cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1204974 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/interceptors/ wss4j/ wss4j/policyvalidators/
Date Tue, 22 Nov 2011 13:17:49 GMT
Author: coheigea
Date: Tue Nov 22 13:17:44 2011
New Revision: 1204974

URL: http://svn.apache.org/viewvc?rev=1204974&view=rev
Log:
More SecPol refactoring.

Added:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
Tue Nov 22 13:17:44 2011
@@ -417,8 +417,8 @@ public class IssuedTokenInterceptorProvi
                 if (!isRequestor(message)) {
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
-                    if (results != null) {
-                        parseHandlerResults(results, message, aim);
+                    if (results != null && results.size() > 0) {
+                        parseHandlerResults(results.get(0), message, aim);
                     }
                 } else {
                     //client side should be checked on the way out
@@ -430,39 +430,33 @@ public class IssuedTokenInterceptorProvi
         }
         
         private void parseHandlerResults(
-            List<WSHandlerResult> results,
+            WSHandlerResult rResult,
             Message message,
             AssertionInfoMap aim
         ) {
-            if (results != null) {
-                for (WSHandlerResult rResult : results) {
-                    List<WSSecurityEngineResult> signedResults = 
-                        new ArrayList<WSSecurityEngineResult>();
-                    WSSecurityUtil.fetchAllActionResults(
-                        rResult.getResults(), WSConstants.SIGN, signedResults
-                    );
-                    IssuedTokenPolicyValidator issuedValidator = 
-                        new IssuedTokenPolicyValidator(signedResults, message);
-                    Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
-                    
-                    for (AssertionWrapper assertionWrapper 
-                        : findSamlTokenResults(rResult.getResults())) {
-                        boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
-                        if (valid) {
-                            SecurityToken token = createSecurityToken(assertionWrapper);
-                            message.getExchange().put(SecurityConstants.TOKEN, token);
-                            return;
-                        }
-                    }
-                    for (BinarySecurity binarySecurityToken 
-                        : findBinarySecurityTokenResults(rResult.getResults())) {
-                        boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
-                        if (valid) {
-                            SecurityToken token = createSecurityToken(binarySecurityToken);
-                            message.getExchange().put(SecurityConstants.TOKEN, token);
-                            return;
-                        }
-                    }
+            List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
+            WSSecurityUtil.fetchAllActionResults(
+                rResult.getResults(), WSConstants.SIGN, signedResults
+            );
+            
+            IssuedTokenPolicyValidator issuedValidator = 
+                new IssuedTokenPolicyValidator(signedResults, message);
+            Collection<AssertionInfo> issuedAis = aim.get(SP12Constants.ISSUED_TOKEN);
+
+            for (AssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults()))
{
+                boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
+                if (valid) {
+                    SecurityToken token = createSecurityToken(assertionWrapper);
+                    message.getExchange().put(SecurityConstants.TOKEN, token);
+                    return;
+                }
+            }
+            for (BinarySecurity binarySecurityToken : findBinarySecurityTokenResults(rResult.getResults()))
{
+                boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
+                if (valid) {
+                    SecurityToken token = createSecurityToken(binarySecurityToken);
+                    message.getExchange().put(SecurityConstants.TOKEN, token);
+                    return;
                 }
             }
         }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
Tue Nov 22 13:17:44 2011
@@ -159,8 +159,8 @@ public class KerberosTokenInterceptorPro
                 if (!isRequestor(message)) {
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
-                    if (results != null) {
-                        parseHandlerResults(results, message, aim);
+                    if (results != null && results.size() > 0) {
+                        parseHandlerResults(results.get(0), message, aim);
                     }
                 } else {
                     //client side should be checked on the way out
@@ -172,26 +172,22 @@ public class KerberosTokenInterceptorPro
         }
         
         private void parseHandlerResults(
-            List<WSHandlerResult> results,
+            WSHandlerResult rResult,
             Message message,
             AssertionInfoMap aim
         ) {
-            if (results != null) {
-                for (WSHandlerResult rResult : results) {
-                    List<WSSecurityEngineResult> kerberosResults = findKerberosResults(rResult.getResults());
-                    for (WSSecurityEngineResult wser : kerberosResults) {
-                        KerberosSecurity kerberosToken = 
-                            (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                        KerberosTokenPolicyValidator kerberosValidator = 
-                            new KerberosTokenPolicyValidator(message);
-                        boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
-                        if (valid) {
-                            SecurityToken token = createSecurityToken(kerberosToken);
-                            token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
-                            message.getExchange().put(SecurityConstants.TOKEN, token);
-                            return;
-                        }
-                    }
+            List<WSSecurityEngineResult> kerberosResults = findKerberosResults(rResult.getResults());
+            for (WSSecurityEngineResult wser : kerberosResults) {
+                KerberosSecurity kerberosToken = 
+                    (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                KerberosTokenPolicyValidator kerberosValidator = 
+                    new KerberosTokenPolicyValidator(message);
+                boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
+                if (valid) {
+                    SecurityToken token = createSecurityToken(kerberosToken);
+                    token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
+                    message.getExchange().put(SecurityConstants.TOKEN, token);
+                    return;
                 }
             }
         }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Tue Nov 22 13:17:44 2011
@@ -76,6 +76,7 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
@@ -523,41 +524,21 @@ public class PolicyBasedWSS4JInIntercept
         List<WSSecurityEngineResult> signedResults, 
         boolean utWithCallbacks
     ) {
-        List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
-        
-        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
-        
         boolean check = true;
-        X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
-        check &= x509Validator.validatePolicy(aim);
+        TokenPolicyValidator x509Validator = new X509TokenPolicyValidator();
+        check &= x509Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
         
-        if (utWithCallbacks) {
-            UsernameTokenPolicyValidator utValidator = 
-                new UsernameTokenPolicyValidator(msg, results);
-            check &= utValidator.validatePolicy(aim);
-        } else {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
-            if (ais != null) {
-                for (AssertionInfo ai : ais) {
-                    ai.setAsserted(true);
-                }
-            }
-        }
+        TokenPolicyValidator utValidator = new UsernameTokenPolicyValidator(utWithCallbacks);
+        check &= utValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
         
-        SamlTokenPolicyValidator samlValidator = 
-            new SamlTokenPolicyValidator(soapBody, signedResults, msg, results);
-        check &= samlValidator.validatePolicy(aim);
+        TokenPolicyValidator samlValidator = new SamlTokenPolicyValidator();
+        check &= samlValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
         
-        SecurityContextTokenPolicyValidator sctValidator = 
-            new SecurityContextTokenPolicyValidator(msg, results);
-        check &= sctValidator.validatePolicy(aim);
+        TokenPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
+        check &= sctValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
         
-        WSS11PolicyValidator wss11Validator = new WSS11PolicyValidator(msg, results);
-        check &= wss11Validator.validatePolicy(aim);
+        TokenPolicyValidator wss11Validator = new WSS11PolicyValidator();
+        check &= wss11Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
         
         return check;
     }
@@ -600,6 +581,14 @@ public class PolicyBasedWSS4JInIntercept
     ) {
         boolean check = true;
         
+        List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+        
+        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+        
         SignedTokenPolicyValidator suppValidator = 
             new SignedTokenPolicyValidator(msg, results, signedResults);
         suppValidator.setValidateUsernameToken(utWithCallbacks);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -26,6 +26,10 @@ import java.security.cert.X509Certificat
 import java.util.Arrays;
 import java.util.List;
 
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
+import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
 import org.apache.ws.security.WSSecurityEngineResult;
 import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -38,6 +42,33 @@ import org.apache.ws.security.saml.ext.O
 public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator {
     
     /**
+     * Check to see if a token is required or not.
+     * @param token the token
+     * @param message The message
+     * @return true if the token is required
+     */
+    protected boolean isTokenRequired(
+        Token token,
+        Message message
+    ) {
+        IncludeTokenType inclusion = token.getInclusion();
+        if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+            return false;
+        } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+            return true;
+        } else {
+            boolean initiator = MessageUtils.isRequestor(message);
+            if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR))
{
+                return true;
+            } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
+                || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+                return true;
+            }
+            return false;
+        }
+    }
+    
+    /**
      * Check the holder-of-key requirements against the received assertion. The subject
      * credential of the SAML Assertion must have been used to sign some portion of
      * the message, thus showing proof-of-possession of the private/secret key. Alternatively,

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -39,7 +39,7 @@ import org.apache.ws.security.WSSecurity
  * Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey
or
  * EncryptedData structure against an AlgorithmSuite policy.
  */
-public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
+public class AlgorithmSuitePolicyValidator {
     
     private List<WSSecurityEngineResult> results;
 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -40,7 +40,7 @@ import org.opensaml.common.SAMLVersion;
 
 /**
  * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
- * against an IssuedToken policy.
+ * or Kerberos token against an IssuedToken policy.
  */
 public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
     
@@ -56,70 +56,73 @@ public class IssuedTokenPolicyValidator 
     }
     
     public boolean validatePolicy(
-        Collection<AssertionInfo> issuedAis,
+        Collection<AssertionInfo> ais,
         AssertionWrapper assertionWrapper
     ) {
-        if (issuedAis != null) {
-            for (AssertionInfo ai : issuedAis) {
-                IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
-                ai.setAsserted(true);
-                
-                boolean tokenRequired = isTokenRequired(issuedToken, message);
-                if (tokenRequired && assertionWrapper == null) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
-                if (!tokenRequired) {
-                    continue;
-                }
-                
-                Element template = issuedToken.getRstTemplate();
-                if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper))
{
-                    ai.setNotAsserted("Error in validating the IssuedToken policy");
-                    return false;
-                }
-                
-                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
-                Certificate[] tlsCerts = null;
-                if (tlsInfo != null) {
-                    tlsCerts = tlsInfo.getPeerCertificates();
-                }
-                if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
-                    ai.setNotAsserted("Assertion fails holder-of-key requirements");
-                    return false;
-                }
+        if (ais == null || ais.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+            ai.setAsserted(true);
+
+            if (!isTokenRequired(issuedToken, message)) {
+                continue;
+            }
+            
+            if (assertionWrapper == null) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
+            }
+
+            Element template = issuedToken.getRstTemplate();
+            if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper))
{
+                ai.setNotAsserted("Error in validating the IssuedToken policy");
+                return false;
+            }
+
+            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+            Certificate[] tlsCerts = null;
+            if (tlsInfo != null) {
+                tlsCerts = tlsInfo.getPeerCertificates();
+            }
+            if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                ai.setNotAsserted("Assertion fails holder-of-key requirements");
+                return false;
             }
         }
         return true;
     }
     
     public boolean validatePolicy(
-        Collection<AssertionInfo> issuedAis,
+        Collection<AssertionInfo> ais,
         BinarySecurity binarySecurityToken
     ) {
-        if (issuedAis != null) {
-            for (AssertionInfo ai : issuedAis) {
-                IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
-                ai.setAsserted(true);
-
-                boolean tokenRequired = isTokenRequired(issuedToken, message);
-                if (tokenRequired && binarySecurityToken == null) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
-                if (!tokenRequired) {
-                    continue;
-                }
+        if (ais == null || ais.isEmpty()) {
+            return true;
+        }
+        
+        for (AssertionInfo ai : ais) {
+            IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
+            ai.setAsserted(true);
 
-                Element template = issuedToken.getRstTemplate();
-                if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken))
{
-                    ai.setNotAsserted("Error in validating the IssuedToken policy");
-                    return false;
-                }
+            if (!isTokenRequired(issuedToken, message)) {
+                continue;
+            }
+            if (binarySecurityToken == null) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
+            }
+
+            Element template = issuedToken.getRstTemplate();
+            if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken))
{
+                ai.setNotAsserted("Error in validating the IssuedToken policy");
+                return false;
             }
         }
         return true;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -43,53 +43,48 @@ import org.apache.ws.security.util.WSSec
 import org.opensaml.common.SAMLVersion;
 
 /**
- * Validate a WSSecurityEngineResult corresponding to the processing of a SAML Assertion
- * against the appropriate policy.
+ * Validate a SamlToken policy.
  */
-public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator {
+public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implements TokenPolicyValidator
{
     
-    private List<WSSecurityEngineResult> signedResults;
-    private Element soapBody;
-    private Message message;
-    private List<WSSecurityEngineResult> samlResults;
-
-    public SamlTokenPolicyValidator(
-        Element soapBody,
-        List<WSSecurityEngineResult> signedResults,
-        Message message,
-        List<WSSecurityEngineResult> results
-    ) {
-        this.soapBody = soapBody;
-        this.signedResults = signedResults;
-        this.message = message;
-        samlResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
-    }
+    private Element body;
+    private List<WSSecurityEngineResult> signed;
     
     public boolean validatePolicy(
-        AssertionInfoMap aim
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> samlAis = aim.get(SP12Constants.SAML_TOKEN);
-        if (samlAis == null || samlAis.isEmpty()) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
+        if (ais == null || ais.isEmpty()) {
             return true;
         }
         
-        for (AssertionInfo ai : samlAis) {
+        body = soapBody;
+        signed = signedResults;
+        
+        List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
+        
+        for (AssertionInfo ai : ais) {
             SamlToken samlToken = (SamlToken)ai.getAssertion();
             ai.setAsserted(true);
 
-            boolean tokenRequired = isTokenRequired(samlToken, message);
-            if (tokenRequired && samlResults.isEmpty()) {
+            if (!isTokenRequired(samlToken, message)) {
+                continue;
+            }
+
+            if (samlResults.isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
                 return false;
             }
-            if (!tokenRequired) {
-                continue;
-            }
-
+            
+            // All of the received SAML Assertions must conform to the policy
             for (WSSecurityEngineResult result : samlResults) {
                 AssertionWrapper assertionWrapper = 
                     (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
@@ -169,7 +164,7 @@ public class SamlTokenPolicyValidator ex
         List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
         for (String confirmationMethod : confirmationMethods) {
             if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
-                if (signedResults == null || signedResults.isEmpty()) {
+                if (signed == null || signed.isEmpty()) {
                     return false;
                 }
                 if (!checkAssertionAndBodyAreSigned(assertionWrapper)) {
@@ -186,7 +181,7 @@ public class SamlTokenPolicyValidator ex
      * @return true if there is a signature which references the Assertion and the SOAP Body.
      */
     private boolean checkAssertionAndBodyAreSigned(AssertionWrapper assertionWrapper) {
-        for (WSSecurityEngineResult signedResult : signedResults) {
+        for (WSSecurityEngineResult signedResult : signed) {
             List<WSDataRef> sl =
                 CastUtils.cast((List<?>)signedResult.get(
                     WSSecurityEngineResult.TAG_DATA_REF_URIS
@@ -199,7 +194,7 @@ public class SamlTokenPolicyValidator ex
                     if (se == assertionWrapper.getElement()) {
                         assertionIsSigned = true;
                     }
-                    if (se == soapBody) {
+                    if (se == body) {
                         bodyIsSigned = true;
                     }
                     if (assertionIsSigned && bodyIsSigned) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -33,39 +35,39 @@ import org.apache.ws.security.WSSecurity
 import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
- * Validate a WSSecurityEngineResult corresponding to the processing of a SecurityContextToken
- * against the appropriate policy.
+ * Validate a SecurityContextToken policy.
  */
-public class SecurityContextTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class SecurityContextTokenPolicyValidator 
+    extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
     
-    private List<WSSecurityEngineResult> sctResults;
-    private Message message;
+    public boolean validatePolicy(
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
+        if (ais == null || ais.isEmpty()) {
+            return true;
+        }
 
-    public SecurityContextTokenPolicyValidator(Message message, List<WSSecurityEngineResult>
results) {
-        this.message = message;
-        sctResults = new ArrayList<WSSecurityEngineResult>();
+        List<WSSecurityEngineResult> sctResults = new ArrayList<WSSecurityEngineResult>();
         WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT, sctResults);
-    }
-    
-    public boolean validatePolicy(AssertionInfoMap aim) {
-        Collection<AssertionInfo> sctAis = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
-        if (sctAis != null && !sctAis.isEmpty()) {
-            for (AssertionInfo ai : sctAis) {
-                SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
-                ai.setAsserted(true);
-                    
-                boolean tokenRequired = isTokenRequired(sctPolicy, message);
-                
-                if (!tokenRequired) {
-                    continue;
-                }
-                
-                if (sctResults.isEmpty()) {
-                    ai.setNotAsserted(
-                        "The received token does not match the token inclusion requirement"
-                    );
-                    return false;
-                }
+
+        for (AssertionInfo ai : ais) {
+            SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
+            ai.setAsserted(true);
+
+            if (!isTokenRequired(sctPolicy, message)) {
+                continue;
+            }
+
+            if (sctResults.isEmpty()) {
+                ai.setNotAsserted(
+                    "The received token does not match the token inclusion requirement"
+                );
+                return false;
             }
         }
         return true;

Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java?rev=1204974&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
(added)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -0,0 +1,45 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.ws.security.WSSecurityEngineResult;
+
+/**
+ * Validate a WS-SecurityPolicy corresponding to a received token.
+ */
+public interface TokenPolicyValidator {
+    
+    /**
+     * Validate a particular policy from the AssertionInfoMap argument. Return true if the
policy is valid.
+     */
+    boolean validatePolicy(
+        AssertionInfoMap aim, 
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    );
+}

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -33,46 +35,50 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
- * Validate a WSSecurityEngineResult corresponding to the processing of a UsernameToken
- * against the appropriate policy.
+ * Validate a UsernameToken policy.
  */
-public class UsernameTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class UsernameTokenPolicyValidator 
+    extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
     
-    private Message message;
-    private List<WSSecurityEngineResult> utResults;
-
-    public UsernameTokenPolicyValidator(
-        Message message,
-        List<WSSecurityEngineResult> results
-    ) {
-        this.message = message;
-        utResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+    private boolean utWithCallbacks;
+    
+    public UsernameTokenPolicyValidator(boolean utWithCallbacks) {
+        this.utWithCallbacks = utWithCallbacks;
     }
     
     public boolean validatePolicy(
-        AssertionInfoMap aim
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> utAis = aim.get(SP12Constants.USERNAME_TOKEN);
-        if (utAis == null || utAis.isEmpty()) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+        if (ais == null || ais.isEmpty()) {
             return true;
         }
         
-        for (AssertionInfo ai : utAis) {
+        List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);
+        
+        for (AssertionInfo ai : ais) {
             org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy = 
                 (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
             ai.setAsserted(true);
 
-            boolean tokenRequired = isTokenRequired(usernameTokenPolicy, message);
-            if (tokenRequired && utResults.isEmpty()) {
+            if (utWithCallbacks || !isTokenRequired(usernameTokenPolicy, message)) {
+                continue;
+            }
+
+            if (utResults.isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
                 return false;
             }
-            
-            if (tokenRequired && !checkTokens(usernameTokenPolicy, ai)) {
+
+            if (!checkTokens(usernameTokenPolicy, ai, utResults)) {
                 return false;
             }
 
@@ -80,9 +86,13 @@ public class UsernameTokenPolicyValidato
         return true;
     }
     
+    /**
+     * All UsernameTokens must conform to the policy
+     */
     public boolean checkTokens(
         org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy,
-        AssertionInfo ai
+        AssertionInfo ai,
+        List<WSSecurityEngineResult> utResults
     ) {
         for (WSSecurityEngineResult result : utResults) {
             UsernameToken usernameToken = 
@@ -96,7 +106,7 @@ public class UsernameTokenPolicyValidato
                 return false;
             }
             if (usernameTokenPolicy.isRequireCreated() 
-                    && (usernameToken.getCreated() == null || usernameToken.isHashed()))
{
+                && (usernameToken.getCreated() == null || usernameToken.isHashed()))
{
                 ai.setNotAsserted("Username Token Created policy not enforced");
                 return false;
             }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
@@ -36,28 +38,23 @@ import org.apache.ws.security.util.WSSec
 /**
  * Validate a WSS11 policy.
  */
-public class WSS11PolicyValidator {
-    
-    private List<WSSecurityEngineResult> scResults;
-    private Message message;
-
-    public WSS11PolicyValidator(
-        Message message,
-        List<WSSecurityEngineResult> results
-    ) {
-        this.message = message;
-        scResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
-    }
+public class WSS11PolicyValidator implements TokenPolicyValidator {
     
     public boolean validatePolicy(
-        AssertionInfoMap aim
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
         if (ais == null || ais.isEmpty()) {
             return true;
         }
         
+        List<WSSecurityEngineResult> scResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC, scResults);
+        
         for (AssertionInfo ai : ais) {
             Wss11 wss11 = (Wss11)ai.getAssertion();
             ai.setAsserted(true);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1204974&r1=1204973&r2=1204974&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Tue Nov 22 13:17:44 2011
@@ -23,6 +23,8 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import org.w3c.dom.Element;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
@@ -35,35 +37,29 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.util.WSSecurityUtil;
 
 /**
- * Validate a WSSecurityEngineResult corresponding to the processing of an X.509 Token
- * against the appropriate policy.
+ * Validate an X509 Token policy.
  */
-public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator implements TokenPolicyValidator
{
     
     private static final String X509_V3_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509v3";
     private static final String PKI_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";
     
-    private List<WSSecurityEngineResult> bstResults;
-    private Message message;
-
-    public X509TokenPolicyValidator(
-        Message message,
-        List<WSSecurityEngineResult> results
-    ) {
-        this.message = message;
-        bstResults = new ArrayList<WSSecurityEngineResult>();
-        WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
-    }
-    
     public boolean validatePolicy(
-        AssertionInfoMap aim
+        AssertionInfoMap aim,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> x509Ais = aim.get(SP12Constants.X509_TOKEN);
-        if (x509Ais == null || x509Ais.isEmpty()) {
+        Collection<AssertionInfo> ais = aim.get(SP12Constants.X509_TOKEN);
+        if (ais == null || ais.isEmpty()) {
             return true;
         }
         
-        for (AssertionInfo ai : x509Ais) {
+        List<WSSecurityEngineResult> bstResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST, bstResults);
+        
+        for (AssertionInfo ai : ais) {
             X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
             ai.setAsserted(true);
 
@@ -78,7 +74,7 @@ public class X509TokenPolicyValidator ex
                 return false;
             }
 
-            if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType())) {
+            if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType(), bstResults)) {
                 ai.setNotAsserted("An incorrect X.509 Token Type is detected");
                 return false;
             }
@@ -86,22 +82,30 @@ public class X509TokenPolicyValidator ex
         return true;
     }
     
-    private boolean checkTokenType(String requiredVersionAndType) {
-        if (!bstResults.isEmpty()) {
-            String requiredType = X509_V3_VALUETYPE;
-            if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
-                || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
-                requiredType = PKI_VALUETYPE;
-            }
-            
-            for (WSSecurityEngineResult result : bstResults) {
-                BinarySecurity binarySecurityToken = 
-                    (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                if (binarySecurityToken != null) {
-                    String type = binarySecurityToken.getValueType();
-                    if (requiredType.equals(type)) {
-                        return true;
-                    }
+    /**
+     * Check that at least one received token matches the token type.
+     */
+    private boolean checkTokenType(
+        String requiredVersionAndType,
+        List<WSSecurityEngineResult> bstResults
+    ) {
+        if (bstResults.isEmpty()) {
+            return false;
+        }
+
+        String requiredType = X509_V3_VALUETYPE;
+        if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredType)
+            || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredType)) {
+            requiredType = PKI_VALUETYPE;
+        }
+
+        for (WSSecurityEngineResult result : bstResults) {
+            BinarySecurity binarySecurityToken = 
+                (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+            if (binarySecurityToken != null) {
+                String type = binarySecurityToken.getValueType();
+                if (requiredType.equals(type)) {
+                    return true;
                 }
             }
         }



Mime
View raw message