cxf git commit: [CXF-6736] Passing the code request state directly to some functions
Repository: cxf Updated Branches: refs/heads/master 0222768ba -> 39c772a07 [CXF-6736] Passing the code request state directly to some functions Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/39c772a0 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/39c772a0 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/39c772a0 Branch: refs/heads/master Commit: 39c772a0764b323f98ab58e00345f4fca924c425 Parents: 0222768 Author: Sergey BeryozkinAuthored: Mon Jan 11 12:51:30 2016 + Committer: Sergey Beryozkin Committed: Mon Jan 11 12:51:30 2016 + -- .../oauth2/client/ClientCodeRequestFilter.java | 14 +--- .../oidc/rp/OidcClientCodeRequestFilter.java| 35 2 files changed, 22 insertions(+), 27 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/39c772a0/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java index c02688c..0b950c7 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java 
@@ -131,7 +131,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { } private Response createCodeResponse(ContainerRequestContext rc, UriInfo ui) { -MultivaluedMap redirectState = createRedirectState(rc, ui); +MultivaluedMap codeRequestState = toCodeRequestState(rc, ui); +MultivaluedMap redirectState = createRedirectState(rc, ui, codeRequestState); String theState = redirectState != null ? redirectState.getFirst(OAuthConstants.STATE) : null; String redirectScope = redirectState != null ? redirectState.getFirst(OAuthConstants.SCOPE) : null; String theScope = redirectScope != null ? redirectScope : scopes; @@ -142,7 +143,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { theScope); setFormPostResponseMode(ub, redirectState); setCodeVerifier(ub, redirectState); -setAdditionalCodeRequestParams(ub, redirectState); +setAdditionalCodeRequestParams(ub, redirectState, codeRequestState); URI uri = ub.build(); return Response.seeOther(uri).build(); } @@ -165,7 +166,9 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { } } -protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap redirectState) { +protected void setAdditionalCodeRequestParams(UriBuilder ub, + MultivaluedMap redirectState, + MultivaluedMap codeRequestState) { } private URI getAbsoluteRedirectUri(UriInfo ui) { 
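Review bot: The protected hook `setAdditionalCodeRequestParams` (third hunk) and `createRedirectState` (the `@@ -222` hunk) get a new parameter while the old signatures are removed. A subclass that overrode the two-argument forms without `@Override` still compiles, but its override is no longer called. For a filter that builds the authorization redirect, this can silently drop parameters a deployment added there. Consider keeping the old overloads as deprecated methods and having the new default bodies delegate to them, e.g. `setAdditionalCodeRequestParams(ub, redirectState);` inside the three-argument version. The same change is applied to 3.1.x-fixes, where an incompatible signature change in a fixes branch is harder to justify. Neither new parameter has Javadoc saying what `codeRequestState` holds or whether a hook may modify it.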
@@ -222,12 +225,13 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, request); } -protected MultivaluedMap createRedirectState(ContainerRequestContext rc, UriInfo ui) { +protected MultivaluedMap createRedirectState(ContainerRequestContext rc, + UriInfo ui, + MultivaluedMap codeRequestState) { if (clientStateManager == null) { return new MetadataMap (); } String codeVerifier = null; -MultivaluedMap codeRequestState = toCodeRequestState(rc, ui); if (codeVerifierTransformer != null) { codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32)); codeRequestState.putSingle(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, http://git-wip-us.apache.org/repos/asf/cxf/blob/39c772a0/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java -- diff --git
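Review bot: `createRedirectState` now mutates the caller's map: the context line `codeRequestState.putSingle(OAuthConstants.AUTHORIZATION_CODE_VERIFIER,` writes into the instance that `createCodeResponse` later hands to `setAdditionalCodeRequestParams`. The stored value is cut off in the hunk, but if it is the verifier itself, an override that copies `codeRequestState` entries onto the `UriBuilder` would expose the PKCE verifier in the authorization redirect. Document the contract on both methods, for example `@param codeRequestState request state; modified by this method and may contain the PKCE code verifier, must not be copied into the redirect URI`. The parameter is also dereferenced without a null check, and whether `toCodeRequestState` can return null is not visible here. The method body continues outside the hunk, and the 3.1.x-fixes backport has the same change.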
cxf git commit: [CXF-6736] Passing the code request state directly to some functions
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes b4bfa886e -> f79eaf42d [CXF-6736] Passing the code request state directly to some functions Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f79eaf42 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f79eaf42 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f79eaf42 Branch: refs/heads/3.1.x-fixes Commit: f79eaf42d4640f668077db35b1ced230034c44d9 Parents: b4bfa88 Author: Sergey BeryozkinAuthored: Mon Jan 11 12:51:30 2016 + Committer: Sergey Beryozkin Committed: Mon Jan 11 12:52:58 2016 + -- .../oauth2/client/ClientCodeRequestFilter.java | 14 +--- .../oidc/rp/OidcClientCodeRequestFilter.java| 35 2 files changed, 22 insertions(+), 27 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/f79eaf42/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java -- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java index 2845ba6..b47bce7 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java 
@@ -131,7 +131,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { } private Response createCodeResponse(ContainerRequestContext rc, UriInfo ui) { -MultivaluedMap redirectState = createRedirectState(rc, ui); +MultivaluedMap codeRequestState = toCodeRequestState(rc, ui); +MultivaluedMap redirectState = createRedirectState(rc, ui, codeRequestState); String theState = redirectState != null ? redirectState.getFirst(OAuthConstants.STATE) : null; String redirectScope = redirectState != null ? redirectState.getFirst(OAuthConstants.SCOPE) : null; String theScope = redirectScope != null ? redirectScope : scopes; @@ -142,7 +143,7 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { theScope); setFormPostResponseMode(ub, redirectState); setCodeVerifier(ub, redirectState); -setAdditionalCodeRequestParams(ub, redirectState); +setAdditionalCodeRequestParams(ub, redirectState, codeRequestState); URI uri = ub.build(); return Response.seeOther(uri).build(); } @@ -165,7 +166,9 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { } } -protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap redirectState) { +protected void setAdditionalCodeRequestParams(UriBuilder ub, + MultivaluedMap redirectState, + MultivaluedMap codeRequestState) { } private URI getAbsoluteRedirectUri(UriInfo ui) { 
@@ -222,12 +225,13 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter { JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, request); } -protected MultivaluedMap createRedirectState(ContainerRequestContext rc, UriInfo ui) { +protected MultivaluedMap createRedirectState(ContainerRequestContext rc, + UriInfo ui, + MultivaluedMap codeRequestState) { if (clientStateManager == null) { return null; } String codeVerifier = null; -MultivaluedMap codeRequestState = toCodeRequestState(rc, ui); if (codeVerifierTransformer != null) { codeVerifier = Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(32)); codeRequestState.putSingle(OAuthConstants.AUTHORIZATION_CODE_VERIFIER, http://git-wip-us.apache.org/repos/asf/cxf/blob/f79eaf42/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java -- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes d1acc8cfa -> 25f1d6d7f Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/25f1d6d7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/25f1d6d7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/25f1d6d7 Branch: refs/heads/3.0.x-fixes Commit: 25f1d6d7ff6ce0c2202c827b9067f354b2af834a Parents: d1acc8c Author: Colm O hEigeartaighAuthored: Mon Jan 11 14:16:43 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 14:16:43 2016 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/25f1d6d7/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index f5d8014..a3af64b 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -386,6 +386,7 @@ B a3e1065d4c2a600f63585a6c892e636f5740cf73 B a4222c930f7d69608f826c14e4bc7bc9f670097c B a4315cb442fa31960cbd47f11e95e81b4a71441d B a493fc41c1bdd5d282dac7fec57db9d01987af21 +B a564aea127fa0a385c06b1c7f9f391b68d0f9c50 B a5aff3e7a43274b3d47cda706aaf8108bd7a9b07 B a5f8a4dd4d9ecbfc1f8a1a8e5bcb4af17f561cc5 B a602c9df3e2e09855410f0e75af9b108620b7794
cxf git commit: Enabling some tests following WSS4J fix
Repository: cxf Updated Branches: refs/heads/master 39c772a07 -> 9a9e0a8a3 Enabling some tests following WSS4J fix Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9a9e0a8a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9a9e0a8a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9a9e0a8a Branch: refs/heads/master Commit: 9a9e0a8a37608195c4ef6fbf386728d13d025d2d Parents: 39c772a Author: Colm O hEigeartaighAuthored: Mon Jan 11 12:12:55 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 13:57:58 2016 + -- .../apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/9a9e0a8a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java -- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java index cb4627c..8afe278 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java @@ -180,7 +180,7 @@ public class AsymmetricBindingTest extends AbstractBusClientServerTestBase { @org.junit.Test public void testUsernameTokenSAML2KeyValue() throws Exception { // TODO -if (test.isStreaming() || STAX_PORT.equals(test.getPort())) { +if (STAX_PORT.equals(test.getPort())) { return; }
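Review bot: The remaining guard in `testUsernameTokenSAML2KeyValue` still skips the StAX port with a bare `return`, so the test is reported as passed although nothing was checked. Using an assumption makes the skip visible in the report: `org.junit.Assume.assumeTrue(!STAX_PORT.equals(test.getPort()));`. The `// TODO` above it should say what is outstanding for the StAX case, now that the streaming case has been enabled. The method body continues outside the hunk, and the 3.1.x-fixes copy has the same guard.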
[1/2] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes f79eaf42d -> 2caad0c68 Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2caad0c6 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2caad0c6 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2caad0c6 Branch: refs/heads/3.1.x-fixes Commit: 2caad0c68309fc3f2ccd8aa4795e489c674eab7f Parents: ac120f4 Author: Colm O hEigeartaighAuthored: Mon Jan 11 13:58:11 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 13:58:11 2016 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/2caad0c6/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 436297c..a6177bd 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -17,3 +17,4 @@ B f94e1dd9b2a8d27ec5a27bfb7c026e3ae2350e39 B fb30f8bffc85fcc3208fcc0e1eda4b54a89b5d37 M 0222768baf6b60742c4a8332308edf2be0f4a2e4 M 8583a24ac541dc373503d7a6c59cd90890acdae3 +M 9a9e0a8a37608195c4ef6fbf386728d13d025d2d
[2/2] cxf git commit: Enabling some tests following WSS4J fix
Enabling some tests following WSS4J fix Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ac120f4f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ac120f4f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ac120f4f Branch: refs/heads/3.1.x-fixes Commit: ac120f4fcea28162721fbdf4bd8a6a9e071cd540 Parents: f79eaf4 Author: Colm O hEigeartaighAuthored: Mon Jan 11 12:12:55 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 13:58:11 2016 + -- .../apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/ac120f4f/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java -- diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java index 68eaec5..42aa986 100644 --- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java +++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java @@ -182,7 +182,7 @@ public class AsymmetricBindingTest extends AbstractBusClientServerTestBase { @org.junit.Ignore public void testUsernameTokenSAML2KeyValue() throws Exception { // TODO -if (test.isStreaming() || STAX_PORT.equals(test.getPort())) { +if (STAX_PORT.equals(test.getPort())) { return; }
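Review bot: On this branch the context line directly above the signature is `@org.junit.Ignore`, so `testUsernameTokenSAML2KeyValue` remains disabled and the relaxed condition never runs. If the backport is meant to enable the test as the commit title says, the annotation has to be removed too. If the test is intentionally still ignored on 3.1.x-fixes, give the annotation a reason string so the reason is recorded. The method body continues outside the hunk.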
cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 6cdfe4bab -> d1acc8cfa Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d1acc8cf Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d1acc8cf Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d1acc8cf Branch: refs/heads/3.0.x-fixes Commit: d1acc8cfabb62670c24d879407778f0ca0e193ff Parents: 6cdfe4b Author: Colm O hEigeartaighAuthored: Mon Jan 11 14:03:11 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 14:03:11 2016 + -- .gitmergeinfo | 2 ++ 1 file changed, 2 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/d1acc8cf/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index 4b39755..f5d8014 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -90,6 +90,7 @@ B 2a2ed67576b525f9708fcb8bd9e8387a277a1f4f B 2a5d201be1b85344585094d0f044e9bf1b605fac B 2afb9d3cacb299bea854d1ff4824e4c981a41d6a B 2ba77327488a8446e6a92af137f644eaf3b06e2e +B 2caad0c68309fc3f2ccd8aa4795e489c674eab7f B 2cb99eed19d1a8f097c4ae54967c6e45a7c03d67 B 2cfa9011aaada9fe68bd0d9aad7ec86991ede43c B 2d3592e667e0ed5c2345b8fe1ae248a6b0fb1b43 @@ -402,6 +403,7 @@ B aac1196c9e2ad02b596e24cc6f18cdb7ec30a21d B ab05845f33e5744f9ed9c2b3569a1001c269f923 B ab3817f5068d88c60dc15ce52504435f9b715c1b B ab4eaac0be87291b7f053d144dc8fbf9d98634c3 +B ac120f4fcea28162721fbdf4bd8a6a9e071cd540 B ac33a5b83e2c487a4e7c08c6c15539e64ceea24e B ad1822e1bdcd842c8f9fdb2f5833e73202455086 B ad5763ef8ea1ff3c8ddea2c3a6fabdaae6acddd6
cxf git commit: Re-enabling test
Repository: cxf Updated Branches: refs/heads/master 9a9e0a8a3 -> 98aee1f31 Re-enabling test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/98aee1f3 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/98aee1f3 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/98aee1f3 Branch: refs/heads/master Commit: 98aee1f3196a6b86dcccbc8f1b0124fd9c532d60 Parents: 9a9e0a8 Author: Colm O hEigeartaighAuthored: Mon Jan 11 14:09:09 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 14:09:09 2016 + -- .../org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/98aee1f3/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java index ae45f51..2c3c099 100644 --- a/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java @@ -58,9 +58,7 @@ import org.springframework.core.io.Resource; /** * This class tests starting up and shutting down the embedded server when there * is extra jetty configuration. - * This test is ignored by default as it is continually failing on Jenkins. */ -@org.junit.Ignore public class EngineLifecycleTest extends Assert { private static final String PORT1 = TestUtil.getPortNumber(EngineLifecycleTest.class, 1); private static final String PORT2 = TestUtil.getPortNumber(EngineLifecycleTest.class, 2); 
@@ -184,7 +182,7 @@ public class EngineLifecycleTest extends Assert { private void verifyNoServer(String port) { try { -Socket socket = new Socket(InetAddress.getLocalHost(), Integer.parseInt(port)); +Socket socket = new Socket(InetAddress.getLoopbackAddress().getHostName(), Integer.parseInt(port)); socket.close(); } catch (UnknownHostException e) { fail("Unknown host for local address");
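Review bot: In `verifyNoServer`, calling `getHostName()` converts the loopback address to a name that `new Socket(String, int)` must resolve again, so the probe depends on how the build host resolves that name. Passing the address directly avoids the lookup: `Socket socket = new Socket(InetAddress.getLoopbackAddress(), Integer.parseInt(port));`. The check only proves that nothing is listening on loopback. Whether the engine under test could be bound to another interface is not visible in this hunk, so the method's comment should state that assumption. The method continues outside the hunk, and the 3.1.x-fixes copy of this commit has the same line.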
cxf git commit: Re-enabling test
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 2caad0c68 -> a564aea12 Re-enabling test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a564aea1 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a564aea1 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a564aea1 Branch: refs/heads/3.1.x-fixes Commit: a564aea127fa0a385c06b1c7f9f391b68d0f9c50 Parents: 2caad0c Author: Colm O hEigeartaighAuthored: Mon Jan 11 14:09:09 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 14:10:28 2016 + -- .../org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/a564aea1/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java -- diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java b/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java index ae45f51..2c3c099 100644 --- a/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java +++ b/systests/transports/src/test/java/org/apache/cxf/systest/http_jetty/EngineLifecycleTest.java @@ -58,9 +58,7 @@ import org.springframework.core.io.Resource; /** * This class tests starting up and shutting down the embedded server when there * is extra jetty configuration. - * This test is ignored by default as it is continually failing on Jenkins. */ -@org.junit.Ignore public class EngineLifecycleTest extends Assert { private static final String PORT1 = TestUtil.getPortNumber(EngineLifecycleTest.class, 1); private static final String PORT2 = TestUtil.getPortNumber(EngineLifecycleTest.class, 2); 
@@ -184,7 +182,7 @@ public class EngineLifecycleTest extends Assert { private void verifyNoServer(String port) { try { -Socket socket = new Socket(InetAddress.getLocalHost(), Integer.parseInt(port)); +Socket socket = new Socket(InetAddress.getLoopbackAddress().getHostName(), Integer.parseInt(port)); socket.close(); } catch (UnknownHostException e) { fail("Unknown host for local address");
cxf git commit: [CXF-6735] - Add a configuration option to disable the STR Transform
Repository: cxf Updated Branches: refs/heads/3.1.x-fixes a564aea12 -> 621e9cc86 [CXF-6735] - Add a configuration option to disable the STR Transform Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/621e9cc8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/621e9cc8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/621e9cc8 Branch: refs/heads/3.1.x-fixes Commit: 621e9cc86027ff94330c13b8bcf28c95466cf6c9 Parents: a564aea Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:49:38 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:54:39 2016 + -- .../cxf/ws/security/SecurityConstants.java | 7 +++ .../policyhandlers/AbstractBindingBuilder.java | 45 +--- .../X509SymmetricBindingTest.java | 38 + 3 files changed, 75 insertions(+), 15 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/621e9cc8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index c88a4ec..f9ebaba 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -132,6 +132,13 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security */ public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = "ws-security.swa.encryption.attachment.transform.content"; + +/** + * Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. + * The default is true. Some frameworks cannot handle processing the SecurityTokenReference is created, + * hence set this configuration option to "false" in this case. + */ +public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform"; // // Non-boolean WS-Security Configuration parameters http://git-wip-us.apache.org/repos/asf/cxf/blob/621e9cc8/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 815cb8f..4d2f2c5 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -610,6 +610,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle protected void addSignatureParts(List tokenList, List sigParts) { +boolean useSTRTransform = +MessageUtils.getContextualBoolean( +message, SecurityConstants.USE_STR_TRANSFORM, true +); + for (SupportingToken supportingToken : tokenList) { Object tempTok = supportingToken.getTokenImplementation(); 
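Review bot: The Javadoc for `USE_STR_TRANSFORM` in the `SecurityConstants` hunk has a broken sentence and does not say what is signed when the option is off. Suggested wording for the last sentence: `Some frameworks cannot process the SecurityTokenReference that is created; set this option to "false" in that case.` Since this switch changes how the SAML token is covered by the signature, the comment should also state the alternative. From the partly visible `else` branch in the 3.0.x-fixes backport, the assertion appears to be referenced directly by its Id. It should also note that the receiving side has to accept that form. The same Javadoc is added on 3.0.x-fixes.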
@@ -647,14 +652,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle Document doc = assertionWrapper.getElement().getOwnerDocument(); boolean saml1 = assertionWrapper.getSaml1() != null; -// TODO We only support using a KeyIdentifier for the moment -SecurityTokenReference secRef = -createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); -Element clone = cloneElement(secRef.getElement()); -addSupportingElement(clone); -part = new WSEncryptionPart("STRTransform", null, "Element"); -part.setId(secRef.getID()); -part.setElement(clone); +if (useSTRTransform) { +// TODO We only support using a KeyIdentifier for the moment +SecurityTokenReference secRef = +createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); +Element clone = cloneElement(secRef.getElement()); +addSupportingElement(clone); +part = new WSEncryptionPart("STRTransform", null, "Element"); +part.setId(secRef.getID()); +part.setElement(clone); +} else { +
[1/2] cxf git commit: Recording .gitmergeinfo Changes
Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 25f1d6d7f -> 50ec664ed Recording .gitmergeinfo Changes Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/50ec664e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/50ec664e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/50ec664e Branch: refs/heads/3.0.x-fixes Commit: 50ec664ed2790588a10e048fabf7bbfb7e5f859b Parents: 4636266 Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:58:45 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:58:45 2016 + -- .gitmergeinfo | 1 + 1 file changed, 1 insertion(+) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/50ec664e/.gitmergeinfo -- diff --git a/.gitmergeinfo b/.gitmergeinfo index a3af64b..4fad3d9 100644 --- a/.gitmergeinfo +++ b/.gitmergeinfo @@ -705,6 +705,7 @@ M 5e97d1e29e85d80f0679748cc4df0d8e0647ee16 M 5fbe7b49b88deff15f755c15f5a4c421943acc4f M 6106f469f5ae311edf2f7de12038822bc03dc073 M 6129ec5f6735a986660a2d05c6b3b0c9230610d9 +M 621e9cc86027ff94330c13b8bcf28c95466cf6c9 M 6292346fb110f0517b791f91d03fd2515d575388 M 62d70e977895ae06494730d4f4f04282f0bbeb9e M 64368a5ddad507fa5d7016cbd07f3e9b5b5fd594
[2/2] cxf git commit: [CXF-6735] - Add a configuration option to disable the STR Transform
[CXF-6735] - Add a configuration option to disable the STR Transform Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/46362669 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/46362669 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/46362669 Branch: refs/heads/3.0.x-fixes Commit: 463626698e399b36555a9ca35240f278bfb40153 Parents: 25f1d6d Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:49:38 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:58:45 2016 + -- .../cxf/ws/security/SecurityConstants.java | 7 +++ .../policyhandlers/AbstractBindingBuilder.java | 45 +--- .../X509SymmetricBindingTest.java | 38 + 3 files changed, 75 insertions(+), 15 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index 286eccb..383369c 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -264,6 +264,13 @@ public final class SecurityConstants { */ public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = "ws-security.swa.encryption.attachment.transform.content"; + +/** + * Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. + * The default is true. Some frameworks cannot handle processing the SecurityTokenReference is created, + * hence set this configuration option to "false" in this case. + */ +public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform"; // // Non-boolean WS-Security Configuration parameters http://git-wip-us.apache.org/repos/asf/cxf/blob/46362669/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 2712d60..4d33fc7 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -605,6 +605,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle protected void addSignatureParts(List tokenList, List sigParts) { +boolean useSTRTransform = +MessageUtils.getContextualBoolean( +message, SecurityConstants.USE_STR_TRANSFORM, true +); + for (SupportingToken supportingToken : tokenList) { Object tempTok = supportingToken.getTokenImplementation(); 
@@ -642,14 +647,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle Document doc = assertionWrapper.getElement().getOwnerDocument(); boolean saml1 = assertionWrapper.getSaml1() != null; -// TODO We only support using a KeyIdentifier for the moment -SecurityTokenReference secRef = -createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); -Element clone = cloneElement(secRef.getElement()); -addSupportingElement(clone); -part = new WSEncryptionPart("STRTransform", null, "Element"); -part.setId(secRef.getID()); -part.setElement(clone); +if (useSTRTransform) { +// TODO We only support using a KeyIdentifier for the moment +SecurityTokenReference secRef = +createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); +Element clone = cloneElement(secRef.getElement()); +addSupportingElement(clone); +part = new WSEncryptionPart("STRTransform", null, "Element"); +part.setId(secRef.getID()); +part.setElement(clone); +} else { +part = new WSEncryptionPart(assertionWrapper.getId()); +
cxf-fediz git commit: Adding a test
Repository: cxf-fediz Updated Branches: refs/heads/master 256a8599b -> db74b690c Adding a test Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/db74b690 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/db74b690 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/db74b690 Branch: refs/heads/master Commit: db74b690ce3421efa81a0ecd1919e64e937741f8 Parents: 256a859 Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:19:47 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:19:47 2016 + -- .../core/federation/FederationResponseTest.java | 35 .../src/test/resources/fediz_test_config.xml| 31 + 2 files changed, 66 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db74b690/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java -- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java index 125a2ec..d6d97f8 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java 
@@ -1572,6 +1572,41 @@ public class FederationResponseTest { } } +@org.junit.Test +public void testUnableToFindTruststore() throws Exception { +SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); +callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); +callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); +callbackHandler.setIssuer(TEST_RSTR_ISSUER); +callbackHandler.setSubjectName(TEST_USER); +ConditionsBean cp = new ConditionsBean(); +AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); +audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); +callbackHandler.setConditions(cp); + +SAMLCallback samlCallback = new SAMLCallback(); +SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); +SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); +String rstr = createSamlToken(assertion, "mystskey", true); + +FedizRequest wfReq = new FedizRequest(); +wfReq.setAction(FederationConstants.ACTION_SIGNIN); +wfReq.setResponseToken(rstr); + +configurator = null; +FedizContext config = getFederationConfigurator().getFedizContext("BAD_KEYSTORE"); + +FedizProcessor wfProc = new FederationProcessorImpl(); +try { +wfProc.processRequest(wfReq, config); +fail("Failure expected on being unable to find the truststore"); +} catch (ProcessingException ex) { +ex.printStackTrace(); +// expected +} +} + private String encryptAndSignToken( SamlAssertionWrapper assertion ) throws Exception { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/db74b690/plugins/core/src/test/resources/fediz_test_config.xml -- diff --git a/plugins/core/src/test/resources/fediz_test_config.xml b/plugins/core/src/test/resources/fediz_test_config.xml index 0feb9b9..82d1a3a 100644 --- a/plugins/core/src/test/resources/fediz_test_config.xml +++ b/plugins/core/src/test/resources/fediz_test_config.xml 
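Review bot: The `catch (ProcessingException ex)` block in `testUnableToFindTruststore` accepts any processing failure, so the test also passes when the request is rejected for an unrelated reason such as signature or audience validation. Before treating the exception as expected, assert on something that identifies the cause, for example its message or type. `ex.printStackTrace();` should be removed, because it writes a stack trace to the build log for a passing test. `configurator = null;` appears to reset shared fixture state, and nothing in the hunk restores it for later tests. The same test is added on 1.2.x-fixes.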
@@ -345,4 +345,35 @@ + + + http://host_one:port/url + + + + + + + + + + + 1000 + http://www.w3.org/2001/XMLSchema-instance; + xsi:type="federationProtocolType" version="1.2"> + target realm + http://url_to_the_issuer + ; + http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role + + 1 + reply value + REQUEST + + + + + +
cxf-fediz git commit: Adding a test
Repository: cxf-fediz Updated Branches: refs/heads/1.2.x-fixes f4d00969f -> 270f25a77 Adding a test Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/270f25a7 Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/270f25a7 Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/270f25a7 Branch: refs/heads/1.2.x-fixes Commit: 270f25a77983d6cd1413842120c19853a4e2d15d Parents: f4d0096 Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:19:47 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:21:03 2016 + -- .../core/federation/FederationResponseTest.java | 35 .../src/test/resources/fediz_test_config.xml| 31 + 2 files changed, 66 insertions(+) -- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/270f25a7/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java -- diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java index c833d0e..3ce3553 100644 --- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java +++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationResponseTest.java 
@@ -1572,6 +1572,41 @@ public class FederationResponseTest { } } +@org.junit.Test +public void testUnableToFindTruststore() throws Exception { +SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); +callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR); +callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER); +callbackHandler.setIssuer(TEST_RSTR_ISSUER); +callbackHandler.setSubjectName(TEST_USER); +ConditionsBean cp = new ConditionsBean(); +AudienceRestrictionBean audienceRestriction = new AudienceRestrictionBean(); +audienceRestriction.getAudienceURIs().add(TEST_AUDIENCE); + cp.setAudienceRestrictions(Collections.singletonList(audienceRestriction)); +callbackHandler.setConditions(cp); + +SAMLCallback samlCallback = new SAMLCallback(); +SAMLUtil.doSAMLCallback(callbackHandler, samlCallback); +SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback); +String rstr = createSamlToken(assertion, "mystskey", true); + +FedizRequest wfReq = new FedizRequest(); +wfReq.setAction(FederationConstants.ACTION_SIGNIN); +wfReq.setResponseToken(rstr); + +configurator = null; +FedizContext config = getFederationConfigurator().getFedizContext("BAD_KEYSTORE"); + +FedizProcessor wfProc = new FederationProcessorImpl(); +try { +wfProc.processRequest(wfReq, config); +fail("Failure expected on being unable to find the truststore"); +} catch (ProcessingException ex) { +ex.printStackTrace(); +// expected +} +} + private String encryptAndSignToken( SamlAssertionWrapper assertion ) throws Exception { http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/270f25a7/plugins/core/src/test/resources/fediz_test_config.xml -- diff --git a/plugins/core/src/test/resources/fediz_test_config.xml b/plugins/core/src/test/resources/fediz_test_config.xml index 0feb9b9..82d1a3a 100644 --- a/plugins/core/src/test/resources/fediz_test_config.xml +++ b/plugins/core/src/test/resources/fediz_test_config.xml 
@@ -345,4 +345,35 @@ + + + http://host_one:port/url + + + + + + + + + + + 1000 + http://www.w3.org/2001/XMLSchema-instance; + xsi:type="federationProtocolType" version="1.2"> + target realm + http://url_to_the_issuer + ; + http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role + + 1 + reply value + REQUEST + + + + + +
cxf git commit: [CXF-6735] - Add a configuration option to disable the STR Transform
Repository: cxf Updated Branches: refs/heads/master 98aee1f31 -> 171c91631 [CXF-6735] - Add a configuration option to disable the STR Transform Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/171c9163 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/171c9163 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/171c9163 Branch: refs/heads/master Commit: 171c916311d4e1a051993465afbb11c2a3e17dac Parents: 98aee1f Author: Colm O hEigeartaighAuthored: Mon Jan 11 16:49:38 2016 + Committer: Colm O hEigeartaigh Committed: Mon Jan 11 16:49:38 2016 + -- .../cxf/ws/security/SecurityConstants.java | 7 +++ .../policyhandlers/AbstractBindingBuilder.java | 45 +--- .../X509SymmetricBindingTest.java | 38 + 3 files changed, 75 insertions(+), 15 deletions(-) -- http://git-wip-us.apache.org/repos/asf/cxf/blob/171c9163/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java index c88a4ec..f9ebaba 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java 
@@ -132,6 +132,13 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security */ public static final String USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM = "ws-security.swa.encryption.attachment.transform.content"; + +/** + * Whether to use the STR (Security Token Reference) Transform when (externally) signing a SAML Token. + * The default is true. Some frameworks cannot handle processing the SecurityTokenReference is created, + * hence set this configuration option to "false" in this case. + */ +public static final String USE_STR_TRANSFORM = "ws-security.use.str.transform"; // // Non-boolean WS-Security Configuration parameters http://git-wip-us.apache.org/repos/asf/cxf/blob/171c9163/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java -- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 815cb8f..4d2f2c5 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -610,6 +610,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle protected void addSignatureParts(List tokenList, List sigParts) { +boolean useSTRTransform = +MessageUtils.getContextualBoolean( +message, SecurityConstants.USE_STR_TRANSFORM, true +); + for (SupportingToken supportingToken : tokenList) { Object tempTok = supportingToken.getTokenImplementation(); 
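Review bot: The Javadoc added for `USE_STR_TRANSFORM` has a broken second sentence ("cannot handle processing the SecurityTokenReference is created") and does not say what gets signed when the option is "false". This switch changes which element the signature over a SAML token covers, so a reader deciding whether to disable it needs that stated. Suggested wording: `Some frameworks cannot process the SecurityTokenReference that is created for the transform; set this option to "false" for them, in which case <what is signed instead> is referenced by the signature.` The false-case behaviour sits in the `else` branch of `addSignatureParts` in AbstractBindingBuilder, which is cut off on this page, so the placeholder should be filled in from that code.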
@@ -647,14 +652,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle Document doc = assertionWrapper.getElement().getOwnerDocument(); boolean saml1 = assertionWrapper.getSaml1() != null; -// TODO We only support using a KeyIdentifier for the moment -SecurityTokenReference secRef = -createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); -Element clone = cloneElement(secRef.getElement()); -addSupportingElement(clone); -part = new WSEncryptionPart("STRTransform", null, "Element"); -part.setId(secRef.getID()); -part.setElement(clone); +if (useSTRTransform) { +// TODO We only support using a KeyIdentifier for the moment +SecurityTokenReference secRef = +createSTRForSamlAssertion(doc, assertionWrapper.getId(), saml1, false); +Element clone = cloneElement(secRef.getElement()); +addSupportingElement(clone); +part = new WSEncryptionPart("STRTransform", null, "Element"); +part.setId(secRef.getID()); +part.setElement(clone); +} else { +
svn commit: r977497 - in /websites/production/cxf/content: cache/docs.pageCache docs/ws-securitypolicy.html
Author: buildbot Date: Mon Jan 11 17:47:35 2016 New Revision: 977497 Log: Production update by buildbot for cxf Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/ws-securitypolicy.html Modified: websites/production/cxf/content/cache/docs.pageCache == Binary files - no diff available. Modified: websites/production/cxf/content/docs/ws-securitypolicy.html == --- websites/production/cxf/content/docs/ws-securitypolicy.html (original) +++ websites/production/cxf/content/docs/ws-securitypolicy.html Mon Jan 11 17:47:35 2016 
@@ -117,7 +117,7 @@ Apache CXF -- WS-SecurityPolicy -WS-SecurityPolicyCXF 2.2 introduced support for using http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html; rel="nofollow">WS-SecurityPolicy to configure WSS4J instead of the custom configuration documented on the WS-Security page. However, all of the "background" material on the WS-Security page still applies and is important to know. WS-SecurityPolicy just provides an easier and more standards based way to configure and control the security requirements. With the security requirements documented in the WSDL as WS-Policy fragments, other tools such as .NET can easily know how to configure themselves to inter-operate with CXF services.CXF supports WS-SecurityPolicy versions 1.1 and later. It does not support WS-SecurityPolicy 1.0.Backwards compatibility configuration noteFrom Apache CXF 3.1.0, some of the WS-Security based configuration tags have been changed to just start with "security-". This is so that they can be shared with the JAX-RS XML Security component. Apart from the prefix change, the tags are exactly the same. Older "ws-security-" values continue to be accepted in CXF 3.1.0. See the Security Configuration page for information on the new shared configuration tags.Enabling WS-SecurityPolicyIn CXF 2.2, if the cxf-rt-ws-policy and cxf-rt-ws-security modules are available on the classpath, the WS-SecurityPolicy stuff is automatically enabled. Since the entire security runtime is policy driven, the only requirement is t hat the policy engine and security policies be available.If you are using the full "bundle" jar, all the security and policy stuff is already included.Policy descriptionWith WS-SecurityPolicy, the binding and/or operation in the wsdl references a WS-Policy fragment that describes the basic security requirements for interacting with that service. 
The http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/ws-securitypolicy.html; rel="nofollow">WS-SecurityPolicy specification allows for specifying things like asymmetric/symmetric keys, using transports (https) for encryption, which parts/headers to encrypt or sign, whether to sign then encrypt or encrypt then sign, whether to include timestamps, whether to use derived keys, etc... Basically, it describes what actions are necessary to securely interact with the service described in th e WSDL.However, the WS-SecurityPolicy fragment does not include "everything" that is required for a runtime to be able to able to create the messages. It does not describe things such as locations of key stores, user names and passwords, etc... Those need to be configured in at runtime to augment the WS-SecurityPolicy fragment.Configuring the extra propertiesThere are several extra properties that may need to be set to provide the additional bits of information to the runtime. Note that you should check that a particular property is supported in the version of CXF you are using. First, see the Security Configuration page for information on the configuration tags that are shared with the JAX-RS XML Security component. Here are configuration tags that only apply to the WS-SecurityPolicy layer, and hence all start with "ws-security" (as opposed to the commo n tags which now start with "security-").Boolean WS-Security configuration tags, e.g. the value should be "true" or "false".constantdefaultdefinitionws-security.validate.tokentrueWhether to validate the password of a received UsernameToken or not.ws-security.username-token.always.encryptedtr ueWhether to always encrypt UsernameTokens that are defined as a SupportingToken. 
This should not be set to false in a production environment, as it exposes the password (or the digest of the password) on the wire.ws-security.is-bsp-complianttrueWhether to ensure compliance with the Basic Security Profile (BSP) 1.1 or not.ws-security.self-sign-saml-assertionfalseWhether to self-sign a SAML Assertion or not. If this is set to true, then an enveloped signature will be generated when the SAML Assertion is constructed. Only applies up to CXF 2.7.x.ws-security.enable.nonce.cache(varies)Whether to cache UsernameToken nonces. See