From 64b116090cfc0f10fc1789ee11f4d59b7228c068 Mon Sep 17 00:00:00 2001
From: Freeman Fang
Date: Thu, 4 Jan 2024 12:31:34 -0500
Subject: [PATCH] Use a single security binding per security policy fix #1095
---
 .../ws-security-policy/application.properties | 4 ++-
 .../src/main/resources/application.properties | 4 ++-
 .../src/main/resources/saml1-policy.xml | 28 ++-----------------
 .../src/main/resources/saml2-policy.xml | 28 ++-----------------
 .../UsernameTokenSecurityPolicyStaxTest.java | 9 ++----
 5 files changed, 15 insertions(+), 58 deletions(-)
diff --git a/docs/modules/ROOT/examples/ws-security-policy/application.properties b/docs/modules/ROOT/examples/ws-security-policy/application.properties
index 3adf24a76..00a2a3546 100644
--- a/docs/modules/ROOT/examples/ws-security-policy/application.properties
+++ b/docs/modules/ROOT/examples/ws-security-policy/application.properties
@@ -70,6 +70,8 @@ quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
+quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler
+
 quarkus.cxf.endpoint."/helloSaml2".implementor = io.quarkiverse.cxf.it.security.policy.Saml2PolicyHelloServiceImpl
 quarkus.cxf.endpoint."/helloSaml2".security.return.security.error = true
@@ -80,7 +82,7 @@ quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
-
+quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2CallbackHandler
 # Clients
 # tag::client-trust-store[]
 quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello
diff --git a/integration-tests/ws-security-policy/src/main/resources/application.properties b/integration-tests/ws-security-policy/src/main/resources/application.properties
index 3adf24a76..00a2a3546 100644
--- a/integration-tests/ws-security-policy/src/main/resources/application.properties
+++ b/integration-tests/ws-security-policy/src/main/resources/application.properties
@@ -70,6 +70,8 @@ quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob
 quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type}
+quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler
+
 quarkus.cxf.endpoint."/helloSaml2".implementor = io.quarkiverse.cxf.it.security.policy.Saml2PolicyHelloServiceImpl
 quarkus.cxf.endpoint."/helloSaml2".security.return.security.error = true
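Review bot: The added `quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler` line carries no comment, and a handler that builds SAML assertions is unexpected on a service endpoint rather than on a client; the `@@ -80,7 +82,7 @@` hunk of the same file adds `#saml2CallbackHandler` for `/helloSaml2` in the same way. Presumably the consolidated policy now expects an assertion in the endpoint's own messages too, but the policy XML is not readable here, so that should be confirmed. I would add a line above each property such as `# Named bean that builds the SAML assertion for messages sent by this endpoint`, and confirm both beans exist, since neither is defined in this patch. The second hunk also removes the blank line in front of `# Clients`, so the section comment now sits directly under the last `/helloSaml2` property; keeping the separator would be clearer.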
@@ -80,7 +82,7 @@ quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws. quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob quarkus.cxf.endpoint."/helloSaml2".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type} - +quarkus.cxf.endpoint."/helloSaml2".security.saml-callback-handler = #saml2CallbackHandler # Clients # tag::client-trust-store[] quarkus.cxf.client.hello.client-endpoint-url = https://localhost:${quarkus.http.test-ssl-port}/services/hello diff --git a/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml b/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml index 3f87ea03b..3512268ca 100644 --- a/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml +++ b/integration-tests/ws-security-policy/src/main/resources/saml1-policy.xml @@ -5,33 +5,11 @@ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> - - - - - - - - - - - - - - - - - - - - - - - + @@ -41,7 +19,7 @@ - + @@ -72,7 +50,7 @@ - + diff --git a/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml b/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml index a0436df80..16b78f173 100644 --- a/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml +++ b/integration-tests/ws-security-policy/src/main/resources/saml2-policy.xml @@ -5,33 +5,11 @@ xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> - - - - - - - - - - - - - - - - - - - - - - - + @@ -41,7 +19,7 @@ - + @@ -72,7 +50,7 @@ - + 
diff --git a/integration-tests/ws-security-policy/src/test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java b/integration-tests/ws-security-policy/src/test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java
index 95876466e..c4a671869 100644
--- a/integration-tests/ws-security-policy/src/test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java
+++ b/integration-tests/ws-security-policy/src/test/java/io/quarkiverse/cxf/it/security/policy/UsernameTokenSecurityPolicyStaxTest.java
@@ -6,7 +6,6 @@ import java.util.Map;
 import org.hamcrest.Matcher;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import io.quarkus.test.junit.QuarkusTest;
@@ -76,24 +75,22 @@ protected String usernameTokenNotSatisfied() {
 @Override
 Matcher unsignedUnencryptedErrorMessage() {
- /* The Stax implmentation does not honor security.return.security.error = true */
+ /* The Stax implementation does not honor security.return.security.error = true */
 return containsString("XML_STREAM_EXC");
 }
 @Override
 Matcher missingSamlErrorMessage(final String endpoint) {
- /* The Stax implmentation does not honor security.return.security.error = true */
- return containsString("An error was discovered processing the <wsse:Security> header");
+ /* The Stax implementation does not honor security.return.security.error = true */
+ return containsString("XML_STREAM_EXC");
 }
- @Disabled("https://github.com/quarkiverse/quarkus-cxf/issues/1095")
 @Override
 @Test
 void helloSaml1() {
 super.helloSaml1();
 }
- @Disabled("https://github.com/quarkiverse/quarkus-cxf/issues/1095")
 @Override
 @Test
 void helloSaml2() {
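Review bot: `missingSamlErrorMessage` now returns the same `containsString("XML_STREAM_EXC")` matcher as `unsignedUnencryptedErrorMessage`, so in the StAX variant the missing-SAML negative test is satisfied by any stream-level failure and no longer shows that the request was refused because the assertion was absent. The `endpoint` parameter is also unused in the visible body. If the StAX fault really carries nothing more specific, the comment should say so, for example `/* StAX surfaces this policy violation only as XML_STREAM_EXC; the missing-assertion cause is not visible to the client */`, and the caller should ideally assert something that separates the two cases; that caller is in the base class, outside this hunk. The two overrides could share one constant instead of repeating the literal, and `helloSaml2()` continues past the end of the hunk.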