Posted to commits@cxf.apache.org by co...@apache.org on 2018/01/17 12:14:13 UTC
[cxf] branch master updated: CXF-7613 - Support Derived keys policy
validation for EndorsingSupportingTokens
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new ef477b7 CXF-7613 - Support Derived keys policy validation for EndorsingSupportingTokens
ef477b7 is described below
commit ef477b7225535a3182694f4a99a949c7e4ce8803
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 17 11:32:04 2018 +0000
CXF-7613 - Support Derived keys policy validation for EndorsingSupportingTokens
---
.../AbstractBindingPolicyValidator.java | 6 ++
.../AbstractSupportingTokenPolicyValidator.java | 9 +++
.../AsymmetricBindingPolicyValidator.java | 15 +---
.../EndorsingEncryptedTokenPolicyValidator.java | 6 ++
.../EndorsingTokenPolicyValidator.java | 6 ++
...gnedEndorsingEncryptedTokenPolicyValidator.java | 6 ++
.../SignedEndorsingTokenPolicyValidator.java | 6 ++
.../SymmetricBindingPolicyValidator.java | 20 +----
.../sts/transport/TransportBindingTest.java | 38 ++++++++-
.../apache/cxf/systest/sts/transport/DoubleIt.wsdl | 93 +++++++++++++++++++++-
.../cxf/systest/sts/transport/cxf-client.xml | 8 ++
.../cxf/systest/sts/transport/cxf-service.xml | 7 ++
.../cxf/systest/sts/transport/cxf-stax-service.xml | 9 +++
13 files changed, 196 insertions(+), 33 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 7d9a4a5..5e6862f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -433,4 +433,10 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
return false;
}
+ protected void assertDerivedKeys(AbstractToken token, AssertionInfoMap aim) {
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ if (derivedKeys != null) {
+ PolicyUtils.assertPolicy(aim, new QName(token.getName().getNamespaceURI(), derivedKeys.name()));
+ }
+ }
}
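Review bot: `assertDerivedKeys` marks the token's DerivedKeys assertion as satisfied without verifying anything itself, so its safety depends entirely on callers having already checked that the message used derived keys; that contract should be stated in a Javadoc such as `/** Asserts the token's DerivedKeys policy assertion, if any. Performs no validation: call only after the message has been verified to satisfy the requirement. */`. The assertion's local name is `derivedKeys.name()`, the enum constant name, which presumably matches the WS-SecurityPolicy element name (e.g. RequireDerivedKeys) — worth noting, since renaming a constant would silently stop the policy from being asserted. The same method is added verbatim to AbstractSupportingTokenPolicyValidator in this commit; one static helper in PolicyUtils would keep the two from drifting apart.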
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 5aa7a7b..854218b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -48,6 +48,7 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.security.transport.TLSSessionInfo;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.saml.SAMLKeyInfo;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
@@ -62,6 +63,8 @@ import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractSecuredParts;
import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
import org.apache.wss4j.policy.model.EncryptedElements;
import org.apache.wss4j.policy.model.EncryptedParts;
import org.apache.wss4j.policy.model.Header;
@@ -894,4 +897,10 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
this.enforceEncryptedTokens = enforceEncryptedTokens;
}
+ protected void assertDerivedKeys(AbstractToken token, AssertionInfoMap aim) {
+ DerivedKeys derivedKeys = token.getDerivedKeys();
+ if (derivedKeys != null) {
+ PolicyUtils.assertPolicy(aim, new QName(token.getName().getNamespaceURI(), derivedKeys.name()));
+ }
+ }
}
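Review bot: This helper is a byte-for-byte copy of the one added to AbstractBindingPolicyValidator in the same commit, and both classes already import PolicyUtils, which is the natural home for a shared `static void assertDerivedKeys(AbstractToken token, AssertionInfoMap aim)`. Whichever copy stays should carry a Javadoc making clear it only asserts and never checks, e.g. `/** Marks the token's DerivedKeys assertion (RequireDerivedKeys etc.) as satisfied; callers must already have verified the message. */`. The assertion QName is built from `token.getName().getNamespaceURI()`, so it is only correct if the token's namespace is the SecurityPolicy namespace the DerivedKeys element lives in — presumably guaranteed by the WSS4J model, but worth a one-line comment.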
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index c298710..edcd0cd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -33,7 +33,6 @@ import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.AbstractToken;
-import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AsymmetricBinding;
import org.apache.wss4j.policy.model.X509Token;
@@ -156,7 +155,7 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertToken(wrapper, aim);
+ assertDerivedKeys(wrapper.getToken(), aim);
return true;
}
@@ -184,19 +183,9 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertToken(wrapper, aim);
+ assertDerivedKeys(wrapper.getToken(), aim);
return true;
}
- private void assertToken(AbstractTokenWrapper tokenWrapper, AssertionInfoMap aim) {
- String namespace = tokenWrapper.getName().getNamespaceURI();
-
- AbstractToken token = tokenWrapper.getToken();
- DerivedKeys derivedKeys = token.getDerivedKeys();
- if (derivedKeys != null) {
- PolicyUtils.assertPolicy(aim, new QName(namespace, derivedKeys.name()));
- }
- }
-
}
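Review bot: The removed `assertToken` built the assertion QName from the wrapper's namespace (`tokenWrapper.getName().getNamespaceURI()`), while the new `assertDerivedKeys(wrapper.getToken(), aim)` uses the nested token's namespace; these agree only when wrapper and token are always in the same SecurityPolicy namespace, which the WSS4J policy model presumably guarantees but the hunk does not show. If that invariant is relied on it deserves a comment at the call site, e.g. `// token and wrapper share the SP namespace, so the token's QName namespace is used for the DerivedKeys assertion`. The methods containing the two call sites start before their hunks.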
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index 4c9793b..743fd56 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -26,6 +26,7 @@ import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -79,6 +80,7 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
@@ -122,6 +124,10 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
);
continue;
}
+
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
+ }
}
}
}
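Review bot: The new condition asserts the token's RequireDerivedKeys policy whenever any DerivedKeyToken result exists in the security header (`containsKey(WSConstants.DKT)`), not when the endorsing signature made with this particular token was keyed by a derived key; unless the endorsing-signature check earlier in the loop (outside the hunk) already enforces per-token derivation when `derived` is set, an unrelated DKT elsewhere in the header would satisfy the policy. Binding the check to this token would mean inspecting the endorsing signature result's key reference rather than the global action map. Also, when `derived` is true and no DKT was processed the assertion is simply left unasserted, so the message is presumably rejected only by the generic policy-verification error; the binding validators in this same commit set an explicit reason, and `ai.setNotAsserted("Message fails the DerivedKeys requirement")` in an `else if (derived)` branch would make the rejection diagnosable. `derived`, `ai` and the enclosing loop are defined before the hunk.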
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index 2e852b3..e013e7b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -23,6 +23,7 @@ import java.util.Collection;
import java.util.List;
import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -68,6 +69,7 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
@@ -110,6 +112,10 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
);
continue;
}
+
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
+ }
}
}
}
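Review bot: When `derived` is true but no DerivedKeyToken was processed, the hunk leaves the RequireDerivedKeys assertion silently unasserted instead of recording why, unlike AsymmetricBindingPolicyValidator and SymmetricBindingPolicyValidator in this commit, which set `ai.setNotAsserted("Message fails the DerivedKeys requirement")`; an `else if (derived) { ai.setNotAsserted("Message fails the DerivedKeys requirement"); continue; }` would give the same diagnostic here. Note too that `containsKey(WSConstants.DKT)` is a header-wide presence test, so it should only be trusted if the endorsing-signature check earlier in the loop (outside the hunk) already ties derivation to this token; a comment stating that assumption would help the next reader. `derived` and `ai` come from before the hunk.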
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index aa59807..2b0e106 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -26,6 +26,7 @@ import javax.xml.namespace.QName;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -79,6 +80,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
@@ -122,6 +124,10 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
);
continue;
}
+
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
+ }
}
}
}
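Review bot: These three lines are now repeated identically in four validators (EndorsingToken, EndorsingEncryptedToken, SignedEndorsingToken and this one), together with the `!isTokenRequired` call added earlier in the same loop; the check belongs next to `assertDerivedKeys` in AbstractSupportingTokenPolicyValidator, e.g. `protected void assertDerivedKeysIfUsed(AbstractToken token, boolean derived, ValidatorParameters parameters)`, so that a later fix to the DKT condition is made once. As written the condition tests for any DerivedKeyToken in the header rather than one bound to this token's endorsing signature, so a comment should state that the per-token verification is assumed to have happened earlier in the loop (outside the hunk). The enclosing method begins before the hunk.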
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 2e13300..b2a642e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -23,6 +23,7 @@ import java.util.Collection;
import java.util.List;
import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
import org.apache.wss4j.policy.model.AbstractToken;
@@ -68,6 +69,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
List<AbstractToken> tokens = binding.getTokens();
for (AbstractToken token : tokens) {
if (!isTokenRequired(token, parameters.getMessage())) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
continue;
}
@@ -110,6 +112,10 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
);
continue;
}
+
+ if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT)) {
+ assertDerivedKeys(token, parameters.getAssertionInfoMap());
+ }
}
}
}
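Review bot: The new check has no comment explaining why the RequireDerivedKeys assertion is gated on the action-result map, and a reader could assume the presence test is per-token when it is header-wide; a line such as `// Assert RequireDerivedKeys only once a DerivedKeyToken was actually processed; the per-token derivation check happens above` would record the intent and the assumption. If that per-token check does not exist earlier in the loop (it is outside the hunk), the assertion can be satisfied by a DerivedKeyToken unrelated to this endorsing token. `derived` and the loop header are defined before the hunk.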
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index 03d3864..6cb3ea8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
import java.util.Collection;
import java.util.List;
-import javax.xml.namespace.QName;
-
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.PolicyUtils;
@@ -31,9 +29,6 @@ import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.policy.SP11Constants;
import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.model.AbstractToken;
-import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
-import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.SymmetricBinding;
/**
@@ -101,7 +96,7 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertToken(binding.getEncryptionToken(), aim);
+ assertDerivedKeys(binding.getEncryptionToken().getToken(), aim);
}
if (binding.getSignatureToken() != null) {
@@ -112,7 +107,7 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertToken(binding.getSignatureToken(), aim);
+ assertDerivedKeys(binding.getSignatureToken().getToken(), aim);
}
if (binding.getProtectionToken() != null) {
@@ -123,19 +118,10 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
ai.setNotAsserted("Message fails the DerivedKeys requirement");
return false;
}
- assertToken(binding.getProtectionToken(), aim);
+ assertDerivedKeys(binding.getProtectionToken().getToken(), aim);
}
return true;
}
- private void assertToken(AbstractTokenWrapper tokenWrapper, AssertionInfoMap aim) {
- String namespace = tokenWrapper.getName().getNamespaceURI();
-
- AbstractToken token = tokenWrapper.getToken();
- DerivedKeys derivedKeys = token.getDerivedKeys();
- if (derivedKeys != null) {
- PolicyUtils.assertPolicy(aim, new QName(namespace, derivedKeys.name()));
- }
- }
}
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
index 49def3e..e70c460 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/transport/TransportBindingTest.java
@@ -386,7 +386,7 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
- public void testSAML2EndorsingX509() throws Exception {
+ public void testSAML2X509Endorsing() throws Exception {
// Only works for DOM (clients)
if (test.isStreaming()) {
@@ -420,7 +420,7 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase {
}
@org.junit.Test
- public void testSAML2EndorsingSymmetric() throws Exception {
+ public void testSAML2SymmetricEndorsing() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
@@ -448,6 +448,40 @@ public class TransportBindingTest extends AbstractBusClientServerTestBase {
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testSAML2SymmetricEndorsingDerived() throws Exception {
+
+ // Only works for DOM (clients)
+ if (test.isStreaming()) {
+ return;
+ }
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = TransportBindingTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ BusFactory.setDefaultBus(bus);
+ BusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = TransportBindingTest.class.getResource("DoubleIt.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2SymmetricEndorsingDerivedPort");
+ DoubleItPortType transportSaml1Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(transportSaml1Port, test.getPort());
+
+ TokenTestUtils.updateSTSPort((BindingProvider)transportSaml1Port, test.getStsPort());
+
+ if (test.isStreaming()) {
+ SecurityTestUtil.enableStreaming(transportSaml1Port);
+ }
+
+ doubleIt(transportSaml1Port, 25);
+
+ ((java.io.Closeable)transportSaml1Port).close();
+ bus.shutdown(true);
+ }
+
private DOMSource createDOMRequest() throws ParserConfigurationException {
// Creating a DOMSource Object for the request
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
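Review bot: The `if (test.isStreaming()) { SecurityTestUtil.enableStreaming(transportSaml1Port); }` block near the end of `testSAML2SymmetricEndorsingDerived` is unreachable, because the method already returns for streaming clients at its top; either drop the dead block or drop the early return, since this commit also adds a StAX service endpoint for this port in cxf-stax-service.xml that is otherwise never exercised. The "Only works for DOM (clients)" comment gives no reason, and the derived-key path on the streaming client is exactly what a regression test for CXF-7613 would want to cover, so a short note on what fails would help. The local is named `transportSaml1Port` although it holds the SAML2 derived port; `transportSaml2Port` would match the sibling tests.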
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
index 083f672..4da85f5 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/DoubleIt.wsdl
@@ -94,6 +94,21 @@
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItTransportSAML2SymmetricEndorsingDerivedBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItBindingTransportSAML2SymmetricEndorsingDerivedPolicy"/>
+ <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction=""/>
+ <wsdl:input>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal"/>
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:service name="DoubleItService">
<wsdl:port name="DoubleItTransportSAML1Port" binding="tns:DoubleItTransportSAML1Binding">
<soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml1"/>
@@ -112,6 +127,10 @@
binding="tns:DoubleItTransportSAML2SymmetricEndorsingBinding">
<soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml2symmetricendorsing"/>
</wsdl:port>
+ <wsdl:port name="DoubleItTransportSAML2SymmetricEndorsingDerivedPort"
+ binding="tns:DoubleItTransportSAML2SymmetricEndorsingDerivedBinding">
+ <soap:address location="https://localhost:8081/doubleit/services/doubleittransportsaml2symmetricendorsingderived"/>
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="DoubleItBindingTransportSAML1Policy">
<wsp:ExactlyOne>
@@ -429,7 +448,79 @@
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
- <!-- <sp:RequireDerivedKeys/> -->
+ </wsp:Policy>
+ <sp:Issuer>
+ <wsaw:Address>http://localhost:8080/STS/STSUT
+ </wsaw:Address>
+ <wsaw:Metadata>
+ <wsx:Metadata>
+ <wsx:MetadataSection>
+ <wsx:MetadataReference>
+ <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+ </wsaw:Address>
+ </wsx:MetadataReference>
+ </wsx:MetadataSection>
+ </wsx:Metadata>
+ </wsaw:Metadata>
+ </sp:Issuer>
+ </sp:IssuedToken>
+ </wsp:Policy>
+ </sp:EndorsingSupportingTokens>
+ <sp:Wss11>
+ <wsp:Policy>
+ <sp:MustSupportRefIssuerSerial/>
+ <sp:MustSupportRefThumbprint/>
+ <sp:MustSupportRefEncryptedKey/>
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13>
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens/>
+ <sp:RequireClientEntropy/>
+ <sp:RequireServerEntropy/>
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItBindingTransportSAML2SymmetricEndorsingDerivedPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsam:Addressing wsp:Optional="false">
+ <wsp:Policy/>
+ </wsam:Addressing>
+ <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy/>
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <sp:RequestSecurityTokenTemplate>
+ <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+ <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
+ </sp:RequestSecurityTokenTemplate>
+ <wsp:Policy>
+ <sp:RequireInternalReference/>
+ <sp:RequireDerivedKeys/>
</wsp:Policy>
<sp:Issuer>
<wsaw:Address>http://localhost:8080/STS/STSUT
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml
index 1606d31..2bfe892 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml
@@ -89,6 +89,14 @@
<entry key="security.sts.client" value-ref="stsClient"/>
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItTransportSAML2SymmetricEndorsingDerivedPort" createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="security.username" value="myclientkey"/>
+ <entry key="security.signature.properties" value="clientKeystore.properties"/>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="security.sts.client" value-ref="stsClient"/>
+ </jaxws:properties>
+ </jaxws:client>
<http:conduit name="https://localhost.*">
<http:tlsClientParameters disableCNCheck="true">
<sec:keyManagers keyPassword="ckpass">
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
index d2d09da..d0b2075 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-service.xml
@@ -59,6 +59,13 @@
<entry key="ws-security.enable.timestamp.cache" value="false"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2symmetricderived" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2SymmetricEndorsingDerivedPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.transport.Server}/doubleit/services/doubleittransportsaml2symmetricendorsingderived" wsdlLocation="org/apache/cxf/systest/sts/ [...]
+ <jaxws:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="security.signature.properties" value="serviceKeystore.properties"/>
+ <entry key="ws-security.enable.timestamp.cache" value="false"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
<httpj:engine port="${testutil.ports.transport.Server}">
<httpj:tlsServerParameters>
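Review bot: The new endpoint's `id="doubleittransportsaml2symmetricderived"` does not match the address path `.../doubleittransportsaml2symmetricendorsingderived` nor the id used for the same endpoint in cxf-stax-service.xml (`doubleittransportsaml2symmetricendorsingderived`); renaming it to `id="doubleittransportsaml2symmetricendorsingderived"` keeps the DOM and StAX configurations aligned and greppable. The rest of the properties mirror the preceding endpoint, so nothing else looks amiss.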
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
index 1b3607c..5c01b7f 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-stax-service.xml
@@ -66,6 +66,15 @@
<entry key="ws-security.enable.timestamp.cache" value="false"/>
</jaxws:properties>
</jaxws:endpoint>
+ <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleittransportsaml2symmetricendorsingderived" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItTransportSAML2SymmetricEndorsingDerivedPort" serviceName="s:DoubleItService" depends-on="ClientAuthHttpsSettings" address="https://localhost:${testutil.ports.transport.StaxServer}/doubleit/services/doubleittransportsaml2symmetricendorsingderived" wsdlLocation="org/apache/cxf [...]
+ <jaxws:properties>
+ <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+ <entry key="security.signature.properties" value="serviceKeystore.properties"/>
+ <entry key="ws-security.is-bsp-compliant" value="false"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ <entry key="ws-security.enable.timestamp.cache" value="false"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
<httpj:engine-factory id="ClientAuthHttpsSettings" bus="cxf">
<httpj:engine port="${testutil.ports.transport.StaxServer}">
<httpj:tlsServerParameters>
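Review bot: The new StAX endpoint disables Basic Security Profile checking with `ws-security.is-bsp-compliant` set to `false`, which relaxes server-side validation of the incoming security header, and the hunk gives no reason; if it is copied from the sibling streaming endpoints (only their tail is visible) a comment such as `<!-- BSP compliance disabled: needed for the streaming stack in this test; not a production setting -->` would stop it being cargo-culted into real configurations. Note also that TransportBindingTest returns early for streaming clients in the new test, so this endpoint is currently not exercised.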