cxf-commits mailing list archives

From cohei...@apache.org
Subject svn commit: r1086895 [1/2] - in /cxf/trunk/rt/ws/security/src: main/java/org/apache/cxf/ws/security/policy/ main/java/org/apache/cxf/ws/security/policy/builders/ main/java/org/apache/cxf/ws/security/policy/model/ main/java/org/apache/cxf/ws/security/ws...
Date Wed, 30 Mar 2011 10:20:14 GMT
Author: coheigea
Date: Wed Mar 30 10:20:13 2011
New Revision: 1086895

URL: http://svn.apache.org/viewvc?rev=1086895&view=rev
Log:
[CXF-3432] - Support WS-SecurityPolicy SamlToken expressions (Part I)
 - Add inbound support for enforcing SAML SupportingTokens.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
      - copied, changed from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSAMLCallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java
      - copied, changed from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/PolicyBasedSamlTest.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SAML1CallbackHandler.java
      - copied, changed from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SAML1CallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SAML2CallbackHandler.java
      - copied, changed from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SAML2CallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
      - copied, changed from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_assertion_policy.xml
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml2_request.xml
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_assertion_policy.xml
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/saml_request.xml
    cxf/trunk/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/saml/wsse-request-clean.xml
Removed:
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSAMLCallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SAML1CallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SAML2CallbackHandler.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SamlTokenTest.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Wed Mar 30 10:20:13 2011
@@ -101,6 +101,9 @@ public final class SP11Constants extends
 
     public static final QName USERNAME_TOKEN = new QName(SP11Constants.SP_NS,
             SPConstants.USERNAME_TOKEN , SP11Constants.SP_PREFIX);
+    
+    public static final QName SAML_TOKEN = new QName(SP11Constants.SP_NS,
+            SPConstants.SAML_TOKEN , SP11Constants.SP_PREFIX);
 
     public static final QName WSS_USERNAME_TOKEN10 = new QName(SP11Constants.SP_NS,
             SPConstants.USERNAME_TOKEN10 , SP11Constants.SP_PREFIX);
@@ -238,7 +241,7 @@ public final class SP11Constants extends
     public static final QName MUST_SUPPORT_ISSUED_TOKENS = new QName(
             SP11Constants.SP_NS, SPConstants.MUST_SUPPORT_ISSUED_TOKENS , SP11Constants.SP_PREFIX);
 
-    public static final QName ISSUER = new QName(SP11Constants.SP_NS, SPConstants.ISSUER ,
+    public static final QName ISSUER = new QName(SP11Constants.SP_NS, SPConstants.ISSUER,
             SP11Constants.SP_PREFIX);
 
     public static final QName REQUIRE_DERIVED_KEYS = new QName(SP11Constants.SP_NS,
@@ -378,6 +381,9 @@ public final class SP11Constants extends
     public QName getUserNameToken() {
         return USERNAME_TOKEN;
     }
+    public QName getSamlToken() {
+        return SAML_TOKEN;
+    }
     public QName getX509Token() {
         return X509_TOKEN;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java Wed Mar 30 10:20:13 2011
@@ -122,7 +122,11 @@ public final class SP12Constants extends
             SPConstants.CONTENT_ENCRYPTED_ELEMENTS, SP12Constants.SP_PREFIX);
 
     public static final QName USERNAME_TOKEN = new QName(SP12Constants.SP_NS,
-            SPConstants.USERNAME_TOKEN , SP12Constants.SP_PREFIX);
+            SPConstants.USERNAME_TOKEN, SP12Constants.SP_PREFIX);
+    
+    public static final QName SAML_TOKEN = new QName(SP12Constants.SP_NS,
+            SPConstants.SAML_TOKEN, SP12Constants.SP_PREFIX);
+    
     public static final QName KEYVALUE_TOKEN = new QName(SP12Constants.SP_NS,
                                                          SPConstants.KEYVALUE_TOKEN ,
                                                          SP12Constants.SP_PREFIX);
@@ -439,6 +443,9 @@ public final class SP12Constants extends
     public QName getUserNameToken() {
         return USERNAME_TOKEN;
     }
+    public QName getSamlToken() {
+        return SAML_TOKEN;
+    }
     public QName getKeyValueToken() {
         return KEYVALUE_TOKEN;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Wed Mar 30 10:20:13 2011
@@ -122,14 +122,21 @@ public abstract class SPConstants {
 
     public static final String WSS_X509_PKI_PATH_V1_TOKEN11 = "WssX509PkiPathV1Token11";
     
-    
     public static final String USERNAME_TOKEN = "UsernameToken";
+    
+    public static final String SAML_TOKEN = "SamlToken";
+
     public static final String KEYVALUE_TOKEN = "KeyValueToken";
     
     public static final String USERNAME_TOKEN10 = "WssUsernameToken10";
     
     public static final String USERNAME_TOKEN11 = "WssUsernameToken11";
-
+    
+    public static final String SAML_11_TOKEN_10 = "WssSamlV11Token10";
+    
+    public static final String SAML_11_TOKEN_11 = "WssSamlV11Token11";
+    
+    public static final String SAML_20_TOKEN_11 = "WssSamlV20Token11";
     
     public static final String TRANSPORT_TOKEN = "TransportToken";
     
@@ -372,6 +379,8 @@ public abstract class SPConstants {
     
     public static final String ISSUER = "Issuer";
     
+    public static final String ISSUER_NAME = "IssuerName";
+    
     public static final String REQUIRE_DERIVED_KEYS = "RequireDerivedKeys";
     
     public static final String REQUIRE_IMPLIED_DERIVED_KEYS = "RequireImpliedDerivedKeys";
@@ -439,6 +448,7 @@ public abstract class SPConstants {
     public abstract QName getTransportBinding();
     public abstract QName getTransportToken();
     public abstract QName getUserNameToken();
+    public abstract QName getSamlToken();
     public abstract QName getX509Token();
     
     public abstract QName getSupportingTokens();

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Wed Mar 30 10:20:13 2011
@@ -46,6 +46,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.builders.RecipientTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.RequiredElementsBuilder;
 import org.apache.cxf.ws.security.policy.builders.RequiredPartsBuilder;
+import org.apache.cxf.ws.security.policy.builders.SamlTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.SecureConversationTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.SecurityContextTokenBuilder;
 import org.apache.cxf.ws.security.policy.builders.SignedElementsBuilder;
@@ -103,6 +104,7 @@ public final class WSSecurityPolicyLoade
         reg.registerBuilder(new RecipientTokenBuilder(pbuild));
         reg.registerBuilder(new RequiredElementsBuilder());
         reg.registerBuilder(new RequiredPartsBuilder());
+        reg.registerBuilder(new SamlTokenBuilder(pbuild));
         reg.registerBuilder(new SecureConversationTokenBuilder(pbuild));
         reg.registerBuilder(new SecurityContextTokenBuilder());
         reg.registerBuilder(new SignedElementsBuilder());

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java?rev=1086895&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java Wed Mar 30 10:20:13 2011
@@ -0,0 +1,93 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.builders;
+
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import org.apache.cxf.helpers.DOMUtils;
+import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.cxf.ws.security.policy.SP11Constants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.AssertionBuilderFactory;
+import org.apache.neethi.builders.AssertionBuilder;
+
+
+public class SamlTokenBuilder implements AssertionBuilder<Element> {
+    private static final QName KNOWN_ELEMENTS[]  
+        = {SP11Constants.SAML_TOKEN, SP12Constants.SAML_TOKEN};
+
+    PolicyBuilder builder;
+    public SamlTokenBuilder(PolicyBuilder b) {
+        builder = b;
+    }
+    
+    public Assertion build(Element element, AssertionBuilderFactory factory) {
+        
+        SPConstants consts = SP11Constants.SP_NS.equals(element.getNamespaceURI())
+            ? SP11Constants.INSTANCE : SP12Constants.INSTANCE;
+
+        SamlToken samlToken = new SamlToken(consts);
+        samlToken.setOptional(PolicyConstants.isOptional(element));
+        samlToken.setIgnorable(PolicyConstants.isIgnorable(element));
+
+        String attribute = element.getAttributeNS(element.getNamespaceURI(), SPConstants.ATTR_INCLUDE_TOKEN);
+        if (attribute != null) {
+            samlToken.setInclusion(consts.getInclusionFromAttributeValue(attribute));
+        }
+        
+        Element child = DOMUtils.getFirstElement(element);
+        while (child != null) {
+            String ln = child.getLocalName();
+            if (org.apache.neethi.Constants.ELEM_POLICY.equals(ln)) {
+                NodeList policyChildren = child.getChildNodes();
+                if (policyChildren != null) {
+                    for (int i = 0; i < policyChildren.getLength(); i++) {
+                        Node policyChild = policyChildren.item(i);
+                        if (policyChild instanceof Element) {
+                            QName qname = 
+                                new QName(policyChild.getNamespaceURI(), policyChild.getLocalName());
+                            if (SPConstants.SAML_11_TOKEN_10.equals(qname.getLocalPart())) {
+                                samlToken.setUseSamlVersion11Profile10(true);
+                            } else if (SPConstants.SAML_11_TOKEN_11.equals(qname.getLocalPart())) {
+                                samlToken.setUseSamlVersion11Profile11(true);
+                            } else if (SPConstants.SAML_20_TOKEN_11.equals(qname.getLocalPart())) {
+                                samlToken.setUseSamlVersion20Profile11(true);
+                            }
+                        }
+                    }
+                }
+            }
+            child = DOMUtils.getNextElement(child);
+        }
+        return samlToken;
+    }
+
+    public QName[] getKnownElements() {
+        return KNOWN_ELEMENTS;
+    }
+}
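Review bot: The nested `wsp:Policy` children are matched on local name only — `qname.getLocalPart()` in the inner for-loop — so the namespace of the QName just constructed is never consulted and a `WssSamlV11Token10` element in any namespace sets the flag; comparing against the SP11/SP12 namespace (e.g. `element.getNamespaceURI().equals(policyChild.getNamespaceURI())`) would keep this consistent with the KNOWN_ELEMENTS dispatch. The builder also never reads `sp:IssuerName` or `sp:Issuer`, so the `issuerName` property this commit adds to Token is never populated from a policy and an IssuerName requirement is silently dropped; `else if (SPConstants.ISSUER_NAME.equals(ln)) { samlToken.setIssuerName(child.getTextContent()); }` in the child loop closes that gap. Note too that a conforming DOM `getAttributeNS` returns an empty string, not null, for an absent attribute, so the `attribute != null` guard is effectively a no-op and inclusion is derived from `""` — harmless only if `getInclusionFromAttributeValue` maps an empty value to the intended default, which is not visible here; a `!"".equals(attribute)` check makes the intent explicit.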

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java?rev=1086895&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java Wed Mar 30 10:20:13 2011
@@ -0,0 +1,124 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy.model;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.SPConstants;
+
+public class SamlToken extends Token {
+    private boolean useSamlVersion11Profile10;
+    private boolean useSamlVersion11Profile11;
+    private boolean useSamlVersion20Profile11;
+
+    public SamlToken(SPConstants version) {
+        super(version);
+    }
+
+    public boolean isUseSamlVersion11Profile10() {
+        return useSamlVersion11Profile10;
+    }
+
+    public void setUseSamlVersion11Profile10(boolean useSamlVersion11Profile10) {
+        this.useSamlVersion11Profile10 = useSamlVersion11Profile10;
+    }
+    
+    public boolean isUseSamlVersion11Profile11() {
+        return useSamlVersion11Profile11;
+    }
+
+    public void setUseSamlVersion11Profile11(boolean useSamlVersion11Profile11) {
+        this.useSamlVersion11Profile11 = useSamlVersion11Profile11;
+    }
+    
+    public boolean isUseSamlVersion20Profile11() {
+        return useSamlVersion20Profile11;
+    }
+
+    public void setUseSamlVersion20Profile11(boolean useSamlVersion20Profile11) {
+        this.useSamlVersion20Profile11 = useSamlVersion20Profile11;
+    }
+    
+    public QName getName() {
+        return SP12Constants.INSTANCE.getSamlToken();
+    }
+
+    public void serialize(XMLStreamWriter writer) throws XMLStreamException {
+        QName name = constants.getSamlToken();
+        String localname = name.getLocalPart();
+        String namespaceURI = name.getNamespaceURI();
+
+        String prefix = writer.getPrefix(namespaceURI);
+        if (prefix == null) {
+            prefix = name.getPrefix();
+            writer.setPrefix(prefix, namespaceURI);
+        }
+
+        // <sp:SamlToken
+        writer.writeStartElement(prefix, localname, namespaceURI);
+
+        writer.writeNamespace(prefix, namespaceURI);
+
+        String inclusion;
+
+        inclusion = constants.getAttributeValueFromInclusion(getInclusion());
+
+        if (inclusion != null) {
+            writer.writeAttribute(prefix, namespaceURI, SPConstants.ATTR_INCLUDE_TOKEN, inclusion);
+        }
+
+        if (isUseSamlVersion11Profile10() || isUseSamlVersion11Profile11()
+            || isUseSamlVersion20Profile11()) {
+            String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI());
+            if (pPrefix == null) {
+                pPrefix = SPConstants.POLICY.getPrefix();
+                writer.setPrefix(SPConstants.POLICY.getPrefix(), SPConstants.POLICY.getNamespaceURI());
+            }
+
+            // <wsp:Policy>
+            writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
+                .getNamespaceURI());
+
+            // CHECKME
+            if (isUseSamlVersion11Profile10()) {
+                // <sp:WssSamlV11Token10 />
+                writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_10, namespaceURI);
+            } else if (isUseSamlVersion11Profile11()) {
+                // <sp:WssSamlV11Token11 />
+                writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_11, namespaceURI);
+            } else {
+               // <sp:WssSamlV20Token11 />
+                writer.writeStartElement(prefix, SPConstants.SAML_20_TOKEN_11, namespaceURI);
+            }
+
+            writer.writeEndElement();
+
+            // </wsp:Policy>
+            writer.writeEndElement();
+
+        }
+
+        writer.writeEndElement();
+        // </sp:SamlToken>
+
+    }
+}
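Review bot: serialize() writes at most one WssSaml* profile element (the CHECKME if/else-if chain) even though the builder can set all three flags from a policy that lists several, and it never writes the issuerName this commit adds to Token, so a parsed policy does not round-trip through serialize(). Emitting one element per set flag fixes the first part; the change is sketched below. getName() always returns the SP 1.2 QName even when the token was built with SP11Constants; this appears to follow the other Token subclasses in the package (and the validator looks up SP12Constants.SAML_TOKEN), but it deserves a comment such as `// Always keyed under the SP 1.2 name so AssertionInfoMap lookups are version-independent` so the next reader does not take it for a bug.
```java
            // <wsp:Policy>
            writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY
                .getNamespaceURI());

            // one child per profile flag, so a policy with several WssSaml* elements round-trips
            if (isUseSamlVersion11Profile10()) {
                writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_10, namespaceURI);
                writer.writeEndElement();
            }
            if (isUseSamlVersion11Profile11()) {
                writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_11, namespaceURI);
                writer.writeEndElement();
            }
            if (isUseSamlVersion20Profile11()) {
                writer.writeStartElement(prefix, SPConstants.SAML_20_TOKEN_11, namespaceURI);
                writer.writeEndElement();
            }

            // </wsp:Policy>
            writer.writeEndElement();
```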

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/Token.java Wed Mar 30 10:20:13 2011
@@ -36,6 +36,8 @@ public abstract class Token extends Abst
     private boolean impliedDerivedKeys;
 
     private boolean explicitDerivedKeys;
+    
+    private String issuerName;
 
     public Token(SPConstants version) {
         super(version);
@@ -94,4 +96,11 @@ public abstract class Token extends Abst
         this.impliedDerivedKeys = impliedDerivedKeys;
     }
 
+    public String getIssuerName() {
+        return issuerName;
+    }
+    
+    public void setIssuerName(String issuerName) {
+        this.issuerName = issuerName;
+    }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed Mar 30 10:20:13 2011
@@ -74,6 +74,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.neethi.Assertion;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSDataRef;
@@ -517,7 +518,7 @@ public class PolicyBasedWSS4JInIntercept
         
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            switch (actInt.intValue()) {                    
+            switch (actInt.intValue()) {   
             case WSConstants.SIGN:
                 if (hasDerivedKeys == null) {
                     hasDerivedKeys = Boolean.FALSE;
@@ -569,6 +570,11 @@ public class PolicyBasedWSS4JInIntercept
                     }
                 }
                 break;
+            case WSConstants.ST_SIGNED:
+            case WSConstants.ST_UNSIGNED:
+                SamlTokenPolicyValidator validator = new SamlTokenPolicyValidator();
+                validator.validatePolicy(aim, wser);
+                break;
             case WSConstants.TS:
                 assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
                 break;
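Review bot: ST_SIGNED and ST_UNSIGNED are routed to the new validator identically, and the action is not passed along, so an assertion that arrived without any XML signature satisfies a SamlToken policy exactly as a signed one does; whether that is acceptable depends on the enclosing SupportingTokens variant and on the subject-confirmation method, neither of which is checked in this commit. Passing the action through, `validator.validatePolicy(aim, wser, actInt.intValue())`, would at least give the validator what it needs to tell the two apart later. As a point of style, `validator` is declared directly under a case label, so its scope extends across the remaining cases; wrapping the two statements in `{ ... }` keeps it local to this case. The enclosing method starts and ends outside this hunk.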

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1086895&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Wed Mar 30 10:20:13 2011
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.SamlToken;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.opensaml.common.SAMLVersion;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
+ * against the appropriate policy.
+ */
+public class SamlTokenPolicyValidator {
+    
+    public void validatePolicy(
+        AssertionInfoMap aim,
+        WSSecurityEngineResult wser
+    ) {
+        Collection<AssertionInfo> samlAis = aim.get(SP12Constants.SAML_TOKEN);
+        if (samlAis != null && !samlAis.isEmpty()) {
+            for (AssertionInfo ai : samlAis) {
+                AssertionWrapper assertionWrapper = 
+                    (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlToken samlToken = (SamlToken)ai.getAssertion();
+                ai.setAsserted(true);
+
+                if (!checkVersion(samlToken, assertionWrapper)) {
+                    ai.setNotAsserted("Wrong SAML Version");
+                }
+                /*
+                if (!checkIssuerName(samlToken, assertionWrapper)) {
+                    ai.setNotAsserted("Wrong IssuerName");
+                }
+                */
+            }
+        }
+    }
+    
+    /**
+     * Check the IssuerName policy against the received assertion
+    private boolean checkIssuerName(SamlToken samlToken, AssertionWrapper assertionWrapper) {
+        String issuerName = samlToken.getIssuerName();
+        if (issuerName != null && !"".equals(issuerName)) {
+            String assertionIssuer = assertionWrapper.getIssuerString();
+            if (!issuerName.equals(assertionIssuer)) {
+                return false;
+            }
+        }
+        return true;
+    }
+    */
+    
+    /**
+     * Check the policy version against the received assertion
+     */
+    private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
+        if ((samlToken.isUseSamlVersion11Profile10()
+            || samlToken.isUseSamlVersion11Profile11())
+            && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
+            return false;
+        } else if (samlToken.isUseSamlVersion20Profile11()
+            && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
+            return false;
+        }
+        return true;
+    }
+   
+}
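Review bot: `assertionWrapper` is taken from `wser.get(TAG_SAML_ASSERTION)` and handed straight to checkVersion, which dereferences it, so a result that reaches this validator without the wrapper populated ends in a NullPointerException rather than a policy failure; a guard `if (assertionWrapper == null) { ai.setNotAsserted("No SAML Assertion in result"); continue; }` before the version check is cheap. Each invocation also calls `ai.setAsserted(true)` before checking anything, so when a message carries more than one SAML assertion the final state of the AssertionInfo is whatever the last-processed engine result produced — a wrong-version assertion processed after a matching one flips it back to not-asserted, and the reverse order hides the bad token. With checkIssuerName disabled, an IssuerName in the policy is not enforced at all, and the commented-out method sits inside a Javadoc comment, which is easy to miss; until the rest lands, the class Javadoc should state the gap plainly: `Only the SAML version profile is checked; IssuerName, IncludeToken and signed/endorsing requirements are not yet enforced.`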

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java?rev=1086895&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java (added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java Wed Mar 30 10:20:13 2011
@@ -0,0 +1,617 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Vector;
+import java.util.concurrent.Executor;
+
+import javax.xml.namespace.NamespaceContext;
+import javax.xml.namespace.QName;
+import javax.xml.soap.Node;
+import javax.xml.soap.SOAPException;
+import javax.xml.soap.SOAPMessage;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusException;
+import org.apache.cxf.binding.Binding;
+import org.apache.cxf.binding.soap.SoapMessage;
+import org.apache.cxf.endpoint.Endpoint;
+import org.apache.cxf.feature.AbstractFeature;
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.interceptor.AbstractAttributedInterceptorProvider;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.service.Service;
+import org.apache.cxf.service.model.BindingInfo;
+import org.apache.cxf.service.model.EndpointInfo;
+import org.apache.cxf.transport.MessageObserver;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.policy.PolicyAssertion;
+import org.apache.cxf.ws.policy.PolicyBuilder;
+import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.PolicyBasedWSS4JOutInterceptorInternal;
+import org.apache.neethi.Policy;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
+    protected PolicyBuilder policyBuilder;
+
+    protected Bus createBus() throws BusException {
+        Bus b = super.createBus();
+        this.policyBuilder = 
+            b.getExtension(PolicyBuilder.class);
+        return b;
+    }
+    
+    protected void runAndValidate(String document, String policyDocument,
+            List<QName> assertedOutAssertions, List<QName> notAssertedOutAssertions,
+            List<QName> assertedInAssertions, List<QName> notAssertedInAssertions,
+            List<CoverageType> types) throws Exception {
+        
+        this.runAndValidate(document, policyDocument, null,
+                new AssertionsHolder(assertedOutAssertions, notAssertedOutAssertions),
+                new AssertionsHolder(assertedInAssertions, notAssertedInAssertions),
+                types);
+    }
+    
+    protected void runAndValidate(
+            String document,
+            String outPolicyDocument, String inPolicyDocument,
+            AssertionsHolder outAssertions,
+            AssertionsHolder inAssertions,
+            List<CoverageType> types) throws Exception {
+        
+        final Element outPolicyElement = this.readDocument(outPolicyDocument)
+                .getDocumentElement();
+        final Element inPolicyElement;
+
+        if (inPolicyDocument != null) {
+            inPolicyElement = this.readDocument(inPolicyDocument)
+                    .getDocumentElement();
+        } else {
+            inPolicyElement = outPolicyElement;
+        }
+            
+        
+        final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
+        final Policy inPolicy = this.policyBuilder.getPolicy(inPolicyElement);
+        
+        final Document originalDoc = this.readDocument(document);
+        
+        final Document inDoc = this.runOutInterceptorAndValidate(
+                originalDoc, outPolicy, outAssertions.getAssertedAssertions(),
+                outAssertions.getNotAssertedAssertions());
+        
+        // Can't use this method if you want output that is not mangled.
+        // Such is the case when you want to capture output to use
+        // as input to another test case.
+        //DOMUtils.writeXml(inDoc, System.out);
+        
+        // Use this snippet if you need intermediate output for debugging.
+        /*
+        TransformerFactory tf = TransformerFactory.newInstance();
+        Transformer t = tf.newTransformer();
+        t.setOutputProperty(OutputKeys.INDENT, "no");
+        t.transform(new DOMSource(inDoc), new StreamResult(System.out));
+        */
+        
+        
+        this.runInInterceptorAndValidate(inDoc,
+                inPolicy, inAssertions.getAssertedAssertions(),
+                inAssertions.getNotAssertedAssertions(), types);
+    }
+    
+    protected void runInInterceptorAndValidate(String document,
+            String policyDocument, QName assertedInAssertion,
+            QName notAssertedInAssertion, 
+            CoverageType type) throws Exception {
+        
+        this.runInInterceptorAndValidate(
+                document, policyDocument, 
+                assertedInAssertion == null ? null 
+                        : Arrays.asList(assertedInAssertion),
+                notAssertedInAssertion == null ? null
+                        : Arrays.asList(notAssertedInAssertion),
+                Arrays.asList(type));
+    }
+    
+    protected void runInInterceptorAndValidate(String document,
+            String policyDocument, List<QName> assertedInAssertions,
+            List<QName> notAssertedInAssertions,
+            List<CoverageType> types) throws Exception {
+        
+        final Policy policy = this.policyBuilder.getPolicy(
+                this.readDocument(policyDocument).getDocumentElement());
+        
+        final Document doc = this.readDocument(document);
+        
+        this.runInInterceptorAndValidate(
+                doc, policy, 
+                assertedInAssertions,
+                notAssertedInAssertions,
+                types);
+    }
+    
+    protected void runInInterceptorAndValidate(Document document,
+            Policy policy, List<QName> assertedInAssertions,
+            List<QName> notAssertedInAssertions,
+            List<CoverageType> types) throws Exception {
+        
+        final AssertionInfoMap aim = new AssertionInfoMap(policy);
+        
+        this.runInInterceptorAndValidateWss(document, aim, types);
+        
+        try {
+            aim.checkEffectivePolicy(policy);
+        } catch (PolicyException e) {
+            // Expected but not relevant
+        } finally {
+            if (assertedInAssertions != null) {
+                for (QName assertionType : assertedInAssertions) {
+                    Collection<AssertionInfo> ais = aim.get(assertionType);
+                    assertNotNull(ais);
+                    for (AssertionInfo ai : ais) {
+                        assertTrue(assertionType + " policy erroneously failed.",
+                                ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
+                    }
+                }
+            }
+            
+            if (notAssertedInAssertions != null) {
+                for (QName assertionType : notAssertedInAssertions) {
+                    Collection<AssertionInfo> ais = aim.get(assertionType);
+                    assertNotNull(ais);
+                    for (AssertionInfo ai : ais) {
+                        assertFalse(assertionType + " policy erroneously asserted.",
+                                    ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
+                    }
+                }
+            }
+        }
+    }
+    
+    protected void runInInterceptorAndValidateWss(Document document, AssertionInfoMap aim,
+            List<CoverageType> types) throws Exception {
+        
+        PolicyBasedWSS4JInInterceptor inHandler = 
+            this.getInInterceptor(types);
+            
+        SoapMessage inmsg = this.getSoapMessageForDom(document, aim);
+
+        inHandler.handleMessage(inmsg);
+        
+        for (CoverageType type : types) {
+            switch(type) {
+            case SIGNED:
+                this.verifyWss4jSigResults(inmsg);
+                break;
+            case ENCRYPTED:
+                this.verifyWss4jEncResults(inmsg);
+                break;
+            default:
+                fail("Unsupported coverage type.");
+            }
+        }
+    }
+    
+    protected Document runOutInterceptorAndValidate(Document document, Policy policy,
+            List<QName> assertedOutAssertions, 
+            List<QName> notAssertedOutAssertions) throws Exception {
+        
+        AssertionInfoMap aim = new AssertionInfoMap(policy);
+        
+        final SoapMessage msg = 
+            this.getOutSoapMessageForDom(document, aim);
+        
+        return this.runOutInterceptorAndValidate(msg, policy, aim,
+                assertedOutAssertions, notAssertedOutAssertions);       
+    }    
+        
+    
+    protected Document runOutInterceptorAndValidate(SoapMessage msg, Policy policy,
+            AssertionInfoMap aim,
+            List<QName> assertedOutAssertions, 
+            List<QName> notAssertedOutAssertions) throws Exception {
+        
+        this.getOutInterceptor().handleMessage(msg);
+        
+        try {
+            aim.checkEffectivePolicy(policy);
+        } catch (PolicyException e) {
+            // Expected but not relevant
+        } finally {
+            if (assertedOutAssertions != null) {
+                for (QName assertionType : assertedOutAssertions) {
+                    Collection<AssertionInfo> ais = aim.get(assertionType);
+                    assertNotNull(ais);
+                    for (AssertionInfo ai : ais) {
+                        assertTrue(assertionType + " policy erroneously failed.",
+                                   ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
+                    }
+                }
+            }
+            
+            if (notAssertedOutAssertions != null) {
+                for (QName assertionType : notAssertedOutAssertions) {
+                    Collection<AssertionInfo> ais = aim.get(assertionType);
+                    assertNotNull(ais);
+                    for (AssertionInfo ai : ais) {
+                        assertFalse(assertionType + " policy erroneously asserted.",
+                                    ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
+                    }
+                }
+            }
+        }
+        
+        return msg.getContent(SOAPMessage.class).getSOAPPart();
+    }
+    
+    // TODO: This method can be removed when testAsymmetricBindingAlgorithmSuitePolicy
+    // is cleaned up by adding server side enforcement of signature related algorithms.
+    protected void runOutInterceptorAndValidateAsymmetricBinding(String policyDoc) throws Exception {
+        final Document originalDoc = this.readDocument("wsse-request-clean.xml");
+        
+        final Element outPolicyElement = 
+                this.readDocument(policyDoc).getDocumentElement();
+       
+        final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
+        final AssertionInfoMap aim = new AssertionInfoMap(outPolicy);
+        
+        final Document signedDoc = this.runOutInterceptorAndValidate(
+                originalDoc, outPolicy, Arrays.asList(SP12Constants.ASYMMETRIC_BINDING), null);
+        
+        this.verifySignatureAlgorithms(signedDoc, aim);
+    }
+      
+    // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken is
+    // cleaned up.
+    protected void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws Exception {
+        // create the request message
+        final Document document = this.readDocument("wsse-request-clean.xml");
+        final Element outPolicyElement = 
+            this.readDocument(policyDoc).getDocumentElement();
+        final Policy policy = this.policyBuilder.getPolicy(outPolicyElement);
+        
+        AssertionInfoMap aim = new AssertionInfoMap(policy);        
+        SoapMessage msg = this.getOutSoapMessageForDom(document, aim);
+        
+        // add an "issued" assertion into the message exchange
+        Element issuedAssertion = 
+            this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
+        
+        String assertionId = issuedAssertion.getAttributeNode("AssertionID").getNodeValue();
+        
+        SecurityToken issuedToken = 
+            new SecurityToken(assertionId, issuedAssertion, null);
+        
+        Properties cryptoProps = new Properties();
+        URL url = ClassLoader.getSystemResource("outsecurity.properties");
+        cryptoProps.load(url.openStream());
+        Crypto crypto = CryptoFactory.getInstance(cryptoProps);
+        String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias(alias);
+        issuedToken.setX509Certificate(crypto.getX509Certificates(cryptoType)[0], crypto);
+        
+        msg.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN_ID, 
+                issuedToken.getId());
+        msg.getExchange().put(SecurityConstants.TOKEN_ID, issuedToken.getId());
+        
+        TokenStore tokenStore = new MemoryTokenStore();
+        msg.getExchange().get(Endpoint.class).getEndpointInfo()
+            .setProperty(TokenStore.class.getName(), tokenStore);
+        tokenStore.add(issuedToken);
+        
+        // fire the interceptor and verify results
+        final Document signedDoc = this.runOutInterceptorAndValidate(
+                msg, policy, aim, null, null);
+        
+        verifySignatureCoversAssertion(signedDoc, assertionId);
+    }
+    
+    protected PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
+        return PolicyBasedWSS4JOutInterceptor.INSTANCE.createEndingInterceptor();
+    }
+    
+    protected PolicyBasedWSS4JInInterceptor getInInterceptor(List<CoverageType> types) {
+        PolicyBasedWSS4JInInterceptor inHandler = new PolicyBasedWSS4JInInterceptor();
+        String action = "";
+        
+        for (CoverageType type : types) {
+            switch(type) {
+            case SIGNED:
+                action += " " + WSHandlerConstants.SIGNATURE;
+                break;
+            case ENCRYPTED:
+                action += " " + WSHandlerConstants.ENCRYPT;
+                break;
+            default:
+                fail("Unsupported coverage type.");
+            }
+        }
+        inHandler.setProperty(WSHandlerConstants.ACTION, action);
+        inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, 
+                "insecurity.properties");
+        inHandler.setProperty(WSHandlerConstants.DEC_PROP_FILE,
+                "insecurity.properties");
+        inHandler.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, 
+                TestPwdCallback.class.getName());
+        inHandler.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
+        
+        return inHandler;
+    }
+    
+    /**
+     * Gets a SoapMessage, but with the needed SecurityConstants in the context properties
+     * so that it can be passed to PolicyBasedWSS4JOutInterceptor.
+     *
+     * @see #getSoapMessageForDom(Document, AssertionInfoMap)
+     */
+    protected SoapMessage getOutSoapMessageForDom(Document doc, AssertionInfoMap aim)
+        throws SOAPException {
+        SoapMessage msg = this.getSoapMessageForDom(doc, aim);
+        msg.put(SecurityConstants.SIGNATURE_PROPERTIES, "outsecurity.properties");
+        msg.put(SecurityConstants.ENCRYPT_PROPERTIES, "outsecurity.properties");
+        msg.put(SecurityConstants.CALLBACK_HANDLER, TestPwdCallback.class.getName());
+        msg.put(SecurityConstants.SIGNATURE_USERNAME, "myalias");
+        msg.put(SecurityConstants.ENCRYPT_USERNAME, "myalias");
+        
+        msg.getExchange().put(Endpoint.class, new MockEndpoint());
+        msg.getExchange().put(Bus.class, this.bus);
+        msg.put(Message.REQUESTOR_ROLE, true);
+        
+        return msg;
+    }
+    
+    protected SoapMessage getSoapMessageForDom(Document doc, AssertionInfoMap aim)
+        throws SOAPException {
+        
+        SoapMessage msg = this.getSoapMessageForDom(doc);
+        if (aim != null) {
+            msg.put(AssertionInfoMap.class, aim);
+        }
+        
+        return msg;
+    }
+    
+    protected void verifyWss4jSigResults(SoapMessage inmsg) {
+        WSSecurityEngineResult result = 
+            (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+        assertNotNull(result);
+    }
+    
+    protected void verifyWss4jEncResults(SoapMessage inmsg) {
+        //
+        // There should be exactly 1 (WSS4J) HandlerResult
+        //
+        final List<WSHandlerResult> handlerResults = 
+            CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));
+        assertNotNull(handlerResults);
+        assertSame(handlerResults.size(), 1);
+
+        List<WSSecurityEngineResult> protectionResults = new Vector<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(),
+                WSConstants.ENCR, protectionResults);
+        assertNotNull(protectionResults);
+        
+        //
+        // This result should contain a reference to the decrypted element
+        //
+        final Map<String, Object> result = (Map<String, Object>) protectionResults
+                .get(0);
+        final List<WSDataRef> protectedElements = 
+            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+        assertNotNull(protectedElements);
+    }
+    
+    // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
+    // is cleaned up by adding server side enforcement of signature related algorithms.
+    // See https://issues.apache.org/jira/browse/WSS-222
+    protected void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws Exception { 
+        final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
+        assertNotNull(assertInfo);
+        
+        final AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
+        final String expectedSignatureMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
+        final String expectedDigestAlgorithm = binding.getAlgorithmSuite().getDigest();
+        final String expectedCanonAlgorithm  = binding.getAlgorithmSuite().getInclusiveC14n();
+            
+        XPathFactory factory = XPathFactory.newInstance();
+        XPath xpath = factory.newXPath();
+        final NamespaceContext nsContext = this.getNamespaceContext();
+        xpath.setNamespaceContext(nsContext);
+        
+        // Signature Algorithm
+        final XPathExpression sigAlgoExpr = 
+            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" 
+                              + "/ds:SignatureMethod/@Algorithm");
+        
+        final String sigMethod =  (String) sigAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
+        assertEquals(expectedSignatureMethod, sigMethod);
+        
+        // Digest Method Algorithm
+        final XPathExpression digestAlgoExpr = xpath.compile(
+            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
+        
+        final NodeList digestMethodNodes = 
+            (NodeList) digestAlgoExpr.evaluate(signedDoc, XPathConstants.NODESET);
+        
+        for (int i = 0; i < digestMethodNodes.getLength(); i++) {
+            Node node = (Node)digestMethodNodes.item(i);
+            String digestAlgorithm = node.getAttributes().getNamedItem("Algorithm").getNodeValue();
+            assertEquals(expectedDigestAlgorithm, digestAlgorithm);
+        }
+        
+        // Canonicalization Algorithm
+        final XPathExpression canonAlgoExpr =
+            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" 
+                              + "/ds:CanonicalizationMethod/@Algorithm");
+        final String canonMethod =  (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
+        assertEquals(expectedCanonAlgorithm, canonMethod);
+    }
+    
+    // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached
+    // is cleaned up.
+    protected void verifySignatureCoversAssertion(Document signedDoc, String assertionId) throws Exception {
+        XPathFactory factory = XPathFactory.newInstance();
+        XPath xpath = factory.newXPath();
+        final NamespaceContext nsContext = this.getNamespaceContext();
+        xpath.setNamespaceContext(nsContext);
+        
+        // Find the SecurityTokenReference for the assertion
+        final XPathExpression strExpr = xpath.compile(
+            "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
+        
+        final NodeList strKeyIdNodes = 
+            (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
+        
+        String strId = null;
+        for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
+            Node keyIdNode = (Node) strKeyIdNodes.item(i);
+            String strKey = keyIdNode.getTextContent();
+            if (strKey.equals(assertionId)) {
+                Node strNode = (Node) keyIdNode.getParentNode();
+                strId = strNode.getAttributes().
+                    getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue();
+                break;
+            }
+        }
+        assertNotNull("SecurityTokenReference for " + assertionId + " not found in security header.", strId);
+        
+        // Verify STR is included in the signature references
+        final XPathExpression sigRefExpr = xpath.compile(
+            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
+        
+        final NodeList sigReferenceNodes = 
+            (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
+        
+        boolean foundStrReference = false;
+        for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
+            Node sigRefNode = (Node) sigReferenceNodes.item(i);
+            String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
+            if (sigRefURI.equals("#" + strId)) {
+                foundStrReference = true;
+                break;
+            }
+        }
+        
+        assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference);
+    }
+    
+    protected static final class MockEndpoint extends 
+        AbstractAttributedInterceptorProvider implements Endpoint {
+
+        private static final long serialVersionUID = 1L;
+
+        private EndpointInfo epi = new EndpointInfo();
+        
+        public MockEndpoint() {
+            epi.setBinding(new BindingInfo(null, null));
+        }
+        
+        
+        public List<AbstractFeature> getActiveFeatures() {
+            return null;
+        }
+
+        public Binding getBinding() {
+            return null;
+        }
+
+        public EndpointInfo getEndpointInfo() {
+            return this.epi;
+        }
+
+        public Executor getExecutor() {
+            return null;
+        }
+
+        public MessageObserver getInFaultObserver() {
+            return null;
+        }
+
+        public MessageObserver getOutFaultObserver() {
+            return null;
+        }
+
+        public Service getService() {
+            return null;
+        }
+
+        public void setExecutor(Executor executor) {   
+        }
+
+        public void setInFaultObserver(MessageObserver observer) {
+        }
+
+        public void setOutFaultObserver(MessageObserver observer) {            
+        }
+    }
+    
+    /**
+     * A simple container used to reduce argument numbers to satisfy
+     * project code conventions.
+     */
+    protected static final class AssertionsHolder {
+        private List<QName> assertedAssertions;
+        private List<QName> notAssertedAssertions;
+        
+        public AssertionsHolder(List<QName> assertedAssertions,
+                List<QName> notAssertedAssertions) {
+            super();
+            this.assertedAssertions = assertedAssertions;
+            this.notAssertedAssertions = notAssertedAssertions;
+        }
+        
+        public List<QName> getAssertedAssertions() {
+            return this.assertedAssertions;
+        }
+        public List<QName> getNotAssertedAssertions() {
+            return this.notAssertedAssertions;
+        }
+    }
+}
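Review bot: The stream returned by `url.openStream()` in runOutInterceptorAndValidateSamlTokenAttached is never closed after `cryptoProps.load(...)`, so the properties file handle leaks on every test run; change it to `InputStream in = url.openStream(); try { cryptoProps.load(in); } finally { in.close(); }` (adding the `java.io.InputStream` import), and an `assertNotNull("outsecurity.properties not on classpath", url)` before it would turn a missing resource into a clear failure instead of a NullPointerException. In verifyWss4jEncResults, `assertSame(handlerResults.size(), 1)` compares two autoboxed Integers by identity and only passes because of the small-value Integer cache; `assertEquals(1, handlerResults.size())` states the intent and fails for the right reason. getInInterceptor sets `WSHandlerConstants.IS_BSP_COMPLIANT` to "false" for every inbound fixture without saying why, so a comment such as `// BSP compliance is relaxed only for these test fixtures; keep it enabled in production configuration` would stop the setting from being copied into real configurations unexamined. The cast of `protectionResults.get(0)` to `Map<String, Object>` is unchecked and warrants a `@SuppressWarnings("unchecked")` on the smallest scope, or reading the data refs through the WSSecurityEngineResult API if it exposes them directly.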

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=1086895&r1=1086894&r2=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java Wed Mar 30 10:20:13 2011
@@ -18,70 +18,16 @@
  */
 package org.apache.cxf.ws.security.wss4j;
 
-import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-import java.util.Vector;
-import java.util.concurrent.Executor;
 
-import javax.xml.namespace.NamespaceContext;
 import javax.xml.namespace.QName;
-import javax.xml.soap.Node;
-import javax.xml.soap.SOAPException;
-import javax.xml.soap.SOAPMessage;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathExpression;
-import javax.xml.xpath.XPathFactory;
 
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.NodeList;
-import org.apache.cxf.Bus;
-import org.apache.cxf.BusException;
-import org.apache.cxf.binding.Binding;
-import org.apache.cxf.binding.soap.SoapMessage;
-import org.apache.cxf.endpoint.Endpoint;
-import org.apache.cxf.feature.AbstractFeature;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.interceptor.AbstractAttributedInterceptorProvider;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.service.Service;
-import org.apache.cxf.service.model.BindingInfo;
-import org.apache.cxf.service.model.EndpointInfo;
-import org.apache.cxf.transport.MessageObserver;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyAssertion;
-import org.apache.cxf.ws.policy.PolicyBuilder;
-import org.apache.cxf.ws.policy.PolicyException;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
-import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor.PolicyBasedWSS4JOutInterceptorInternal;
-import org.apache.neethi.Policy;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.components.crypto.CryptoType;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.util.WSSecurityUtil;
 import org.junit.Test;
 
-
-public class PolicyBasedWss4JInOutTest extends AbstractSecurityTest {
-    private PolicyBuilder policyBuilder;
+public class PolicyBasedWss4JInOutTest extends AbstractPolicySecurityTest {
 
     @Test
     public void testSignedElementsPolicyWithIncompleteCoverage() throws Exception {
@@ -602,540 +548,5 @@ public class PolicyBasedWss4JInOutTest e
         
         // TODO: Tests for derived keys.
     }
-
-    
-    protected Bus createBus() throws BusException {
-        Bus b = super.createBus();
-        this.policyBuilder = 
-            b.getExtension(PolicyBuilder.class);
-        return b;
-    }
-    
-    private void runAndValidate(String document, String policyDocument,
-            List<QName> assertedOutAssertions, List<QName> notAssertedOutAssertions,
-            List<QName> assertedInAssertions, List<QName> notAssertedInAssertions,
-            List<CoverageType> types) throws Exception {
-        
-        this.runAndValidate(document, policyDocument, null,
-                new AssertionsHolder(assertedOutAssertions, notAssertedOutAssertions),
-                new AssertionsHolder(assertedInAssertions, notAssertedInAssertions),
-                types);
-    }
-    
-    private void runAndValidate(
-            String document,
-            String outPolicyDocument, String inPolicyDocument,
-            AssertionsHolder outAssertions,
-            AssertionsHolder inAssertions,
-            List<CoverageType> types) throws Exception {
-        
-        final Element outPolicyElement = this.readDocument(outPolicyDocument)
-                .getDocumentElement();
-        final Element inPolicyElement;
-
-        if (inPolicyDocument != null) {
-            inPolicyElement = this.readDocument(inPolicyDocument)
-                    .getDocumentElement();
-        } else {
-            inPolicyElement = outPolicyElement;
-        }
-            
-        
-        final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
-        final Policy inPolicy = this.policyBuilder.getPolicy(inPolicyElement);
-        
-        final Document originalDoc = this.readDocument(document);
-        
-        final Document inDoc = this.runOutInterceptorAndValidate(
-                originalDoc, outPolicy, outAssertions.getAssertedAssertions(),
-                outAssertions.getNotAssertedAssertions());
-        
-        // Can't use this method if you want output that is not mangled.
-        // Such is the case when you want to capture output to use
-        // as input to another test case.
-        //DOMUtils.writeXml(inDoc, System.out);
-        
-        // Use this snippet if you need intermediate output for debugging.
-        /*
-        TransformerFactory tf = TransformerFactory.newInstance();
-        Transformer t = tf.newTransformer();
-        t.setOutputProperty(OutputKeys.INDENT, "no");
-        t.transform(new DOMSource(inDoc), new StreamResult(System.out));
-        */
-        
-        
-        this.runInInterceptorAndValidate(inDoc,
-                inPolicy, inAssertions.getAssertedAssertions(),
-                inAssertions.getNotAssertedAssertions(), types);
-    }
-    
-    private void runInInterceptorAndValidate(String document,
-            String policyDocument, QName assertedInAssertion,
-            QName notAssertedInAssertion, 
-            CoverageType type) throws Exception {
-        
-        this.runInInterceptorAndValidate(
-                document, policyDocument, 
-                assertedInAssertion == null ? null 
-                        : Arrays.asList(assertedInAssertion),
-                notAssertedInAssertion == null ? null
-                        : Arrays.asList(notAssertedInAssertion),
-                Arrays.asList(type));
-    }
-    
-    private void runInInterceptorAndValidate(String document,
-            String policyDocument, List<QName> assertedInAssertions,
-            List<QName> notAssertedInAssertions,
-            List<CoverageType> types) throws Exception {
-        
-        final Policy policy = this.policyBuilder.getPolicy(
-                this.readDocument(policyDocument).getDocumentElement());
-        
-        final Document doc = this.readDocument(document);
-        
-        this.runInInterceptorAndValidate(
-                doc, policy, 
-                assertedInAssertions,
-                notAssertedInAssertions,
-                types);
-    }
-    
-    private void runInInterceptorAndValidate(Document document,
-            Policy policy, List<QName> assertedInAssertions,
-            List<QName> notAssertedInAssertions,
-            List<CoverageType> types) throws Exception {
-        
-        final AssertionInfoMap aim = new AssertionInfoMap(policy);
-        
-        this.runInInterceptorAndValidateWss(document, aim, types);
-        
-        try {
-            aim.checkEffectivePolicy(policy);
-        } catch (PolicyException e) {
-            // Expected but not relevant
-        } finally {
-            if (assertedInAssertions != null) {
-                for (QName assertionType : assertedInAssertions) {
-                    Collection<AssertionInfo> ais = aim.get(assertionType);
-                    assertNotNull(ais);
-                    for (AssertionInfo ai : ais) {
-                        assertTrue(assertionType + " policy erroneously failed.",
-                                ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
-                    }
-                }
-            }
-            
-            if (notAssertedInAssertions != null) {
-                for (QName assertionType : notAssertedInAssertions) {
-                    Collection<AssertionInfo> ais = aim.get(assertionType);
-                    assertNotNull(ais);
-                    for (AssertionInfo ai : ais) {
-                        assertFalse(assertionType + " policy erroneously asserted.",
-                                    ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
-                    }
-                }
-            }
-        }
-    }
-    
-    private void runInInterceptorAndValidateWss(Document document, AssertionInfoMap aim,
-            List<CoverageType> types) throws Exception {
-        
-        PolicyBasedWSS4JInInterceptor inHandler = 
-            this.getInInterceptor(types);
-            
-        SoapMessage inmsg = this.getSoapMessageForDom(document, aim);
-
-        inHandler.handleMessage(inmsg);
-        
-        for (CoverageType type : types) {
-            switch(type) {
-            case SIGNED:
-                this.verifyWss4jSigResults(inmsg);
-                break;
-            case ENCRYPTED:
-                this.verifyWss4jEncResults(inmsg);
-                break;
-            default:
-                fail("Unsupported coverage type.");
-            }
-        }
-    }
-    
-    private Document runOutInterceptorAndValidate(Document document, Policy policy,
-            List<QName> assertedOutAssertions, 
-            List<QName> notAssertedOutAssertions) throws Exception {
-        
-        AssertionInfoMap aim = new AssertionInfoMap(policy);
-        
-        final SoapMessage msg = 
-            this.getOutSoapMessageForDom(document, aim);
-        
-        return this.runOutInterceptorAndValidate(msg, policy, aim,
-                assertedOutAssertions, notAssertedOutAssertions);       
-    }    
-        
-    
-    private Document runOutInterceptorAndValidate(SoapMessage msg, Policy policy,
-            AssertionInfoMap aim,
-            List<QName> assertedOutAssertions, 
-            List<QName> notAssertedOutAssertions) throws Exception {
-        
-        this.getOutInterceptor().handleMessage(msg);
-        
-        try {
-            aim.checkEffectivePolicy(policy);
-        } catch (PolicyException e) {
-            // Expected but not relevant
-        } finally {
-            if (assertedOutAssertions != null) {
-                for (QName assertionType : assertedOutAssertions) {
-                    Collection<AssertionInfo> ais = aim.get(assertionType);
-                    assertNotNull(ais);
-                    for (AssertionInfo ai : ais) {
-                        assertTrue(assertionType + " policy erroneously failed.",
-                                   ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
-                    }
-                }
-            }
-            
-            if (notAssertedOutAssertions != null) {
-                for (QName assertionType : notAssertedOutAssertions) {
-                    Collection<AssertionInfo> ais = aim.get(assertionType);
-                    assertNotNull(ais);
-                    for (AssertionInfo ai : ais) {
-                        assertFalse(assertionType + " policy erroneously asserted.",
-                                    ((PolicyAssertion)ai.getAssertion()).isAsserted(aim));
-                    }
-                }
-            }
-        }
-        
-        return msg.getContent(SOAPMessage.class).getSOAPPart();
-    }
-    
-    // TODO: This method can be removed when testAsymmetricBindingAlgorithmSuitePolicy
-    // is cleaned up by adding server side enforcement of signature related algorithms.
-    private void runOutInterceptorAndValidateAsymmetricBinding(String policyDoc) throws Exception {
-        final Document originalDoc = this.readDocument("wsse-request-clean.xml");
-        
-        final Element outPolicyElement = 
-                this.readDocument(policyDoc).getDocumentElement();
-       
-        final Policy outPolicy = this.policyBuilder.getPolicy(outPolicyElement);
-        final AssertionInfoMap aim = new AssertionInfoMap(outPolicy);
-        
-        final Document signedDoc = this.runOutInterceptorAndValidate(
-                originalDoc, outPolicy, Arrays.asList(SP12Constants.ASYMMETRIC_BINDING), null);
-        
-        this.verifySignatureAlgorithms(signedDoc, aim);
-    }
-      
-    // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken is
-    // cleaned up.
-    private void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws Exception {
-        // create the request message
-        final Document document = this.readDocument("wsse-request-clean.xml");
-        final Element outPolicyElement = 
-            this.readDocument(policyDoc).getDocumentElement();
-        final Policy policy = this.policyBuilder.getPolicy(outPolicyElement);
-        
-        AssertionInfoMap aim = new AssertionInfoMap(policy);        
-        SoapMessage msg = this.getOutSoapMessageForDom(document, aim);
-        
-        // add an "issued" assertion into the message exchange
-        Element issuedAssertion = 
-            this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
-        
-        String assertionId = issuedAssertion.getAttributeNode("AssertionID").getNodeValue();
-        
-        SecurityToken issuedToken = 
-            new SecurityToken(assertionId, issuedAssertion, null);
-        
-        Properties cryptoProps = new Properties();
-        URL url = ClassLoader.getSystemResource("outsecurity.properties");
-        cryptoProps.load(url.openStream());
-        Crypto crypto = CryptoFactory.getInstance(cryptoProps);
-        String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
-        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-        cryptoType.setAlias(alias);
-        issuedToken.setX509Certificate(crypto.getX509Certificates(cryptoType)[0], crypto);
-        
-        msg.getExchange().get(Endpoint.class).put(SecurityConstants.TOKEN_ID, 
-                issuedToken.getId());
-        msg.getExchange().put(SecurityConstants.TOKEN_ID, issuedToken.getId());
-        
-        TokenStore tokenStore = new MemoryTokenStore();
-        msg.getExchange().get(Endpoint.class).getEndpointInfo()
-            .setProperty(TokenStore.class.getName(), tokenStore);
-        tokenStore.add(issuedToken);
-        
-        // fire the interceptor and verify results
-        final Document signedDoc = this.runOutInterceptorAndValidate(
-                msg, policy, aim, null, null);
-        
-        verifySignatureCoversAssertion(signedDoc, assertionId);
-    }
-    
-    private PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
-        return PolicyBasedWSS4JOutInterceptor.INSTANCE.createEndingInterceptor();
-    }
-    
-    private PolicyBasedWSS4JInInterceptor getInInterceptor(List<CoverageType> types) {
-        PolicyBasedWSS4JInInterceptor inHandler = new PolicyBasedWSS4JInInterceptor();
-        String action = "";
-        
-        for (CoverageType type : types) {
-            switch(type) {
-            case SIGNED:
-                action += " " + WSHandlerConstants.SIGNATURE;
-                break;
-            case ENCRYPTED:
-                action += " " + WSHandlerConstants.ENCRYPT;
-                break;
-            default:
-                fail("Unsupported coverage type.");
-            }
-        }
-        inHandler.setProperty(WSHandlerConstants.ACTION, action);
-        inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, 
-                "insecurity.properties");
-        inHandler.setProperty(WSHandlerConstants.DEC_PROP_FILE,
-                "insecurity.properties");
-        inHandler.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS, 
-                TestPwdCallback.class.getName());
-        inHandler.setProperty(WSHandlerConstants.IS_BSP_COMPLIANT, "false");
-        
-        return inHandler;
-    }
-    
-    /**
-     * Gets a SoapMessage, but with the needed SecurityConstants in the context properties
-     * so that it can be passed to PolicyBasedWSS4JOutInterceptor.
-     *
-     * @see #getSoapMessageForDom(Document, AssertionInfoMap)
-     */
-    private SoapMessage getOutSoapMessageForDom(Document doc, AssertionInfoMap aim)
-        throws SOAPException {
-        SoapMessage msg = this.getSoapMessageForDom(doc, aim);
-        msg.put(SecurityConstants.SIGNATURE_PROPERTIES, "outsecurity.properties");
-        msg.put(SecurityConstants.ENCRYPT_PROPERTIES, "outsecurity.properties");
-        msg.put(SecurityConstants.CALLBACK_HANDLER, TestPwdCallback.class.getName());
-        msg.put(SecurityConstants.SIGNATURE_USERNAME, "myalias");
-        msg.put(SecurityConstants.ENCRYPT_USERNAME, "myalias");
-        
-        msg.getExchange().put(Endpoint.class, new MockEndpoint());
-        msg.getExchange().put(Bus.class, this.bus);
-        msg.put(Message.REQUESTOR_ROLE, true);
-        
-        return msg;
-    }
-    
-    private SoapMessage getSoapMessageForDom(Document doc, AssertionInfoMap aim)
-        throws SOAPException {
-        
-        SoapMessage msg = this.getSoapMessageForDom(doc);
-        if (aim != null) {
-            msg.put(AssertionInfoMap.class, aim);
-        }
-        
-        return msg;
-    }
-    
-    private void verifyWss4jSigResults(SoapMessage inmsg) {
-        WSSecurityEngineResult result = 
-            (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
-        assertNotNull(result);
-    }
-    
-    private void verifyWss4jEncResults(SoapMessage inmsg) {
-        //
-        // There should be exactly 1 (WSS4J) HandlerResult
-        //
-        final List<WSHandlerResult> handlerResults = 
-            CastUtils.cast((List<?>)inmsg.get(WSHandlerConstants.RECV_RESULTS));
-        assertNotNull(handlerResults);
-        assertSame(handlerResults.size(), 1);
-
-        List<WSSecurityEngineResult> protectionResults = new Vector<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(),
-                WSConstants.ENCR, protectionResults);
-        assertNotNull(protectionResults);
-        
-        //
-        // This result should contain a reference to the decrypted element
-        //
-        final Map<String, Object> result = (Map<String, Object>) protectionResults
-                .get(0);
-        final List<WSDataRef> protectedElements = 
-            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-        assertNotNull(protectedElements);
-    }
-    
-    // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
-    // is cleaned up by adding server side enforcement of signature related algorithms.
-    // See https://issues.apache.org/jira/browse/WSS-222
-    private void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws Exception { 
-        final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
-        assertNotNull(assertInfo);
-        
-        final AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
-        final String expectedSignatureMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
-        final String expectedDigestAlgorithm = binding.getAlgorithmSuite().getDigest();
-        final String expectedCanonAlgorithm  = binding.getAlgorithmSuite().getInclusiveC14n();
-            
-        XPathFactory factory = XPathFactory.newInstance();
-        XPath xpath = factory.newXPath();
-        final NamespaceContext nsContext = this.getNamespaceContext();
-        xpath.setNamespaceContext(nsContext);
-        
-        // Signature Algorithm
-        final XPathExpression sigAlgoExpr = 
-            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" 
-                              + "/ds:SignatureMethod/@Algorithm");
-        
-        final String sigMethod =  (String) sigAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
-        assertEquals(expectedSignatureMethod, sigMethod);
-        
-        // Digest Method Algorithm
-        final XPathExpression digestAlgoExpr = xpath.compile(
-            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
-        
-        final NodeList digestMethodNodes = 
-            (NodeList) digestAlgoExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        for (int i = 0; i < digestMethodNodes.getLength(); i++) {
-            Node node = (Node)digestMethodNodes.item(i);
-            String digestAlgorithm = node.getAttributes().getNamedItem("Algorithm").getNodeValue();
-            assertEquals(expectedDigestAlgorithm, digestAlgorithm);
-        }
-        
-        // Canonicalization Algorithm
-        final XPathExpression canonAlgoExpr =
-            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" 
-                              + "/ds:CanonicalizationMethod/@Algorithm");
-        final String canonMethod =  (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
-        assertEquals(expectedCanonAlgorithm, canonMethod);
-    }
-    
-    // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached
-    // is cleaned up.
-    private void verifySignatureCoversAssertion(Document signedDoc, String assertionId) throws Exception {
-        XPathFactory factory = XPathFactory.newInstance();
-        XPath xpath = factory.newXPath();
-        final NamespaceContext nsContext = this.getNamespaceContext();
-        xpath.setNamespaceContext(nsContext);
-        
-        // Find the SecurityTokenReference for the assertion
-        final XPathExpression strExpr = xpath.compile(
-            "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
-        
-        final NodeList strKeyIdNodes = 
-            (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        String strId = null;
-        for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
-            Node keyIdNode = (Node) strKeyIdNodes.item(i);
-            String strKey = keyIdNode.getTextContent();
-            if (strKey.equals(assertionId)) {
-                Node strNode = (Node) keyIdNode.getParentNode();
-                strId = strNode.getAttributes().
-                    getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue();
-                break;
-            }
-        }
-        assertNotNull("SecurityTokenReference for " + assertionId + " not found in security header.", strId);
-        
-        // Verify STR is included in the signature references
-        final XPathExpression sigRefExpr = xpath.compile(
-            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
-        
-        final NodeList sigReferenceNodes = 
-            (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        boolean foundStrReference = false;
-        for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
-            Node sigRefNode = (Node) sigReferenceNodes.item(i);
-            String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
-            if (sigRefURI.equals("#" + strId)) {
-                foundStrReference = true;
-                break;
-            }
-        }
-        
-        assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference);
-    }
-    
-    private static final class MockEndpoint extends 
-        AbstractAttributedInterceptorProvider implements Endpoint {
-
-        private static final long serialVersionUID = 1L;
-
-        private EndpointInfo epi = new EndpointInfo();
-        
-        public MockEndpoint() {
-            epi.setBinding(new BindingInfo(null, null));
-        }
-        
-        
-        public List<AbstractFeature> getActiveFeatures() {
-            return null;
-        }
-
-        public Binding getBinding() {
-            return null;
-        }
-
-        public EndpointInfo getEndpointInfo() {
-            return this.epi;
-        }
-
-        public Executor getExecutor() {
-            return null;
-        }
-
-        public MessageObserver getInFaultObserver() {
-            return null;
-        }
-
-        public MessageObserver getOutFaultObserver() {
-            return null;
-        }
-
-        public Service getService() {
-            return null;
-        }
-
-        public void setExecutor(Executor executor) {   
-        }
-
-        public void setInFaultObserver(MessageObserver observer) {
-        }
-
-        public void setOutFaultObserver(MessageObserver observer) {            
-        }
-    }
-    
-    /**
-     * A simple container used to reduce argument numbers to satisfy
-     * project code conventions.
-     */
-    private static final class AssertionsHolder {
-        private List<QName> assertedAssertions;
-        private List<QName> notAssertedAssertions;
-        
-        public AssertionsHolder(List<QName> assertedAssertions,
-                List<QName> notAssertedAssertions) {
-            super();
-            this.assertedAssertions = assertedAssertions;
-            this.notAssertedAssertions = notAssertedAssertions;
-        }
-        
-        public List<QName> getAssertedAssertions() {
-            return this.assertedAssertions;
-        }
-        public List<QName> getNotAssertedAssertions() {
-            return this.notAssertedAssertions;
-        }
-    }
+  
 }

Copied: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java (from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSAMLCallbackHandler.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java?p2=cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java&p1=cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSAMLCallbackHandler.java&r1=1086519&r2=1086895&rev=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractSAMLCallbackHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java Wed Mar 30 10:20:13 2011
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.cxf.ws.security.wss4j;
+package org.apache.cxf.ws.security.wss4j.saml;
 
 import java.security.cert.X509Certificate;
 import java.util.Collections;

Copied: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java (from r1086519, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java)
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java?p2=cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java&p1=cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java&r1=1086519&r2=1086895&rev=1086895&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomSamlValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/CustomSamlValidator.java Wed Mar 30 10:20:13 2011
@@ -17,7 +17,7 @@
  * under the License.
  */
 
-package org.apache.cxf.ws.security.wss4j;
+package org.apache.cxf.ws.security.wss4j.saml;
 
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.handler.RequestData;

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/PolicyBasedSamlTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/PolicyBasedSamlTest.java?rev=1086895&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/PolicyBasedSamlTest.java (added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/PolicyBasedSamlTest.java Wed Mar 30 10:20:13 2011
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j.saml;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+
+import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.cxf.ws.security.wss4j.AbstractPolicySecurityTest;
+import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.junit.Test;
+
+/**
+ * A test for using SAML Assertions via WS-SecurityPolicy expressions.
+ */
+public class PolicyBasedSamlTest extends AbstractPolicySecurityTest {
+
+    @Test
+    public void testSaml1Assertion() throws Exception {
+        //
+        // This should fail as the policy wants a SAML1 assertion and none is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "wsse-request-clean.xml",
+                "saml_assertion_policy.xml",
+                null,
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                new ArrayList<CoverageType>());
+        //
+        // This should pass as the policy wants a SAML1 assertion and it is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "saml_request.xml",
+                "saml_assertion_policy.xml",
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                null,
+                new ArrayList<CoverageType>());
+        //
+        // This should fail as the policy wants a SAML1 assertion and a SAML2 Assertion
+        // is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "saml2_request.xml",
+                "saml_assertion_policy.xml",
+                null,
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                new ArrayList<CoverageType>());
+    }
+     
+    @Test
+    public void testSaml2Assertion() throws Exception {
+        //
+        // This should fail as the policy wants a SAML2 assertion and none is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "wsse-request-clean.xml",
+                "saml2_assertion_policy.xml",
+                null,
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                new ArrayList<CoverageType>());
+        //
+        // This should pass as the policy wants a SAML2 assertion and it is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "saml2_request.xml",
+                "saml2_assertion_policy.xml",
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                null,
+                new ArrayList<CoverageType>());
+        //
+        // This should fail as the policy wants a SAML2 assertion and a SAML1 Assertion
+        // is in the request
+        //
+        this.runInInterceptorAndValidate(
+                "saml_request.xml",
+                "saml2_assertion_policy.xml",
+                null,
+                Arrays.asList(SP12Constants.SAML_TOKEN),
+                new ArrayList<CoverageType>());
+    }
+    
+}
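Review bot: Both test methods only pin that a SAML 1.1 versus 2.0 assertion is (or is not) matched against the policy's version requirement, and every call passes an empty `CoverageType` list, so nothing here checks that the token's own signature was verified or that an unsigned assertion is rejected under a signed-supporting-token policy; given the commit's stated purpose (enforcing SAML SupportingTokens inbound), a negative case with a tampered or unsigned assertion against `saml_assertion_policy.xml` would pin the enforcement that actually matters. The negative cases also treat "SAML_TOKEN not asserted" as rejection; if the inherited `runInInterceptorAndValidate` still swallows `PolicyException` the way the copy removed from PolicyBasedWss4JInOutTest did, the test never shows the request would be faulted, so a comment such as `// NOTE: asserts policy state only; rejecting the message is checkEffectivePolicy's job` would keep the test's scope honest. Finally, each method bundles three scenarios into one `@Test`, so a failure in the first hides the outcome of the others — one method per scenario (e.g. `testSaml1AssertionMissing`, `testSaml1AssertionPresent`, `testSaml1AssertionWrongVersion`) would give clearer diagnostics when enforcement regresses.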


