Use a single security binding per security policy fix #1095

quarkiverse · Jan 4, 2024 · 64b1160 · 64b1160
1 parent 920cd1c
commit 64b1160
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 58 deletions.
diff --git a/docs/modules/ROOT/examples/ws-security-policy/application.properties b/docs/modules/ROOT/examples/ws-security-policy/application.properties
@@ -70,6 +70,8 @@ quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
+quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler
+
 
 quarkus.cxf.endpoint."/helloSaml2".implementor = io.quarkiverse.cxf.it.security.policy.Saml2PolicyHelloServiceImpl
 quarkus.cxf.endpoint."/helloSaml2".security.return.security.error = true
@@ -80,7 +82,7 @@ quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
-
+quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2CallbackHandler
 # Clients
 # tag::client-trust-store[]
 quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello

diff --git a/integration-tests/ws-security-policy/src/main/resources/application.properties b/integration-tests/ws-security-policy/src/main/resources/application.properties
@@ -70,6 +70,8 @@ quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
+quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler
+
 
 quarkus.cxf.endpoint."/helloSaml2".implementor = io.quarkiverse.cxf.it.security.policy.Saml2PolicyHelloServiceImpl
 quarkus.cxf.endpoint."/helloSaml2".security.return.security.error = true
@@ -80,7 +82,7 @@ quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
-
+quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2CallbackHandler
 # Clients
 # tag::client-trust-store[]
 quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello

diff --git a/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml b/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml
@@ -5,33 +5,11 @@
         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
     <wsp:ExactlyOne>
         <wsp:All>
-            <sp:TransportBinding>
-                <wsp:Policy>
-                    <sp:TransportToken>
-                        <wsp:Policy>
-                            <sp:HttpsToken>
-                                <wsp:Policy/>
-                            </sp:HttpsToken>
-                        </wsp:Policy>
-                    </sp:TransportToken>
-                    <sp:Layout>
-                        <wsp:Policy>
-                            <sp:Lax/>
-                        </wsp:Policy>
-                    </sp:Layout>
-                    <sp:IncludeTimestamp/>
-                    <sp:AlgorithmSuite>
-                        <wsp:Policy>
-                            <sp:Basic128/>
-                        </wsp:Policy>
-                    </sp:AlgorithmSuite>
-                </wsp:Policy>
-            </sp:TransportBinding>
             <sp:AsymmetricBinding>
                 <wsp:Policy>
                     <sp:InitiatorToken>
                         <wsp:Policy>
-                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                 <wsp:Policy>
                                     <sp:WssX509V3Token10/>
                                     <sp:RequireEmbeddedTokenReference/>
@@ -41,7 +19,7 @@
                     </sp:InitiatorToken>
                     <sp:RecipientToken>
                         <wsp:Policy>
-                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                                 <wsp:Policy>
                                     <sp:WssX509V3Token10/>
                                     <sp:RequireEmbeddedTokenReference/>
@@ -72,7 +50,7 @@
             </sp:SignedParts>
             <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                 <wsp:Policy>
-                    <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                    <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
                         <wsp:Policy>
                             <sp:WssSamlV11Token11/>
                         </wsp:Policy>

diff --git a/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml b/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml
@@ -5,33 +5,11 @@
         xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
     <wsp:ExactlyOne>
         <wsp:All>
-            <sp:TransportBinding>
-                <wsp:Policy>
-                    <sp:TransportToken>
-                        <wsp:Policy>
-                            <sp:HttpsToken>
-                                <wsp:Policy/>
-                            </sp:HttpsToken>
-                        </wsp:Policy>
-                    </sp:TransportToken>
-                    <sp:Layout>
-                        <wsp:Policy>
-                            <sp:Lax/>
-                        </wsp:Policy>
-                    </sp:Layout>
-                    <sp:IncludeTimestamp/>
-                    <sp:AlgorithmSuite>
-                        <wsp:Policy>
-                            <sp:Basic128/>
-                        </wsp:Policy>
-                    </sp:AlgorithmSuite>
-                </wsp:Policy>
-            </sp:TransportBinding>
             <sp:AsymmetricBinding>
                 <wsp:Policy>
                     <sp:InitiatorToken>
                         <wsp:Policy>
-                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                 <wsp:Policy>
                                     <sp:WssX509V3Token10/>
                                     <sp:RequireEmbeddedTokenReference/>
@@ -41,7 +19,7 @@
                     </sp:InitiatorToken>
                     <sp:RecipientToken>
                         <wsp:Policy>
-                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
+                            <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator">
                                 <wsp:Policy>
                                     <sp:WssX509V3Token10/>
                                     <sp:RequireEmbeddedTokenReference/>
@@ -72,7 +50,7 @@
             </sp:SignedParts>
             <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                 <wsp:Policy>
-                    <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                    <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
                         <wsp:Policy>
                             <sp:WssSamlV20Token11/>
                         </wsp:Policy>

diff --git a/.../test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java b/.../test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java
@@ -6,7 +6,6 @@
 import java.util.Map;
 
 import org.hamcrest.Matcher;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
 import io.quarkus.test.junit.QuarkusTest;
@@ -76,24 +75,22 @@ protected String usernameTokenNotSatisfied() {
 
     @Override
     Matcher<String> unsignedUnencryptedErrorMessage() {
-        /* The Stax implmentation does not honor security.return.security.error = true */
+        /* The Stax implementation does not honor security.return.security.error = true */
         return containsString("<faultstring>XML_STREAM_EXC</faultstring>");
     }
 
     @Override
     Matcher<String> missingSamlErrorMessage(final String endpoint) {
-        /* The Stax implmentation does not honor security.return.security.error = true */
-        return containsString("An error was discovered processing the &lt;wsse:Security> header");
+        /* The Stax implementation does not honor security.return.security.error = true */
+        return containsString("<faultstring>XML_STREAM_EXC</faultstring>");
     }
 
-    @Disabled("https://github.com/quarkiverse/quarkus-cxf/issues/1095")
     @Override
     @Test
     void helloSaml1() {
         super.helloSaml1();
     }
 
-    @Disabled("https://github.com/quarkiverse/quarkus-cxf/issues/1095")
     @Override
     @Test
     void helloSaml2() {