ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1624262 - in /webservices/wss4j/trunk: ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/ ws-secu...
Date Thu, 11 Sep 2014 11:27:18 GMT
Author: coheigea
Date: Thu Sep 11 11:27:18 2014
New Revision: 1624262

URL: http://svn.apache.org/r1624262
Log:
[WSS-510] - Provide a way of requiring a particular SAML subject confirmation method

Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
    webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SamlAssertionValidator.java
Thu Sep 11 11:27:18 2014
@@ -56,6 +56,11 @@ public class SamlAssertionValidator exte
     private boolean validateSignatureAgainstProfile = true;
     
     /**
+     * If this is set, then the value must appear as one of the Subject Confirmation Methods
+     */
+    private String requiredSubjectConfirmationMethod;
+    
+    /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming

      * Assertion is valid. The default is 60 seconds.
      */
@@ -77,23 +82,8 @@ public class SamlAssertionValidator exte
         }
         SamlAssertionWrapper samlAssertion = credential.getSamlAssertion();
         
-        // Check HOK requirements
-        String confirmMethod = null;
-        List<String> methods = samlAssertion.getConfirmationMethods();
-        if (methods != null && methods.size() > 0) {
-            confirmMethod = methods.get(0);
-        }
-        if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
-            if (samlAssertion.getSubjectKeyInfo() == null) {
-                LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject
conf method");
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
-            }
-            // The assertion must have been signed for HOK
-            if (!samlAssertion.isSigned()) {
-                LOG.debug("A holder-of-key assertion must be signed");
-                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
-            }
-        }
+        // Check the Subject Confirmation requirements
+        verifySubjectConfirmationMethod(samlAssertion);
         
         // Check conditions
         checkConditions(samlAssertion);
@@ -112,6 +102,49 @@ public class SamlAssertionValidator exte
     }
     
     /**
+     * Check the Subject Confirmation method requirements
+     */
+    protected void verifySubjectConfirmationMethod(
+        SamlAssertionWrapper samlAssertion
+    ) throws WSSecurityException {
+        
+        List<String> methods = samlAssertion.getConfirmationMethods();
+        if ((methods == null || methods.isEmpty()) 
+            && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+        
+        boolean signed = samlAssertion.isSigned();
+        boolean requiredMethodFound = false;
+        for (String method : methods) {
+            if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
+                if (samlAssertion.getSubjectKeyInfo() == null) {
+                    LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject
conf method");
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"noKeyInSAMLToken");
+                }
+                
+                // The assertion must have been signed for HOK
+                if (!signed) {
+                    LOG.debug("A holder-of-key assertion must be signed");
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"invalidSAMLsecurity");
+                }
+            }
+            
+            if (method != null && method.equals(requiredSubjectConfirmationMethod))
{
+                requiredMethodFound = true;
+            }
+        }
+        
+        if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+    }
+    
+    /**
      * Verify trust in the signature of a signed Assertion. This method is separate so that
      * the user can override if if they want.
      * @param samlAssertion The signed Assertion
@@ -194,5 +227,13 @@ public class SamlAssertionValidator exte
     public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
         this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
     }
+
+    public String getRequiredSubjectConfirmationMethod() {
+        return requiredSubjectConfirmationMethod;
+    }
+
+    public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
{
+        this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
+    }
     
 }

Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlTokenTest.java
Thu Sep 11 11:27:18 2014
@@ -40,6 +40,7 @@ import org.apache.wss4j.common.saml.SAML
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSConfig;
@@ -60,6 +61,7 @@ import org.apache.wss4j.dom.message.WSSe
 import org.apache.wss4j.dom.message.WSSecSAMLToken;
 import org.apache.wss4j.dom.message.token.SecurityTokenReference;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.EncryptedKey;
 import org.apache.xml.security.encryption.XMLCipher;
@@ -957,6 +959,57 @@ public class SamlTokenTest extends org.j
         assertEquals(assertionString, secondAssertionString);
     }
     
+    @org.junit.Test
+    public void testRequiredSubjectConfirmationMethod() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setIssuer("www.example.com");
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken();
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        Document unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+
+        WSSConfig config = WSSConfig.getNewInstance();
+        SamlAssertionValidator assertionValidator = new SamlAssertionValidator();
+        assertionValidator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+        config.setValidator(WSSecurityEngine.SAML_TOKEN, assertionValidator);
+        config.setValidator(WSSecurityEngine.SAML2_TOKEN, assertionValidator);
+        config.setValidateSamlSubjectConfirmation(false);
+        
+        WSSecurityEngine newEngine = new WSSecurityEngine();
+        newEngine.setWssConfig(config);
+        newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+        
+        // Now create a Bearer assertion
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        
+        samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+        wsSign = new WSSecSAMLToken();
+
+        doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        unsignedDoc = wsSign.build(doc, samlAssertion, secHeader);
+        try {
+            newEngine.processSecurityHeader(unsignedDoc, null, null, null);
+            fail("Failure expected on an incorrect subject confirmation method");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/SAMLTokenInputHandler.java
Thu Sep 11 11:27:18 2014
@@ -157,15 +157,20 @@ public class SAMLTokenInputHandler exten
             }
         }
 
-        String confirmMethod = null;
+        final InboundSecurityToken subjectSecurityToken;
+        
         List<String> methods = samlAssertionWrapper.getConfirmationMethods();
-        if (methods != null && methods.size() > 0) {
-            confirmMethod = methods.get(0);
+        boolean holderOfKey = false;
+        if (methods != null) {
+            for (String method : methods) {
+                if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
+                    holderOfKey = true;
+                    break;
+                }
+            }
         }
 
-        final InboundSecurityToken subjectSecurityToken;
-
-        if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
+        if (holderOfKey) {
 
             // First try to get the credential from a CallbackHandler
             final byte[] subjectSecretKey = SAMLUtil.getSecretKeyFromCallbackHandler(
@@ -200,11 +205,6 @@ public class SAMLTokenInputHandler exten
                     }
                 };
             } else {
-                // The assertion must have been signed for HOK
-                if (!samlAssertionWrapper.isSigned()) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"invalidSAMLsecurity");
-                }
-
                 int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
                 if (subjectKeyInfoIndex < 0) {
                     throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"noKeyInSAMLToken");

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/validate/SamlTokenValidatorImpl.java
Thu Sep 11 11:27:18 2014
@@ -19,10 +19,12 @@
 package org.apache.wss4j.stax.validate;
 
 import java.util.Date;
+import java.util.List;
 
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.stax.securityToken.SamlSecurityToken;
 import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
@@ -33,6 +35,9 @@ import org.opensaml.common.SAMLVersion;
 
 public class SamlTokenValidatorImpl extends SignatureTokenValidatorImpl implements SamlTokenValidator
{
     
+    private static final transient org.slf4j.Logger LOG =
+        org.slf4j.LoggerFactory.getLogger(SamlTokenValidatorImpl.class);
+                                          
     /**
      * The time in seconds in the future within which the NotBefore time of an incoming
      * Assertion is valid. The default is 60 seconds.
@@ -44,6 +49,11 @@ public class SamlTokenValidatorImpl exte
      * relevant profile. Default is true.
      */
     private boolean validateSignatureAgainstProfile = true;
+    
+    /**
+     * If this is set, then the value must appear as one of the Subject Confirmation Methods
+     */
+    private String requiredSubjectConfirmationMethod;
 
     /**
      * Set the time in seconds in the future within which the NotBefore time of an incoming
@@ -68,6 +78,14 @@ public class SamlTokenValidatorImpl exte
     public void setValidateSignatureAgainstProfile(boolean validateSignatureAgainstProfile)
{
         this.validateSignatureAgainstProfile = validateSignatureAgainstProfile;
     }
+    
+    public String getRequiredSubjectConfirmationMethod() {
+        return requiredSubjectConfirmationMethod;
+    }
+
+    public void setRequiredSubjectConfirmationMethod(String requiredSubjectConfirmationMethod)
{
+        this.requiredSubjectConfirmationMethod = requiredSubjectConfirmationMethod;
+    }
 
     @Override
     public <T extends SamlSecurityToken & InboundSecurityToken> T validate(final
SamlAssertionWrapper samlAssertionWrapper,
@@ -76,6 +94,9 @@ public class SamlTokenValidatorImpl exte
         // Check conditions
         checkConditions(samlAssertionWrapper);
         
+        // Check the Subject Confirmation requirements
+        verifySubjectConfirmationMethod(samlAssertionWrapper);
+        
         // Check OneTimeUse Condition
         checkOneTimeUse(samlAssertionWrapper, 
                         tokenContext.getWssSecurityProperties().getSamlOneTimeUseReplayCache());
@@ -101,6 +122,41 @@ public class SamlTokenValidatorImpl exte
         return token;
     }
 
+    /**
+     * Check the Subject Confirmation method requirements
+     */
+    protected void verifySubjectConfirmationMethod(
+        SamlAssertionWrapper samlAssertion
+    ) throws WSSecurityException {
+        
+        List<String> methods = samlAssertion.getConfirmationMethods();
+        if ((methods == null || methods.isEmpty()) 
+            && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+        
+        boolean signed = samlAssertion.isSigned();
+        boolean requiredMethodFound = false;
+        for (String method : methods) {
+            // The assertion must have been signed for HOK
+            if (OpenSAMLUtil.isMethodHolderOfKey(method) && !signed) {
+                LOG.debug("A holder-of-key assertion must be signed");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+            }
+            
+            if (method != null && method.equals(requiredSubjectConfirmationMethod))
{
+                requiredMethodFound = true;
+            }
+        }
+        
+        if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
+            LOG.debug("A required subject confirmation method was not present");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, 
+                                          "invalidSAMLsecurity");
+        }
+    }
     
     /**
      * Check the Conditions of the Assertion.

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java?rev=1624262&r1=1624261&r2=1624262&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/saml/SAMLTokenTest.java
Thu Sep 11 11:27:18 2014
@@ -26,6 +26,7 @@ import org.apache.wss4j.common.saml.SAML
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
@@ -42,6 +43,7 @@ import org.apache.wss4j.stax.test.Abstra
 import org.apache.wss4j.stax.test.utils.SOAPUtil;
 import org.apache.wss4j.stax.test.utils.StAX2DOM;
 import org.apache.wss4j.stax.test.utils.XmlReaderToWriter;
+import org.apache.wss4j.stax.validate.SamlTokenValidatorImpl;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.EncryptedKey;
 import org.apache.xml.security.encryption.XMLCipher;
@@ -64,6 +66,7 @@ import org.w3c.dom.NodeList;
 
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
 import javax.xml.transform.dom.DOMSource;
@@ -927,6 +930,99 @@ public class SAMLTokenTest extends Abstr
         }
     }
     
+    @Test
+    public void testRequiredSubjectConfirmationMethod() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+            callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+            callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // Test that we have a SenderVouches assertion
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+        }
+        
+        baos = new ByteArrayOutputStream();
+        // Now create a Bearer assertion
+        {
+            SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+            callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+            callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+            callbackHandler.setIssuer("www.example.com");
+            callbackHandler.setSignAssertion(false);
+
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SAML_TOKEN_UNSIGNED + " " + WSHandlerConstants.SIGNATURE;
+            Properties properties = new Properties();
+            properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);
+            properties.setProperty(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;");
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
properties);
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        // Test that we have a SenderVouches assertion
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setSamlCallbackHandler(new SAMLCallbackHandlerImpl());
+            
+            SamlTokenValidatorImpl validator = new SamlTokenValidatorImpl();
+            validator.setRequiredSubjectConfirmationMethod(SAML2Constants.CONF_SENDER_VOUCHES);
+            securityProperties.addValidator(WSSConstants.TAG_saml2_Assertion, validator);
+            securityProperties.addValidator(WSSConstants.TAG_saml_Assertion, validator);
+            
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            try {
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                fail("Failure expected on a Bearer assertion");
+            }  catch (XMLStreamException e) {
+                // expected
+            }
+        }
+    }
+    
     private void encryptElement(
         Document document,
         Element elementToEncrypt,



Mime
View raw message