption.username" value="useReqSigCert"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2EndorsingEncryptedOverTransport" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2EndorsingEncryptedTransport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2EndorsingEncryptedTransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="InlinePolicy" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSamlInlinePolicy" serviceName="s:DoubleItService" endpointName="s:DoubleItInlinePolicyPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry
key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- <jaxws:features>
- <p:policies>
- <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" wsu:Id="SamlToken">
- <wsp:ExactlyOne>
- <wsp:All>
- <sp:TransportBinding>
- <wsp:Policy>
- <sp:TransportToken>
- <wsp:Policy>
- <sp:HttpsToken>
- <wsp:Policy/>
- </sp:HttpsToken>
- </wsp:Policy>
- </sp:TransportToken>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax/>
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp/>
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic128/>
- </wsp:Policy>
- </sp:AlgorithmSuite>
- </wsp:Policy>
- </sp:TransportBinding>
- <sp:SupportingTokens>
- <wsp:Policy>
- <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
- <wsp:Policy>
- <sp:WssSamlV11Token11/>
- </wsp:Policy>
- </sp:SamlToken>
- </wsp:Policy>
- </sp:SupportingTokens>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
- </p:policies>
- </jaxws:features>
- </jaxws:endpoint>
- <bean class="org.apache.cxf.systest.ws.saml.PolicyDecisionPointMockImpl" id="MockPDP" />
- <bean class="org.apache.cxf.rt.security.xacml.XACMLAuthorizingInterceptor" id="XACMLInterceptor">
- <constructor-arg ref="MockPDP"/>
- </bean>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricPEP" address="http://localhost:${testutil.ports.StaxServer}/DoubleItSaml2PEP" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2PEPPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl"
wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <!--<entry key="ws-security.saml2.validator"
- value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- <jaxws:inInterceptors>
- <ref bean="XACMLInterceptor"/>
- </jaxws:inInterceptors>
- </jaxws:endpoint>
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
-
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken2" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport2" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort2" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry
key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- </jaxws:properties>
- </jaxws:endpoint>
-
- <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TransportToken3" address="https://localhost:${testutil.ports.StaxServer.2}/DoubleItSaml2Transport3" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2TransportPort3" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl" depends-on="tls-settings">
- <jaxws:properties>
- <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
- <entry key="ws-security.signature.properties" value="bob.properties"/>
- <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
- <entry key="ws-security.enable.streaming" value="true"/>
- <entry key="ws-security.validate.audience-restriction" value="false"/>
- </jaxws:properties>
- </jaxws:endpoint>
-</beans>