Posted to commits@cxf.apache.org by ow...@apache.org on 2013/07/03 06:16:06 UTC
svn commit: r1499202 - in /cxf/branches/2.7.x-fixes:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
services/sts/sts-core/src/main/java/org/apache/cxf/sts/
services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/...
Author: owulff
Date: Wed Jul 3 04:16:05 2013
New Revision: 1499202
URL: http://svn.apache.org/r1499202
Log:
[CXF-3883] Support for identity mapping as part of issue token process
Added:
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java
Modified:
cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java
cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl
Modified: cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java (original)
+++ cxf/branches/2.7.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java Wed Jul 3 04:16:05 2013
@@ -904,12 +904,26 @@ public abstract class AbstractBindingBui
}
}
}
-
+
//
// Get the SAML CallbackHandler
//
Object o = message.getContextualProperty(SecurityConstants.SAML_CALLBACK_HANDLER);
-
+
+ if (o == null && message.getContextualProperty(SecurityConstants.TOKEN) != null) {
+ SecurityToken securityToken = (SecurityToken)message.getContextualProperty(SecurityConstants.TOKEN);
+ Element tokenElement = (Element)securityToken.getToken();
+ String namespace = tokenElement.getNamespaceURI();
+ String localname = tokenElement.getLocalName();
+ if ((token.isUseSamlVersion11Profile10() || token.isUseSamlVersion11Profile11())
+ && WSConstants.SAML_NS.equals(namespace) && "Assertion".equals(localname)) {
+ return new AssertionWrapper(tokenElement);
+ } else if (token.isUseSamlVersion20Profile11()
+ && WSConstants.SAML2_NS.equals(namespace) && "Assertion".equals(localname)) {
+ return new AssertionWrapper(tokenElement);
+ }
+ }
+
CallbackHandler handler = null;
if (o instanceof CallbackHandler) {
handler = (CallbackHandler)o;
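Review bot: In the new `TOKEN` branch the property is cast to `SecurityToken` without an `instanceof` test and `securityToken.getToken()` is cast to `Element` and dereferenced with no null check, so a `SecurityToken` that carries no DOM element (or a misconfigured property) fails with an NPE/ClassCastException instead of falling through to the CallbackHandler path. Guard both before the cast, e.g. `Object t = message.getContextualProperty(SecurityConstants.TOKEN); if (o == null && t instanceof SecurityToken && ((SecurityToken)t).getToken() != null) {`. The cached assertion is returned as-is with no expiry check, which is reasonable for a token this client stored itself, but a one-line comment saying the stored token is reused unchanged to satisfy the SAML token policy would make that intent visible. The enclosing method starts and ends outside the hunk.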
Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/STSPropertiesMBean.java Wed Jul 3 04:16:05 2013
@@ -26,6 +26,7 @@ import javax.security.auth.callback.Call
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.realm.Relationship;
import org.apache.cxf.sts.token.realm.RelationshipResolver;
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.ws.security.components.crypto.Crypto;
@@ -181,4 +182,17 @@ public interface STSPropertiesMBean {
*/
RelationshipResolver getRelationshipResolver();
+
+ /**
+ * Get the SAML Realm Codec object to use.
+ * @return the SAMLRealmCodec object to use.
+ */
+ SAMLRealmCodec getSamlRealmCodec();
+
+ /**
+ * Set the SAML Realm Codec object to use.
+ * @param samlRealmCodec the SAMLRealmCodec object to use.
+ */
+ void setSamlRealmCodec(SAMLRealmCodec samlRealmCodec);
+
}
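Review bot: The Javadoc added for `getSamlRealmCodec`/`setSamlRealmCodec` only says the codec is "the SAMLRealmCodec object to use" and not what it is used for. In this commit the codec's `getRealmFromToken` result is the realm assigned to a SAML assertion found in the WS-Security header of an Issue request, that realm drives the Relationship/IdentityMapper lookup, and a null codec disables the path entirely, so the doc should say so: `* Get the SAMLRealmCodec used to derive the realm of a SAML assertion presented in the WS-Security header of an Issue request; the realm selects the Relationship/IdentityMapper applied to its principal. May be null, in which case header assertions are not used for identity mapping.` with a matching sentence on the setter.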
Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/StaticSTSProperties.java Wed Jul 3 04:16:05 2013
@@ -35,6 +35,7 @@ import org.apache.cxf.resource.ResourceM
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.realm.Relationship;
import org.apache.cxf.sts.token.realm.RelationshipResolver;
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
@@ -63,6 +64,9 @@ public class StaticSTSProperties impleme
private IdentityMapper identityMapper;
private List<Relationship> relationships;
private RelationshipResolver relationshipResolver;
+ private SAMLRealmCodec samlRealmCodec;
+
+
/**
* Load the CallbackHandler, Crypto objects, if necessary.
@@ -388,4 +392,12 @@ public class StaticSTSProperties impleme
return relationshipResolver;
}
+ public SAMLRealmCodec getSamlRealmCodec() {
+ return samlRealmCodec;
+ }
+
+ public void setSamlRealmCodec(SAMLRealmCodec samlRealmCodec) {
+ this.samlRealmCodec = samlRealmCodec;
+ }
+
}
Modified: cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/TokenIssueOperation.java Wed Jul 3 04:16:05 2013
@@ -19,14 +19,18 @@
package org.apache.cxf.sts.operation;
+import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.xml.bind.JAXBElement;
import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.QNameConstants;
import org.apache.cxf.sts.claims.RequestClaimCollection;
import org.apache.cxf.sts.event.STSIssueFailureEvent;
@@ -55,7 +59,12 @@ import org.apache.cxf.ws.security.sts.pr
import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
import org.apache.cxf.ws.security.sts.provider.operation.IssueOperation;
import org.apache.cxf.ws.security.sts.provider.operation.IssueSingleOperation;
+import org.apache.ws.security.SAMLTokenPrincipal;
+import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.springframework.context.ApplicationEvent;
/**
@@ -112,6 +121,29 @@ public class TokenIssueOperation extends
TokenRequirements tokenRequirements = requestParser.getTokenRequirements();
String tokenType = tokenRequirements.getTokenType();
+
+
+ if (stsProperties.getSamlRealmCodec() != null) {
+ AssertionWrapper assertion = fetchSAMLAssertionFromWSSecuritySAMLToken(context);
+
+ if (assertion != null) {
+ String wssecRealm = stsProperties.getSamlRealmCodec().getRealmFromToken(assertion);
+ SAMLTokenPrincipal samlPrincipal = new SAMLTokenPrincipal(assertion);
+ if (LOG.isLoggable(Level.FINE)) {
+ LOG.fine("SAML token realm of user '" + samlPrincipal.getName() + "' is " + wssecRealm);
+ }
+
+ ReceivedToken wssecToken = new ReceivedToken(assertion.getElement());
+ wssecToken.setState(STATE.VALID);
+ TokenValidatorResponse tokenResponse = new TokenValidatorResponse();
+ tokenResponse.setPrincipal(samlPrincipal);
+ tokenResponse.setToken(wssecToken);
+ tokenResponse.setTokenRealm(wssecRealm);
+ tokenResponse.setAdditionalProperties(new HashMap<String, Object>());
+ processValidToken(providerParameters, wssecToken, tokenResponse);
+ providerParameters.setPrincipal(wssecToken.getPrincipal());
+ }
+ }
// Validate OnBehalfOf token if present
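Review bot: The new block sets the header assertion to `STATE.VALID`, runs `processValidToken`, and then does `providerParameters.setPrincipal(wssecToken.getPrincipal())` solely because WSS4J produced a `TAG_SAML_ASSERTION` result; nothing here checks that the assertion was signed and that its signature and issuer were verified by the inbound handler, and whether the inbound security policy guarantees that is not visible in this hunk. If it does not, the realm the codec returns (the issuer string, in the test codec) and the mapped principal are attacker-chosen, so at minimum gate the block with `if (assertion != null && assertion.isSigned()) {` and document in a comment that the STS relies on the WS-Security layer having validated the signature. The `setPrincipal` call also unconditionally replaces whatever principal the transport or a UsernameToken already established, which deserves either a comment stating that precedence is intended or a check that no principal was set yet. The enclosing method starts before and continues after the hunk.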
@@ -345,5 +377,37 @@ public class TokenIssueOperation extends
QNameConstants.WS_TRUST_FACTORY.createBinarySecret(binarySecretType);
return binarySecret;
}
+
+ /**
+ * Method to fetch SAML assertion from the WS-Security header
+ */
+
+ private static AssertionWrapper fetchSAMLAssertionFromWSSecuritySAMLToken(
+ WebServiceContext wsContext
+ ) {
+
+ MessageContext messageContext = wsContext.getMessageContext();
+ final List<WSHandlerResult> handlerResults =
+ CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
+
+ if (handlerResults != null && handlerResults.size() > 0) {
+ WSHandlerResult handlerResult = handlerResults.get(0);
+ List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
+
+ for (WSSecurityEngineResult engineResult : engineResults) {
+ /*
+ Integer actInt = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
+ String id = (String)engineResult.get(WSSecurityEngineResult.TAG_ID);
+ Element tokenElement =
+ (Element)engineResult.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+ */
+ Object token = engineResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ if (token instanceof AssertionWrapper) {
+ return (AssertionWrapper)token;
+ }
+ }
+ }
+ return null;
+ }
}
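Review bot: `fetchSAMLAssertionFromWSSecuritySAMLToken` returns the first `TAG_SAML_ASSERTION` in the first `WSHandlerResult` without consulting `TAG_ACTION`, so a result WSS4J recorded for an unsigned assertion (`ST_UNSIGNED`) is returned exactly like one for a signed assertion (`ST_SIGNED`); the commented-out `TAG_ACTION`/`TAG_ID`/`TAG_TOKEN_ELEMENT` reads suggest that filter was intended and should be implemented or deleted rather than left as dead code. Suggest `Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION); if (action != null && action.intValue() == WSConstants.ST_SIGNED && token instanceof AssertionWrapper) {` (needs an `org.apache.ws.security.WSConstants` import), or at least `if (token instanceof AssertionWrapper && ((AssertionWrapper)token).isSigned())`. Only `handlerResults.get(0)` is examined, so an assertion in any further security header is silently ignored, which may be acceptable but should be stated in the Javadoc, together with the fact that the caller is responsible for deciding whether the returned assertion is trusted.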
Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/CustomIdentityMapper.java Wed Jul 3 04:16:05 2013
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import java.security.Principal;
+
+import org.apache.cxf.sts.IdentityMapper;
+import org.apache.ws.security.CustomTokenPrincipal;
+
+/**
+ * A test implementation of IdentityMapper.
+ */
+public class CustomIdentityMapper implements IdentityMapper {
+
+ /**
+ * Map a principal in the source realm to the target realm
+ * @param sourceRealm the source realm of the Principal
+ * @param sourcePrincipal the principal in the source realm
+ * @param targetRealm the target realm of the Principal
+ * @return the principal in the target realm
+ */
+ public Principal mapPrincipal(String sourceRealm, Principal sourcePrincipal, String targetRealm) {
+ if ("a-issuer".equals(sourceRealm)) {
+ String name = sourcePrincipal.getName().toUpperCase();
+ return new CustomTokenPrincipal(name);
+ } else if ("b-issuer".equals(sourceRealm)) {
+ String name = sourcePrincipal.getName().toLowerCase();
+ return new CustomTokenPrincipal(name);
+ }
+ return null;
+ }
+
+}
Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SAMLRealmCNCodec.java Wed Jul 3 04:16:05 2013
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import org.apache.cxf.sts.token.realm.SAMLRealmCodec;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+public class SAMLRealmCNCodec implements SAMLRealmCodec {
+
+ @Override
+ public String getRealmFromToken(AssertionWrapper assertion) {
+ return assertion.getIssuerString();
+ }
+}
+
Added: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java?rev=1499202&view=auto
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java (added)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/UriRealmParser.java Wed Jul 3 04:16:05 2013
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.sts.common;
+
+import java.util.StringTokenizer;
+
+import javax.xml.ws.WebServiceContext;
+
+import org.apache.cxf.sts.RealmParser;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+
+public class UriRealmParser implements RealmParser {
+
+ @Override
+ public String parseRealm(WebServiceContext context) throws STSException {
+
+
+ String realm = null;
+ try {
+ String url = (String)context.getMessageContext().get("org.apache.cxf.request.url");
+
+ StringTokenizer st = new StringTokenizer(url, "/");
+
+ int count = st.countTokens();
+ if (count <= 4) {
+ return null;
+ }
+ count--;
+ for (int i = 0; i < count; i++) {
+ realm = st.nextToken();
+ }
+ } catch (Exception ex) {
+ // No realm found
+ }
+ return realm;
+
+ }
+
+}
Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/issueunit/IssueUnitTest.java Wed Jul 3 04:16:05 2013
@@ -23,8 +23,10 @@ import java.security.cert.X509Certificat
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -33,15 +35,32 @@ import org.w3c.dom.Element;
import org.apache.cxf.Bus;
import org.apache.cxf.bus.spring.SpringBusFactory;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.jaxws.context.WebServiceContextImpl;
+import org.apache.cxf.jaxws.context.WrappedMessageContext;
+import org.apache.cxf.message.MessageImpl;
+import org.apache.cxf.sts.STSConstants;
+import org.apache.cxf.sts.StaticSTSProperties;
+import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.TokenRequirements;
+import org.apache.cxf.sts.service.EncryptionProperties;
+import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
+import org.apache.cxf.sts.token.provider.TokenProviderParameters;
+import org.apache.cxf.sts.token.provider.TokenProviderResponse;
+import org.apache.cxf.sts.token.realm.SAMLRealm;
+import org.apache.cxf.systest.sts.common.CommonCallbackHandler;
import org.apache.cxf.systest.sts.common.SecurityTestUtil;
import org.apache.cxf.systest.sts.deployment.STSServer;
import org.apache.cxf.testutil.common.AbstractBusClientServerTestBase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.ws.security.CustomTokenPrincipal;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.components.crypto.CryptoType;
@@ -241,7 +260,7 @@ public class IssueUnitTest extends Abstr
// Get a token
SecurityToken token =
requestSecurityToken(
- SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bst.getElement(), bus, DEFAULT_ADDRESS, null
+ SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bst.getElement(), bus, DEFAULT_ADDRESS, null, null, null, null
);
assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
assertTrue(token.getToken() != null);
@@ -361,6 +380,75 @@ public class IssueUnitTest extends Abstr
bus.shutdown(true);
}
+ //CHECKSTYLE:OFF
+ @org.junit.Test
+ public void testSAMLinWSSecToOtherRealm() throws Exception {
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = IssueUnitTest.class.getResource("cxf-client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
+ CallbackHandler callbackHandler = new CommonCallbackHandler();
+
+ //Create SAML token
+ Element samlToken =
+ createSAMLAssertion(WSConstants.WSS_SAML2_TOKEN_TYPE, crypto, "mystskey",
+ callbackHandler, null, "alice", "a-issuer");
+
+ String id = null;
+ QName elName = DOMUtils.getElementQName(samlToken);
+ if (elName.equals(new QName(WSConstants.SAML_NS, "Assertion"))
+ && samlToken.hasAttributeNS(null, "AssertionID")) {
+ id = samlToken.getAttributeNS(null, "AssertionID");
+ } else if (elName.equals(new QName(WSConstants.SAML2_NS, "Assertion"))
+ && samlToken.hasAttributeNS(null, "ID")) {
+ id = samlToken.getAttributeNS(null, "ID");
+ }
+ if (id == null) {
+ id = samlToken.getAttributeNS(WSConstants.WSU_NS, "Id");
+ }
+
+ SecurityToken wstoken = new SecurityToken(id, samlToken, null, null);
+ Map<String, Object> properties = new HashMap<String, Object>();
+ properties.put(SecurityConstants.TOKEN, wstoken);
+ properties.put(SecurityConstants.TOKEN_ID, wstoken.getId());
+
+ // Get a token
+
+ SecurityToken token =
+ requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null,
+ bus, DEFAULT_ADDRESS, null, properties, "b-issuer", "Transport_SAML_Port");
+
+ /*
+ SecurityToken token =
+ requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, null,
+ bus, DEFAULT_ADDRESS, null, properties, "b-issuer", null);
+ */
+ assertTrue(SAML2_TOKEN_TYPE.equals(token.getTokenType()));
+ assertTrue(token.getToken() != null);
+
+ List<WSSecurityEngineResult> results = processToken(token);
+ assertTrue(results != null && results.size() == 1);
+ AssertionWrapper assertion =
+ (AssertionWrapper)results.get(0).get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+ assertTrue(assertion != null);
+ assertTrue(assertion.isSigned());
+
+ List<String> methods = assertion.getConfirmationMethods();
+ String confirmMethod = null;
+ if (methods != null && methods.size() > 0) {
+ confirmMethod = methods.get(0);
+ }
+ assertTrue(confirmMethod.contains("bearer"));
+
+ assertTrue("b-issuer".equals(assertion.getIssuerString()));
+ String subjectName = assertion.getSaml2().getSubject().getNameID().getValue();
+ assertTrue("Subject must be ALICE instead of " + subjectName, "ALICE".equals(subjectName));
+
+ }
private SecurityToken requestSecurityToken(
String tokenType,
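Review bot: `testSAMLinWSSecToOtherRealm` covers only the positive path; since the STS now takes the realm and principal from an assertion in the WS-Security header, the test should also show that an unsigned assertion, one signed by a key outside the STS trust store, or one from a realm with no `Relationship` does not yield a `b-issuer` token for `ALICE`. Smaller points: `assertTrue(confirmMethod.contains("bearer"))` throws an NPE instead of a clean failure when no confirmation method is present, so add `assertNotNull(confirmMethod)` first; `//CHECKSTYLE:OFF` has no matching `//CHECKSTYLE:ON`; and the commented-out second `requestSecurityToken` call should be removed.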
@@ -368,7 +456,7 @@ public class IssueUnitTest extends Abstr
Bus bus,
String endpointAddress
) throws Exception {
- return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, null);
+ return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, null, null, null, null);
}
private SecurityToken requestSecurityToken(
@@ -378,7 +466,7 @@ public class IssueUnitTest extends Abstr
String endpointAddress,
String context
) throws Exception {
- return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, context);
+ return requestSecurityToken(tokenType, keyType, null, bus, endpointAddress, context, null, null, null);
}
private SecurityToken requestSecurityToken(
@@ -387,23 +475,39 @@ public class IssueUnitTest extends Abstr
Element supportingToken,
Bus bus,
String endpointAddress,
- String context
+ String context,
+ Map<String, Object> msgProperties,
+ String realmUri,
+ String wsdlPort
) throws Exception {
STSClient stsClient = new STSClient(bus);
String port = "8443";
if (standalone) {
port = STSPORT;
}
- stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/Transport?wsdl");
+ if (realmUri != null) {
+ stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/" + realmUri
+ + "/Transport?wsdl");
+ } else {
+ stsClient.setWsdlLocation("https://localhost:" + port + "/SecurityTokenService/Transport?wsdl");
+ }
stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
- stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+ if (wsdlPort != null) {
+ stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}" + wsdlPort);
+ } else {
+ stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
+ }
- Map<String, Object> properties = new HashMap<String, Object>();
- properties.put(SecurityConstants.USERNAME, "alice");
- properties.put(
- SecurityConstants.CALLBACK_HANDLER,
- "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
- );
+
+ Map<String, Object> properties = msgProperties;
+ if (properties == null) {
+ properties = new HashMap<String, Object>();
+ properties.put(SecurityConstants.USERNAME, "alice");
+ properties.put(
+ SecurityConstants.CALLBACK_HANDLER,
+ "org.apache.cxf.systest.sts.common.CommonCallbackHandler"
+ );
+ }
properties.put(SecurityConstants.IS_BSP_COMPLIANT, "false");
if (PUBLIC_KEY_KEYTYPE.equals(keyType)) {
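Review bot: When `msgProperties` is supplied, `properties.put(SecurityConstants.IS_BSP_COMPLIANT, "false")` (and presumably the key-type branches that follow) write into the caller's map, so the `properties` map built in `testSAMLinWSSecToOtherRealm` is mutated by this helper; copy it first, `Map<String, Object> properties = msgProperties == null ? new HashMap<String, Object>() : new HashMap<String, Object>(msgProperties);`, to keep the helper side-effect free. The rest of the method continues outside the hunk.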
@@ -482,4 +586,77 @@ public class IssueUnitTest extends Abstr
token.getToken(), requestData, new WSDocInfo(token.getToken().getOwnerDocument())
);
}
+
+ private Properties getEncryptionProperties() {
+ Properties properties = new Properties();
+ properties.put(
+ "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin"
+ );
+ properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "stsspass");
+ properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "stsstore.jks");
+
+ return properties;
+ }
+
+ /*
+ * Mock up an SAML assertion element
+ */
+ private Element createSAMLAssertion(
+ String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler,
+ Map<String, SAMLRealm> realms, String user, String issuer
+ ) throws WSSecurityException {
+ SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
+ samlTokenProvider.setRealmMap(realms);
+
+ TokenProviderParameters providerParameters =
+ createProviderParameters(
+ tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername,
+ callbackHandler, user, issuer
+ );
+ if (realms != null) {
+ providerParameters.setRealm("A");
+ }
+ TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+ return providerResponse.getToken();
+ }
+
+ private TokenProviderParameters createProviderParameters(
+ String tokenType, String keyType, Crypto crypto,
+ String signatureUsername, CallbackHandler callbackHandler,
+ String username, String issuer
+ ) throws WSSecurityException {
+ TokenProviderParameters parameters = new TokenProviderParameters();
+
+ TokenRequirements tokenRequirements = new TokenRequirements();
+ tokenRequirements.setTokenType(tokenType);
+ parameters.setTokenRequirements(tokenRequirements);
+
+ KeyRequirements keyRequirements = new KeyRequirements();
+ keyRequirements.setKeyType(keyType);
+ parameters.setKeyRequirements(keyRequirements);
+
+ parameters.setPrincipal(new CustomTokenPrincipal(username));
+ // Mock up message context
+ MessageImpl msg = new MessageImpl();
+ WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
+ WebServiceContextImpl webServiceContext = new WebServiceContextImpl(msgCtx);
+ parameters.setWebServiceContext(webServiceContext);
+
+ parameters.setAppliesToAddress("http://dummy-service.com/dummy");
+
+ // Add STSProperties object
+ StaticSTSProperties stsProperties = new StaticSTSProperties();
+ stsProperties.setSignatureCrypto(crypto);
+ stsProperties.setSignatureUsername(signatureUsername);
+ stsProperties.setCallbackHandler(callbackHandler);
+ stsProperties.setIssuer(issuer);
+ parameters.setStsProperties(stsProperties);
+
+ parameters.setEncryptionProperties(new EncryptionProperties());
+
+ return parameters;
+ }
}
Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-transport.xml Wed Jul 3 04:16:05 2013
@@ -47,12 +47,40 @@
</cxf:features>
</cxf:bus>
+ <bean id="transportSTSProviderBean2"
+ class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
+ <property name="issueOperation" ref="transportIssueDelegate" />
+ <property name="validateOperation" ref="transportValidateDelegate" />
+ </bean>
+
+ <bean id="transportIssueDelegate" class="org.apache.cxf.sts.operation.TokenIssueOperation">
+ <property name="tokenProviders" ref="transportTokenProviders" />
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="services" ref="transportService" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ </bean>
+
+ <bean id="transportValidateDelegate" class="org.apache.cxf.sts.operation.TokenValidateOperation">
+ <property name="tokenValidators" ref="transportTokenValidators" />
+ <property name="stsProperties" ref="transportSTSProperties" />
+ </bean>
+
+ <util:list id="transportTokenValidators">
+ <ref bean="transportSamlTokenValidator" />
+ </util:list>
+
+ <util:list id="transportTokenProviders">
+ <ref bean="transportSamlTokenProvider" />
+ </util:list>
+
+
<bean id="transportSTSProviderBean"
class="org.apache.cxf.sts.provider.DefaultSecurityTokenServiceProvider">
<property name="services" ref="transportService" />
<property name="stsProperties" ref="transportSTSProperties" />
</bean>
+
<bean id="transportService" class="org.apache.cxf.sts.service.StaticService">
<property name="endpoints" ref="transportEndpoints" />
</bean>
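Review bot: `transportSTSProviderBean2` with its `transportIssueDelegate`/`transportValidateDelegate` is defined here, but nothing in this file section shows it bound to a `jaxws:endpoint`, so a reader cannot tell which port uses it; if it backs the new port in `ws-trust-1.4-service.wsdl`, add `<!-- backs the Transport_SAML_Port endpoint; validates SAML tokens per realm via samlRealmCodec -->` above the bean so the wiring is visible in one place. The relationship between `transportIssueDelegate` and the existing `transportSTSProviderBean` (which keeps its own default issue operation) also deserves a one-line comment.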
@@ -61,6 +89,45 @@
<value>https://localhost:(\d)*/doubleit/services/doubleittransport.*
</value>
</util:list>
+
+ <bean id="transportSamlTokenValidator" class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
+ <property name="samlRealmCodec" ref="samlRealmCodec" />
+ </bean>
+
+ <bean id="transportSamlTokenProvider" class="org.apache.cxf.sts.token.provider.SAMLTokenProvider">
+ <property name="realmMap" ref="realms"/>
+ </bean>
+
+ <bean id="realmA"
+ class="org.apache.cxf.sts.token.realm.SAMLRealm">
+ <property name="issuer" value="a-issuer"/>
+ </bean>
+
+ <bean id="realmB"
+ class="org.apache.cxf.sts.token.realm.SAMLRealm">
+ <property name="issuer" value="b-issuer"/>
+ </bean>
+
+ <util:map id="realms">
+ <entry key="a-issuer" value-ref="realmA"/>
+ <entry key="b-issuer" value-ref="realmB"/>
+ </util:map>
+
+
+ <bean id="samlRealmCodec" class="org.apache.cxf.systest.sts.common.SAMLRealmCNCodec" />
+
+ <bean id="customRealmParser" class="org.apache.cxf.systest.sts.common.UriRealmParser" />
+
+ <bean id="identityMapper" class="org.apache.cxf.systest.sts.common.CustomIdentityMapper" />
+
+ <util:list id="relationships">
+ <bean class="org.apache.cxf.sts.token.realm.Relationship">
+ <property name="sourceRealm" value="a-issuer" />
+ <property name="targetRealm" value="b-issuer"/>
+ <property name="identityMapper" ref="identityMapper" />
+ <property name="type" value="FederatedIdentity" />
+ </bean>
+ </util:list>
<bean id="transportSTSProperties" class="org.apache.cxf.sts.StaticSTSProperties">
<property name="signaturePropertiesFile" value="stsKeystore.properties" />
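Review bot: The two `SAMLRealm` beans set only `issuer`, and nothing in the hunk gives either realm its own signing key or certificate, so tokens for a-issuer and b-issuer are presumably both signed with the single key configured through `signaturePropertiesFile` on `transportSTSProperties` — a relying party can then tell the realms apart only by issuer name, not by key. If that is the intended test setup, a comment should say so, e.g. `<!-- realmA/realmB differ only by issuer name; both sign with the STS default key from stsKeystore.properties -->`. The `relationships` list also deserves a one-line note that the trust is one-way (a-issuer source, b-issuer target) and that `identityMapper` is only consulted for that direction, since the hunk gives no entry for b-issuer to a-issuer; I cannot see from here how a token from a realm with no relationship entry is handled, so that behaviour is worth stating next to the list as well.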
@@ -70,6 +137,11 @@
<property name="encryptionPropertiesFile" value="stsKeystore.properties" />
<property name="issuer" value="DoubleItSTSIssuer" />
<property name="encryptionUsername" value="myservicekey" />
+
+ <property name="realmParser" ref="customRealmParser"/>
+
+ <property name="relationships" ref="relationships" />
+ <property name="samlRealmCodec" ref="samlRealmCodec" />
</bean>
<jaxws:endpoint id="transportSTS" implementor="#transportSTSProviderBean"
@@ -83,6 +155,34 @@
value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
</jaxws:properties>
</jaxws:endpoint>
+
+
+ <jaxws:endpoint id="transportSTS-realmB" implementor="#transportSTSProviderBean2"
+ address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/b-issuer/Transport"
+ wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_SAML_Port"
+ depends-on="ClientAuthHttpsSettings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
+ <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ <!--
+ <jaxws:endpoint id="transportSTS-realmB" implementor="#transportSTSProviderBean2"
+ address="https://localhost:${testutil.ports.STSServer}/SecurityTokenService/b-issuer/Transport"
+ wsdlLocation="src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl"
+ xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
+ serviceName="ns1:SecurityTokenService" endpointName="ns1:Transport_Port"
+ depends-on="ClientAuthHttpsSettings">
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.sts.common.CommonCallbackHandler" />
+ <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
+ </jaxws:properties>
+ </jaxws:endpoint>
+ -->
<httpj:engine-factory id="ClientAuthHttpsSettings"
bus="cxf">
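Review bot: The commented-out block after the new `transportSTS-realmB` endpoint is a near-duplicate of the active definition with the same `id` and `address`, differing only in `endpointName="ns1:Transport_Port"`; it should be deleted rather than left in the file, because uncommenting it would register a second endpoint with an identical bean id at the same URL. If the alternative port binding is meant to be kept for experimentation, a single comment such as `<!-- to test against Transport_Port instead, change endpointName to ns1:Transport_Port -->` conveys the same thing without dead configuration. Note also that the active endpoint's address ends in `/b-issuer/Transport` while the `Transport_SAML_Port` it selects is published in the WSDL at `/SecurityTokenService/Transport`; the jaxws `address` attribute presumably wins at runtime, but the two should agree.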
Modified: cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl
URL: http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl?rev=1499202&r1=1499201&r2=1499202&view=diff
==============================================================================
--- cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl (original)
+++ cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl Wed Jul 3 04:16:05 2013
@@ -401,6 +401,80 @@
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="Transport_SAML_Binding" type="wstrust:STS">
+ <wsp:PolicyReference URI="#Transport_SAML_policy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="Issue">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
+ <wsdl:input>
+ <wsp:PolicyReference
+ URI="#Input_policy" />
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference
+ URI="#Output_policy" />
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Validate">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
+ <wsdl:input>
+ <wsp:PolicyReference
+ URI="#Input_policy" />
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <wsp:PolicyReference
+ URI="#Output_policy" />
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Cancel">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="Renew">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="KeyExchangeToken">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ <wsdl:operation name="RequestCollection">
+ <soap:operation
+ soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ </wsdl:output>
+ </wsdl:operation>
+ </wsdl:binding>
+
<wsdl:service name="SecurityTokenService">
<wsdl:port name="UT_Port" binding="tns:UT_Binding">
<soap:address location="http://localhost:8080/SecurityTokenService/UT" />
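Review bot: `Transport_SAML_Binding` advertises Cancel, Renew, KeyExchangeToken and RequestCollection, but the provider bound to it in cxf-transport.xml (`transportSTSProviderBean2`) wires only `issueOperation` and `validateOperation`, so unless `SecurityTokenServiceProvider` supplies defaults for the rest (not visible here) the realm-B endpoint publishes operations it does not implement; either drop those four operations from this binding or document why they stay. The binding otherwise appears to be a copy of `Transport_Binding` (itself outside the hunk) with only the policy reference changed, which is worth a comment at the top: `<!-- same as Transport_Binding, but bound to Transport_SAML_policy (SAML token as the signed supporting token) -->`. Cancel/Renew/KeyExchangeToken/RequestCollection also lack the `Input_policy`/`Output_policy` references that Issue and Validate carry; if that mirrors the existing binding it is fine, but it should be deliberate.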
@@ -411,7 +485,10 @@
<wsdl:port name="Transport_Port" binding="tns:Transport_Binding">
<soap:address location="https://localhost:8443/SecurityTokenService/Transport" />
</wsdl:port>
- <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
+ <wsdl:port name="Transport_SAML_Port" binding="tns:Transport_SAML_Binding">
+ <soap:address location="https://localhost:8443/SecurityTokenService/Transport" />
+ </wsdl:port>
+ <wsdl:port name="UTEncrypted_Port" binding="tns:UTEncrypted_Binding">
<soap:address location="http://localhost:8080/SecurityTokenService/UTEncrypted" />
</wsdl:port>
</wsdl:service>
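Review bot: The new `Transport_SAML_Port` reuses `Transport_Port`'s location `https://localhost:8443/SecurityTokenService/Transport`, so the published WSDL now lists two ports with different security policies at the same URL, while the endpoint that actually selects this port in cxf-transport.xml is deployed under `/SecurityTokenService/b-issuer/Transport`. The address should match the deployed path, `<soap:address location="https://localhost:8443/SecurityTokenService/b-issuer/Transport" />`, so that a reader of the WSDL sees which policy applies to which URL. The jaxws endpoint's `address` attribute presumably overrides this value at runtime, so this is a consistency issue for the contract rather than a routing bug, but it is the kind of mismatch that hides a policy mix-up later.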
@@ -611,66 +688,166 @@
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
-
+
<wsp:Policy wsu:Id="Transport_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <wsap10:UsingAddressing/>
- <sp:TransportBinding
- xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
- <wsp:Policy>
- <sp:TransportToken>
- <wsp:Policy>
- <sp:HttpsToken>
- <wsp:Policy/>
- </sp:HttpsToken>
- </wsp:Policy>
- </sp:TransportToken>
- <sp:AlgorithmSuite>
- <wsp:Policy>
- <sp:Basic128 />
- </wsp:Policy>
- </sp:AlgorithmSuite>
- <sp:Layout>
- <wsp:Policy>
- <sp:Lax />
- </wsp:Policy>
- </sp:Layout>
- <sp:IncludeTimestamp />
- </wsp:Policy>
- </sp:TransportBinding>
- <sp:SignedSupportingTokens
- xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
- <wsp:Policy>
- <sp:UsernameToken
- sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
- <wsp:Policy>
- <sp:WssUsernameToken10 />
- </wsp:Policy>
- </sp:UsernameToken>
- </wsp:Policy>
- </sp:SignedSupportingTokens>
- <sp:Wss11
- xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
- <wsp:Policy>
- <sp:MustSupportRefKeyIdentifier />
- <sp:MustSupportRefIssuerSerial />
- <sp:MustSupportRefThumbprint />
- <sp:MustSupportRefEncryptedKey />
- </wsp:Policy>
- </sp:Wss11>
- <sp:Trust13
- xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
- <wsp:Policy>
- <sp:MustSupportIssuedTokens />
- <sp:RequireClientEntropy />
- <sp:RequireServerEntropy />
- </wsp:Policy>
- </sp:Trust13>
- </wsp:All>
- </wsp:ExactlyOne>
- </wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsap10:UsingAddressing />
+ <sp:TransportBinding
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy />
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <!-- <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy> <sp:WssUsernameToken10 /> </wsp:Policy> </sp:UsernameToken>
+ </wsp:Policy> </sp:SignedSupportingTokens> -->
+ <sp:SignedSupportingTokens
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsp:Policy>
+ <sp:UsernameToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10 />
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </wsp:All>
+ <wsp:All>
+ <wsp:Policy>
+ <sp:SamlToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV20Token11 />
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ <sp:Wss11
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ <wsp:Policy wsu:Id="Transport_SAML_policy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <wsap10:UsingAddressing />
+ <sp:TransportBinding
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:TransportToken>
+ <wsp:Policy>
+ <sp:HttpsToken>
+ <wsp:Policy />
+ </sp:HttpsToken>
+ </wsp:Policy>
+ </sp:TransportToken>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128 />
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax />
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp />
+ </wsp:Policy>
+ </sp:TransportBinding>
+ <!-- <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy> <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy> <sp:WssUsernameToken10 /> </wsp:Policy> </sp:UsernameToken>
+ </wsp:Policy> </sp:SignedSupportingTokens> -->
+ <sp:SignedSupportingTokens
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <wsp:ExactlyOne>
+<!--
+ <wsp:All>
+ <wsp:Policy>
+ <sp:UsernameToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssUsernameToken10 />
+ </wsp:Policy>
+ </sp:UsernameToken>
+ </wsp:Policy>
+ </wsp:All>
+ -->
+ <wsp:All>
+ <wsp:Policy>
+ <sp:SamlToken
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssSamlV20Token11 />
+ </wsp:Policy>
+ </sp:SamlToken>
+ </wsp:Policy>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+ </sp:SignedSupportingTokens>
+ <sp:Wss11
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:MustSupportRefKeyIdentifier />
+ <sp:MustSupportRefIssuerSerial />
+ <sp:MustSupportRefThumbprint />
+ <sp:MustSupportRefEncryptedKey />
+ </wsp:Policy>
+ </sp:Wss11>
+ <sp:Trust13
+ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
+ <wsp:Policy>
+ <sp:MustSupportIssuedTokens />
+ <sp:RequireClientEntropy />
+ <sp:RequireServerEntropy />
+ </wsp:Policy>
+ </sp:Trust13>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
<wsp:Policy wsu:Id="Input_policy">
<wsp:ExactlyOne>
<wsp:All>