Posted to commits@cxf.apache.org by co...@apache.org on 2013/05/29 16:39:15 UTC
svn commit: r1487503 - in /cxf/trunk:
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/ services/s...
Author: coheigea
Date: Wed May 29 14:39:15 2013
New Revision: 1487503
URL: http://svn.apache.org/r1487503
Log:
Added support for streaming derived keys, EncryptBeforeSigning + EncryptSignature policies + tests
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java
cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JStaxInInterceptor.java Wed May 29 14:39:15 2013
@@ -174,11 +174,21 @@ public class WSS4JStaxInInterceptor exte
WSS4JUtils.getReplayCache(
msg, SecurityConstants.ENABLE_NONCE_CACHE, SecurityConstants.NONCE_CACHE_INSTANCE
);
- if (nonceCache != null) {
- if (securityProperties != null) {
- securityProperties.setNonceReplayCache(nonceCache);
+ if (nonceCache == null) {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_NONCE_CACHE, "false");
+ config.remove(ConfigurationConstants.NONCE_CACHE_INSTANCE);
} else {
+ securityProperties.setEnableNonceReplayCache(false);
+ securityProperties.setNonceReplayCache(null);
+ }
+ } else {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_NONCE_CACHE, "true");
config.put(ConfigurationConstants.NONCE_CACHE_INSTANCE, nonceCache);
+ } else {
+ securityProperties.setEnableNonceReplayCache(true);
+ securityProperties.setNonceReplayCache(nonceCache);
}
}
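Review bot: The new `else` branches dereference `securityProperties` without the `securityProperties != null` guard the removed lines had, so the method now relies on exactly one of `config` and `securityProperties` being non-null — and where both are set the precedence has flipped from `securityProperties` to `config`. That invariant is not visible in the hunk; a comment such as `// exactly one of config (handler-style) and securityProperties (programmatic) is expected to be set` on the branch would make it explicit. The null-cache branch also now actively disables replay detection (`ENABLE_NONCE_CACHE` = "false", `setEnableNonceReplayCache(false)`) instead of leaving the WSS4J default in place, which is a deliberate security posture change worth a FINE-level log line so operators can confirm it is intended. The timestamp hunk below has the identical shape and the same two points. The enclosing method starts before this hunk.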
@@ -186,11 +196,21 @@ public class WSS4JStaxInInterceptor exte
WSS4JUtils.getReplayCache(
msg, SecurityConstants.ENABLE_TIMESTAMP_CACHE, SecurityConstants.TIMESTAMP_CACHE_INSTANCE
);
- if (timestampCache != null) {
- if (securityProperties != null) {
- securityProperties.setTimestampReplayCache(timestampCache);
+ if (timestampCache == null) {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_TIMESTAMP_CACHE, "false");
+ config.remove(ConfigurationConstants.TIMESTAMP_CACHE_INSTANCE);
} else {
+ securityProperties.setEnableTimestampReplayCache(false);
+ securityProperties.setTimestampReplayCache(null);
+ }
+ } else {
+ if (config != null) {
+ config.put(ConfigurationConstants.ENABLE_TIMESTAMP_CACHE, "true");
config.put(ConfigurationConstants.TIMESTAMP_CACHE_INSTANCE, timestampCache);
+ } else {
+ securityProperties.setEnableTimestampReplayCache(true);
+ securityProperties.setTimestampReplayCache(timestampCache);
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java Wed May 29 14:39:15 2013
@@ -499,7 +499,7 @@ public abstract class AbstractStaxBindin
protected Map<AbstractToken, SecurePart> handleSupportingTokens(
Collection<Assertion> tokens,
boolean endorse
- ) throws WSSecurityException {
+ ) throws Exception {
Map<AbstractToken, SecurePart> ret = new HashMap<AbstractToken, SecurePart>();
if (tokens != null) {
for (Assertion pa : tokens) {
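Review bot: Widening the signature from `throws WSSecurityException` to `throws Exception` pushes a raw checked `Exception` onto every caller and forces them into broad catches; the same widening appears in the next three hunks (the other `handleSupportingTokens` overloads, `handleUsernameTokenSupportingToken`, `addSupportingTokens`), and the only new exception actually raised is `throw new Exception("Endorsing UsernameTokens are not supported in the streaming code")`, with two similar `throw new Exception(...)` statements in StaxTransportBindingHandler. Keeping `throws WSSecurityException` and throwing a `WSSecurityException` — or an unchecked `UnsupportedOperationException` — for the unsupported-token cases would preserve the narrower contract and let callers tell a configuration gap apart from a runtime security failure. The enclosing class continues outside these hunks.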
@@ -514,7 +514,7 @@ public abstract class AbstractStaxBindin
protected Map<AbstractToken, SecurePart> handleSupportingTokens(
SupportingTokens suppTokens,
boolean endorse
- ) throws WSSecurityException {
+ ) throws Exception {
return handleSupportingTokens(suppTokens, endorse, new HashMap<AbstractToken, SecurePart>());
}
@@ -522,7 +522,7 @@ public abstract class AbstractStaxBindin
SupportingTokens suppTokens,
boolean endorse,
Map<AbstractToken, SecurePart> ret
- ) throws WSSecurityException {
+ ) throws Exception {
if (suppTokens == null) {
return ret;
}
@@ -622,21 +622,9 @@ public abstract class AbstractStaxBindin
protected void handleUsernameTokenSupportingToken(
UsernameToken token, boolean endorse, boolean encryptedToken, Map<AbstractToken, SecurePart> ret
- ) throws WSSecurityException {
+ ) throws Exception {
if (endorse) {
- /* TODO
- WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
- if (utBuilder != null) {
- utBuilder.prepare(saaj.getSOAPPart());
- addSupportingElement(utBuilder.getUsernameTokenElement());
- ret.put(token, utBuilder);
- if (encryptedToken) {
- WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
- part.setElement(utBuilder.getUsernameTokenElement());
- encryptedTokensList.add(part);
- }
- }
- */
+ throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
} else {
SecurePart securePart = addUsernameToken(token);
if (securePart != null) {
@@ -668,7 +656,7 @@ public abstract class AbstractStaxBindin
return null;
}
- protected void addSupportingTokens() throws WSSecurityException {
+ protected void addSupportingTokens() throws Exception {
Collection<Assertion> sgndSuppTokens =
findAndAssertPolicy(SP12Constants.SIGNED_SUPPORTING_TOKENS);
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java Wed May 29 14:39:15 2013
@@ -38,6 +38,7 @@ import org.apache.wss4j.common.ext.WSSec
import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
import org.apache.wss4j.policy.model.AbstractTokenWrapper;
import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -69,7 +70,7 @@ public class StaxAsymmetricBindingHandle
if (abinding.getProtectionOrder()
== AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
- // doEncryptBeforeSign();
+ doEncryptBeforeSign();
} else {
doSignBeforeEncrypt();
}
@@ -138,20 +139,14 @@ public class StaxAsymmetricBindingHandle
}
List<SecurePart> enc = getEncryptedParts();
- /*
+
//Check for signature protection
if (abinding.isEncryptSignature()) {
- if (mainSigId != null) {
- WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
- sigPart.setElement(bottomUpElement);
- enc.add(sigPart);
- }
- if (sigConfList != null && !sigConfList.isEmpty()) {
- enc.addAll(sigConfList);
- }
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
+ SecurePart part =
+ new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
+ enc.add(part);
}
- */
+
//Do encryption
AbstractTokenWrapper encToken;
if (isRequestor()) {
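Review bot: The replacement EncryptSignature block only adds `ds:Signature` to `enc`; the removed DOM code also added `sigConfList` — the `wsse11:SignatureConfirmation` elements — and sp:EncryptSignature is generally read to cover signature confirmation as well, so unless the streaming layer encrypts those itself, responses carrying signature confirmation will leave them in the clear. The removed `policyAsserted(SPConstants.ENCRYPT_SIGNATURE)` call has no replacement here either; if assertion is not handled elsewhere in the streaming handlers the policy stays unasserted. The same shape is repeated in doEncryptBeforeSign in the hunk below. A comment recording the gap, e.g. `// TODO streaming: SignatureConfirmation elements are not yet covered by EncryptSignature`, would at least make it visible.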
@@ -174,98 +169,98 @@ public class StaxAsymmetricBindingHandle
throw new Fault(e);
}
}
-/*
+
private void doEncryptBeforeSign() {
- AbstractTokenWrapper wrapper;
- AbstractToken encryptionToken = null;
- if (isRequestor()) {
- wrapper = abinding.getRecipientEncryptionToken();
- if (wrapper == null) {
- wrapper = abinding.getRecipientToken();
- }
- } else {
- wrapper = abinding.getInitiatorEncryptionToken();
- if (wrapper == null) {
- wrapper = abinding.getInitiatorToken();
- }
- }
- encryptionToken = wrapper.getToken();
-
- AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
- if (initiatorWrapper == null) {
- initiatorWrapper = abinding.getInitiatorToken();
- }
- boolean attached = false;
- if (initiatorWrapper != null) {
- AbstractToken initiatorToken = initiatorWrapper.getToken();
- if (initiatorToken instanceof IssuedToken) {
- SecurityToken secToken = getSecurityToken();
- if (secToken == null) {
- policyNotAsserted(initiatorToken, "Security token is not found or expired");
- return;
- } else {
- policyAsserted(initiatorToken);
-
- if (includeToken(initiatorToken.getIncludeTokenType())) {
- Element el = secToken.getToken();
- this.addEncryptedKeyElement(cloneElement(el));
- attached = true;
- }
+ try {
+ AbstractTokenWrapper wrapper;
+ AbstractToken encryptionToken = null;
+ if (isRequestor()) {
+ wrapper = abinding.getRecipientEncryptionToken();
+ if (wrapper == null) {
+ wrapper = abinding.getRecipientToken();
+ }
+ } else {
+ wrapper = abinding.getInitiatorEncryptionToken();
+ if (wrapper == null) {
+ wrapper = abinding.getInitiatorToken();
}
- } else if (initiatorToken instanceof SamlToken) {
- try {
- SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
- if (assertionWrapper != null) {
+ }
+ encryptionToken = wrapper.getToken();
+
+ AbstractTokenWrapper initiatorWrapper = abinding.getInitiatorSignatureToken();
+ if (initiatorWrapper == null) {
+ initiatorWrapper = abinding.getInitiatorToken();
+ }
+
+ boolean attached = false;
+ /*
+ if (initiatorWrapper != null) {
+ AbstractToken initiatorToken = initiatorWrapper.getToken();
+ if (initiatorToken instanceof IssuedToken) {
+ SecurityToken secToken = getSecurityToken();
+ if (secToken == null) {
+ policyNotAsserted(initiatorToken, "Security token is not found or expired");
+ return;
+ } else {
+ policyAsserted(initiatorToken);
+
if (includeToken(initiatorToken.getIncludeTokenType())) {
- addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
- storeAssertionAsSecurityToken(assertionWrapper);
+ Element el = secToken.getToken();
+ this.addEncryptedKeyElement(cloneElement(el));
+ attached = true;
+ }
+ }
+ } else if (initiatorToken instanceof SamlToken) {
+ try {
+ SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)initiatorToken);
+ if (assertionWrapper != null) {
+ if (includeToken(initiatorToken.getIncludeTokenType())) {
+ addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
+ storeAssertionAsSecurityToken(assertionWrapper);
+ }
+ policyAsserted(initiatorToken);
}
- policyAsserted(initiatorToken);
+ } catch (Exception e) {
+ String reason = e.getMessage();
+ LOG.log(Level.FINE, "Encrypt before sign failed due to : " + reason);
+ throw new Fault(e);
}
- } catch (Exception e) {
- String reason = e.getMessage();
- LOG.log(Level.FINE, "Encrypt before sign failed due to : " + reason);
- throw new Fault(e);
}
}
- }
-
- List<WSEncryptionPart> encrParts = null;
- List<WSEncryptionPart> sigParts = null;
- try {
- encrParts = getEncryptedParts();
- //Signed parts are determined before encryption because encrypted signed headers
- //will not be included otherwise
- sigParts = getSignedParts();
- } catch (SOAPException ex) {
- throw new Fault(ex);
- }
-
- //if (encryptionToken == null && encrParts.size() > 0) {
- //REVISIT - no token to encrypt with
- //}
-
- if (encryptionToken != null && encrParts.size() > 0) {
- WSSecBase encrBase = doEncryption(wrapper, encrParts, true);
- handleEncryptedSignedHeaders(encrParts, sigParts);
-
- if (timestampEl != null) {
- WSEncryptionPart timestampPart =
- convertToEncryptionPart(timestampEl.getElement());
- sigParts.add(timestampPart);
- }
+ */
- if (isRequestor()) {
- try {
- addSupportingTokens(sigParts);
- } catch (WSSecurityException ex) {
- policyNotAsserted(encryptionToken, ex);
- }
- } else {
- addSignatureConfirmation(sigParts);
+ List<SecurePart> encrParts = null;
+ List<SecurePart> sigParts = null;
+ try {
+ encrParts = getEncryptedParts();
+ //Signed parts are determined before encryption because encrypted signed headers
+ //will not be included otherwise
+ sigParts = getSignedParts();
+ } catch (SOAPException ex) {
+ throw new Fault(ex);
}
- try {
+ if (encryptionToken != null && encrParts.size() > 0) {
+ //Check for signature protection
+ if (abinding.isEncryptSignature()) {
+ SecurePart part =
+ new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
+ encrParts.add(part);
+ }
+
+ doEncryption(wrapper, encrParts, true);
+ if (timestampAdded) {
+ SecurePart part =
+ new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
+ sigParts.add(part);
+ }
+
+ if (isRequestor()) {
+ addSupportingTokens();
+ } else {
+ addSignatureConfirmation(sigParts);
+ }
+
if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) {
doSignature(initiatorWrapper, sigParts, attached);
} else if (!isRequestor()) {
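Review bot: The initiator-token block for `IssuedToken`/`SamlToken` is commented out, so `attached` is always `false` and an IssuedToken or SAML initiator token is neither attached nor reported through `policyNotAsserted`, while the UsernameToken case in AbstractStaxBindingHandler now fails loudly; `doEndorse()` is commented out the same way at the end of the method (next hunk). Proceeding silently means a policy that requires an issued or SAML initiator token can reach `doSignature` without one, which is harder to diagnose than an explicit failure. The bare `/*` should at least carry `// TODO streaming: IssuedToken/SamlToken initiator tokens and doEndorse() are not ported yet; 'attached' is always false here`, and throwing for those token types, as the UsernameToken path does, would be the safer interim behaviour. The method's closing brace lies in the next hunk.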
@@ -277,68 +272,18 @@ public class StaxAsymmetricBindingHandle
doSignature(recipientSignatureToken, sigParts, attached);
}
}
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- } catch (SOAPException ex) {
- throw new Fault(ex);
- }
-
- if (isRequestor()) {
- doEndorse();
+
+ //if (isRequestor()) {
+ // doEndorse();
+ //}
}
-
- checkForSignatureProtection(encryptionToken, encrBase);
+ } catch (Exception e) {
+ String reason = e.getMessage();
+ LOG.log(Level.WARNING, "Encrypt before signing failed due to : " + reason);
+ throw new Fault(e);
}
}
-
- private void checkForSignatureProtection(AbstractToken encryptionToken, WSSecBase encrBase) {
- // Check for signature protection
- if (abinding.isEncryptSignature()) {
- policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
- List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
- // Now encrypt the signature using the above token
- if (mainSigId != null) {
- WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
- sigPart.setElement(bottomUpElement);
- secondEncrParts.add(sigPart);
- }
-
- if (sigConfList != null && !sigConfList.isEmpty()) {
- secondEncrParts.addAll(sigConfList);
- }
-
- if (isRequestor()) {
- secondEncrParts.addAll(encryptedTokensList);
- }
-
- if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys && !secondEncrParts.isEmpty()
- && encrBase instanceof WSSecDKEncrypt) {
- try {
- Element secondRefList
- = ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
- ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList, secHeader);
-
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- }
- } else if (!secondEncrParts.isEmpty() && encrBase instanceof WSSecEncrypt) {
- try {
- // Encrypt, get hold of the ref list and add it
- Element secondRefList = saaj.getSOAPPart()
- .createElementNS(WSConstants.ENC_NS,
- WSConstants.ENC_PREFIX + ":ReferenceList");
- this.insertBeforeBottomUp(secondRefList);
- ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
-
- } catch (WSSecurityException ex) {
- throw new Fault(ex);
- }
- }
- }
- }
- */
-
private void doEncryption(AbstractTokenWrapper recToken,
List<SecurePart> encrParts,
boolean externalRef) throws SOAPException {
@@ -349,13 +294,16 @@ public class StaxAsymmetricBindingHandle
// Action
Map<String, Object> config = getProperties();
+ String actionToPerform = ConfigurationConstants.ENCRYPT;
+ if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ actionToPerform = ConfigurationConstants.ENCRYPT_DERIVED;
+ }
+
if (config.containsKey(ConfigurationConstants.ACTION)) {
String action = (String)config.get(ConfigurationConstants.ACTION);
- config.put(ConfigurationConstants.ACTION,
- action + " " + ConfigurationConstants.ENCRYPT);
+ config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
} else {
- config.put(ConfigurationConstants.ACTION,
- ConfigurationConstants.ENCRYPT);
+ config.put(ConfigurationConstants.ACTION, actionToPerform);
}
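Review bot: Selecting `ENCRYPT_DERIVED` when the token requires derived keys does not carry the algorithm-suite derived key length over — the DOM code removed in the next hunk set `algType.getEncryptionDerivedKeyLength() / 8`, and nothing in this hunk puts an equivalent value into `config`. If doEncryption does not set it further down (the method continues beyond the hunk), the streaming layer falls back to its own default length, which may not match what the policy's AlgorithmSuite demands and what the peer validates. The same applies to the signature derived key length (`getSignatureDerivedKeyLength()`) in doSignature below and in StaxTransportBindingHandler.doX509TokenSignature, where only `SIG_ALGO` is switched to the symmetric signature algorithm. A comment such as `// TODO: propagate the AlgorithmSuite derived key lengths to the streaming config` would record the gap until it is closed.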
String parts = "";
@@ -375,34 +323,7 @@ public class StaxAsymmetricBindingHandle
}
config.put(ConfigurationConstants.ENCRYPTION_PARTS, parts);
-
- /*
- if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- try {
- WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
-
- if (encrKey == null) {
- setupEncryptedKey(recToken, encrToken);
- }
-
- dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
- dkEncr.setParts(encrParts);
- dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
- + WSConstants.ENC_KEY_VALUE_TYPE);
- AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
- dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
- dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
- dkEncr.prepare(saaj.getSOAPPart());
-
- addDerivedKeyElement(dkEncr.getdktElement());
- Element refList = dkEncr.encryptForExternalRef(null, encrParts);
- insertBeforeBottomUp(refList);
- return dkEncr;
- } catch (Exception e) {
- policyNotAsserted(recToken, e);
- }
- } else {
- */
+
config.put(ConfigurationConstants.ENC_KEY_ID,
getKeyIdentifierType(recToken, encrToken));
@@ -423,13 +344,16 @@ public class StaxAsymmetricBindingHandle
// Action
Map<String, Object> config = getProperties();
+ String actionToPerform = ConfigurationConstants.SIGNATURE;
+ if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ actionToPerform = ConfigurationConstants.SIGNATURE_DERIVED;
+ }
+
if (config.containsKey(ConfigurationConstants.ACTION)) {
String action = (String)config.get(ConfigurationConstants.ACTION);
- config.put(ConfigurationConstants.ACTION,
- action + " " + ConfigurationConstants.SIGNATURE);
+ config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
} else {
- config.put(ConfigurationConstants.ACTION,
- ConfigurationConstants.SIGNATURE);
+ config.put(ConfigurationConstants.ACTION, actionToPerform);
}
String parts = "";
@@ -457,62 +381,10 @@ public class StaxAsymmetricBindingHandle
configureSignature(wrapper, sigToken, false);
- /*
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- // Set up the encrypted key to use
- setupEncryptedKey(wrapper, sigToken);
-
- WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
- dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
-
- // Set the algo info
- dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite()
- .getSymmetricSignature());
- AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
- dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
- dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
- + WSConstants.ENC_KEY_VALUE_TYPE);
-
- try {
- dkSign.prepare(saaj.getSOAPPart(), secHeader);
-
- if (abinding.isProtectTokens()) {
- policyAsserted(SPConstants.PROTECT_TOKENS);
- if (bstElement != null) {
- WSEncryptionPart bstPart =
- new WSEncryptionPart(bstElement.getAttributeNS(WSConstants.WSU_NS, "Id"));
- bstPart.setElement(bstElement);
- sigParts.add(bstPart);
- } else {
- WSEncryptionPart ekPart =
- new WSEncryptionPart(encrKey.getId());
- ekPart.setElement(encrKey.getEncryptedKeyElement());
- sigParts.add(ekPart);
- }
- }
-
- dkSign.setParts(sigParts);
-
- List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
-
- // Add elements to header
- addDerivedKeyElement(dkSign.getdktElement());
-
- //Do signature
- if (bottomUpElement == null) {
- dkSign.computeSignature(referenceList, false, null);
- } else {
- dkSign.computeSignature(referenceList, true, bottomUpElement);
- }
- bottomUpElement = dkSign.getSignatureElement();
- signatures.add(dkSign.getSignatureValue());
-
- mainSigId = dkSign.getSignatureId();
- } catch (Exception ex) {
- throw new Fault(ex);
- }
- } else {
- */
+ config.put(ConfigurationConstants.SIG_ALGO,
+ abinding.getAlgorithmSuite().getSymmetricSignature());
+ }
}
}
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java Wed May 29 14:39:15 2013
@@ -34,6 +34,7 @@ import org.apache.cxf.ws.policy.Assertio
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
import org.apache.wss4j.policy.model.Header;
import org.apache.wss4j.policy.model.IssuedToken;
@@ -153,7 +154,7 @@ public class StaxTransportBindingHandler
} else if (token instanceof SamlToken) {
addSamlToken((SamlToken)token, false, false);
} else {
- //REVISIT - not supported for signed. Exception?
+ throw new Exception(token.getName() + " is not supported in the streaming code");
}
}
@@ -245,23 +246,9 @@ public class StaxTransportBindingHandler
tbinding.getAlgorithmSuite().getAsymmetricSignature());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
config.put(ConfigurationConstants.SIG_DIGEST_ALGO, algType.getDigest());
- } /*TODO else if (token instanceof UsernameToken) {
- // Create a UsernameToken object for derived keys and store the security token
- WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true);
- String id = usernameToken.getId();
- byte[] secret = usernameToken.getDerivedKey();
-
- Date created = new Date();
- Date expires = new Date();
- expires.setTime(created.getTime() + 300000);
- SecurityToken tempTok =
- new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
- tempTok.setSecret(secret);
- getTokenStore().add(tempTok);
- message.setContextualProperty(SecurityConstants.TOKEN_ID, tempTok.getId());
-
- addSig(doIssuedTokenSignature(token, wrapper));
- }*/
+ } else if (token instanceof UsernameToken) {
+ throw new Exception("Endorsing UsernameTokens are not supported in the streaming code");
+ }
}
private void doX509TokenSignature(AbstractToken token, SupportingTokens wrapper)
@@ -271,46 +258,23 @@ public class StaxTransportBindingHandler
// Action
Map<String, Object> config = getProperties();
+ String actionToPerform = ConfigurationConstants.SIGNATURE;
+ if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ actionToPerform = ConfigurationConstants.SIGNATURE_DERIVED;
+ }
+
if (config.containsKey(ConfigurationConstants.ACTION)) {
String action = (String)config.get(ConfigurationConstants.ACTION);
- config.put(ConfigurationConstants.ACTION,
- action + " " + ConfigurationConstants.SIGNATURE);
+ config.put(ConfigurationConstants.ACTION, action + " " + actionToPerform);
} else {
- config.put(ConfigurationConstants.ACTION,
- ConfigurationConstants.SIGNATURE);
+ config.put(ConfigurationConstants.ACTION, actionToPerform);
}
- /*TODO if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
-
- Element bstElem = encrKey.getBinarySecurityTokenElement();
- if (bstElem != null) {
- addTopDownElement(bstElem);
- }
- encrKey.appendToHeader(secHeader);
-
- WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
-
- dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
- dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
- AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
- dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
-
- dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
-
- dkSig.prepare(doc, secHeader);
-
- dkSig.setParts(sigParts);
- List<Reference> referenceList = dkSig.addReferencesToSign(sigParts, secHeader);
-
- //Do signature
- dkSig.appendDKElementToHeader(secHeader);
- dkSig.computeSignature(referenceList, false, null);
-
- return dkSig.getSignatureValue();
- } else {*/
configureSignature(wrapper, token, false);
- // }
+ if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ config.put(ConfigurationConstants.SIG_ALGO,
+ tbinding.getAlgorithmSuite().getSymmetricSignature());
+ }
}
/**
Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSecurityTest.java Wed May 29 14:39:15 2013
@@ -124,7 +124,9 @@ public abstract class AbstractSecurityTe
if (tmpFiles != null) {
for (File tmpFile : tmpFiles) {
if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
- || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+ || tmpFile.getName().startsWith("wss4j-nonce-cache")
+ || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance")
+ || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
tmpFile.delete();
}
}
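Review bot: The prefixes here keep the `.instance` suffix (`ws-security.nonce.cache.instance`, `ws-security.timestamp.cache.instance`) while the four SecurityTestUtil copies below switch to the shorter `ws-security.nonce.cache` / `ws-security.timestamp.cache`, so the same cache file name is matched in one place and not the other. Picking one set of prefixes — or a shared helper, since the five blocks are otherwise identical — would keep the temp-file cleanup consistent across modules. The `wss4j-nonce-cache` / `wss4j-timestamp-cache` prefixes presumably follow the file names WSS4J's default replay cache now writes; that is inferred from the change rather than visible here.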
Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java (original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
File[] tmpFiles = new File(tmpDir).listFiles();
if (tmpFiles != null) {
for (File tmpFile : tmpFiles) {
- if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
- || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+ if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+ || tmpFile.getName().startsWith("wss4j-nonce-cache")
+ || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+ || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
tmpFile.delete();
}
}
Modified: cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java (original)
+++ cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
File[] tmpFiles = new File(tmpDir).listFiles();
if (tmpFiles != null) {
for (File tmpFile : tmpFiles) {
- if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
- || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+ if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+ || tmpFile.getName().startsWith("wss4j-nonce-cache")
+ || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+ || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
tmpFile.delete();
}
}
Modified: cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java (original)
+++ cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -35,8 +35,10 @@ public final class SecurityTestUtil {
File[] tmpFiles = new File(tmpDir).listFiles();
if (tmpFiles != null) {
for (File tmpFile : tmpFiles) {
- if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
- || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+ if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+ || tmpFile.getName().startsWith("wss4j-nonce-cache")
+ || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+ || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
tmpFile.delete();
}
}
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/common/SecurityTestUtil.java Wed May 29 14:39:15 2013
@@ -43,8 +43,10 @@ public final class SecurityTestUtil {
File[] tmpFiles = new File(tmpDir).listFiles();
if (tmpFiles != null) {
for (File tmpFile : tmpFiles) {
- if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache.instance")
- || tmpFile.getName().startsWith("ws-security.timestamp.cache.instance"))) {
+ if (tmpFile.exists() && (tmpFile.getName().startsWith("ws-security.nonce.cache")
+ || tmpFile.getName().startsWith("wss4j-nonce-cache")
+ || tmpFile.getName().startsWith("ws-security.timestamp.cache")
+ || tmpFile.getName().startsWith("wss4j-timestamp-cache"))) {
tmpFile.delete();
}
}
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/StaxX509TokenTest.java Wed May 29 14:39:15 2013
@@ -247,7 +247,6 @@ public class StaxX509TokenTest extends A
bus.shutdown(true);
}
-
// TODO See WSS-449
@org.junit.Test
@org.junit.Ignore
@@ -278,6 +277,63 @@ public class StaxX509TokenTest extends A
bus.shutdown(true);
}
+ @org.junit.Test
+ public void testAsymmetricEncryptBeforeSigning() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = StaxX509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = StaxX509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptBeforeSigningPort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+
+ // DOM
+ x509Port.doubleIt(25);
+
+ // Streaming
+ SecurityTestUtil.enableStreaming(x509Port);
+ x509Port.doubleIt(25);
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testAsymmetricEncryptSignature() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = StaxX509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = StaxX509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptSignaturePort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+
+ // DOM
+ x509Port.doubleIt(25);
+
+ // Streaming
+ // TODO See WSS-450
+ // SecurityTestUtil.enableStreaming(x509Port);
+ // x509Port.doubleIt(25);
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
// TODO - See WSS-442
@org.junit.Test
@org.junit.Ignore
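Review bot: `testAsymmetricEncryptSignature` leaves its streaming half as commented-out code (the `// TODO See WSS-450` lines), so the method passes while exercising only the DOM client against the StAX server, and nothing in the test report shows that streaming EncryptSignature is untested. The file's existing convention for this is a separate method carrying `@org.junit.Ignore` next to the JIRA reference (as with the `// TODO See WSS-449` test earlier in the class), which keeps the gap visible as a skipped test instead of hidden in a comment. Both new tests also discard the result of `x509Port.doubleIt(25)`; pinning it with `assertEquals(50, x509Port.doubleIt(25));` (assuming the base class brings JUnit's Assert into scope) would at least confirm the body was decrypted correctly rather than only that no fault was raised. Neither test checks that the ds:Signature element was actually encrypted on the wire, so a server that silently ignored the EncryptSignature assertion would pass in exactly the same way.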
@@ -330,7 +386,6 @@ public class StaxX509TokenTest extends A
bus.shutdown(true);
}
*/
-
@org.junit.Test
public void testTransportEndorsing() throws Exception {
Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original)
+++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Wed May 29 14:39:15 2013
@@ -274,6 +274,62 @@ public class X509TokenTest extends Abstr
}
@org.junit.Test
+ public void testAsymmetricEncryptBeforeSigning() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptBeforeSigningPort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+
+ // DOM
+ x509Port.doubleIt(25);
+
+ // Streaming
+ SecurityTestUtil.enableStreaming(x509Port);
+ x509Port.doubleIt(25);
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
+ public void testAsymmetricEncryptSignature() throws Exception {
+
+ SpringBusFactory bf = new SpringBusFactory();
+ URL busFile = X509TokenTest.class.getResource("client/client.xml");
+
+ Bus bus = bf.createBus(busFile.toString());
+ SpringBusFactory.setDefaultBus(bus);
+ SpringBusFactory.setThreadDefaultBus(bus);
+
+ URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl");
+ Service service = Service.create(wsdl, SERVICE_QNAME);
+ QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricEncryptSignaturePort");
+ DoubleItPortType x509Port =
+ service.getPort(portQName, DoubleItPortType.class);
+ updateAddressPort(x509Port, PORT);
+
+ // DOM
+ x509Port.doubleIt(25);
+
+ // Streaming
+ SecurityTestUtil.enableStreaming(x509Port);
+ x509Port.doubleIt(25);
+
+ ((java.io.Closeable)x509Port).close();
+ bus.shutdown(true);
+ }
+
+ @org.junit.Test
public void testAsymmetricProtectTokens() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
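Review bot: The two new tests assert nothing beyond the absence of a fault: the value returned by `x509Port.doubleIt(25)` is dropped on all four calls, and no check confirms that the policy assertion under test (EncryptBeforeSigning, EncryptSignature) was honoured on the wire. A round trip in which the client sent a cleartext Signature and the server accepted it would pass identically, so these tests cannot catch a regression in the validation side of either assertion. Suggest `assertEquals(50, x509Port.doubleIt(25));` for each call (assuming the base class brings JUnit's Assert into scope), plus a negative case where a client configured without the assertion is sent to this endpoint and the test expects a fault, if the server-side policy validator is meant to enforce it. `enableStreaming` and `updateAddressPort` are defined outside the hunk, so I cannot tell whether either performs any verification of its own.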
@@ -464,9 +520,7 @@ public class X509TokenTest extends Abstr
bus.shutdown(true);
}
- // TODO Failing due to a caching issue
@org.junit.Test
- @org.junit.Ignore
public void testAsymmetricSignature() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
@@ -494,9 +548,7 @@ public class X509TokenTest extends Abstr
bus.shutdown(true);
}
- // TODO Failing due to a caching issue
@org.junit.Test
- @org.junit.Ignore
public void testAsymmetricSignatureSP11() throws Exception {
SpringBusFactory bf = new SpringBusFactory();
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl Wed May 29 14:39:15 2013
@@ -144,6 +144,44 @@
</wsdl:fault>
</wsdl:operation>
</wsdl:binding>
+ <wsdl:binding name="DoubleItAsymmetricEncryptBeforeSigningBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItAsymmetricEncryptBeforeSigningPolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
+ <wsdl:binding name="DoubleItAsymmetricEncryptSignatureBinding" type="tns:DoubleItPortType">
+ <wsp:PolicyReference URI="#DoubleItAsymmetricEncryptSignaturePolicy" />
+ <soap:binding style="document"
+ transport="http://schemas.xmlsoap.org/soap/http" />
+ <wsdl:operation name="DoubleIt">
+ <soap:operation soapAction="" />
+ <wsdl:input>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+ </wsdl:input>
+ <wsdl:output>
+ <soap:body use="literal" />
+ <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+ </wsdl:output>
+ <wsdl:fault name="DoubleItFault">
+ <soap:body use="literal" name="DoubleItFault" />
+ </wsdl:fault>
+ </wsdl:operation>
+ </wsdl:binding>
<wsdl:binding name="DoubleItAsymmetricProtectTokensBinding" type="tns:DoubleItPortType">
<wsp:PolicyReference URI="#DoubleItAsymmetricProtectTokensPolicy" />
<soap:binding style="document"
@@ -350,6 +388,14 @@
binding="tns:DoubleItAsymmetricThumbprintBinding">
<soap:address location="http://localhost:9001/DoubleItX509AsymmetricThumbprint" />
</wsdl:port>
+ <wsdl:port name="DoubleItAsymmetricEncryptBeforeSigningPort"
+ binding="tns:DoubleItAsymmetricEncryptBeforeSigningBinding">
+ <soap:address location="http://localhost:9001/DoubleItX509AsymmetricEncryptBeforeSigning" />
+ </wsdl:port>
+ <wsdl:port name="DoubleItAsymmetricEncryptSignaturePort"
+ binding="tns:DoubleItAsymmetricEncryptSignatureBinding">
+ <soap:address location="http://localhost:9001/DoubleItX509AsymmetricEncryptSignature" />
+ </wsdl:port>
<wsdl:port name="DoubleItAsymmetricProtectTokensPort"
binding="tns:DoubleItAsymmetricProtectTokensBinding">
<soap:address location="http://localhost:9001/DoubleItX509AsymmetricProtect" />
@@ -606,6 +652,94 @@
</wsp:ExactlyOne>
</wsp:Policy>
+ <wsp:Policy wsu:Id="DoubleItAsymmetricEncryptBeforeSigningPolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:EncryptBeforeSigning/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
+ <wsp:Policy wsu:Id="DoubleItAsymmetricEncryptSignaturePolicy">
+ <wsp:ExactlyOne>
+ <wsp:All>
+ <sp:AsymmetricBinding>
+ <wsp:Policy>
+ <sp:InitiatorToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:InitiatorToken>
+ <sp:RecipientToken>
+ <wsp:Policy>
+ <sp:X509Token
+ sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
+ <wsp:Policy>
+ <sp:WssX509V3Token10 />
+ </wsp:Policy>
+ </sp:X509Token>
+ </wsp:Policy>
+ </sp:RecipientToken>
+ <sp:Layout>
+ <wsp:Policy>
+ <sp:Lax/>
+ </wsp:Policy>
+ </sp:Layout>
+ <sp:IncludeTimestamp/>
+ <sp:OnlySignEntireHeadersAndBody/>
+ <sp:EncryptSignature/>
+ <sp:AlgorithmSuite>
+ <wsp:Policy>
+ <sp:Basic128/>
+ </wsp:Policy>
+ </sp:AlgorithmSuite>
+ </wsp:Policy>
+ </sp:AsymmetricBinding>
+ </wsp:All>
+ </wsp:ExactlyOne>
+ </wsp:Policy>
+
<wsp:Policy wsu:Id="DoubleItAsymmetricProtectTokensPolicy">
<wsp:ExactlyOne>
<wsp:All>
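Review bot: The two new policies are 44-line copies of each other that differ only in `<sp:EncryptBeforeSigning/>` versus `<sp:EncryptSignature/>`, and nothing in the WSDL records that, so a reader comparing them by eye will miss the one line that matters. Suggest an XML comment directly inside each `wsp:Policy`, e.g. `<!-- AsymmetricBinding: Body is encrypted first, then the EncryptedData is signed -->` and `<!-- AsymmetricBinding: the ds:Signature element itself is encrypted -->`. The parts actually signed and encrypted come from `#DoubleItBinding_DoubleIt_Input_Policy`, referenced from the bindings and defined outside this hunk; for EncryptBeforeSigning to bind the ciphertext, that shared policy's SignedParts must cover the same Body that its EncryptedParts encrypts, which is worth stating in the comment so the dependency is visible from the policy itself.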
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Wed May 29 14:39:15 2013
@@ -112,6 +112,34 @@
</jaxws:properties>
</jaxws:client>
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricEncryptBeforeSigningPort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
+ <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricEncryptSignaturePort"
+ createdFromAPI="true">
+ <jaxws:properties>
+ <entry key="ws-security.encryption.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="bob"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/alice.properties"/>
+ <entry key="ws-security.signature.username" value="alice"/>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ </jaxws:properties>
+ </jaxws:client>
+
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSignaturePort"
createdFromAPI="true">
<jaxws:properties>
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Wed May 29 14:39:15 2013
@@ -207,6 +207,46 @@
</jaxws:endpoint>
<jaxws:endpoint
+ id="AsymmetricEncryptBeforeSigning"
+ address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricEncryptBeforeSigning"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricEncryptBeforeSigningPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="AsymmetricEncryptSignature"
+ address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricEncryptSignature"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricEncryptSignaturePort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
id="AsymmetricSignature"
address="http://localhost:${testutil.ports.Server}/DoubleItX509AsymmetricSignature"
serviceName="s:DoubleItService"
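Review bot: The `ws-security.subject.cert.constraints` value `.*O=apache.org.*` on both new endpoints is the only check binding which client certificate they accept, and because `ws-security.encryption.username` is `useReqSigCert` it also decides whose certificate the response is encrypted to, yet the pattern's unescaped `.` matches any character, so a subject containing `O=apacheXorg` satisfies it, and the unanchored `.*` wrappers let the literal text `O=apache.org` appear inside any other RDN value (e.g. a CN of `O=apache.org`, depending on how the DN is stringified). The value is clearly inherited from the existing endpoints in this file, but new configs should not keep copying it verbatim; at minimum escape the dot, `<entry key="ws-security.subject.cert.constraints" value=".*O=apache\.org.*"/>`, and anchor on the RDN boundary if the constraint is matched with a full-string match. The same value is repeated in the stax-server.xml endpoints added by this commit. The enclosing `beans` element starts and ends outside the hunk.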
Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml?rev=1487503&r1=1487502&r2=1487503&view=diff
==============================================================================
--- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml (original)
+++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/stax-server.xml Wed May 29 14:39:15 2013
@@ -214,6 +214,48 @@
</jaxws:endpoint>
<jaxws:endpoint
+ id="AsymmetricEncryptBeforeSigning"
+ address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricEncryptBeforeSigning"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricEncryptBeforeSigningPort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
+ id="AsymmetricEncryptSignature"
+ address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricEncryptSignature"
+ serviceName="s:DoubleItService"
+ endpointName="s:DoubleItAsymmetricEncryptSignaturePort"
+ xmlns:s="http://www.example.org/contract/DoubleIt"
+ implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
+ wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl">
+
+ <jaxws:properties>
+ <entry key="ws-security.callback-handler"
+ value="org.apache.cxf.systest.ws.wssec10.client.KeystorePasswordCallback"/>
+ <entry key="ws-security.signature.properties"
+ value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
+ <entry key="ws-security.encryption.username" value="useReqSigCert"/>
+ <entry key="ws-security.subject.cert.constraints" value=".*O=apache.org.*"/>
+ <entry key="ws-security.enable.streaming" value="true"/>
+ </jaxws:properties>
+
+ </jaxws:endpoint>
+
+ <jaxws:endpoint
id="AsymmetricSignature"
address="http://localhost:${testutil.ports.StaxServer}/DoubleItX509AsymmetricSignature"
serviceName="s:DoubleItService"