Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3952E9D4D for ; Thu, 8 Dec 2011 13:29:37 +0000 (UTC) Received: (qmail 97923 invoked by uid 500); 8 Dec 2011 13:29:37 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 97882 invoked by uid 500); 8 Dec 2011 13:29:37 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 97875 invoked by uid 99); 8 Dec 2011 13:29:37 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 08 Dec 2011 13:29:37 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 08 Dec 2011 13:29:29 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 9A2B923889DA for ; Thu, 8 Dec 2011 13:29:06 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1211875 - in /cxf/trunk: rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/ ... Date: Thu, 08 Dec 2011 13:29:05 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20111208132906.9A2B923889DA@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: coheigea Date: Thu Dec 8 13:29:05 2011 New Revision: 1211875 URL: http://svn.apache.org/viewvc?rev=1211875&view=rev Log: [WSS-3960] - Patch for InitiatorSignatureToken Support in WS-Policy definition - Patch applied (with some minor modifications), thanks. - I added a systest. Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml 
cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP11Constants.java Thu Dec 8 13:29:05 2011 @@ -177,6 +177,9 @@ public final class SP11Constants extends public static final QName INITIATOR_TOKEN = new QName(SP11Constants.SP_NS, SPConstants.INITIATOR_TOKEN , SP11Constants.SP_PREFIX); + + public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP11Constants.SP_NS, + SPConstants.INITIATOR_SIGNATURE_TOKEN , SP11Constants.SP_PREFIX); public static final QName RECIPIENT_TOKEN = new QName(SP11Constants.SP_NS, SPConstants.RECIPIENT_TOKEN , SP11Constants.SP_PREFIX); @@ -342,6 +345,9 @@ public final class SP11Constants extends public QName getInitiatorToken() { return INITIATOR_TOKEN; } + public QName getInitiatorSignatureToken() { + return INITIATOR_SIGNATURE_TOKEN; + } public QName getIssuedToken() { return ISSUED_TOKEN; } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SP12Constants.java Thu Dec 8 13:29:05 2011 
@@ -213,7 +213,10 @@ public final class SP12Constants extends public static final QName INITIATOR_TOKEN = new QName(SP12Constants.SP_NS, SPConstants.INITIATOR_TOKEN , SP12Constants.SP_PREFIX); - + + public static final QName INITIATOR_SIGNATURE_TOKEN = new QName(SP12Constants.SP_NS, + SPConstants.INITIATOR_SIGNATURE_TOKEN , SP12Constants.SP_PREFIX); + public static final QName RECIPIENT_TOKEN = new QName(SP12Constants.SP_NS, SPConstants.RECIPIENT_TOKEN , SP12Constants.SP_PREFIX); @@ -401,6 +404,9 @@ public final class SP12Constants extends public QName getInitiatorToken() { return INITIATOR_TOKEN; } + public QName getInitiatorSignatureToken() { + return INITIATOR_SIGNATURE_TOKEN; + } public QName getIssuedToken() { return ISSUED_TOKEN; } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/SPConstants.java Thu Dec 8 13:29:05 2011 @@ -171,9 +171,9 @@ public abstract class SPConstants { public static final String INITIATOR_TOKEN = "InitiatorToken"; - public static final String RECIPIENT_TOKEN = "RecipientToken"; - + public static final String INITIATOR_SIGNATURE_TOKEN = "InitiatorSignatureToken"; + public static final String RECIPIENT_TOKEN = "RecipientToken"; public static final String SUPPORTING_TOKENS = "SupportingTokens"; 
@@ -439,6 +439,7 @@ public abstract class SPConstants { public abstract QName getEncryptionToken(); public abstract QName getHttpsToken(); public abstract QName getInitiatorToken(); + public abstract QName getInitiatorSignatureToken(); public abstract QName getIssuedToken(); public abstract QName getIncludeToken(); public abstract QName getLayout(); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/WSSecurityPolicyLoader.java Thu Dec 8 13:29:05 2011 @@ -38,6 +38,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.builders.EncryptedElementsBuilder; import org.apache.cxf.ws.security.policy.builders.EncryptedPartsBuilder; import org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder; +import org.apache.cxf.ws.security.policy.builders.InitiatorSignatureTokenBuilder; import org.apache.cxf.ws.security.policy.builders.InitiatorTokenBuilder; import org.apache.cxf.ws.security.policy.builders.IssuedTokenBuilder; import org.apache.cxf.ws.security.policy.builders.KerberosTokenBuilder; 
@@ -100,6 +101,7 @@ public final class WSSecurityPolicyLoade reg.registerBuilder(new EncryptedPartsBuilder()); reg.registerBuilder(new HttpsTokenBuilder(pbuild)); reg.registerBuilder(new InitiatorTokenBuilder(pbuild)); + reg.registerBuilder(new InitiatorSignatureTokenBuilder(pbuild)); reg.registerBuilder(new IssuedTokenBuilder(pbuild)); reg.registerBuilder(new LayoutBuilder()); reg.registerBuilder(new ProtectionTokenBuilder(pbuild)); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/AsymmetricBindingBuilder.java Thu Dec 8 13:29:05 2011 @@ -32,6 +32,7 @@ import org.apache.cxf.ws.security.policy import org.apache.cxf.ws.security.policy.SPConstants; import org.apache.cxf.ws.security.policy.model.AlgorithmSuite; import org.apache.cxf.ws.security.policy.model.AsymmetricBinding; +import org.apache.cxf.ws.security.policy.model.InitiatorSignatureToken; import org.apache.cxf.ws.security.policy.model.InitiatorToken; import org.apache.cxf.ws.security.policy.model.Layout; import org.apache.cxf.ws.security.policy.model.RecipientToken; 
@@ -93,7 +94,10 @@ public class AsymmetricBindingBuilder im if (SPConstants.INITIATOR_TOKEN.equals(name.getLocalPart())) { asymmetricBinding.setInitiatorToken((InitiatorToken)assertion); - + + } else if (SPConstants.INITIATOR_SIGNATURE_TOKEN.equals(name.getLocalPart())) { + asymmetricBinding.setInitiatorSignatureToken((InitiatorSignatureToken)assertion); + } else if (SPConstants.RECIPIENT_TOKEN.equals(name.getLocalPart())) { asymmetricBinding.setRecipientToken((RecipientToken)assertion); Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java?rev=1211875&view=auto ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java (added) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/InitiatorSignatureTokenBuilder.java Thu Dec 8 13:29:05 2011 
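Review bot: The new `else if` branch casts `assertion` to `InitiatorSignatureToken` after matching only `name.getLocalPart()`, so an assertion with that local name from a different namespace would fail with a ClassCastException instead of a policy error. The neighbouring InitiatorToken and RecipientToken branches have the same shape, so this follows the file's pattern, but a type guard would make the branch safe on its own: `} else if (SPConstants.INITIATOR_SIGNATURE_TOKEN.equals(name.getLocalPart()) && assertion instanceof InitiatorSignatureToken) {`. The enclosing method starts and ends outside the hunk, so how `name` and `assertion` are obtained is not visible here.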
@@ -0,0 +1,85 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.ws.security.policy.builders; + +import java.util.Iterator; +import java.util.List; + +import javax.xml.namespace.QName; + +import org.w3c.dom.Element; + +import org.apache.cxf.helpers.DOMUtils; +import org.apache.cxf.ws.policy.PolicyBuilder; +import org.apache.cxf.ws.policy.PolicyConstants; +import org.apache.cxf.ws.security.policy.SP11Constants; +import org.apache.cxf.ws.security.policy.SP12Constants; +import org.apache.cxf.ws.security.policy.SPConstants; +import org.apache.cxf.ws.security.policy.model.InitiatorSignatureToken; +import org.apache.cxf.ws.security.policy.model.Token; +import org.apache.neethi.Assertion; +import org.apache.neethi.AssertionBuilderFactory; +import org.apache.neethi.Policy; +import org.apache.neethi.builders.AssertionBuilder; + +public class InitiatorSignatureTokenBuilder implements AssertionBuilder { + + PolicyBuilder builder; + public InitiatorSignatureTokenBuilder(PolicyBuilder b) { + builder = b; + } + public QName[] getKnownElements() { + return new QName[]{SP11Constants.INITIATOR_SIGNATURE_TOKEN, SP12Constants.INITIATOR_SIGNATURE_TOKEN}; + } + + public Assertion build(Element element, 
AssertionBuilderFactory factory) + throws IllegalArgumentException { + + SPConstants consts = SP11Constants.SP_NS.equals(element.getNamespaceURI()) + ? SP11Constants.INSTANCE : SP12Constants.INSTANCE; + + InitiatorSignatureToken initiatorToken = new InitiatorSignatureToken(consts, builder); + initiatorToken.setOptional(PolicyConstants.isOptional(element)); + initiatorToken.setIgnorable(PolicyConstants.isIgnorable(element)); + + Policy policy = builder.getPolicy(DOMUtils.getFirstElement(element)); + policy = (Policy)policy.normalize(builder.getPolicyRegistry(), false); + + for (Iterator iterator = policy.getAlternatives(); iterator.hasNext();) { + processAlternative((List)iterator.next(), initiatorToken); + break; // TODO process all the token that must be set .. + } + + return initiatorToken; + } + + private void processAlternative(List assertions, InitiatorSignatureToken parent) { + + Object token; + + for (Iterator iterator = assertions.iterator(); iterator.hasNext();) { + token = iterator.next(); + + if (token instanceof Token) { + parent.setInitiatorSignatureToken((Token)token); + } + } + } + +} Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu Dec 8 13:29:05 2011 
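Review bot: In `build`, the loop over `policy.getAlternatives()` breaks after the first alternative (as the `TODO` admits), and `processAlternative` lets a later `Token` silently overwrite an earlier one, so a policy with several alternatives or several tokens is reduced to one without any signal. For a security policy this means the enforced policy can differ from the written one; logging a warning or throwing `IllegalArgumentException` for the unsupported shapes would be safer than ignoring them. `DOMUtils.getFirstElement(element)` is also passed straight to `builder.getPolicy` with no check for an element that has no child, and what `getPolicy` does with null is not visible here. Minor: `PolicyBuilder builder;` could be `private final`, the raw `Iterator`/`List` types force the casts, and the class and its public methods have no Javadoc.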
@@ -48,6 +48,7 @@ public class WSSecurityPolicyInterceptor ASSERTION_TYPES.add(SP12Constants.SIGNATURE_TOKEN); ASSERTION_TYPES.add(SP12Constants.TRANSPORT_TOKEN); ASSERTION_TYPES.add(SP12Constants.INITIATOR_TOKEN); + ASSERTION_TYPES.add(SP12Constants.INITIATOR_SIGNATURE_TOKEN); ASSERTION_TYPES.add(SP12Constants.RECIPIENT_TOKEN); ASSERTION_TYPES.add(SP12Constants.SIGNED_PARTS); ASSERTION_TYPES.add(SP12Constants.REQUIRED_PARTS); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/AsymmetricBinding.java Thu Dec 8 13:29:05 2011 @@ -35,6 +35,8 @@ import org.apache.neethi.PolicyComponent public class AsymmetricBinding extends SymmetricAsymmetricBindingBase { private InitiatorToken initiatorToken; + + private InitiatorSignatureToken initiatorSignatureToken; private RecipientToken recipientToken; @@ -55,6 +57,20 @@ public class AsymmetricBinding extends S public void setInitiatorToken(InitiatorToken initiatorToken) { this.initiatorToken = initiatorToken; } + + /** + * @return Returns the initiatorToken. + */ + public InitiatorSignatureToken getInitiatorSignatureToken() { + return initiatorSignatureToken; + } + + /** + * @param initiatorToken The initiatorToken to set. + */ + public void setInitiatorSignatureToken(InitiatorSignatureToken initiatorSignatureToken) { + this.initiatorSignatureToken = initiatorSignatureToken; + } /** * @return Returns the recipientToken. 
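Review bot: The Javadoc on the two accessors added to AsymmetricBinding in the `@@ -55,6 +57,20 @@` hunk was copied from the InitiatorToken pair: it says `Returns the initiatorToken` and `@param initiatorToken`, while the parameter is named `initiatorSignatureToken`. Suggested wording: `@return the InitiatorSignatureToken assertion of this binding, or null if none was set` and `@param initiatorSignatureToken the InitiatorSignatureToken assertion to set`. The same copied text appears on `getInitiatorSignatureToken` and `setInitiatorSignatureToken` in the new InitiatorSignatureToken.java and should be corrected there too.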
@@ -95,6 +111,9 @@ public class AsymmetricBinding extends S if (getInitiatorToken() != null) { all.addPolicyComponent(getInitiatorToken()); } + if (getInitiatorSignatureToken() != null) { + all.addPolicyComponent(getInitiatorSignatureToken()); + } if (getRecipientToken() != null) { all.addPolicyComponent(getRecipientToken()); } @@ -145,13 +164,22 @@ public class AsymmetricBinding extends S writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY .getNamespaceURI()); - if (initiatorToken == null) { - throw new RuntimeException("InitiatorToken is not set"); + if (initiatorToken == null && initiatorSignatureToken == null) { + throw new RuntimeException("InitiatorToken or InitiatorSignatureToken is not set"); } - // - initiatorToken.serialize(writer); - // + if (initiatorToken != null) { + // + initiatorToken.serialize(writer); + // + } + + if (initiatorSignatureToken != null) { + // + initiatorSignatureToken.serialize(writer); + // + } + if (recipientToken == null) { throw new RuntimeException("RecipientToken is not set"); Added: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java?rev=1211875&view=auto ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java (added) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/InitiatorSignatureToken.java Thu Dec 8 13:29:05 2011 
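Review bot: In the `serialize` hunk (`@@ -145,13 +164,22 @@`), both `initiatorToken` and `initiatorSignatureToken` are written when both are set, and nothing visible in this commit rejects a binding that carries both. AsymmetricBindingHandler, by contrast, takes `getInitiatorToken()` and falls back to `getInitiatorSignatureToken()` only when it is null. It would help to either enforce that the two are mutually exclusive where they are set or document the precedence next to the fields, e.g. `// InitiatorToken takes precedence; InitiatorSignatureToken is only consulted when it is absent`. The method body continues outside the hunk.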
@@ -0,0 +1,93 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.ws.security.policy.model; + +import javax.xml.namespace.QName; +import javax.xml.stream.XMLStreamException; +import javax.xml.stream.XMLStreamWriter; + +import org.apache.cxf.ws.policy.PolicyBuilder; +import org.apache.cxf.ws.security.policy.SP12Constants; +import org.apache.cxf.ws.security.policy.SPConstants; + +public class InitiatorSignatureToken extends TokenWrapper { + + public InitiatorSignatureToken(SPConstants version, PolicyBuilder b) { + super(version, b); + } + + /** + * @return Returns the initiatorToken. + */ + public Token getInitiatorSignatureToken() { + return getToken(); + } + + + /** + * @param initiatorToken The initiatorToken to set. 
+ */ + public void setInitiatorSignatureToken(Token initiatorSignatureToken) { + setToken(initiatorSignatureToken); + } + + public QName getRealName() { + return constants.getInitiatorSignatureToken(); + } + public QName getName() { + return SP12Constants.INSTANCE.getInitiatorSignatureToken(); + } + + public void serialize(XMLStreamWriter writer) throws XMLStreamException { + String localName = getRealName().getLocalPart(); + String namespaceURI = getRealName().getNamespaceURI(); + + String prefix = writer.getPrefix(namespaceURI); + + if (prefix == null) { + prefix = getRealName().getPrefix(); + writer.setPrefix(prefix, namespaceURI); + } + + // + writer.writeStartElement(prefix, localName, namespaceURI); + + String pPrefix = writer.getPrefix(SPConstants.POLICY.getNamespaceURI()); + if (pPrefix == null) { + pPrefix = SPConstants.POLICY.getPrefix(); + writer.setPrefix(pPrefix, SPConstants.POLICY.getNamespaceURI()); + } + + // + writer.writeStartElement(pPrefix, SPConstants.POLICY.getLocalPart(), SPConstants.POLICY + .getNamespaceURI()); + + Token token = getInitiatorSignatureToken(); + if (token == null) { + throw new RuntimeException("InitiatorSignatureToken doesn't contain any token assertions"); + } + token.serialize(writer); + + // + writer.writeEndElement(); + + // + writer.writeEndElement(); + } +} Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java Thu Dec 8 13:29:05 
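Review bot: In `InitiatorSignatureToken.serialize`, the null-token check runs only after both `writeStartElement` calls, so the `RuntimeException` leaves two unclosed elements in the writer. Fetching the token and testing it before the first `writeStartElement` would fail before anything is written. Separately, `getName()` is fixed to `SP12Constants.INSTANCE` while `getRealName()` follows `constants`; that looks deliberate, since the interceptor provider registers only the SP12 QName, but it deserves a comment such as `// assertions are looked up under the SP12 name regardless of the policy's namespace; getRealName() keeps the original`.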
2011 @@ -102,6 +102,9 @@ public class AsymmetricBindingHandler ex private void doSignBeforeEncrypt() { try { TokenWrapper initiatorWrapper = abinding.getInitiatorToken(); + if (initiatorWrapper == null) { + initiatorWrapper = abinding.getInitiatorSignatureToken(); + } boolean attached = false; if (initiatorWrapper != null) { Token initiatorToken = initiatorWrapper.getToken(); @@ -141,7 +144,7 @@ public class AsymmetricBindingHandler ex } addSupportingTokens(sigs); - doSignature(sigs, attached); + doSignature(initiatorWrapper, sigs, attached); doEndorse(); } else { //confirm sig @@ -153,9 +156,8 @@ public class AsymmetricBindingHandler ex convertToEncryptionPart(timestampEl.getElement()); sigs.add(timestampPart); } - addSignatureConfirmation(sigs); - doSignature(sigs, attached); + doSignature(abinding.getRecipientToken(), sigs, attached); } List enc = getEncryptedParts(); @@ -194,10 +196,16 @@ public class AsymmetricBindingHandler ex wrapper = abinding.getRecipientToken(); } else { wrapper = abinding.getInitiatorToken(); + if (wrapper == null) { + wrapper = abinding.getInitiatorSignatureToken(); + } } encryptionToken = wrapper.getToken(); TokenWrapper initiatorWrapper = abinding.getInitiatorToken(); + if (initiatorWrapper == null) { + initiatorWrapper = abinding.getInitiatorSignatureToken(); + } boolean attached = false; if (initiatorWrapper != null) { Token initiatorToken = initiatorWrapper.getToken(); 
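Review bot: In the `@@ -194,10 +196,16 @@` hunk, `wrapper` can still be null after the new fallback when the binding has neither an InitiatorToken nor an InitiatorSignatureToken, and the next line `encryptionToken = wrapper.getToken();` dereferences it unguarded. Failing with a clear policy fault in that case would be better than a NullPointerException. The fallback also selects a token declared for signing as the encryption token in this branch; if that is intended, a comment should say so, e.g. `// no InitiatorToken in the policy: reuse the signature token here`. The same `getInitiatorToken()`-then-`getInitiatorSignatureToken()` fallback is written out three times across these hunks, so a small private helper would keep them consistent. The enclosing methods start and end outside the hunks.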
@@ -268,17 +276,16 @@ public class AsymmetricBindingHandler ex addSignatureConfirmation(sigParts); } - if ((sigParts.size() > 0 - && isRequestor() - && abinding.getInitiatorToken() != null) - || (!isRequestor() && abinding.getRecipientToken() != null)) { - try { - doSignature(sigParts, attached); - } catch (WSSecurityException ex) { - throw new Fault(ex); - } catch (SOAPException ex) { - throw new Fault(ex); + try { + if ((sigParts.size() > 0) && initiatorWrapper != null && isRequestor()) { + doSignature(initiatorWrapper, sigParts, attached); + } else if (!isRequestor() && abinding.getRecipientToken() != null) { + doSignature(abinding.getRecipientToken(), sigParts, attached); } + } catch (WSSecurityException ex) { + throw new Fault(ex); + } catch (SOAPException ex) { + throw new Fault(ex); } if (isRequestor()) { 
@@ -412,31 +419,36 @@ public class AsymmetricBindingHandler ex } private void assertUnusedTokens(TokenWrapper wrapper) { + if (wrapper == null) { + return; + } Collection ais = aim.getAssertionInfo(wrapper.getName()); - for (AssertionInfo ai : ais) { - if (ai.getAssertion() == wrapper) { - ai.setAsserted(true); + if (ais != null) { + for (AssertionInfo ai : ais) { + if (ai.getAssertion() == wrapper) { + ai.setAsserted(true); + } } } ais = aim.getAssertionInfo(wrapper.getToken().getName()); - for (AssertionInfo ai : ais) { - if (ai.getAssertion() == wrapper.getToken()) { - ai.setAsserted(true); + if (ais != null) { + for (AssertionInfo ai : ais) { + if (ai.getAssertion() == wrapper.getToken()) { + ai.setAsserted(true); + } } } } - private void doSignature(List sigParts, boolean attached) + private void doSignature(TokenWrapper wrapper, List sigParts, boolean attached) throws WSSecurityException, SOAPException { - Token sigToken = null; - TokenWrapper wrapper = null; - if (isRequestor()) { - wrapper = abinding.getInitiatorToken(); - } else { - wrapper = abinding.getRecipientToken(); + + if (!isRequestor()) { assertUnusedTokens(abinding.getInitiatorToken()); + assertUnusedTokens(abinding.getInitiatorSignatureToken()); } - sigToken = wrapper.getToken(); + + Token sigToken = wrapper.getToken(); sigParts.addAll(this.getSignedParts()); if (sigParts.isEmpty()) { // Add the BST to the security header if required Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (original) +++ 
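Review bot: `doSignature` now receives `wrapper` from its caller and calls `wrapper.getToken()` with no null check, while the `@@ -153,9 +156,8 @@` hunk passes `abinding.getRecipientToken()` without testing it. A binding lacking that token would therefore fail with a NullPointerException rather than a policy fault. `assertUnusedTokens` now guards `wrapper` and `ais`, but `wrapper.getToken().getName()` still assumes a non-null token, although InitiatorSignatureTokenBuilder sets one only when the alternative contains a `Token`. A guard before the second lookup would cover it: `Token token = wrapper.getToken(); if (token == null) { return; }`. The rest of `doSignature` lies outside the hunk.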
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Thu Dec 8 13:29:05 2011 @@ -123,6 +123,33 @@ public class AsymmetricBindingPolicyVali return false; } } + if (binding.getInitiatorSignatureToken() != null) { + Token token = binding.getInitiatorSignatureToken().getToken(); + if (token instanceof X509Token) { + boolean foundCert = false; + for (WSSecurityEngineResult result : signedResults) { + X509Certificate cert = + (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); + if (cert != null) { + foundCert = true; + break; + } + } + if (!foundCert && !signedResults.isEmpty()) { + String error = "An X.509 certificate was not used for the initiator signature token"; + notAssertPolicy(aim, binding.getInitiatorSignatureToken().getName(), error); + ai.setNotAsserted(error); + return false; + } + } + assertPolicy(aim, binding.getInitiatorSignatureToken()); + if (!checkDerivedKeys( + binding.getInitiatorSignatureToken(), hasDerivedKeys, signedResults, encryptedResults + )) { + ai.setNotAsserted("Message fails the DerivedKeys requirement"); + return false; + } + } if (binding.getRecipientToken() != null) { assertPolicy(aim, binding.getRecipientToken()); if (!checkDerivedKeys( Modified: cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java (original) +++ cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java Thu Dec 8 13:29:05 2011 
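Review bot: The new InitiatorSignatureToken block fails only when `!foundCert && !signedResults.isEmpty()`, so a message with no signature results at all passes this X.509 check. `foundCert` is also set by any signed result that carries a certificate, not specifically one tied to the initiator. Whether signature presence and signer identity are enforced elsewhere is not visible in this hunk; if they are, a comment should name the check, e.g. `// unsigned messages are rejected by <check that enforces signature presence>; only the token type is verified here`. If they are not, the empty case should set `ai.setNotAsserted(...)` and return false as well. The enclosing method starts and ends outside the hunk.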
@@ -278,6 +278,28 @@ public class X509TokenTest extends Abstr x509Port.doubleIt(25); } + @org.junit.Test + public void testAsymmetricSignature() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509TokenTest.class.getResource("client/client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509TokenTest.class.getResource("DoubleItX509Signature.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSignaturePort"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, PORT); + x509Port.doubleIt(25); + } + private boolean checkUnrestrictedPoliciesInstalled() { try { byte[] data = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07}; Added: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl?rev=1211875&view=auto ============================================================================== --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl (added) +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509Signature.wsdl Thu Dec 8 13:29:05 2011 
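Review bot: `testAsymmetricSignature` exercises only the success path and ignores whatever `x509Port.doubleIt(25)` returns, so it shows that a correctly signed request is accepted but not that a request lacking the required signature is rejected. A negative case against the same port, expecting a fault, would pin the enforcement side of the new policy support. The early `return` when `unrestrictedPoliciesInstalled` is false reports the test as passed without running it; `org.junit.Assume.assumeTrue(unrestrictedPoliciesInstalled);` would mark it as skipped instead. The `Bus` created here is not shut down in the visible lines.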
@@ -0,0 +1,124 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml (original) +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client/client.xml Thu Dec 8 13:29:05 2011 @@ -80,6 +80,20 @@ + + + + + + + + + + Modified: cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml URL: http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml?rev=1211875&r1=1211874&r2=1211875&view=diff ============================================================================== --- cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml (original) +++ cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server/server.xml Thu Dec 8 13:29:05 2011 @@ -142,6 +142,27 @@ + + + + + + + + + + +