cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r751299 - in /cxf/trunk: api/src/main/java/org/apache/cxf/ws/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ rt/ws/security/src/ma...
Date Sat, 07 Mar 2009 17:41:08 GMT
Author: dkulp
Date: Sat Mar  7 17:41:07 2009
New Revision: 751299

URL: http://svn.apache.org/viewvc?rev=751299&view=rev
Log:
Add some validation of incoming secure messages to make sure they match policies.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java   (with props)
Modified:
    cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java
    cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java

Modified: cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/ws/policy/AssertionInfoMap.java Sat Mar  7 17:41:07 2009
@@ -24,8 +24,10 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.ResourceBundle;
+import java.util.Set;
 
 import javax.xml.namespace.QName;
 
@@ -115,20 +117,25 @@
                 return;
             }
         }
-        StringBuilder error = new StringBuilder("\n");
+        
+        Set<String> msgs = new LinkedHashSet<String>();
+        
         for (QName name : errors) {
             Collection<AssertionInfo> ais = getAssertionInfo(name);
             for (AssertionInfo ai : ais) {
                 if (!ai.isAsserted()) {
-                    error.append("\n      ");
-                    error.append(name.toString());
+                    String s = name.toString();
                     if (ai.getErrorMessage() != null) {
-                        error.append(": ").append(ai.getErrorMessage());
+                        s += ": " + ai.getErrorMessage();
                     }
+                    msgs.add(s);
                 }
             }
         }
-        
+        StringBuilder error = new StringBuilder("\n");
+        for (String msg : msgs) {
+            error.append("\n").append(msg);
+        }
         
         throw new PolicyException(new Message("NO_ALTERNATIVE_EXC", BUNDLE, error.toString()));
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/EncryptedPartsBuilder.java Sat Mar  7 17:41:07 2009
@@ -67,17 +67,12 @@
     private void processElement(Element element, SignedEncryptedParts parent) {
 
         if ("Header".equals(element.getLocalName())) {
-            Header header = new Header();
-
             String nameAttribute = element.getAttribute(SPConstants.NAME);
-            if (nameAttribute != null) {
-                header.setName(nameAttribute);
+            if (nameAttribute == null) {
+                nameAttribute = "";
             }
-
             String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
-            header.setNamespace(namespaceAttribute);
-
-            parent.addHeader(header);
+            parent.addHeader(new Header(nameAttribute, namespaceAttribute));
 
         } else if ("Body".equals(element.getLocalName())) {
             parent.setBody(true);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/RequiredPartsBuilder.java Sat Mar  7 17:41:07 2009
@@ -55,17 +55,14 @@
 
     private void processElement(Element element, RequiredParts parent) {
         if ("Header".equals(element.getLocalName())) {
-            Header header = new Header();
 
             String nameAttribute = element.getAttribute(SPConstants.NAME);
-            if (nameAttribute != null) {
-                header.setName(nameAttribute);
+            if (nameAttribute == null) {
+                nameAttribute = "";
             }
 
             String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
-            header.setNamespace(namespaceAttribute);
-
-            parent.addHeader(header);
+            parent.addHeader(new Header(nameAttribute, namespaceAttribute));
         }
     }
 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SignedPartsBuilder.java Sat Mar  7 17:41:07 2009
@@ -68,17 +68,14 @@
     private void processElement(Element element, SignedEncryptedParts parent) {
 
         if ("Header".equals(element.getLocalName())) {
-            Header header = new Header();
 
             String nameAttribute = element.getAttribute(SPConstants.NAME);
-            if (nameAttribute != null) {
-                header.setName(nameAttribute);
+            if (nameAttribute == null) {
+                nameAttribute = "";
             }
-
             String namespaceAttribute = element.getAttribute(SPConstants.NAMESPACE);
-            header.setNamespace(namespaceAttribute);
 
-            parent.addHeader(header);
+            parent.addHeader(new Header(nameAttribute, namespaceAttribute));
 
         } else if ("Body".equals(element.getLocalName())) {
             parent.setBody(true);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java Sat Mar  7 17:41:07 2009
@@ -21,6 +21,7 @@
 
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Vector;
 
 
 import org.apache.cxf.Bus;
@@ -43,6 +44,9 @@
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSClient;
+import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
 
 /**
  * 
@@ -171,6 +175,7 @@
     static class IssuedTokenInInterceptor extends AbstractPhaseInterceptor<Message> {
         public IssuedTokenInInterceptor() {
             super(Phase.PRE_PROTOCOL);
+            addAfter(WSS4JInInterceptor.class.getName());
         }
 
         public void handleMessage(Message message) throws Fault {
@@ -182,7 +187,25 @@
                     return;
                 }
                 if (!isRequestor(message)) {
-                    //TODO
+                    boolean found = false;
+                    Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
+                    for (int i = 0; i < results.size(); i++) {
+                        WSHandlerResult rResult =
+                                (WSHandlerResult) results.get(i);
+
+                        Vector wsSecEngineResults = rResult.getResults();
+
+                        for (int j = 0; j < wsSecEngineResults.size(); j++) {
+                            //WSSecurityEngineResult wser =
+                            //        (WSSecurityEngineResult) wsSecEngineResults.get(j);
+                            //Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+                            //how to find if it's due to an IssuedToken?
+                            found = true;
+                        }
+                    }
+                    if (!found) {
+                        ais.iterator().next().setAsserted(false);
+                    }
                 } else {
                     //client side should be checked on the way out
                     for (AssertionInfo ai : ais) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Sat Mar  7 17:41:07 2009
@@ -364,6 +364,7 @@
 
         public void handleMessage(SoapMessage message) throws Fault {
             //Find the SC token
+            boolean found = false;
             Vector results = (Vector)message.get(WSHandlerConstants.RECV_RESULTS);
             for (int i = 0; i < results.size(); i++) {
                 WSHandlerResult rResult =
@@ -380,9 +381,21 @@
                             = (SecurityContextToken)wser
                                 .get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
                         message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getID());
+                        found = true;
                     }
                 }
             }
+            if (!found) {
+                AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+                // extract Assertion information
+                if (aim != null) {
+                    Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
+                    if (ais == null || ais.isEmpty()) {
+                        return;
+                    }
+                    ais.iterator().next().setNotAsserted("No SecureConversation token found in message.");
+                }
+            }
         }
     }
     static class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java Sat Mar  7 17:41:07 2009
@@ -27,8 +27,8 @@
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.security.policy.SP11Constants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
-import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 
 /**
  * 
@@ -52,7 +52,7 @@
         super(ASSERTION_TYPES);
         this.getOutInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
         this.getOutFaultInterceptors().add(new PolicyBasedWSS4JOutInterceptor());
-        this.getInInterceptors().add(new WSS4JInInterceptor(true));
-        this.getInFaultInterceptors().add(new WSS4JInInterceptor());
+        this.getInInterceptors().add(new PolicyBasedWSS4JInInterceptor());
+        this.getInFaultInterceptors().add(new PolicyBasedWSS4JInInterceptor());
     }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Header.java Sat Mar  7 17:41:07 2009
@@ -18,45 +18,37 @@
  */
 package org.apache.cxf.ws.security.policy.model;
 
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.common.util.StringUtils;
+
 public class Header {
 
-    private String name;
-    private String namespace;
+    private QName name;
 
-    public Header() {
-    }
     
     public Header(String nm, String ns) {
-        name = nm;
-        namespace = ns;
+        name = new QName(ns, nm);
     }
     
-    /**
-     * @return Returns the name.
-     */
-    public String getName() {
+    public QName getQName() {
         return name;
     }
-
+    
     /**
-     * @param name The name to set.
+     * @return Returns the name.
      */
-    public void setName(String name) {
-        this.name = name;
+    public String getName() {
+        if (StringUtils.isEmpty(name.getLocalPart())) {
+            return null;
+        }
+        return name.getLocalPart();
     }
-
     /**
      * @return Returns the namespace.
      */
     public String getNamespace() {
-        return namespace;
-    }
-
-    /**
-     * @param namespace The namespace to set.
-     */
-    public void setNamespace(String namespace) {
-        this.namespace = namespace;
+        return name.getNamespaceURI();
     }
 
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RecipientToken.java Sat Mar  7 17:41:07 2009
@@ -25,7 +25,7 @@
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
 
-public class RecipientToken extends  TokenWrapper {
+public class RecipientToken extends TokenWrapper {
 
     public RecipientToken(SPConstants version) {
         super(version);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/RequiredParts.java Sat Mar  7 17:41:07 2009
@@ -26,6 +26,7 @@
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
 
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.neethi.PolicyComponent;
@@ -86,7 +87,7 @@
             // <sp:Header Name=".." Namespace=".." />
             writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
             // Name attribute is optional
-            if (header.getName() != null) {
+            if (!StringUtils.isEmpty(header.getName())) {
                 writer.writeAttribute("Name", header.getName());
             }
             writer.writeAttribute("Namespace", header.getNamespace());

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SignedEncryptedParts.java Sat Mar  7 17:41:07 2009
@@ -26,6 +26,7 @@
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamWriter;
 
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.policy.SPConstants;
 import org.apache.neethi.PolicyComponent;
@@ -140,7 +141,7 @@
             // <sp:Header Name=".." Namespace=".." />
             writer.writeStartElement(prefix, SPConstants.HEADER, namespaceURI);
             // Name attribute is optional
-            if (header.getName() != null) {
+            if (!StringUtils.isEmpty(header.getName())) {
                 writer.writeAttribute("Name", header.getName());
             }
             writer.writeAttribute("Namespace", header.getNamespace());

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Sat Mar  7 17:41:07 2009
@@ -18,41 +18,22 @@
  */
 package org.apache.cxf.ws.security.wss4j;
 
-import java.io.IOException;
 import java.net.URI;
-import java.net.URL;
-import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Hashtable;
-import java.util.List;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 
 import javax.xml.namespace.QName;
 
-import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.interceptor.SoapInterceptor;
-import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.PhaseInterceptor;
-import org.apache.cxf.resource.ResourceManager;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyAssertion;
-import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.Wss11;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
@@ -63,7 +44,7 @@
 
 public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor, 
     PhaseInterceptor<SoapMessage> {
-    
+
     private static final Set<QName> HEADERS = new HashSet<QName>();
     static {
         HEADERS.add(new QName(WSConstants.WSSE_NS, "Security"));
@@ -165,286 +146,11 @@
         this.before = before;
     }
     
-    private boolean isRequestor(SoapMessage message) {
-        return Boolean.TRUE.equals(message.get(
-            org.apache.cxf.message.Message.REQUESTOR_ROLE));
+    protected boolean isRequestor(SoapMessage message) {
+        return MessageUtils.isRequestor(message);
     }  
-    
-    protected void policyAsserted(AssertionInfoMap aim, PolicyAssertion assertion) {
-        if (assertion == null) {
-            return;
-        }
-        Collection<AssertionInfo> ais;
-        ais = aim.get(assertion.getName());
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                if (ai.getAssertion() == assertion) {
-                    ai.setAsserted(true);
-                }
-            }
-        }
-    }
-    protected void policyAsserted(AssertionInfoMap aim, QName qn) {
-        Collection<AssertionInfo> ais;
-        ais = aim.get(qn);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }
-        }
-    }
-    private static Properties getProps(Object o, SoapMessage message) {
-        Properties properties = null;
-        if (o instanceof Properties) {
-            properties = (Properties)o;
-        } else if (o instanceof String) {
-            ResourceManager rm = message.getExchange().get(Bus.class).getExtension(ResourceManager.class);
-            URL url = rm.resolveResource((String)o, URL.class);
-            try {
-                if (url == null) {
-                    url = ClassLoaderUtils.getResource((String)o, AbstractWSS4JInterceptor.class);
-                }
-                if (url != null) {
-                    properties = new Properties();
-                    properties.load(url.openStream());
-                }
-            } catch (IOException e) {
-                properties = null;
-            }
-        } else if (o instanceof URL) {
-            properties = new Properties();
-            try {
-                properties.load(((URL)o).openStream());
-            } catch (IOException e) {
-                properties = null;
-            }            
-        }
-        
-        return properties;
-    }
-    
-    String addToAction(String action, String val, boolean pre) {
-        if (action.contains(val)) {
-            return action;
-        }
-        if (pre) {
-            return val + " " + action; 
-        } 
-        return action + " " + val;
-    }
-    boolean assertPolicy(AssertionInfoMap aim, QName q) {
-        Collection<AssertionInfo> ais = aim.get(q);
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    String assertAsymetricBinding(AssertionInfoMap aim, String action, SoapMessage message) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
-                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
-                    action = addToAction(action, "Signature", true);
-                    action = addToAction(action, "Encrypt", true);
-                } else {
-                    action = addToAction(action, "Encrypt", true);
-                    action = addToAction(action, "Signature", true);
-                }
-                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
-                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
-                if (e != null) {
-                    message.put("SignaturePropRefId", "RefId-" + e.toString());
-                    message.put("RefId-" + e.toString(), getProps(e, message));
-                }
-                if (s != null) {
-                    message.put("decryptionPropRefId", "RefId-" + s.toString());
-                    message.put("RefId-" + s.toString(), getProps(s, message));
-                }
-                ai.setAsserted(true);
-                policyAsserted(aim, abinding.getInitiatorToken());
-                policyAsserted(aim, abinding.getRecipientToken());
-                policyAsserted(aim, abinding.getInitiatorToken().getToken());
-                policyAsserted(aim, abinding.getRecipientToken().getToken());
-                policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);
-            }
-        }
-     
-        return action;
-    }
-    String assertSymetricBinding(AssertionInfoMap aim, String action, SoapMessage message) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
-                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
-                    action = addToAction(action, "Signature", true);
-                    action = addToAction(action, "Encrypt", true);
-                } else {
-                    action = addToAction(action, "Encrypt", true);
-                    action = addToAction(action, "Signature", true);
-                }
-                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
-                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
-                if (abinding.getProtectionToken() != null) {
-                    s = e;
-                }
-                if (isRequestor(message)) {
-                    if (e != null) {
-                        message.put("SignaturePropRefId", "RefId-" + e.toString());
-                        message.put("RefId-" + e.toString(), getProps(e, message));
-                    }
-                    if (s != null) {
-                        message.put("decryptionPropRefId", "RefId-" + s.toString());
-                        message.put("RefId-" + s.toString(), getProps(s, message));
-                    }
-                } else {
-                    if (s != null) {
-                        message.put("SignaturePropRefId", "RefId-" + s.toString());
-                        message.put("RefId-" + s.toString(), getProps(s, message));
-                    }
-                    if (e != null) {
-                        message.put("decryptionPropRefId", "RefId-" + e.toString());
-                        message.put("RefId-" + e.toString(), getProps(e, message));
-                    }
-                }
-                ai.setAsserted(true);
-                if (abinding.getEncryptionToken() != null) {
-                    policyAsserted(aim, abinding.getEncryptionToken());
-                    policyAsserted(aim, abinding.getEncryptionToken().getToken());
-                }
-                if (abinding.getSignatureToken() != null) {
-                    policyAsserted(aim, abinding.getSignatureToken());
-                    policyAsserted(aim, abinding.getSignatureToken().getToken());
-                }
-                if (abinding.getProtectionToken() != null) {
-                    policyAsserted(aim, abinding.getProtectionToken());
-                    policyAsserted(aim, abinding.getProtectionToken().getToken());
-                }
-                policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);
-            }
-        }
-        return action;
-    }
-    void assertTransportBinding(AssertionInfoMap aim, SoapMessage message) {
-        assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
-        assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
-        policyAsserted(aim, SP12Constants.ENCRYPTED_PARTS);        
-    }
-    void assertWSS11(AssertionInfoMap aim, SoapMessage message) {
-        if (isRequestor(message)) {
-            message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
-        }
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
-        if (ais != null) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-                Wss11 wss11 = (Wss11)ai.getAssertion();
-                if (isRequestor(message)) {
-                    message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, 
-                                wss11.isRequireSignatureConfirmation() ? "true" : "false");
-                }
-            }
-        }
-    }
-    
-    protected PolicyAssertion findAndAssertPolicy(AssertionInfoMap aim, QName n) {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
-        if (ais != null && !ais.isEmpty()) {
-            AssertionInfo ai = ais.iterator().next();
-            ai.setAsserted(true);
-            return ai.getAssertion();
-        }
-        return null;
-    }
-    protected String assertSupportingTokens(AssertionInfoMap aim,
-                                          SoapMessage message, 
-                                          String action,
-                                          QName n) {
-        SupportingToken sp = (SupportingToken)findAndAssertPolicy(aim, n);
-        if (sp != null) {
-            action = doTokens(sp.getTokens(), action, aim, message);
-        }
-        return action;
-    }
-    protected void checkPolicies(SoapMessage message, RequestData data) {
-        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        // extract Assertion information
-        String action = getString(WSHandlerConstants.ACTION, message);
-        if (action == null) {
-            action = "";
-        }
-        if (aim != null) {
-            if (assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) {
-                action = addToAction(action, WSHandlerConstants.TIMESTAMP, true);
-            }
-            assertPolicy(aim, SP12Constants.LAYOUT);
-            action = assertAsymetricBinding(aim, action, message);
-            action = assertSymetricBinding(aim, action, message);
-            assertTransportBinding(aim, message);
-            
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.SIGNED_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, 
-                                            SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.SUPPORTING_TOKENS);
-            action = assertSupportingTokens(aim, message, 
-                                            action, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
-            assertWSS11(aim, message);
-            assertPolicy(aim, SP12Constants.WSS10);
-            assertPolicy(aim, SP12Constants.TRUST_13);
-            assertPolicy(aim, SP11Constants.TRUST_10);
-            policyAsserted(aim, SP12Constants.SIGNED_PARTS);
 
-            message.put(WSHandlerConstants.ACTION, action.trim());
-        }
-    }
-    
-    private String doTokens(List<Token> tokens, 
-                            String action, 
-                            AssertionInfoMap aim,
-                            SoapMessage msg) {
-        for (Token token : tokens) {
-            if (token instanceof UsernameToken) {
-                if (!action.contains(WSHandlerConstants.USERNAME_TOKEN)
-                    && !isRequestor(msg)) {
-                    action = WSHandlerConstants.USERNAME_TOKEN + " " + action;
-                }
-                Collection<AssertionInfo> ais2 = aim.get(SP12Constants.USERNAME_TOKEN);
-                if (ais2 != null && !ais2.isEmpty()) {
-                    for (AssertionInfo ai2 : ais2) {
-                        if (ai2.getAssertion() == token) {
-                            ai2.setAsserted(true);
-                        }
-                    }                    
-                }
-            } else {
-                Collection<AssertionInfo> ais2 = aim.get(token.getName());
-                if (ais2 != null && !ais2.isEmpty()) {
-                    for (AssertionInfo ai2 : ais2) {
-                        if (ai2.getAssertion() == token) {
-                            ai2.setAsserted(true);
-                        }
-                    }                    
-                }
-            }
-        }        
-        return action;
-    }
-    
+
     public Crypto loadSignatureCrypto(RequestData reqData) 
         throws WSSecurityException {
         Crypto crypto = null;

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=751299&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Sat Mar  7 17:41:07 2009
@@ -0,0 +1,510 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Properties;
+import java.util.Vector;
+
+import javax.xml.namespace.QName;
+import javax.xml.soap.SOAPException;
+import javax.xml.soap.SOAPMessage;
+import javax.xml.stream.XMLStreamException;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.resource.ResourceManager;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyAssertion;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP11Constants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.Header;
+import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
+import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.security.policy.model.Wss11;
+import org.apache.cxf.ws.security.policy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+
+/**
+ * 
+ */
+public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
+
+    /**
+     * 
+     */
+    public PolicyBasedWSS4JInInterceptor() {
+        super(true);
+    }
+    
+    
+    private static Properties getProps(Object o, SoapMessage message) {
+        Properties properties = null;
+        if (o instanceof Properties) {
+            properties = (Properties)o;
+        } else if (o instanceof String) {
+            ResourceManager rm = message.getExchange().get(Bus.class).getExtension(ResourceManager.class);
+            URL url = rm.resolveResource((String)o, URL.class);
+            try {
+                if (url == null) {
+                    url = ClassLoaderUtils.getResource((String)o, AbstractWSS4JInterceptor.class);
+                }
+                if (url != null) {
+                    properties = new Properties();
+                    properties.load(url.openStream());
+                }
+            } catch (IOException e) {
+                properties = null;
+            }
+        } else if (o instanceof URL) {
+            properties = new Properties();
+            try {
+                properties.load(((URL)o).openStream());
+            } catch (IOException e) {
+                properties = null;
+            }            
+        }
+        
+        return properties;
+    }
+    
+    private boolean containsPolicy(AssertionInfoMap aim, 
+                                     QName n) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
+        return ais != null && !ais.isEmpty();
+    }
+    private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
+        if (!isRequestor(message)) {
+            assertPolicy(aim, SP12Constants.WSS11);
+            return;
+        }
+        message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                Wss11 wss11 = (Wss11)ai.getAssertion();
+                if (wss11.isRequireSignatureConfirmation()) {
+                    message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION,
+                                "true");
+                } else {
+                    ai.setAsserted(true);
+                }
+            }
+        }
+    }
+
+    private String addToAction(String action, String val, boolean pre) {
+        if (action.contains(val)) {
+            return action;
+        }
+        if (pre) {
+            return val + " " + action; 
+        } 
+        return action + " " + val;
+    }
+    private boolean assertPolicy(AssertionInfoMap aim, QName q) {
+        Collection<AssertionInfo> ais = aim.get(q);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    private void assertPolicy(AssertionInfoMap aim, Token token, boolean derived) {
+        if (!derived && token instanceof X509Token && token.isDerivedKeys()) {
+            notAssertPolicy(aim, token, "No derived keys found.");
+        }
+    }
+    private void assertPolicy(AssertionInfoMap aim, PolicyAssertion token) {
+        Collection<AssertionInfo> ais = aim.get(token.getName());
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                if (ai.getAssertion() == token) {
+                    ai.setAsserted(true);
+                }
+            }    
+        }
+    }
+    private void notAssertPolicy(AssertionInfoMap aim, PolicyAssertion token, String msg) {
+        Collection<AssertionInfo> ais = aim.get(token.getName());
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                if (ai.getAssertion() == token) {
+                    ai.setNotAsserted(msg);
+                }
+            }    
+        }
+    }
+
+    private String checkAsymetricBinding(AssertionInfoMap aim, 
+                                 String action, 
+                                 SoapMessage message) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
+                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+                    action = addToAction(action, "Signature", true);
+                    action = addToAction(action, "Encrypt", true);
+                } else {
+                    action = addToAction(action, "Encrypt", true);
+                    action = addToAction(action, "Signature", true);
+                }
+                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+                if (e != null) {
+                    message.put("SignaturePropRefId", "RefId-" + e.toString());
+                    message.put("RefId-" + e.toString(), getProps(e, message));
+                }
+                if (s != null) {
+                    message.put("decryptionPropRefId", "RefId-" + s.toString());
+                    message.put("RefId-" + s.toString(), getProps(s, message));
+                }
+            }
+        }
+     
+        return action;
+    }
+    private String checkSymetricBinding(AssertionInfoMap aim, 
+                                String action, 
+                                SoapMessage message) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
+                if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+                    action = addToAction(action, "Signature", true);
+                    action = addToAction(action, "Encrypt", true);
+                } else {
+                    action = addToAction(action, "Encrypt", true);
+                    action = addToAction(action, "Signature", true);
+                }
+                Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+                Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+                if (abinding.getProtectionToken() != null) {
+                    s = e;
+                }
+                if (isRequestor(message)) {
+                    if (e != null) {
+                        message.put("SignaturePropRefId", "RefId-" + e.toString());
+                        message.put("RefId-" + e.toString(), getProps(e, message));
+                    }
+                    if (s != null) {
+                        message.put("decryptionPropRefId", "RefId-" + s.toString());
+                        message.put("RefId-" + s.toString(), getProps(s, message));
+                    }
+                } else {
+                    if (s != null) {
+                        message.put("SignaturePropRefId", "RefId-" + s.toString());
+                        message.put("RefId-" + s.toString(), getProps(s, message));
+                    }
+                    if (e != null) {
+                        message.put("decryptionPropRefId", "RefId-" + e.toString());
+                        message.put("RefId-" + e.toString(), getProps(e, message));
+                    }
+                }
+            }
+        }
+        return action;
+    }
+    
+    
+    private void assertTokens(AssertionInfoMap aim, 
+                              QName name, 
+                              Collection<QName> signed,
+                              SoapMessage msg,
+                              SOAPMessage doc,
+                              String type) throws SOAPException {
+        Collection<AssertionInfo> ais = aim.get(name);
+        if (ais != null) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+                SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
+                if (p.isBody() && !signed.contains(msg.getVersion().getBody())) {
+                    ai.setNotAsserted(msg.getVersion().getBody() + " not " + type);
+                    return;
+                }
+                for (Header h : p.getHeaders()) {
+                    if (!signed.contains(h.getQName())) {
+                        boolean found = false;
+                        Element nd = DOMUtils.getFirstElement(doc.getSOAPHeader());
+                        while (nd != null && !found) {
+                            if (h.getNamespace().equals(nd.getNamespaceURI())
+                                && (nd.getLocalName().equals(h.getName())
+                                    || h.getName() == null)) {
+                                found = true;
+                            }
+                            nd = DOMUtils.getNextElement(nd);
+                        }
+                        if (found) {
+                            ai.setNotAsserted(h.getQName() + " not + " + type);
+                            return;
+                        }
+                    }
+                }
+                
+            }
+        }
+    }
+    protected void computeAction(SoapMessage message, RequestData data) {
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        // extract Assertion information
+        String action = getString(WSHandlerConstants.ACTION, message);
+        if (action == null) {
+            action = "";
+        }
+        if (aim != null) {
+            if (containsPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP)) {
+                action = addToAction(action, WSHandlerConstants.TIMESTAMP, true);
+            }
+            if (containsPolicy(aim, SP12Constants.USERNAME_TOKEN)) {
+                if (isRequestor(message)) {
+                    assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+                } else {
+                    action = addToAction(action, WSHandlerConstants.USERNAME_TOKEN, true);
+                }
+            }
+            
+            //relatively irrelevant stuff from a verification standpoint
+            assertPolicy(aim, SP12Constants.LAYOUT);
+            assertPolicy(aim, SP12Constants.WSS10);
+            assertPolicy(aim, SP12Constants.TRUST_13);
+            assertPolicy(aim, SP11Constants.TRUST_10);
+            
+            //things that DO impact setup
+            handleWSS11(aim, message);
+            action = checkAsymetricBinding(aim, action, message);
+            action = checkSymetricBinding(aim, action, message);
+            
+            //stuff we can default to asserted an un-assert if a condition isn't met
+            assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
+            assertPolicy(aim, SP12Constants.X509_TOKEN);
+
+            message.put(WSHandlerConstants.ACTION, action.trim());
+        }
+    }
+    
+    enum Protections {
+        NONE,
+        SIGN,
+        ENCRYPT,
+        SIGN_ENCRYPT,
+        ENCRYPT_SIGN,
+        ENCRYPT_SIGN_PROTECT,
+    };
+    private Protections addSign(Protections prots) {
+        if (prots == Protections.NONE) {
+            return Protections.SIGN;
+        }
+        if (prots == Protections.ENCRYPT) {
+            return Protections.ENCRYPT_SIGN;
+        }
+        return prots;
+    }
+    private Protections addEncrypt(Protections prots) {
+        if (prots == Protections.NONE) {
+            return Protections.ENCRYPT;
+        }
+        if (prots == Protections.SIGN) {
+            return Protections.SIGN_ENCRYPT;
+        }
+        if (prots == Protections.ENCRYPT_SIGN
+            || prots == Protections.SIGN_ENCRYPT) {
+            return Protections.ENCRYPT_SIGN_PROTECT;
+        }
+        return prots;
+    }
+    
+    protected void doResults(SoapMessage msg, String actor, 
+                             SOAPMessage doc, Vector results) throws SOAPException, XMLStreamException {
+        AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
+        Collection<QName> signed = new HashSet<QName>();
+        Collection<QName> encrypted = new HashSet<QName>();
+        boolean hasDerivedKeys = false;
+        boolean hasEndorsement = false;
+        Protections prots = Protections.NONE;
+        
+        for (int j = 0; j < results.size(); j++) {
+            WSSecurityEngineResult wser =
+                    (WSSecurityEngineResult) results.get(j);
+            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+            switch (actInt.intValue()) {                    
+            case WSConstants.SIGN:
+                List<WSDataRef> sl = CastUtils.cast((List<?>)wser
+                                                       .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                if (sl != null) {
+                    if (sl.size() == 1
+                        && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS, WSConstants.SIG_LN))) {
+                        //endorsing the signature
+                        hasEndorsement = true;
+                        break;
+                    }
+                    for (WSDataRef r : sl) {
+                        signed.add(r.getName());
+                    }
+                    prots = addSign(prots);
+                }
+                break;
+            case WSConstants.ENCR:
+                List<WSDataRef> el = CastUtils.cast((List<?>)wser
+                                                       .get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                if (el != null) {
+                    for (WSDataRef r : el) {
+                        encrypted.add(r.getName());
+                    }
+                    prots = addEncrypt(prots);
+                }
+                break;
+            case WSConstants.UT:
+                assertPolicy(aim, SP12Constants.USERNAME_TOKEN);
+                break;
+            case WSConstants.TS:
+                assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+                break;
+            case WSConstants.DKT:
+                hasDerivedKeys = true;
+                break;
+            case WSConstants.SC:
+                assertPolicy(aim, SP12Constants.WSS11);
+                break;
+            default:
+                //System.out.println(actInt);
+                //anything else to process?  Maybe check tokens for BKT requirements?
+            }                        
+        }
+        assertTokens(aim, SP12Constants.SIGNED_PARTS, signed, msg, doc, "signed");
+        assertTokens(aim, SP12Constants.ENCRYPTED_PARTS, signed, msg, doc, "encrypted");
+        
+        assertAsymetricBinding(aim, msg, doc, prots, hasDerivedKeys);
+        assertSymetricBinding(aim, msg, doc, prots, hasDerivedKeys);
+        assertTransportBinding(aim);
+        
+        
+        //REVISIT - probably can verify some of these like if UT is encrypted and/or signed, etc...
+        assertPolicy(aim, SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        assertPolicy(aim, SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        assertPolicy(aim, SP12Constants.SUPPORTING_TOKENS);
+        assertPolicy(aim, SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+        if (hasEndorsement || isRequestor(msg)) {
+            assertPolicy(aim, SP12Constants.ENDORSING_SUPPORTING_TOKENS);
+            assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+            assertPolicy(aim, SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+            assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        }
+        
+        super.doResults(msg, actor, doc, results);
+    }
+    private boolean assertSymetricBinding(AssertionInfoMap aim, 
+                                           SoapMessage message,
+                                           SOAPMessage doc,
+                                           Protections prots,
+                                           boolean derived) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+        if (ais == null) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            SymmetricBinding abinding = (SymmetricBinding)ai.getAssertion();
+            ai.setAsserted(true);
+            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+                if (abinding.isSignatureProtection()) {
+                    if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+                        ai.setNotAsserted("Not encrypted before signed and then protected");
+                    }
+                } else if (prots != Protections.ENCRYPT_SIGN) {
+                    ai.setNotAsserted("Not encrypted before signed");                    
+                }
+            } else if (prots != Protections.SIGN_ENCRYPT) {
+                ai.setNotAsserted("Not signed before encrypted");                                    
+            }
+            
+            if (abinding.getEncryptionToken() != null) {
+                assertPolicy(aim, abinding.getEncryptionToken());
+                assertPolicy(aim, abinding.getEncryptionToken().getToken(), derived);
+            }
+            if (abinding.getSignatureToken() != null) {
+                assertPolicy(aim, abinding.getSignatureToken());
+                assertPolicy(aim, abinding.getSignatureToken().getToken(), derived);
+            }
+            if (abinding.getProtectionToken() != null) {
+                assertPolicy(aim, abinding.getProtectionToken());
+                assertPolicy(aim, abinding.getProtectionToken().getToken(), derived);
+            }
+        }
+        return true;
+    }
+    private boolean assertAsymetricBinding(AssertionInfoMap aim, 
+                                           SoapMessage message,
+                                           SOAPMessage doc,
+                                           Protections prots,
+                                           boolean derived) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+        if (ais == null) {
+            return true;
+        }
+        for (AssertionInfo ai : ais) {
+            AsymmetricBinding abinding = (AsymmetricBinding)ai.getAssertion();
+            ai.setAsserted(true);
+            if (abinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+                if (abinding.isSignatureProtection()) {
+                    if (prots != Protections.ENCRYPT_SIGN_PROTECT) {
+                        ai.setNotAsserted("Not encrypted before signed and then protected");
+                    }
+                } else if (prots != Protections.ENCRYPT_SIGN) {
+                    ai.setNotAsserted("Not encrypted before signed");                    
+                }
+            } else if (prots != Protections.SIGN_ENCRYPT) {
+                ai.setNotAsserted("Not signed before encrypted");                                    
+            }
+            assertPolicy(aim, abinding.getInitiatorToken());
+            assertPolicy(aim, abinding.getRecipientToken());
+            assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
+            assertPolicy(aim, abinding.getRecipientToken().getToken(), derived);
+        }
+        return true;
+    }
+    private boolean assertTransportBinding(AssertionInfoMap aim) {
+        assertPolicy(aim, SP12Constants.TRANSPORT_TOKEN);
+        assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+        return !assertPolicy(aim, SP12Constants.TRANSPORT_BINDING);
+    }
+
+}

Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Sat Mar  7 17:41:07 2009
@@ -127,6 +127,7 @@
         return doc;
     }
     
+    
     public void handleMessage(SoapMessage msg) throws Fault {
         SOAPMessage doc = getSOAPMessage(msg);
         
@@ -154,8 +155,7 @@
          */
         try {
             reqData.setMsgContext(msg);
-            checkPolicies(msg, reqData);
-
+            computeAction(msg, reqData);
             Vector actions = new Vector();
             String action = getAction(msg, version);
 
@@ -257,7 +257,7 @@
                 LOG.warning("Security processing failed (actions mismatch)");
                 throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
             }
-
+            
             doResults(msg, actor, doc, wsResult);
 
             if (doTimeLog) {
@@ -286,7 +286,17 @@
         }
     }
 
-    private void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
+    /**
+     * Do whatever is necessary to determine the action for the incoming message and 
+     * do whatever other setup work is necessary.
+     * 
+     * @param msg
+     * @param reqData
+     */
+    protected void computeAction(SoapMessage msg, RequestData reqData) {
+        
+    }
+    protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
         throws SOAPException, XMLStreamException {
         /*
          * All ok up to this point. Now construct and setup the security result

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptor.java Sat Mar  7 17:41:07 2009
@@ -131,7 +131,6 @@
             RequestData reqData = new RequestData();
     
             reqData.setMsgContext(mc);
-            checkPolicies(mc, reqData);
             
             /*
              * The overall try, just to have a finally at the end to perform some

Modified: cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java?rev=751299&r1=751298&r2=751299&view=diff
==============================================================================
--- cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java (original)
+++ cxf/trunk/systests/src/test/java/org/apache/cxf/systest/ws/security/SecurityPolicyTest.java Sat Mar  7 17:41:07 2009
@@ -129,10 +129,11 @@
             pt.doubleIt(BigInteger.valueOf(25));
         } catch (Exception ex) {
             String msg = ex.getMessage();
-            if (!msg.contains("UsernameToken: No user")) {
+            if (!msg.contains("UsernameToken")) {
                 throw ex;
             }
         }
+        ((BindingProvider)pt).getRequestContext().put(SecurityConstants.USERNAME, "bob");
         ((BindingProvider)pt).getRequestContext().put(SecurityConstants.SIGNATURE_USERNAME, "bob");
         ((BindingProvider)pt).getRequestContext().put(SecurityConstants.PASSWORD, "pwd");
         pt.doubleIt(BigInteger.valueOf(25));



Mime
View raw message