Posted to commits@cxf.apache.org by co...@apache.org on 2018/01/24 19:54:46 UTC

[cxf] branch master updated (f7adbdf -> 543f7db)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from f7adbdf  CXF-7619 - Support deprecated 1.5 WS-Policy URI in the STS
     new 68f2489  Upgrading to WSS4J SNAPSHOT
     new 543f7db  CXF-5051 - ProtectTokens assertion is not respected for SAML tokens

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 parent/pom.xml                                     |  2 +-
 .../policyhandlers/AsymmetricBindingHandler.java   | 11 ++-
 .../sts/symmetric/SymmetricBindingTest.java        | 34 +++++++++
 .../apache/cxf/systest/sts/symmetric/DoubleIt.wsdl | 85 ++++++++++++++++++++++
 .../cxf/systest/sts/symmetric/cxf-client.xml       |  5 ++
 .../cxf/systest/sts/symmetric/cxf-service.xml      |  7 ++
 .../cxf/systest/sts/symmetric/cxf-stax-service.xml |  8 ++
 .../apache/cxf/systest/ws/saml/SamlTokenTest.java  | 39 ++++++++++
 .../apache/cxf/systest/ws/saml/DoubleItSaml.wsdl   | 70 ++++++++++++++++++
 .../org/apache/cxf/systest/ws/saml/client.xml      |  9 +++
 .../org/apache/cxf/systest/ws/saml/server.xml      | 10 +++
 .../org/apache/cxf/systest/ws/saml/stax-server.xml | 12 +++
 12 files changed, 288 insertions(+), 4 deletions(-)


[cxf] 02/02: CXF-5051 - ProtectTokens assertion is not respected for SAML tokens

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 543f7dbc29211e055ec810293dea6140f5812a6b
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 24 17:47:44 2018 +0000

    CXF-5051 - ProtectTokens assertion is not respected for SAML tokens
---
 .../policyhandlers/AsymmetricBindingHandler.java   | 11 ++-
 .../sts/symmetric/SymmetricBindingTest.java        | 34 +++++++++
 .../apache/cxf/systest/sts/symmetric/DoubleIt.wsdl | 85 ++++++++++++++++++++++
 .../cxf/systest/sts/symmetric/cxf-client.xml       |  5 ++
 .../cxf/systest/sts/symmetric/cxf-service.xml      |  7 ++
 .../cxf/systest/sts/symmetric/cxf-stax-service.xml |  8 ++
 .../apache/cxf/systest/ws/saml/SamlTokenTest.java  | 39 ++++++++++
 .../apache/cxf/systest/ws/saml/DoubleItSaml.wsdl   | 70 ++++++++++++++++++
 .../org/apache/cxf/systest/ws/saml/client.xml      |  9 +++
 .../org/apache/cxf/systest/ws/saml/server.xml      | 10 +++
 .../org/apache/cxf/systest/ws/saml/stax-server.xml | 12 +++
 11 files changed, 287 insertions(+), 3 deletions(-)

diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 788afdb..ec3dba5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -720,17 +720,22 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         } else {
             WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
 
-            // This action must occur before sig.prependBSTElementToHeader
             if (abinding.isProtectTokens()) {
                 assertPolicy(
                     new QName(abinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
-                if (sig.getBSTTokenId() != null) {
+                if (sig.getCustomTokenId() != null
+                    && (sigToken instanceof SamlToken || sigToken instanceof IssuedToken)) {
+                    WSEncryptionPart samlPart =
+                        new WSEncryptionPart(sig.getCustomTokenId());
+                    sigParts.add(samlPart);
+                } else if (sig.getBSTTokenId() != null) {
+                    // This action must occur before sig.prependBSTElementToHeader
                     WSEncryptionPart bstPart =
                         new WSEncryptionPart(sig.getBSTTokenId());
                     bstPart.setElement(sig.getBinarySecurityTokenElement());
                     sigParts.add(bstPart);
+                    sig.prependBSTElementToHeader();
                 }
-                sig.prependBSTElementToHeader();
             }
 
             List<Reference> referenceList = sig.addReferencesToSign(sigParts);
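Review bot: `assertPolicy(...)` for ProtectTokens still runs before either branch, so a `SamlToken`/`IssuedToken` whose `getCustomTokenId()` is null and that has no BST reports the assertion as satisfied while nothing is appended to `sigParts` and the token is left unsigned. Consider asserting only after a token part has actually been added (and otherwise leaving the assertion unasserted so policy validation reports it) rather than unconditionally at the top of the `isProtectTokens()` block. Unlike the BST branch, the new `samlPart` carries only the id and no `setElement(...)`, so the reference presumably has to be resolved from the header by that id when `addReferencesToSign` runs; a one-line comment saying so, e.g. `// SAML assertion is referenced by id only; it must already be in the header`, would save the next reader the guess. `IssuedToken` is not necessarily SAML, so `samlPart` is a slightly misleading name if other issued token types can reach this branch. The enclosing method starts and ends outside the hunk.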
diff --git a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java
index de4e47e..4b6af41 100644
--- a/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java
+++ b/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java
@@ -194,6 +194,40 @@ public class SymmetricBindingTest extends AbstractBusClientServerTestBase {
     }
 
     @org.junit.Test
+    public void testUsernameTokenSAML2ProtectTokens() throws Exception {
+
+        if (test.isStreaming()) {
+            // We don't support ProtectTokens + the streaming clients.
+            return;
+        }
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SymmetricBindingTest.class.getResource("cxf-client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SymmetricBindingTest.class.getResource("DoubleIt.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItSymmetricSAML2ProtectTokensPort");
+        DoubleItPortType symmetricSaml2Port =
+            service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(symmetricSaml2Port, test.getPort());
+
+        TokenTestUtils.updateSTSPort((BindingProvider)symmetricSaml2Port, test.getStsPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(symmetricSaml2Port);
+        }
+
+        doubleIt(symmetricSaml2Port, 30);
+        TokenTestUtils.verifyToken(symmetricSaml2Port);
+
+        ((java.io.Closeable)symmetricSaml2Port).close();
+        bus.shutdown(true);
+    }
+
+    @org.junit.Test
     public void testUsernameTokenSAML1Encrypted() throws Exception {
         SpringBusFactory bf = new SpringBusFactory();
         URL busFile = SymmetricBindingTest.class.getResource("cxf-client.xml");
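Review bot: The `if (test.isStreaming()) { SecurityTestUtil.enableStreaming(symmetricSaml2Port); }` block in the middle of the new test is unreachable, because the method already returns at its top when `test.isStreaming()` is true; drop it and keep only the early return with its comment. The same dead block appears in the new `testAsymmetricSamlInitiatorProtectTokens` in SamlTokenTest.java. As in the sibling tests, `close()` and `bus.shutdown(true)` are skipped if `doubleIt` or `verifyToken` throws, so a failing run leaves the bus registered as default for later tests in the class; a try/finally around the call would avoid that, though this follows the existing pattern.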
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl
index 1dacca8..272c2d8 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl
@@ -47,6 +47,19 @@
             </wsdl:output>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItSymmetricSAML2ProtectTokensBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItSymmetricBindingSAML2ProtectTokensPolicy"/>
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+            </wsdl:output>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItSymmetricSAML2SecureConversationBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItSymmetricBindingSecureConversationSAML2Policy"/>
         <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
@@ -69,6 +82,9 @@
         <wsdl:port name="DoubleItSymmetricSAML2Port" binding="tns:DoubleItSymmetricSAML2Binding">
             <soap:address location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItSymmetricSAML2ProtectTokensPort" binding="tns:DoubleItSymmetricSAML2ProtectTokensBinding">
+            <soap:address location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2protecttokens"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSymmetricSAML2SecureConversationPort" binding="tns:DoubleItSymmetricSAML2SecureConversationBinding">
             <soap:address location="http://localhost:8082/doubleit/services/doubleitsymmetricsaml2SecureConversation"/>
         </wsdl:port>
@@ -211,6 +227,75 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItSymmetricBindingSAML2ProtectTokensPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <wsam:Addressing wsp:Optional="false">
+                    <wsp:Policy/>
+                </wsam:Addressing>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+                <sp:SymmetricBinding>
+                    <wsp:Policy>
+                        <sp:ProtectionToken>
+                            <wsp:Policy>
+                                <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <sp:RequestSecurityTokenTemplate>
+                                        <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
+                                        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
+                                        <t:KeySize>128</t:KeySize>
+                                    </sp:RequestSecurityTokenTemplate>
+                                    <wsp:Policy>
+                                        <sp:RequireInternalReference/>
+                                    </wsp:Policy>
+                                    <sp:Issuer>
+                                        <wsaw:Address>http://localhost:8080/SecurityTokenService/UT
+                                                                                </wsaw:Address>
+                                        <wsaw:Metadata>
+                                            <wsx:Metadata>
+                                                <wsx:MetadataSection>
+                                                    <wsx:MetadataReference>
+                                                        <wsaw:Address>http://localhost:8080/SecurityTokenService/UT/mex
+                                                                                                                </wsaw:Address>
+                                                    </wsx:MetadataReference>
+                                                </wsx:MetadataSection>
+                                            </wsx:Metadata>
+                                        </wsaw:Metadata>
+                                    </sp:Issuer>
+                                </sp:IssuedToken>
+                            </wsp:Policy>
+                        </sp:ProtectionToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:ProtectTokens/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:SymmetricBinding>
+                <sp:Wss11>
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial/>
+                        <sp:MustSupportRefThumbprint/>
+                        <sp:MustSupportRefEncryptedKey/>
+                    </wsp:Policy>
+                </sp:Wss11>
+                <sp:Trust13>
+                    <wsp:Policy>
+                        <sp:MustSupportIssuedTokens/>
+                        <sp:RequireClientEntropy/>
+                        <sp:RequireServerEntropy/>
+                    </wsp:Policy>
+                </sp:Trust13>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy wsu:Id="DoubleItSymmetricBindingSecureConversationSAML2Policy">
         <wsp:ExactlyOne>
             <wsp:All>
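Review bot: The `<wsaw:Address>` values for the STS issuer and its mex reference contain a line break and indentation before the closing tag, so the literal text is the URL followed by whitespace; this presumably works because the test rewrites the STS port via `TokenTestUtils.updateSTSPort` and the address is trimmed, but keeping the URL and closing tag on one line, e.g. `<wsaw:Address>http://localhost:8080/SecurityTokenService/UT</wsaw:Address>`, removes the dependence on trimming. The sibling policies use the same layout, so this may be a deliberate copy.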
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml
index 8d28e98..74b34d6 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml
@@ -48,6 +48,11 @@
             <entry key="security.sts.client" value-ref="stsClient"/>
         </jaxws:properties>
     </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricSAML2ProtectTokensPort" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.sts.client" value-ref="stsClient"/>
+        </jaxws:properties>
+    </jaxws:client>
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricSAML1EncryptedPort" createdFromAPI="true">
         <jaxws:properties>
             <entry key="security.sts.client">
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-service.xml
index 43ecd1f..41a77da 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-service.xml
@@ -33,6 +33,13 @@
             <entry key="ws-security.is-bsp-compliant" value="false"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitsymmetricsaml2protecttokens" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItSymmetricSAML2ProtectTokensPort" serviceName="s:DoubleItService" address="http://localhost:${testutil.ports.symmetric.Server}/doubleit/services/doubleitsymmetricsaml2protecttokens" wsdlLocation="org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+            <entry key="security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitsymmetricsaml1encrypted" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItSymmetricSAML1EncryptedPort" serviceName="s:DoubleItService" address="http://localhost:${testutil.ports.symmetric.Server}/doubleit/services/doubleitsymmetricsaml1encrypted" wsdlLocation="org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
diff --git a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-stax-service.xml b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-stax-service.xml
index 22f65c5..ab6d752 100644
--- a/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-stax-service.xml
+++ b/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-stax-service.xml
@@ -35,6 +35,14 @@
             <entry key="ws-security.enable.streaming" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitsymmetricsaml2protecttokens" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItSymmetricSAML2ProtectTokensPort" serviceName="s:DoubleItService" address="http://localhost:${testutil.ports.symmetric.StaxServer}/doubleit/services/doubleitsymmetricsaml2protecttokens" wsdlLocation="org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
+            <entry key="security.signature.properties" value="serviceKeystore.properties"/>
+            <entry key="ws-security.is-bsp-compliant" value="false"/>
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
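Review bot: The new streaming endpoint `doubleitsymmetricsaml2protecttokens` is never reached by the new test, which returns before sending a request when `test.isStreaming()` is true, so this endpoint (and its counterpart in stax-server.xml) is configuration without an exercising test. Either leave it out until streaming supports ProtectTokens or mark it, e.g. `<!-- Not exercised yet: ProtectTokens is not supported with streaming clients -->`, so the next reader does not assume it is covered.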
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="doubleitsymmetricsaml1encrypted" implementor="org.apache.cxf.systest.sts.common.DoubleItPortTypeImpl" endpointName="s:DoubleItSymmetricSAML1EncryptedPort" serviceName="s:DoubleItService" address="http://localhost:${testutil.ports.symmetric.StaxServer}/doubleit/services/doubleitsymmetricsaml1encrypted" wsdlLocation="org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl">
         <jaxws:properties>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.sts.common.CommonCallbackHandler"/>
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
index f70d37c..bf26404 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/SamlTokenTest.java
@@ -568,6 +568,44 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
     }
 
     @org.junit.Test
+    public void testAsymmetricSamlInitiatorProtectTokens() throws Exception {
+
+        // We don't support ProtectTokens + streaming clients
+        if (test.isStreaming()) {
+            return;
+        }
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = SamlTokenTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        BusFactory.setDefaultBus(bus);
+        BusFactory.setThreadDefaultBus(bus);
+
+        URL wsdl = SamlTokenTest.class.getResource("DoubleItSaml.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSamlInitiatorProtectTokensPort");
+        DoubleItPortType saml2Port =
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(saml2Port, test.getPort());
+
+        if (test.isStreaming()) {
+            SecurityTestUtil.enableStreaming(saml2Port);
+        }
+
+        SamlCallbackHandler callbackHandler = new SamlCallbackHandler(true, true);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        ((BindingProvider)saml2Port).getRequestContext().put(
+            SecurityConstants.SAML_CALLBACK_HANDLER, callbackHandler
+        );
+        int result = saml2Port.doubleIt(25);
+        assertTrue(result == 50);
+
+        ((java.io.Closeable)saml2Port).close();
+        bus.shutdown(true);
+    }
+
+    @org.junit.Test
     public void testSaml2OverSymmetricSignedElements() throws Exception {
 
         SpringBusFactory bf = new SpringBusFactory();
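Review bot: `assertTrue(result == 50)` hides the actual value on failure; `assertEquals(50, result);` reports it. The test also only shows that the service accepts the request, so whether the signature really covers the SAML assertion is inferred from the server not rejecting the message under `<sp:ProtectTokens/>`; a follow-up that inspects the outbound signature references, or a negative case where the assertion is deliberately left unsigned, would pin the fix more directly.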
@@ -1205,4 +1243,5 @@ public class SamlTokenTest extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)saml2Port).close();
         bus.shutdown(true);
     }
+
 }
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
index 099d828..706f8a07 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl
@@ -215,6 +215,24 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    <wsdl:binding name="DoubleItAsymmetricSamlInitiatorProtectTokensBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricSamlInitiatorProtectTokensPolicy"/>
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault"/>
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
     <wsdl:binding name="DoubleItSaml2AsymmetricSignedEncryptedBinding" type="tns:DoubleItPortType">
         <wsp:PolicyReference URI="#DoubleItSaml2AsymmetricSignedEncryptedPolicy"/>
         <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
@@ -355,6 +373,9 @@
         <wsdl:port name="DoubleItAsymmetricSamlInitiatorPort" binding="tns:DoubleItAsymmetricSamlInitiatorBinding">
             <soap:address location="http://localhost:9001/DoubleItAsymmetricSamlInitiator"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricSamlInitiatorProtectTokensPort" binding="tns:DoubleItAsymmetricSamlInitiatorProtectTokensBinding">
+            <soap:address location="http://localhost:9001/DoubleItAsymmetricSamlInitiatorProtectTokens"/>
+        </wsdl:port>
         <wsdl:port name="DoubleItSaml2SymmetricSignedElementsPort" binding="tns:DoubleItSaml2SymmetricSignedElementsBinding">
             <soap:address location="http://localhost:9001/DoubleItSaml2SymmetricSignedElements"/>
         </wsdl:port>
@@ -850,6 +871,55 @@
             </wsp:All>
         </wsp:ExactlyOne>
     </wsp:Policy>
+    <wsp:Policy wsu:Id="DoubleItAsymmetricSamlInitiatorProtectTokensPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding>
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssSamlV20Token11/>
+                                    </wsp:Policy>
+                                </sp:SamlToken>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                        <sp:RequireIssuerSerialReference/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:ProtectTokens/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+                <sp:Wss11>
+                    <wsp:Policy>
+                        <sp:MustSupportRefIssuerSerial/>
+                        <sp:MustSupportRefThumbprint/>
+                        <sp:MustSupportRefEncryptedKey/>
+                    </wsp:Policy>
+                </sp:Wss11>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
     <wsp:Policy wsu:Id="DoubleItSaml2AsymmetricSignedEncryptedPolicy">
         <wsp:ExactlyOne>
             <wsp:All>
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
index 4581f39..3c0a1ba 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/client.xml
@@ -114,6 +114,15 @@
             <entry key="security.signature.username" value="alice"/>
         </jaxws:properties>
     </jaxws:client>
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSamlInitiatorProtectTokensPort" createdFromAPI="true">
+        <jaxws:properties>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.encryption.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="bob"/>
+            <entry key="security.signature.properties" value="alice.properties"/>
+            <entry key="security.signature.username" value="alice"/>
+        </jaxws:properties>
+    </jaxws:client>
     <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSaml2SymmetricSignedElementsPort" createdFromAPI="true">
         <jaxws:properties>
             <entry key="security.encryption.properties" value="bob.properties"/>
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
index e2152e3..4cdad77 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server.xml
@@ -132,6 +132,16 @@
             <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorProtectTokensPort" address="http://localhost:${testutil.ports.saml.Server}/DoubleItAsymmetricSamlInitiatorProtectTokens" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorProtectTokensPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="security.username" value="bob"/>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="useReqSigCert"/>
+            <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <entry key="ws-security.saml2.validator" value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.saml.Server}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
         <jaxws:properties>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
index cde7510..104dc9e 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/stax-server.xml
@@ -147,6 +147,18 @@
             <entry key="ws-security.enable.streaming" value="true"/>
         </jaxws:properties>
     </jaxws:endpoint>
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="AsymmetricSamlInitiatorProtectTokensPort" address="http://localhost:${testutil.ports.saml.StaxServer}/DoubleItAsymmetricSamlInitiatorProtectTokens" serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSamlInitiatorProtectTokensPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
+        <jaxws:properties>
+            <entry key="security.username" value="bob"/>
+            <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="security.signature.properties" value="bob.properties"/>
+            <entry key="security.encryption.username" value="useReqSigCert"/>
+            <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/>
+            <!--<entry key="ws-security.saml2.validator" 
+                  value="org.apache.cxf.systest.ws.saml.CustomSaml2Validator"/>-->
+            <entry key="ws-security.enable.streaming" value="true"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
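Review bot: The commented-out `ws-security.saml2.validator` entry leaves it unclear whether the custom validator was intentionally omitted for the StAX endpoint, while the non-streaming endpoint in server.xml sets it. Either remove the dead entry or replace it with a short comment giving the reason, e.g. `<!-- ws-security.saml2.validator intentionally not set on the StAX endpoint: <REASON> -->`.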
     <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Saml2TokenOverSymmetricSignedElements" address="http://localhost:${testutil.ports.saml.StaxServer}/DoubleItSaml2SymmetricSignedElements" serviceName="s:DoubleItService" endpointName="s:DoubleItSaml2SymmetricSignedElementsPort" implementor="org.apache.cxf.systest.ws.common.DoubleItPortTypeImpl" wsdlLocation="org/apache/cxf/systest/ws/saml/DoubleItSaml.wsdl">
         <jaxws:properties>
             <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>


[cxf] 01/02: Upgrading to WSS4J SNAPSHOT

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 68f2489c40fc50ef14c7d69e78c0cbae82308cb0
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 24 17:47:37 2018 +0000

    Upgrading to WSS4J SNAPSHOT
---
 parent/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 3f8463b..9b9af34 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -166,7 +166,7 @@
         <cxf.woodstox.core.version>5.0.3</cxf.woodstox.core.version>
         <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
-        <cxf.wss4j.version>2.2.0</cxf.wss4j.version>
+        <cxf.wss4j.version>2.2.1-SNAPSHOT</cxf.wss4j.version>
         <cxf.xbean.version>3.5</cxf.xbean.version>
         <cxf.xerces.version>2.11.0</cxf.xerces.version>
         <cxf.xmlbeans.version>2.6.0</cxf.xmlbeans.version>
