Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/20 14:51:02 UTC
svn commit: r1484454 - in /cxf/branches/2.6.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/
systests/ws-security/src/test/resources/org/apac...
Author: coheigea
Date: Mon May 20 12:51:01 2013
New Revision: 1484454
URL: http://svn.apache.org/r1484454
Log:
Merged revisions 1484452 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/branches/2.7.x-fixes
........
r1484452 | coheigea | 2013-05-20 13:46:01 +0100 (Mon, 20 May 2013) | 10 lines
Merged revisions 1484426 via git cherry-pick from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1484426 | coheigea | 2013-05-20 11:59:30 +0100 (Mon, 20 May 2013) | 2 lines
[CXF-5025] - Support WS-SecurityPolicy "Strict" Layout validation
........
........
Added:
cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
Modified:
cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Mon May 20 12:51:01 2013
@@ -148,36 +148,6 @@ public abstract class AbstractBindingPol
}
/**
- * Validate the layout assertion. It just checks the LaxTsFirst and LaxTsLast properties
- */
- protected boolean validateLayout(
- boolean laxTimestampFirst,
- boolean laxTimestampLast,
- List<WSSecurityEngineResult> results
- ) {
- if (laxTimestampFirst) {
- if (results.isEmpty()) {
- return false;
- }
- Integer firstAction = (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION);
- if (firstAction.intValue() != WSConstants.TS) {
- return false;
- }
- } else if (laxTimestampLast) {
- if (results.isEmpty()) {
- return false;
- }
- Integer lastAction =
- (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION);
- if (lastAction.intValue() != WSConstants.TS) {
- return false;
- }
- }
- return true;
-
- }
-
- /**
* Check various properties set in the policy of the binding
*/
protected boolean checkProperties(
@@ -205,9 +175,8 @@ public abstract class AbstractBindingPol
// Check the Layout
Layout layout = binding.getLayout();
- boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
- boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
- if (!validateLayout(timestampFirst, timestampLast, results)) {
+ LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
+ if (!layoutValidator.validatePolicy(layout)) {
String error = "Layout does not match the requirements";
notAssertPolicy(aim, layout, error);
ai.setNotAsserted(error);
Added: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java?rev=1484454&view=auto
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java (added)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java Mon May 20 12:51:01 2013
@@ -0,0 +1,230 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.Layout;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.ws.security.message.token.PKIPathSecurity;
+import org.apache.ws.security.message.token.X509Security;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+/**
+ * Validate a Layout policy.
+ */
+public class LayoutPolicyValidator {
+
+ private List<WSSecurityEngineResult> results;
+ private List<WSSecurityEngineResult> signedResults;
+
+ public LayoutPolicyValidator(
+ List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults
+ ) {
+ this.results = results;
+ this.signedResults = signedResults;
+ }
+
+ public boolean validatePolicy(Layout layout) {
+ boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
+ boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
+ boolean strict = layout.getValue() == SPConstants.Layout.Strict;
+
+ if (timestampFirst) {
+ if (results.isEmpty()) {
+ return false;
+ }
+ Integer firstAction = (Integer)results.get(results.size() - 1).get(WSSecurityEngineResult.TAG_ACTION);
+ if (firstAction.intValue() != WSConstants.TS) {
+ return false;
+ }
+ } else if (timestampLast) {
+ if (results.isEmpty()) {
+ return false;
+ }
+ Integer lastAction =
+ (Integer)results.get(0).get(WSSecurityEngineResult.TAG_ACTION);
+ if (lastAction.intValue() != WSConstants.TS) {
+ return false;
+ }
+ } else if (strict && (!validateStrictSignaturePlacement()
+ || !validateStrictSignatureTokenPlacement()
+ || !checkSignatureIsSignedPlacement())) {
+ return false;
+ }
+
+ return true;
+ }
+
+ private boolean validateStrictSignaturePlacement() {
+ // Go through each Signature and check any security header token is before the Signature
+ for (WSSecurityEngineResult signedResult : signedResults) {
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (sl == null) {
+ continue;
+ }
+
+ for (WSDataRef r : sl) {
+ String xpath = r.getXpath();
+ if (xpath != null) {
+ String[] nodes = StringUtils.split(xpath, "/");
+ // envelope/Header/wsse:Security/header
+ if (nodes.length == 5) {
+ Element protectedElement = r.getProtectedElement();
+ boolean tokenFound = false;
+ // Results are stored in reverse order
+ for (WSSecurityEngineResult result : results) {
+ Element resultElement =
+ (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ if (resultElement == protectedElement) {
+ tokenFound = true;
+ }
+ if (tokenFound && result == signedResult) {
+ return false;
+ } else if (resultElement != null && result == signedResult) {
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+
+ return true;
+ }
+
+ private boolean validateStrictSignatureTokenPlacement() {
+ // Go through each Signature and check that the Signing Token appears before the Signature
+ for (int i = 0; i < results.size(); i++) {
+ WSSecurityEngineResult result = results.get(i);
+ Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt == WSConstants.SIGN) {
+ int correspondingIndex = findCorrespondingTokenIndex(result);
+ if (correspondingIndex > 0 && correspondingIndex < i) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+
+ private boolean checkSignatureIsSignedPlacement() {
+ for (int i = 0; i < signedResults.size(); i++) {
+ WSSecurityEngineResult signedResult = signedResults.get(i);
+ List<WSDataRef> sl =
+ CastUtils.cast((List<?>)signedResult.get(
+ WSSecurityEngineResult.TAG_DATA_REF_URIS
+ ));
+ if (sl != null && sl.size() >= 1) {
+ for (WSDataRef dataRef : sl) {
+ QName signedQName = dataRef.getName();
+ if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
+ Element protectedElement = dataRef.getProtectedElement();
+ boolean endorsingSigFound = false;
+ // Results are stored in reverse order
+ for (WSSecurityEngineResult result : signedResults) {
+ if (result == signedResult) {
+ endorsingSigFound = true;
+ }
+ Element resultElement =
+ (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ if (resultElement == protectedElement) {
+ if (endorsingSigFound) {
+ break;
+ } else {
+ return false;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ return true;
+ }
+
+ /**
+ * Find the index of the token corresponding to either the X509Certificate or PublicKey used
+ * to sign the "signatureResult" argument.
+ */
+ private int findCorrespondingTokenIndex(
+ WSSecurityEngineResult signatureResult
+ ) {
+ // See what was used to sign this result
+ X509Certificate cert =
+ (X509Certificate)signatureResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ PublicKey publicKey =
+ (PublicKey)signatureResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+
+ for (int i = 0; i < results.size(); i++) {
+ WSSecurityEngineResult token = results.get(i);
+ Integer actInt = (Integer)token.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt == WSConstants.SIGN) {
+ continue;
+ }
+
+ BinarySecurity binarySecurity =
+ (BinarySecurity)token.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+ PublicKey foundPublicKey =
+ (PublicKey)token.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+ if (binarySecurity instanceof X509Security
+ || binarySecurity instanceof PKIPathSecurity) {
+ X509Certificate foundCert =
+ (X509Certificate)token.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ if (foundCert.equals(cert)) {
+ return i;
+ }
+ } else if (actInt.intValue() == WSConstants.ST_SIGNED
+ || actInt.intValue() == WSConstants.ST_UNSIGNED) {
+ AssertionWrapper assertionWrapper =
+ (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
+ if (samlKeyInfo != null) {
+ X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
+ PublicKey subjectPublicKey = samlKeyInfo.getPublicKey();
+ if ((cert != null && subjectCerts != null
+ && cert.equals(subjectCerts[0]))
+ || (subjectPublicKey != null && subjectPublicKey.equals(publicKey))) {
+ return i;
+ }
+ }
+ } else if (publicKey != null && publicKey.equals(foundPublicKey)) {
+ return i;
+ }
+ }
+ return -1;
+ }
+}
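Review bot: In `validateStrictSignatureTokenPlacement` the guard `correspondingIndex > 0 && correspondingIndex < i` skips index 0, although `findCorrespondingTokenIndex` returns -1 for "not found" and 0 is a valid position in `results`. The file's own comments say results are stored in reverse order, and the LaxTsLast branch treats `results.get(0)` as the last header element, so a signing token placed last in the security header, after its Signature, appears to pass the Strict check. The condition likely should be `if (correspondingIndex >= 0 && correspondingIndex < i) {`. Separately, `findCorrespondingTokenIndex` dereferences `foundCert`, `assertionWrapper` and `subjectCerts[0]` without a null or length check, so a result lacking those tags ends in an unchecked exception rather than a `false` return. A guard such as `if (foundCert != null && foundCert.equals(cert))` would keep the failure inside the policy-validation path.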
Modified: cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original)
+++ cxf/branches/2.6.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Mon May 20 12:51:01 2013
@@ -30,7 +30,6 @@ import org.apache.cxf.security.transport
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.Layout;
import org.apache.cxf.ws.security.policy.model.TransportBinding;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -87,9 +86,8 @@ public class TransportBindingPolicyValid
// Check the Layout
Layout layout = binding.getLayout();
- boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
- boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
- if (!validateLayout(timestampFirst, timestampLast, results)) {
+ LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
+ if (!layoutValidator.validatePolicy(layout)) {
String error = "Layout does not match the requirements";
notAssertPolicy(aim, layout, error);
ai.setNotAsserted(error);
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/bindings/BindingPropertiesTest.java Mon May 20 12:51:01 2013
@@ -314,6 +314,42 @@ public class BindingPropertiesTest exten
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testStrict() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = BindingPropertiesTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = BindingPropertiesTest.class.getResource("DoubleItBindings.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+
+ // Successful invocation
+ QName portQName = new QName(NAMESPACE, "DoubleItStrictPort");
+ DoubleItPortType port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+ port.doubleIt(25);
+
+ // This should fail, as the client is sending the timestamp last
+ portQName = new QName(NAMESPACE, "DoubleItStrictPort2");
+ port = service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(port, PORT);
+
+ try {
+ port.doubleIt(25);
+ fail("Failure expected on sending the timestamp last");
+ } catch (javax.xml.ws.soap.SOAPFaultException ex) {
+ String error = "Layout does not match the requirements";
+ assertTrue(ex.getMessage().contains(error));
+ }
+
+ ((java.io.Closeable)port).close();
+ bus.shutdown(true);
+ }
+
// TODO
@org.junit.Test
@org.junit.Ignore
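Review bot: `testStrict` has a single negative case (timestamp sent last), so as far as this hunk shows, the new Strict checks for signing-token order and for a signed Signature in `LayoutPolicyValidator` are never driven to a rejection. A case where each of those checks must return `false` would pin the behaviour. The first `port` is also reassigned without being closed, and the trailing `((java.io.Closeable)port).close();` and `bus.shutdown(true);` are skipped when an assertion fails. Closing the first proxy before reuse and moving the cleanup into a `finally` block would stop the bus from leaking into later tests. The enclosing test class starts and ends outside the hunk.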
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl Mon May 20 12:51:01 2013
@@ -122,6 +122,12 @@
<wsdl:port name="DoubleItSignatureConfirmationPort2" binding="tns:DoubleItStandardBinding">
<soap:address location="http://localhost:9010/DoubleItSignatureConfirmation2" />
</wsdl:port>
+ <wsdl:port name="DoubleItStrictPort" binding="tns:DoubleItStandardBinding">
+ <soap:address location="http://localhost:9010/DoubleItStrict" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItStrictPort2" binding="tns:DoubleItStandardBinding">
+ <soap:address location="http://localhost:9010/DoubleItStrict2" />
+ </wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="SignBodyChildPolicy">
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/client/client.xml Mon May 20 12:51:01 2013
@@ -349,6 +349,50 @@
</jaxws:client>
<jaxws:client
+ name="{http://www.example.org/contract/DoubleIt}DoubleItStrictPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice" />
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+ <entry key="ws-security.encryption.username" value="bob" />
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+ <entry key="ws-security.signature.username" value="alice" />
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml" />
+ </p:policies>
+ </jaxws:features>
+ </jaxws:client>
+
+ <jaxws:client
+ name="{http://www.example.org/contract/DoubleIt}DoubleItStrictPort2"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.username" value="Alice" />
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+ <entry key="ws-security.encryption.username" value="bob" />
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties" />
+ <entry key="ws-security.signature.username" value="alice" />
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ URI="classpath:/org/apache/cxf/systest/ws/bindings/ts-last-policy.xml" />
+ </p:policies>
+ </jaxws:features>
+ </jaxws:client>
+
+ <jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTokenProtectionPort"
createdFromAPI="true">
<jaxws:properties>
Modified: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml?rev=1484454&r1=1484453&r2=1484454&view=diff
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml (original)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/server/server.xml Mon May 20 12:51:01 2013
@@ -366,6 +366,52 @@
</jaxws:endpoint>
+ <jaxws:endpoint id="StrictEndpoint"
+ address="http://localhost:${testutil.ports.Server}/DoubleItStrict"
+ serviceName="s:DoubleItService" endpointName="s:DoubleItStrictPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+ <entry key="ws-security.encryption.username" value="useReqSigCert" />
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml" />
+ </p:policies>
+ </jaxws:features>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint id="StrictEndpoint2"
+ address="http://localhost:${testutil.ports.Server}/DoubleItStrict2"
+ serviceName="s:DoubleItService" endpointName="s:DoubleItStrictPort2"
+ xmlns:s="http://www.example.org/contract/DoubleIt" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/bindings/DoubleItBindings.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.UTPasswordCallback" />
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties" />
+ <entry key="ws-security.encryption.username" value="useReqSigCert" />
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+ <jaxws:features>
+ <p:policies>
+ <wsp:PolicyReference xmlns:wsp="http://www.w3.org/ns/ws-policy"
+ URI="classpath:/org/apache/cxf/systest/ws/bindings/strict-policy.xml" />
+ </p:policies>
+ </jaxws:features>
+
+ </jaxws:endpoint>
+
<jaxws:endpoint id="TokenProtectionEndpoint"
address="http://localhost:${testutil.ports.Server}/DoubleItTokenProtection"
serviceName="s:DoubleItService" endpointName="s:DoubleItTokenProtectionPort"
Added: cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml?rev=1484454&view=auto
==============================================================================
--- cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml (added)
+++ cxf/branches/2.6.x-fixes/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/bindings/strict-policy.xml Mon May 20 12:51:01 2013
@@ -0,0 +1,45 @@
+<wsp:Policy wsu:Id="CleanPolicy"
+ xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
+ xmlns:wsp="http://www.w3.org/ns/ws-policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ <sp:RequireIssuerSerialReference />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Strict />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
\ No newline at end of file