cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1485693 [4/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav...
Date Thu, 23 May 2013 13:17:32 GMT
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java Thu May 23 13:17:26 2013
@@ -19,10 +19,14 @@
 
 package org.apache.cxf.ws.security.policy.interceptors;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
+import java.util.List;
 import java.util.logging.Logger;
 
+import javax.xml.namespace.QName;
+
 import org.w3c.dom.Element;
 
 import org.apache.cxf.binding.soap.SoapBindingConstants;
@@ -41,19 +45,10 @@ import org.apache.cxf.ws.addressing.Addr
 import org.apache.cxf.ws.addressing.JAXWSAConstants;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
+import org.apache.cxf.ws.security.trust.DefaultSymmetricBinding;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
@@ -61,8 +56,17 @@ import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
-import org.apache.ws.security.message.token.SecurityContextToken;
-import org.apache.ws.security.util.Base64;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants.SPVersion;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.utils.Base64;
 
 class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
     static final Logger LOG = LogUtils.getL7dLogger(SecureConversationInInterceptor.class);
@@ -70,19 +74,21 @@ class SecureConversationInInterceptor ex
     
     public SecureConversationInInterceptor() {
         super(Phase.PRE_PROTOCOL);
+        getBefore().add(WSS4JInInterceptor.class.getName());
     }
-    private Binding getBinding(AssertionInfoMap aim) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais != null && !ais.isEmpty()) {
-            return (Binding)ais.iterator().next().getAssertion();
-        }
-        ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais != null && !ais.isEmpty()) {
-            return (Binding)ais.iterator().next().getAssertion();
-        }
-        ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-        if (ais != null && !ais.isEmpty()) {
-            return (Binding)ais.iterator().next().getAssertion();
+    private AbstractBinding getBinding(AssertionInfoMap aim) {
+        Collection<AssertionInfo> ais = 
+            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {
+            return (AbstractBinding)ais.iterator().next().getAssertion();
+        }
+        ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {
+            return (AbstractBinding)ais.iterator().next().getAssertion();
+        }
+        ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        if (!ais.isEmpty()) {
+            return (AbstractBinding)ais.iterator().next().getAssertion();
         }
         return null;
     }
@@ -91,15 +97,17 @@ class SecureConversationInInterceptor ex
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
-            if (ais == null || ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+            if (ais.isEmpty()) {
                 return;
             }
             if (isRequestor(message)) {
                 //client side should be checked on the way out
                 for (AssertionInfo ai : ais) {
                     ai.setAsserted(true);
-                }      
+                }
+                assertPolicies(aim);
                 
                 Object s = message.getContextualProperty(SecurityConstants.STS_TOKEN_DO_CANCEL);
                 if (s != null && (Boolean.TRUE.equals(s) || "true".equalsIgnoreCase(s.toString()))) {
@@ -126,7 +134,7 @@ class SecureConversationInInterceptor ex
 
                 SecureConversationToken tok = (SecureConversationToken)ais.iterator()
                     .next().getAssertion();
-                Policy pol = tok.getBootstrapPolicy();
+                Policy pol = tok.getBootstrapPolicy().getPolicy();
                 if (s.endsWith("Cancel") || s.endsWith("/Renew")) {
                     //Cancel and Renew just sign with the token
                     Policy p = new Policy();
@@ -136,31 +144,52 @@ class SecureConversationInInterceptor ex
                     Assertion ass = NegotiationUtils.getAddressingPolicy(aim, false);
                     all.addPolicyComponent(ass);
                     ea.addPolicyComponent(all);
-                    PolicyBuilder pbuilder = message.getExchange().getBus()
-                        .getExtension(PolicyBuilder.class);
-                    SymmetricBinding binding = new SymmetricBinding(SP12Constants.INSTANCE, pbuilder);
+                    
+                    final SecureConversationToken secureConversationToken = 
+                        new SecureConversationToken(
+                            SPConstants.SPVersion.SP12,
+                            SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+                            null,
+                            null,
+                            null,
+                            null
+                        );
+                    secureConversationToken.setOptional(true);
+                    
+                    class InternalProtectionToken extends ProtectionToken {
+                        public InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
+                            super(version, nestedPolicy);
+                            super.setToken(secureConversationToken);
+                        }
+                    }
+                    
+                    DefaultSymmetricBinding binding = 
+                        new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
+                    binding.setProtectionToken(
+                        new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy())
+                    );
                     binding.setIncludeTimestamp(true);
-                    ProtectionToken token = new ProtectionToken(SP12Constants.INSTANCE, pbuilder);
-                    token.setToken(new SecureConversationToken(SP12Constants.INSTANCE));
-                    binding.setProtectionToken(token);
-                    binding.setEntireHeadersAndBodySignatures(true);
+                    binding.setOnlySignEntireHeadersAndBody(true);
+                    binding.setProtectTokens(false);
                     
-                    Binding origBinding = getBinding(aim);
+                    AbstractBinding origBinding = getBinding(aim);
                     binding.setAlgorithmSuite(origBinding.getAlgorithmSuite());
                     all.addPolicyComponent(binding);
                     
-                    SignedEncryptedParts parts = new SignedEncryptedParts(true, 
-                                                                          SP12Constants.INSTANCE);
-                    parts.setBody(true);
+                    List<Header> headers = null;
                     if (addNs != null) {
-                        parts.addHeader(new Header("To", addNs));
-                        parts.addHeader(new Header("From", addNs));
-                        parts.addHeader(new Header("FaultTo", addNs));
-                        parts.addHeader(new Header("ReplyTO", addNs));
-                        parts.addHeader(new Header("MessageID", addNs));
-                        parts.addHeader(new Header("RelatesTo", addNs));
-                        parts.addHeader(new Header("Action", addNs));
+                        headers = new ArrayList<Header>();
+                        headers.add(new Header("To", addNs));
+                        headers.add(new Header("From", addNs));
+                        headers.add(new Header("FaultTo", addNs));
+                        headers.add(new Header("ReplyTo", addNs));
+                        headers.add(new Header("Action", addNs));
+                        headers.add(new Header("MessageID", addNs));
+                        headers.add(new Header("RelatesTo", addNs));
                     }
+                    
+                    SignedParts parts = 
+                        new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
                     all.addPolicyComponent(parts);
                     pol = p;
                     message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
@@ -187,8 +216,23 @@ class SecureConversationInInterceptor ex
             } else {
                 message.getInterceptorChain().add(SecureConversationTokenFinderInterceptor.INSTANCE);
             }
+            
+            assertPolicies(aim);
         }
     }
+    
+    private void assertPolicies(AssertionInfoMap aim) {
+        NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
+        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
+        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
+        QName oldCancelQName = 
+            new QName(
+                "http://schemas.microsoft.com/ws/2005/07/securitypolicy", 
+                SPConstants.MUST_NOT_SEND_CANCEL
+            );
+        NegotiationUtils.assertPolicy(aim, oldCancelQName);
+    }
 
     private void unmapSecurityProps(Message message) {
         Exchange ex = message.getExchange();
@@ -311,8 +355,9 @@ class SecureConversationInInterceptor ex
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             // extract Assertion information
             if (aim != null) {
-                Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
-                if (ais == null || ais.isEmpty()) {
+                Collection<AssertionInfo> ais = 
+                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+                if (ais.isEmpty()) {
                     return;
                 }
                 for (AssertionInfo inf : ais) {
@@ -341,8 +386,9 @@ class SecureConversationInInterceptor ex
             if (aim == null) {
                 return;
             }
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
-            if (ais == null || ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+            if (ais.isEmpty()) {
                 return;
             }
             

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java Thu May 23 13:17:26 2013
@@ -32,14 +32,14 @@ import org.apache.cxf.ws.addressing.Addr
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.ws.security.WSConstants;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
 
 class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
     public SecureConversationOutInterceptor() {
@@ -49,8 +49,9 @@ class SecureConversationOutInterceptor e
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURE_CONVERSATION_TOKEN);
-            if (ais == null || ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+            if (ais.isEmpty()) {
                 return;
             }
             if (isRequestor(message)) {
@@ -79,8 +80,8 @@ class SecureConversationOutInterceptor e
                     message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getId());
                     message.getExchange().put(SecurityConstants.TOKEN, tok);
                     NegotiationUtils.getTokenStore(message).add(tok);
-                    
                 }
+                NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
             } else {
                 //server side should be checked on the way in
                 for (AssertionInfo ai : ais) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -29,18 +29,17 @@ import org.apache.cxf.common.logging.Log
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants.SupportTokenType;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.neethi.All;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
 
 /**
  * 
@@ -53,7 +52,9 @@ public class SecureConversationTokenInte
 
     public SecureConversationTokenInterceptorProvider() {
         super(Arrays.asList(SP11Constants.SECURE_CONVERSATION_TOKEN,
-                            SP12Constants.SECURE_CONVERSATION_TOKEN));
+                            SP12Constants.SECURE_CONVERSATION_TOKEN,
+                            SP12Constants.BOOTSTRAP_POLICY,
+                            SP11Constants.BOOTSTRAP_POLICY));
         this.getOutInterceptors().add(new SecureConversationOutInterceptor());
         this.getOutFaultInterceptors().add(new SecureConversationOutInterceptor());
         this.getInInterceptors().add(new SecureConversationInInterceptor());
@@ -67,7 +68,7 @@ public class SecureConversationTokenInte
                             boolean endorse) {
         client.setTrust(NegotiationUtils.getTrust10(aim));
         client.setTrust(NegotiationUtils.getTrust13(aim));
-        Policy pol = itok.getBootstrapPolicy();
+        Policy pol = itok.getBootstrapPolicy().getPolicy();
         Policy p = new Policy();
         ExactlyOne ea = new ExactlyOne();
         p.addPolicyComponent(ea);
@@ -76,10 +77,10 @@ public class SecureConversationTokenInte
         ea.addPolicyComponent(all);
         
         if (endorse) {
-            SupportingToken st = new SupportingToken(SupportTokenType.SUPPORTING_TOKEN_ENDORSING,
-                                                     SP12Constants.INSTANCE,
-                                                     message.getExchange()
-                                                         .getBus().getExtension(PolicyBuilder.class));
+            SupportingTokens st = 
+                new SupportingTokens(SPConstants.SPVersion.SP12, 
+                                     SP12Constants.SupportingTokenTypes.EndorsingSupportingTokens,
+                                     new Policy());
             st.addToken(itok);
             all.addPolicyComponent(st);
         }
@@ -94,7 +95,7 @@ public class SecureConversationTokenInte
         AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
         if (suite != null) {
             client.setAlgorithmSuite(suite);
-            int x = suite.getMaximumSymmetricKeyLength();
+            int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
             if (x < 256) {
                 client.setKeySize(x);
             }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java Thu May 23 13:17:26 2013
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.polic
 import java.util.Collection;
 import java.util.logging.Logger;
 
-import javax.xml.namespace.QName;
-
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.interceptor.Fault;
@@ -33,7 +31,8 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
 
 /**
  * Interceptor verifies critical policy security assertions for client side
@@ -59,37 +58,43 @@ public class SecurityVerificationOutInte
         if (MessageUtils.isRequestor(message)) {
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             if (aim != null) {
-                Collection<AssertionInfo> aisTransport = aim.get(SP12Constants.TRANSPORT_BINDING);
-                Collection<AssertionInfo> aisAssymetric = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-                Collection<AssertionInfo> aisSymetric = aim.get(SP12Constants.SYMMETRIC_BINDING);
-                if (((aisTransport == null) || aisTransport.isEmpty()) 
-                    && ((aisAssymetric == null) || aisAssymetric.isEmpty()) 
-                    && ((aisSymetric == null) || aisSymetric.isEmpty())) {
+                Collection<AssertionInfo> aisTransport = 
+                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+                Collection<AssertionInfo> aisAssymetric = 
+                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+                Collection<AssertionInfo> aisSymetric = 
+                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+                
+                if (aisTransport.isEmpty() && aisAssymetric.isEmpty() && aisSymetric.isEmpty()) {
+                    
+                    Collection<AssertionInfo> aisSignedParts = 
+                        NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+                    checkAssertion(aisSignedParts, SPConstants.SIGNED_PARTS);
                     
-                    Collection<AssertionInfo> aisSignedParts = aim.get(SP12Constants.SIGNED_PARTS);
-                    checkAssertion(aisSignedParts, SP12Constants.SIGNED_PARTS);
                     Collection<AssertionInfo> aisSignedElements = aim.get(SP12Constants.SIGNED_ELEMENTS);
-                    checkAssertion(aisSignedElements, SP12Constants.SIGNED_ELEMENTS);
+                    checkAssertion(aisSignedElements, SPConstants.SIGNED_ELEMENTS);
                     
                     Collection<AssertionInfo> aisEncryptedParts = aim.get(SP12Constants.ENCRYPTED_PARTS);
-                    checkAssertion(aisEncryptedParts, SP12Constants.ENCRYPTED_PARTS);
+                    checkAssertion(aisEncryptedParts, SPConstants.ENCRYPTED_PARTS);
+                    
                     Collection<AssertionInfo> aisEncryptedElements = 
                         aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
-                    checkAssertion(aisEncryptedElements, SP12Constants.ENCRYPTED_ELEMENTS);
+                    checkAssertion(aisEncryptedElements, SPConstants.ENCRYPTED_ELEMENTS);
+                    
                     Collection<AssertionInfo> aisContentEncryptedElements = 
                         aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
-                    checkAssertion(aisContentEncryptedElements, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
+                    checkAssertion(aisContentEncryptedElements, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
                 }
             }
         }
     }
 
-    private void checkAssertion(Collection<AssertionInfo> ais, QName assertion) {
+    private void checkAssertion(Collection<AssertionInfo> ais, String assertionName) {
         if ((ais != null) && (!ais.isEmpty())) {
             String error = String
                 .format("%s assertion cannot be fulfilled without binding. "
                         + "At least one binding assertion (%s, %s, %s) must be specified in policy.",
-                        assertion.getLocalPart(), SP12Constants.TRANSPORT_BINDING.getLocalPart(),
+                        assertionName, SP12Constants.TRANSPORT_BINDING.getLocalPart(),
                         SP12Constants.ASYMMETRIC_BINDING.getLocalPart(),
                         SP12Constants.SYMMETRIC_BINDING.getLocalPart());
             AssertionInfo info = ais.iterator().next();

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java Thu May 23 13:17:26 2013
@@ -43,7 +43,6 @@ import org.apache.cxf.ws.addressing.JAXW
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSUtils;
@@ -52,12 +51,13 @@ import org.apache.neethi.All;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.SecurityContextToken;
-import org.apache.ws.security.spnego.SpnegoTokenContext;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.SecurityContextToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.xml.security.utils.Base64;
 
 class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
     static final Logger LOG = LogUtils.getL7dLogger(SpnegoContextTokenInInterceptor.class);
@@ -70,8 +70,9 @@ class SpnegoContextTokenInInterceptor ex
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
-            if (ais == null || ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+            if (ais.isEmpty()) {
                 return;
             }
             if (isRequestor(message)) {
@@ -348,8 +349,9 @@ class SpnegoContextTokenInInterceptor ex
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             // extract Assertion information
             if (aim != null) {
-                Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
-                if (ais == null || ais.isEmpty()) {
+                Collection<AssertionInfo> ais = 
+                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+                if (ais.isEmpty()) {
                     return;
                 }
                 for (AssertionInfo inf : ais) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java Thu May 23 13:17:26 2013
@@ -32,16 +32,16 @@ import org.apache.cxf.ws.addressing.Addr
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.spnego.SpnegoClientAction;
-import org.apache.ws.security.spnego.SpnegoTokenContext;
-import org.apache.ws.security.util.Base64;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.spnego.SpnegoClientAction;
+import org.apache.wss4j.common.spnego.SpnegoTokenContext;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.utils.Base64;
 
 class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
     public SpnegoContextTokenOutInterceptor() {
@@ -51,8 +51,9 @@ class SpnegoContextTokenOutInterceptor e
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
         // extract Assertion information
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.SPNEGO_CONTEXT_TOKEN);
-            if (ais == null || ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+            if (ais.isEmpty()) {
                 return;
             }
             if (isRequestor(message)) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -30,14 +30,14 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.neethi.All;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
-import org.apache.ws.security.WSSConfig;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
 
 /**
  * 
@@ -79,7 +79,7 @@ public class SpnegoTokenInterceptorProvi
         AlgorithmSuite suite = NegotiationUtils.getAlgorithmSuite(aim);
         if (suite != null) {
             client.setAlgorithmSuite(suite);
-            int x = suite.getMaximumSymmetricKeyLength();
+            int x = suite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();
             if (x < 256) {
                 client.setKeySize(x);
             }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -26,8 +26,9 @@ import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 
 /**
  * 
@@ -39,6 +40,7 @@ public class UsernameTokenInterceptorPro
         ASSERTION_TYPES = new ArrayList<QName>();
         
         ASSERTION_TYPES.add(SP12Constants.USERNAME_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.USERNAME_TOKEN);
     }
 
     public UsernameTokenInterceptorProvider() {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,9 +25,12 @@ import java.util.Collection;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP12Constants;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
+import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 
 /**
  * 
@@ -41,6 +44,10 @@ public class WSSecurityInterceptorProvid
         ASSERTION_TYPES.add(SP12Constants.TRANSPORT_BINDING);
         ASSERTION_TYPES.add(SP12Constants.ASYMMETRIC_BINDING);
         ASSERTION_TYPES.add(SP12Constants.SYMMETRIC_BINDING);
+        
+        ASSERTION_TYPES.add(SP11Constants.TRANSPORT_BINDING);
+        ASSERTION_TYPES.add(SP11Constants.ASYMMETRIC_BINDING);
+        ASSERTION_TYPES.add(SP11Constants.SYMMETRIC_BINDING);
     }
 
     public WSSecurityInterceptorProvider() {
@@ -49,5 +56,10 @@ public class WSSecurityInterceptorProvid
         this.getOutFaultInterceptors().add(PolicyBasedWSS4JOutInterceptor.INSTANCE);
         this.getInInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
         this.getInFaultInterceptors().add(PolicyBasedWSS4JInInterceptor.INSTANCE);
+        
+        this.getOutInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+        this.getOutFaultInterceptors().add(PolicyBasedWSS4JStaxOutInterceptor.INSTANCE);
+        this.getInInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
+        this.getInFaultInterceptors().add(PolicyBasedWSS4JStaxInInterceptor.INSTANCE);
     }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/WSSecurityPolicyInterceptorProvider.java Thu May 23 13:17:26 2013
@@ -25,8 +25,8 @@ import java.util.Collection;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 
 /**
  * 
@@ -39,9 +39,13 @@ public class WSSecurityPolicyInterceptor
         ASSERTION_TYPES.add(SP12Constants.LAYOUT);
         ASSERTION_TYPES.add(SP12Constants.INCLUDE_TIMESTAMP);
         ASSERTION_TYPES.add(SP12Constants.ALGORITHM_SUITE);
+        ASSERTION_TYPES.add(SP12Constants.ENCRYPT_SIGNATURE);
+        ASSERTION_TYPES.add(SP12Constants.PROTECT_TOKENS);
+        ASSERTION_TYPES.add(SP12Constants.ENCRYPT_BEFORE_SIGNING);
+        ASSERTION_TYPES.add(SP12Constants.SIGN_BEFORE_ENCRYPTING);
+        ASSERTION_TYPES.add(SP12Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
         ASSERTION_TYPES.add(SP12Constants.WSS10);
         ASSERTION_TYPES.add(SP12Constants.WSS11);
-        ASSERTION_TYPES.add(SP11Constants.TRUST_10);
         ASSERTION_TYPES.add(SP12Constants.TRUST_13);
         ASSERTION_TYPES.add(SP12Constants.PROTECTION_TOKEN);
         ASSERTION_TYPES.add(SP12Constants.X509_TOKEN);
@@ -61,14 +65,48 @@ public class WSSecurityPolicyInterceptor
         ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_ELEMENTS);
         ASSERTION_TYPES.add(SP12Constants.SIGNED_ELEMENTS);
         ASSERTION_TYPES.add(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
-        ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSupportingTokens());
-        ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedSupportingTokens());
-        ASSERTION_TYPES.add(SP12Constants.INSTANCE.getEndorsingSupportingTokens());
-        ASSERTION_TYPES.add(SP12Constants.INSTANCE.getSignedEndorsingSupportingTokens());
+        ASSERTION_TYPES.add(SP12Constants.SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP12Constants.SIGNED_SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
         ASSERTION_TYPES.add(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
         ASSERTION_TYPES.add(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         ASSERTION_TYPES.add(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         ASSERTION_TYPES.add(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        
+        ASSERTION_TYPES.add(SP11Constants.LAYOUT);
+        ASSERTION_TYPES.add(SP11Constants.INCLUDE_TIMESTAMP);
+        ASSERTION_TYPES.add(SP11Constants.ALGORITHM_SUITE);
+        ASSERTION_TYPES.add(SP11Constants.ENCRYPT_SIGNATURE);
+        ASSERTION_TYPES.add(SP11Constants.PROTECT_TOKENS);
+        ASSERTION_TYPES.add(SP11Constants.ENCRYPT_BEFORE_SIGNING);
+        ASSERTION_TYPES.add(SP11Constants.SIGN_BEFORE_ENCRYPTING);
+        ASSERTION_TYPES.add(SP11Constants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
+        ASSERTION_TYPES.add(SP11Constants.WSS10);
+        ASSERTION_TYPES.add(SP11Constants.WSS11);
+        ASSERTION_TYPES.add(SP11Constants.TRUST_10);
+        ASSERTION_TYPES.add(SP11Constants.PROTECTION_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.X509_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.ENCRYPTION_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.SIGNATURE_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.TRANSPORT_TOKEN);            
+        ASSERTION_TYPES.add(SP11Constants.INITIATOR_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.INITIATOR_SIGNATURE_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.INITIATOR_ENCRYPTION_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.RECIPIENT_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.RECIPIENT_SIGNATURE_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.RECIPIENT_ENCRYPTION_TOKEN);
+        ASSERTION_TYPES.add(SP11Constants.SIGNED_PARTS);
+        ASSERTION_TYPES.add(SP11Constants.REQUIRED_PARTS);
+        ASSERTION_TYPES.add(SP11Constants.REQUIRED_ELEMENTS);
+        ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_PARTS);
+        ASSERTION_TYPES.add(SP11Constants.ENCRYPTED_ELEMENTS);
+        ASSERTION_TYPES.add(SP11Constants.SIGNED_ELEMENTS);
+        ASSERTION_TYPES.add(SP11Constants.CONTENT_ENCRYPTED_ELEMENTS);
+        ASSERTION_TYPES.add(SP11Constants.SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP11Constants.SIGNED_SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP11Constants.ENDORSING_SUPPORTING_TOKENS);
+        ASSERTION_TYPES.add(SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
     }
 
     public WSSecurityPolicyInterceptorProvider() {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/EHCacheTokenStore.java Thu May 23 13:17:26 2013
@@ -37,7 +37,7 @@ import org.apache.cxf.Bus;
 import org.apache.cxf.buslifecycle.BusLifeCycleListener;
 import org.apache.cxf.buslifecycle.BusLifeCycleManager;
 import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.ws.security.cache.EHCacheManagerHolder;
+import org.apache.wss4j.common.cache.EHCacheManagerHolder;
 
 /**
  * An in-memory EHCache implementation of the TokenStore interface. The default TTL is 60 minutes
@@ -59,7 +59,7 @@ public class EHCacheTokenStore implement
             b.getExtension(BusLifeCycleManager.class).registerLifeCycleListener(this);
         }
 
-        cacheManager = EHCacheManagerHolder.getCacheManager(bus, configFileURL);
+        cacheManager = EHCacheManagerHolder.getCacheManager(configFileURL);
         // Cannot overflow to disk as SecurityToken Elements can't be serialized
         CacheConfiguration cc = EHCacheManagerHolder.getCacheConfiguration(key, cacheManager);
         cc.overflowToDisk(false); //tokens not writable

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/SecurityToken.java Thu May 23 13:17:26 2013
@@ -33,10 +33,10 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamWriter;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
 
 
 /**

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/tokenstore/TokenStoreFactory.java Thu May 23 13:17:26 2013
@@ -26,7 +26,6 @@ import org.apache.cxf.common.classloader
 import org.apache.cxf.message.Message;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.cache.ReplayCacheFactory;
 
 /**
  * An abstract factory to return a TokenStore instance. It returns an EHCacheTokenStoreFactory
@@ -69,7 +68,7 @@ public abstract class TokenStoreFactory 
             url = rm.resolveResource((String)o, URL.class);
             try {
                 if (url == null) {
-                    url = ClassLoaderUtils.getResource((String)o, ReplayCacheFactory.class);
+                    url = ClassLoaderUtils.getResource((String)o, TokenStoreFactory.class);
                 }
                 if (url == null) {
                     url = new URL((String)o);

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java Thu May 23 13:17:26 2013
@@ -25,6 +25,7 @@ import java.io.StringReader;
 import java.net.URL;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -91,16 +92,6 @@ import org.apache.cxf.ws.policy.PolicyCo
 import org.apache.cxf.ws.policy.PolicyEngine;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Trust10;
-import org.apache.cxf.ws.security.policy.model.Trust13;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
 import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
@@ -111,27 +102,39 @@ import org.apache.neethi.All;
 import org.apache.neethi.ExactlyOne;
 import org.apache.neethi.Policy;
 import org.apache.neethi.PolicyComponent;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.components.crypto.CryptoType;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.conversation.dkalgo.P_SHA1;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.Reference;
-import org.apache.ws.security.processor.EncryptedKeyProcessor;
-import org.apache.ws.security.processor.X509Util;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.ws.security.util.XmlSchemaDateFormat;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.derivedKey.P_SHA1;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.Reference;
+import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
+import org.apache.wss4j.dom.processor.X509Util;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SPConstants.SPVersion;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.Trust10;
+import org.apache.wss4j.policy.model.Trust13;
+import org.apache.xml.security.exceptions.Base64DecodingException;
 import org.apache.xml.security.keys.content.X509Data;
 import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
 import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
+import org.apache.xml.security.utils.Base64;
 
 /**
  * An abstract class with some functionality to invoke on a SecurityTokenService (STS) via the
@@ -159,7 +162,7 @@ public abstract class AbstractSTSClient 
     protected AlgorithmSuite algorithmSuite;
     protected String namespace = STSUtils.WST_NS_05_12;
     protected String addressingNamespace = "http://www.w3.org/2005/08/addressing";
-    protected String wspNamespace = SPConstants.P_NS;
+    protected String wspNamespace = "http://www.w3.org/ns/ws-policy";
     protected Object onBehalfOf;
     protected boolean enableAppliesTo = true;
 
@@ -440,8 +443,8 @@ public abstract class AbstractSTSClient 
             while (i.hasNext() && algorithmSuite == null) {
                 List<PolicyComponent> p = CastUtils.cast((List<?>)i.next());
                 for (PolicyComponent p2 : p) {
-                    if (p2 instanceof Binding) {
-                        algorithmSuite = ((Binding)p2).getAlgorithmSuite();
+                    if (p2 instanceof AbstractBinding) {
+                        algorithmSuite = ((AbstractBinding)p2).getAlgorithmSuite();
                     }
                 }
             }
@@ -812,8 +815,9 @@ public abstract class AbstractSTSClient 
             if (algorithmSuite == null) {
                 requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
             } else {
+                AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
                 requestorEntropy = WSSecurityUtil
-                    .generateNonce(algorithmSuite.getMaximumSymmetricKeyLength() / 8);
+                    .generateNonce(algType.getMaximumSymmetricKeyLength() / 8);
             }
             writer.writeCharacters(Base64.encode(requestorEntropy));
 
@@ -1050,38 +1054,52 @@ public abstract class AbstractSTSClient 
             All all = new All();
             one.addPolicyComponent(all);
             all.addAssertion(getAddressingAssertion());
+
+            final SecureConversationToken secureConversationToken = 
+                new SecureConversationToken(
+                    SPConstants.SPVersion.SP12,
+                    SPConstants.IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT,
+                    null,
+                    null,
+                    null,
+                    null
+                );
+            secureConversationToken.setOptional(true);
+            
+            class InternalProtectionToken extends ProtectionToken {
+                public InternalProtectionToken(SPVersion version, Policy nestedPolicy) {
+                    super(version, nestedPolicy);
+                    super.setToken(secureConversationToken);
+                }
+            }
             
-            PolicyBuilder pbuilder = bus.getExtension(PolicyBuilder.class);
-            SymmetricBinding binding = new SymmetricBinding(pbuilder);
+            DefaultSymmetricBinding binding = 
+                new DefaultSymmetricBinding(SPConstants.SPVersion.SP12, new Policy());
             all.addAssertion(binding);
             all.addAssertion(getAddressingAssertion());
-            ProtectionToken ptoken = new ProtectionToken(pbuilder);
-            binding.setProtectionToken(ptoken);
+            binding.setProtectionToken(
+                new InternalProtectionToken(SPConstants.SPVersion.SP12, new Policy())
+            );
             binding.setIncludeTimestamp(true);
-            binding.setEntireHeadersAndBodySignatures(true);
-            binding.setTokenProtection(false);
-            AlgorithmSuite suite = new AlgorithmSuite();
-            binding.setAlgorithmSuite(suite);
-            SecureConversationToken sct = new SecureConversationToken();
-            sct.setOptional(true);
-            ptoken.setToken(sct);
-            
-            SignedEncryptedParts parts = new SignedEncryptedParts(true);
-            parts.setOptional(true);
-            parts.setBody(true);
+            binding.setOnlySignEntireHeadersAndBody(true);
+            binding.setProtectTokens(false);
             
             String addrNamespace = addressingNamespace;
             if (addrNamespace == null) {
                 addrNamespace = "http://www.w3.org/2005/08/addressing";
             }
             
-            parts.addHeader(new Header("To", addrNamespace));
-            parts.addHeader(new Header("From", addrNamespace));
-            parts.addHeader(new Header("FaultTo", addrNamespace));
-            parts.addHeader(new Header("ReplyTo", addrNamespace));
-            parts.addHeader(new Header("Action", addrNamespace));
-            parts.addHeader(new Header("MessageID", addrNamespace));
-            parts.addHeader(new Header("RelatesTo", addrNamespace));
+            List<Header> headers = new ArrayList<Header>();
+            headers.add(new Header("To", addrNamespace));
+            headers.add(new Header("From", addrNamespace));
+            headers.add(new Header("FaultTo", addrNamespace));
+            headers.add(new Header("ReplyTo", addrNamespace));
+            headers.add(new Header("Action", addrNamespace));
+            headers.add(new Header("MessageID", addrNamespace));
+            headers.add(new Header("RelatesTo", addrNamespace));
+            
+            SignedParts parts = new SignedParts(SPConstants.SPVersion.SP12, true, null, headers, false);
+            parts.setOptional(true);
             all.addPolicyComponent(parts);
             
             client.getRequestContext().put(PolicyConstants.POLICY_OVERRIDE, cancelPolicy);
@@ -1223,7 +1241,7 @@ public abstract class AbstractSTSClient 
     }
 
     protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy)
-        throws WSSecurityException {
+        throws WSSecurityException, Base64DecodingException {
 
         if ("RequestSecurityTokenResponseCollection".equals(el.getLocalName())) {
             el = DOMUtils.getFirstElement(el);
@@ -1337,7 +1355,7 @@ public abstract class AbstractSTSClient 
         return token;
     }
     
-    protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException {
+    protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException, Base64DecodingException {
         String encryptionAlgorithm = X509Util.getEncAlgo(child);
         // For the SPNEGO case just return the decoded cipher value and decrypt it later
         if (encryptionAlgorithm != null && encryptionAlgorithm.endsWith("spnego#GSS_Wrap")) {
@@ -1354,7 +1372,7 @@ public abstract class AbstractSTSClient 
                 }
             }
             if (cipherValue == null) {
-                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noCipher");
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
             }
             return cipherValue;
         } else {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java Thu May 23 13:17:26 2013
@@ -33,9 +33,9 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.validate.Credential;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
 
 public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Message> {
 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSSamlAssertionValidator.java Thu May 23 13:17:26 2013
@@ -19,11 +19,11 @@
 
 package org.apache.cxf.ws.security.trust;
 
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.SamlAssertionValidator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.SamlAssertionValidator;
 
 /**
  * This class validates a SAML Assertion by invoking the SamlAssertionValidator in WSS4J. It 
@@ -56,7 +56,7 @@ public class STSSamlAssertionValidator e
      */
     @Override
     protected Credential verifySignedAssertion(
-        AssertionWrapper assertion,
+        SamlAssertionWrapper assertion,
         RequestData data
     ) throws WSSecurityException {
         try {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSTokenValidator.java Thu May 23 13:17:26 2013
@@ -31,11 +31,11 @@ import org.apache.cxf.ws.security.Securi
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.tokenstore.TokenStoreFactory;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.validate.Credential;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.Credential;
+import org.apache.wss4j.dom.validate.Validator;
 
 /**
  * 
@@ -70,13 +70,13 @@ public class STSTokenValidator implement
             SecurityToken token = new SecurityToken();
             Element tokenElement = null;
             int hash = 0;
-            if (credential.getAssertion() != null) {
-                AssertionWrapper assertion = credential.getAssertion();
+            if (credential.getSamlAssertion() != null) {
+                SamlAssertionWrapper assertion = credential.getSamlAssertion();
                 byte[] signatureValue = assertion.getSignatureValue();
                 if (signatureValue != null && signatureValue.length > 0) {
                     hash = Arrays.hashCode(signatureValue);
                 }
-                tokenElement = credential.getAssertion().getElement();
+                tokenElement = credential.getSamlAssertion().getElement();
             } else if (credential.getUsernametoken() != null) {
                 tokenElement = credential.getUsernametoken().getElement();
                 hash = credential.getUsernametoken().hashCode();
@@ -93,7 +93,7 @@ public class STSTokenValidator implement
             if (tokenStore != null && hash != 0) {
                 SecurityToken transformedToken = getTransformedToken(tokenStore, hash);
                 if (transformedToken != null) {
-                    AssertionWrapper assertion = new AssertionWrapper(transformedToken.getToken());
+                    SamlAssertionWrapper assertion = new SamlAssertionWrapper(transformedToken.getToken());
                     credential.setTransformedToken(assertion);
                     return credential;
                 }
@@ -106,7 +106,7 @@ public class STSTokenValidator implement
                 List<SecurityToken> tokens = c.validateSecurityToken(token);
                 SecurityToken returnedToken = tokens.get(0);
                 if (returnedToken != token) {
-                    AssertionWrapper assertion = new AssertionWrapper(returnedToken.getToken());
+                    SamlAssertionWrapper assertion = new SamlAssertionWrapper(returnedToken.getToken());
                     credential.setTransformedToken(assertion);
                     if (hash != 0) {
                         tokenStore.add(returnedToken);
@@ -119,7 +119,7 @@ public class STSTokenValidator implement
         } catch (RuntimeException e) {
             throw e;
         } catch (Exception e) {
-            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e);
         }
     }
     
@@ -147,14 +147,14 @@ public class STSTokenValidator implement
     protected boolean isValidatedLocally(Credential credential, RequestData data) 
         throws WSSecurityException {
         
-        if (!alwaysValidateToSts && credential.getAssertion() != null) {
+        if (!alwaysValidateToSts && credential.getSamlAssertion() != null) {
             try {
                 samlValidator.validate(credential, data);
                 return samlValidator.isTrustVerificationSucceeded();
             } catch (RuntimeException e) {
                 throw e;
             } catch (Exception e) {
-                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity", null, e);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity", null, e);
             }
         }
         return false;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSUtils.java Thu May 23 13:17:26 2013
@@ -19,6 +19,7 @@
 
 package org.apache.cxf.ws.security.trust;
 
+import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
@@ -44,9 +45,11 @@ import org.apache.cxf.service.model.Oper
 import org.apache.cxf.service.model.ServiceInfo;
 import org.apache.cxf.transport.ConduitInitiator;
 import org.apache.cxf.transport.ConduitInitiatorManager;
+import org.apache.cxf.ws.addressing.EndpointReferenceType;
+import org.apache.cxf.ws.addressing.VersionTransformer;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
 import org.apache.neethi.Policy;
+import org.apache.wss4j.policy.model.IssuedToken;
 
 /**
  * 
@@ -102,12 +105,18 @@ public final class STSUtils {
             if (MessageUtils.getContextualBoolean(message, SecurityConstants.STS_CLIENT_SOAP12_BINDING, false)) {
                 client.setSoap12();
             }
-            if ((itok != null) && (itok.getIssuerEpr() != null)) {
+            if ((itok != null) && (itok.getIssuer() != null)) {
+                EndpointReferenceType epr = null;
+                try {
+                    epr = VersionTransformer.parseEndpointReference(itok.getIssuer());
+                } catch (JAXBException e) {
+                    throw new IllegalArgumentException(e);
+                }
                 //configure via mex
                 boolean useEPRWSAAddrAsMEXLocation = !Boolean.valueOf(
                         (String)message.getContextualProperty(
                          SecurityConstants.DISABLE_STS_CLIENT_WSMEX_CALL_USING_EPR_ADDRESS));
-                client.configureViaEPR(itok.getIssuerEpr(), useEPRWSAAddrAsMEXLocation);
+                client.configureViaEPR(epr, useEPRWSAAddrAsMEXLocation);
             }
         }
         return client;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java Thu May 23 13:17:26 2013
@@ -33,13 +33,13 @@ import org.apache.cxf.binding.soap.SoapM
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 
 /**
  * This CallbackHandler implementation obtains the previously received message from a 
@@ -97,8 +97,8 @@ public class ReceivedTokenCallbackHandle
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.ST_SIGNED
                 || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                AssertionWrapper assertion = 
-                    (AssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlAssertionWrapper assertion = 
+                    (SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 return assertion.getElement();
             } else if (actInt.intValue() == WSConstants.UT
                 || actInt.intValue() == WSConstants.UT_NOPASSWORD) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java Thu May 23 13:17:26 2013
@@ -31,7 +31,7 @@ import org.w3c.dom.Node;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.dom.message.token.UsernameToken;
 
 /**
  * This CallbackHandler implementation obtains a username via the jaxws property 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.logging.Logger;
 
@@ -48,11 +49,13 @@ import org.apache.cxf.ws.policy.Assertio
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
 
 /**
  * An abstract interceptor that can be used to form the basis of an interceptor to add and process
@@ -70,6 +73,7 @@ public abstract class AbstractTokenInter
         super(Phase.PRE_PROTOCOL);
         addAfter(PolicyBasedWSS4JOutInterceptor.class.getName());
         addAfter(PolicyBasedWSS4JInInterceptor.class.getName());
+        addAfter(PolicyBasedWSS4JStaxInInterceptor.class.getName());
     }
     
     public Set<QName> getUnderstoodHeaders() {
@@ -78,6 +82,12 @@ public abstract class AbstractTokenInter
 
     public void handleMessage(SoapMessage message) throws Fault {
 
+        boolean enableStax = 
+            MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+        if (enableStax) {
+            return;
+        }
+        
         boolean isReq = MessageUtils.isRequestor(message);
         boolean isOut = MessageUtils.isOutbound(message);
         
@@ -106,26 +116,64 @@ public abstract class AbstractTokenInter
     
     protected abstract void addToken(SoapMessage message);
     
-    protected abstract Token assertTokens(SoapMessage message);
+    protected abstract AbstractToken assertTokens(SoapMessage message);
     
-    protected Token assertTokens(SoapMessage message, QName assertion, boolean signed) {
+    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim,
+        String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+            
+        return Collections.emptySet();
+    }
+    
+    protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(assertion);
-        Token tok = null;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        AbstractToken tok = null;
         for (AssertionInfo ai : ais) {
-            tok = (Token)ai.getAssertion();
+            tok = (AbstractToken)ai.getAssertion();
             ai.setAsserted(true);                
         }
-        ais = aim.getAssertionInfo(SP12Constants.SUPPORTING_TOKENS);
-        for (AssertionInfo ai : ais) {
-            ai.setAsserted(true);
-        }
+        
+        assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
         
         if (signed || isTLSInUse(message)) {
-            ais = aim.getAssertionInfo(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }
+            assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         }
         return tok;
     }
@@ -190,7 +238,8 @@ public abstract class AbstractTokenInter
         return sh;
     }
     
-    protected String getPassword(String userName, Token info, int type, SoapMessage message) {
+    protected String getPassword(String userName, AbstractToken info, 
+                                 WSPasswordCallback.Usage usage, SoapMessage message) {
         //Then try to get the password from the given callback handler
     
         CallbackHandler handler = getCallback(message);
@@ -199,7 +248,7 @@ public abstract class AbstractTokenInter
             return null;
         }
         
-        WSPasswordCallback[] cb = {new WSPasswordCallback(userName, type)};
+        WSPasswordCallback[] cb = {new WSPasswordCallback(userName, usage)};
         try {
             handler.handle(cb);
         } catch (Exception e) {
@@ -210,14 +259,13 @@ public abstract class AbstractTokenInter
         return cb[0].getPassword();
     }
     
-    protected void policyNotAsserted(Token assertion, String reason, SoapMessage message) {
+    protected void policyNotAsserted(AbstractToken assertion, String reason, SoapMessage message) {
         if (assertion == null) {
             return;
         }
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
 
-        Collection<AssertionInfo> ais;
-        ais = aim.get(assertion.getName());
+        Collection<AssertionInfo> ais = aim.get(assertion.getName());
         if (ais != null) {
             for (AssertionInfo ai : ais) {
                 if (ai.getAssertion() == assertion) {
@@ -230,13 +278,12 @@ public abstract class AbstractTokenInter
         }
     }
     
-    protected void policyNotAsserted(Token assertion, Exception reason, SoapMessage message) {
+    protected void policyNotAsserted(AbstractToken assertion, Exception reason, SoapMessage message) {
         if (assertion == null) {
             return;
         }
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais;
-        ais = aim.get(assertion.getName());
+        Collection<AssertionInfo> ais = aim.get(assertion.getName());
         if (ais != null) {
             for (AssertionInfo ai : ais) {
                 if (ai.getAssertion() == assertion) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java Thu May 23 13:17:26 2013
@@ -35,11 +35,11 @@ import org.apache.cxf.interceptor.securi
 import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.security.SecurityContext;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.validate.UsernameTokenValidator;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.validate.UsernameTokenValidator;
+import org.apache.wss4j.dom.validate.Validator;
 
 
 /**
@@ -139,13 +139,15 @@ public abstract class AbstractUsernameTo
         } catch (Exception ex) {
             String errorMessage = "Failed Authentication : Subject has not been created";
             LOG.severe(errorMessage);
-            throw new WSSecurityException(errorMessage, ex);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, 
+                                          ex);
         }
         if (subject == null || subject.getPrincipals().size() == 0
             || !subject.getPrincipals().iterator().next().getName().equals(name)) {
             String errorMessage = "Failed Authentication : Invalid Subject";
             LOG.severe(errorMessage);
-            throw new WSSecurityException(errorMessage);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION, 
+                                          new Exception(errorMessage));
         }
         msg.put(Subject.class, subject);
     }
@@ -182,7 +184,7 @@ public abstract class AbstractUsernameTo
         
         @Override
         protected void verifyCustomPassword(
-            org.apache.ws.security.message.token.UsernameToken usernameToken,
+            org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
             RequestData data
         ) throws WSSecurityException {
             AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
@@ -192,7 +194,7 @@ public abstract class AbstractUsernameTo
         
         @Override
         protected void verifyPlaintextPassword(
-            org.apache.ws.security.message.token.UsernameToken usernameToken,
+            org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
             RequestData data
         ) throws WSSecurityException {
             AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(
@@ -202,11 +204,11 @@ public abstract class AbstractUsernameTo
         
         @Override
         protected void verifyDigestPassword(
-            org.apache.ws.security.message.token.UsernameToken usernameToken,
+            org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
             RequestData data
         ) throws WSSecurityException {
             if (!supportDigestPasswords) {
-                throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
             }
             String user = usernameToken.getName();
             String password = usernameToken.getPassword();
@@ -220,7 +222,7 @@ public abstract class AbstractUsernameTo
         
         @Override
         protected void verifyUnknownPassword(
-            org.apache.ws.security.message.token.UsernameToken usernameToken,
+            org.apache.wss4j.dom.message.token.UsernameToken usernameToken,
             RequestData data
         ) throws WSSecurityException {
             AbstractUsernameTokenAuthenticatingInterceptor.this.setSubject(

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java Thu May 23 13:17:26 2013
@@ -40,13 +40,13 @@ import org.apache.cxf.message.MessageUti
 import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandler;
-import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandler;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
 
 public abstract class AbstractWSS4JInterceptor extends WSHandler implements SoapInterceptor, 
     PhaseInterceptor<SoapMessage> {
@@ -190,6 +190,16 @@ public abstract class AbstractWSS4JInter
         if (certConstraints != null) {
             msg.setContextualProperty(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
         }
+        
+        // Now set SAML SenderVouches + Holder Of Key requirements
+        boolean validateSAMLSubjectConf = 
+            MessageUtils.getContextualBoolean(
+                msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
+            );
+        msg.setContextualProperty(
+            WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, 
+            Boolean.toString(validateSAMLSubjectConf)
+        );
     }
 
     @Override



Mime
View raw message