cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1485693 [5/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav...
Date Thu, 23 May 2013 13:17:32 GMT
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java Thu May 23 13:17:26 2013
@@ -21,19 +21,26 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.AlgorithmSuite;
-import org.apache.ws.security.handler.RequestData;
+import org.apache.wss4j.common.crypto.AlgorithmSuite;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
 
 /**
  * Translate any AlgorithmSuite policy that may be operative into a WSS4J AlgorithmSuite object
@@ -46,7 +53,7 @@ public final class AlgorithmSuiteTransla
             return;
         }
         
-        List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites = 
+        List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = 
             getAlgorithmSuites(getBindings(aim));
         if (!algorithmSuites.isEmpty()) {
             // Translate into WSS4J's AlgorithmSuite class
@@ -55,15 +62,16 @@ public final class AlgorithmSuiteTransla
         }
 
         // Now look for an AlgorithmSuite for a SAML Assertion
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
-        if (ais != null && !ais.isEmpty()) {
-            List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> samlAlgorithmSuites
-                = new ArrayList<org.apache.cxf.ws.security.policy.model.AlgorithmSuite>();
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        if (!ais.isEmpty()) {
+            List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites
+                = new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
             for (AssertionInfo ai : ais) {
                 SamlToken samlToken = (SamlToken)ai.getAssertion();
-                SupportingToken supportingToken = samlToken.getSupportingToken();
-                if (supportingToken != null && supportingToken.getAlgorithmSuite() != null) {
-                    samlAlgorithmSuites.add(supportingToken.getAlgorithmSuite());
+                AbstractSecurityAssertion parentAssertion = samlToken.getParentAssertion();
+                if ((parentAssertion instanceof SupportingTokens)
+                    && ((SupportingTokens)parentAssertion).getAlgorithmSuite() != null) {
+                    samlAlgorithmSuites.add(((SupportingTokens)parentAssertion).getAlgorithmSuite());
                 }
             }
 
@@ -77,11 +85,11 @@ public final class AlgorithmSuiteTransla
      * Translate a list of CXF AlgorithmSuite objects into a single WSS4J AlgorithmSuite object
      */
     private AlgorithmSuite translateAlgorithmSuites(
-        List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites
+        List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites
     ) {
         AlgorithmSuite algorithmSuite = null;
         
-        for (org.apache.cxf.ws.security.policy.model.AlgorithmSuite cxfAlgorithmSuite 
+        for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite 
             : algorithmSuites) {
             if (cxfAlgorithmSuite == null) {
                 continue;
@@ -92,40 +100,41 @@ public final class AlgorithmSuiteTransla
                 algorithmSuite = new AlgorithmSuite();
             }
             
+            AlgorithmSuiteType algorithmSuiteType = cxfAlgorithmSuite.getAlgorithmSuiteType();
             // Set asymmetric key lengths
             if (algorithmSuite.getMaximumAsymmetricKeyLength() 
-                < cxfAlgorithmSuite.getMaximumAsymmetricKeyLength()) {
+                < algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
                 algorithmSuite.setMaximumAsymmetricKeyLength(
-                    cxfAlgorithmSuite.getMaximumAsymmetricKeyLength());
+                    algorithmSuiteType.getMaximumAsymmetricKeyLength());
             }
             if (algorithmSuite.getMinimumAsymmetricKeyLength() 
-                > cxfAlgorithmSuite.getMinimumAsymmetricKeyLength()) {
+                > algorithmSuiteType.getMinimumAsymmetricKeyLength()) {
                 algorithmSuite.setMinimumAsymmetricKeyLength(
-                    cxfAlgorithmSuite.getMinimumAsymmetricKeyLength());
+                    algorithmSuiteType.getMinimumAsymmetricKeyLength());
             }
             
             // Set symmetric key lengths
             if (algorithmSuite.getMaximumSymmetricKeyLength() 
-                < cxfAlgorithmSuite.getMaximumSymmetricKeyLength()) {
+                < algorithmSuiteType.getMaximumSymmetricKeyLength()) {
                 algorithmSuite.setMaximumSymmetricKeyLength(
-                    cxfAlgorithmSuite.getMaximumSymmetricKeyLength());
+                    algorithmSuiteType.getMaximumSymmetricKeyLength());
             }
             if (algorithmSuite.getMinimumSymmetricKeyLength() 
-                > cxfAlgorithmSuite.getMinimumSymmetricKeyLength()) {
+                > algorithmSuiteType.getMinimumSymmetricKeyLength()) {
                 algorithmSuite.setMinimumSymmetricKeyLength(
-                    cxfAlgorithmSuite.getMinimumSymmetricKeyLength());
+                    algorithmSuiteType.getMinimumSymmetricKeyLength());
             }
                 
-            algorithmSuite.addEncryptionMethod(cxfAlgorithmSuite.getEncryption());
-            algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getSymmetricKeyWrap());
-            algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getAsymmetricKeyWrap());
+            algorithmSuite.addEncryptionMethod(algorithmSuiteType.getEncryption());
+            algorithmSuite.addKeyWrapAlgorithm(algorithmSuiteType.getSymmetricKeyWrap());
+            algorithmSuite.addKeyWrapAlgorithm(algorithmSuiteType.getAsymmetricKeyWrap());
     
             algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getAsymmetricSignature());
             algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getSymmetricSignature());
-            algorithmSuite.addDigestAlgorithm(cxfAlgorithmSuite.getDigest());
-            algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getInclusiveC14n());
+            algorithmSuite.addDigestAlgorithm(algorithmSuiteType.getDigest());
+            algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
     
-            algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getInclusiveC14n());
+            algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
             algorithmSuite.addTransformAlgorithm(SPConstants.STRT10);
             algorithmSuite.addTransformAlgorithm(WSConstants.NS_XMLDSIG_ENVELOPED_SIGNATURE);
     
@@ -139,25 +148,26 @@ public final class AlgorithmSuiteTransla
     /**
      * Get all of the WS-SecurityPolicy Bindings that are in operation
      */
-    private List<Binding> getBindings(AssertionInfoMap aim) {
-        List<Binding> bindings = new ArrayList<Binding>();
+    private List<AbstractBinding> getBindings(AssertionInfoMap aim) {
+        List<AbstractBinding> bindings = new ArrayList<AbstractBinding>();
         if (aim != null) {
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-            if (ais != null && !ais.isEmpty()) {
+            Collection<AssertionInfo> ais = 
+                getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+            if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
-                    bindings.add((Binding)ai.getAssertion());
+                    bindings.add((AbstractBinding)ai.getAssertion());
                 }
             }
-            ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-            if (ais != null && !ais.isEmpty()) {     
+            ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+            if (!ais.isEmpty()) {     
                 for (AssertionInfo ai : ais) {
-                    bindings.add((Binding)ai.getAssertion());
+                    bindings.add((AbstractBinding)ai.getAssertion());
                 }
             }
-            ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-            if (ais != null && !ais.isEmpty()) {     
+            ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            if (!ais.isEmpty()) {     
                 for (AssertionInfo ai : ais) {
-                    bindings.add((Binding)ai.getAssertion());
+                    bindings.add((AbstractBinding)ai.getAssertion());
                 }
             }
         }
@@ -167,17 +177,38 @@ public final class AlgorithmSuiteTransla
     /**
      * Get all of the CXF AlgorithmSuites from the bindings
      */
-    private List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> getAlgorithmSuites(
-        List<Binding> bindings
+    private List<org.apache.wss4j.policy.model.AlgorithmSuite> getAlgorithmSuites(
+        List<AbstractBinding> bindings
     ) {
-        List<org.apache.cxf.ws.security.policy.model.AlgorithmSuite> algorithmSuites = 
-            new ArrayList<org.apache.cxf.ws.security.policy.model.AlgorithmSuite>();
-        for (Binding binding : bindings) {
+        List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = 
+            new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+        for (AbstractBinding binding : bindings) {
             if (binding.getAlgorithmSuite() != null) {
                 algorithmSuites.add(binding.getAlgorithmSuite());
             }
         }
         return algorithmSuites;
     }
+    
+    private Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim,
+        String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+            
+        return Collections.emptySet();
+    }
 
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Thu May 23 13:17:26 2013
@@ -45,12 +45,13 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
 
 /**
  * Utility to enable the checking of WS-Security signature/encryption
@@ -144,10 +145,10 @@ public class CryptoCoverageChecker exten
         
         for (final WSHandlerResult wshr : results) {
             final List<WSSecurityEngineResult> wsSecurityEngineSignResults = 
-                WSS4JUtils.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
+                WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.SIGN);
             
             final List<WSSecurityEngineResult> wsSecurityEngineEncResults = 
-                WSS4JUtils.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
+                WSSecurityUtil.fetchAllActionResults(wshr.getResults(), WSConstants.ENCR);
             
             for (WSSecurityEngineResult wser : wsSecurityEngineSignResults) {
             

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java Thu May 23 13:17:26 2013
@@ -37,9 +37,9 @@ import org.w3c.dom.NodeList;
 
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.helpers.MapNamespaceContext;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityException;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
 
 
 /**
@@ -125,8 +125,9 @@ public final class CryptoCoverageUtil {
         CoverageScope scope
     ) throws WSSecurityException {
         if (!CryptoCoverageUtil.matchElement(refs, type, scope, soapBody)) {
-            throw new WSSecurityException("The " + getCoverageTypeString(type)
+            Exception ex = new Exception("The " + getCoverageTypeString(type)
                     + " does not cover the required elements (soap:Body).");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
         }
     }
 
@@ -172,9 +173,10 @@ public final class CryptoCoverageUtil {
         
         for (Element el : elements) {
             if (!CryptoCoverageUtil.matchElement(refs, type, scope, el)) {
-                throw new WSSecurityException("The " + getCoverageTypeString(type)
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+                        new Exception("The " + getCoverageTypeString(type)
                         + " does not cover the required elements ({"
-                        + namespace + "}" + name + ").");
+                        + namespace + "}" + name + ")."));
             }
         }          
     }
@@ -282,7 +284,7 @@ public final class CryptoCoverageUtil {
                         XPathConstants.NODESET);
             } catch (XPathExpressionException e) {
                 // The xpath's are not valid in the config.
-                throw new WSSecurityException(WSSecurityException.FAILURE);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
             }
             
             // If we found nodes then we need to do the check.
@@ -298,9 +300,10 @@ public final class CryptoCoverageUtil {
                     // We looked through all of the refs, but the element was
                     // not signed.
                     if (!instanceMatched) {
-                        throw new WSSecurityException("The " + getCoverageTypeString(type)
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
+                                new Exception("The " + getCoverageTypeString(type)
                                 + " does not cover the required elements ("
-                                + xpathString + ").");
+                                + xpathString + ")."));
                     }
                 }
             }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/DefaultCryptoCoverageChecker.java Thu May 23 13:17:26 2013
@@ -22,7 +22,7 @@ package org.apache.cxf.ws.security.wss4j
 import org.apache.cxf.ws.addressing.Names;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
-import org.apache.ws.security.WSConstants;
+import org.apache.wss4j.dom.WSConstants;
 
 /**
  * This utility extends the CryptoCoverageChecker to provide an easy way to check to see

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -36,21 +36,22 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.interceptor.security.DefaultSecurityContext;
 import org.apache.cxf.security.SecurityContext;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Token;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.processor.BinarySecurityTokenProcessor;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor;
+import org.apache.wss4j.dom.validate.Validator;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
 
 /**
  * An interceptor to add a Kerberos token to the security header of an outbound request, and to
@@ -86,7 +87,10 @@ public class KerberosTokenInterceptor ex
                         WSHandlerResult rResult = new WSHandlerResult(null, bstResults);
                         results.add(0, rResult);
 
-                        assertTokens(message, SP12Constants.KERBEROS_TOKEN, false);
+                        assertTokens(message, SPConstants.KERBEROS_TOKEN, false);
+                        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+                        assertPolicy(aim, "WssKerberosV5ApReqToken11");
+                        assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
                         
                         Principal principal = 
                             (Principal)bstResults.get(0).get(WSSecurityEngineResult.TAG_PRINCIPAL);
@@ -128,8 +132,8 @@ public class KerberosTokenInterceptor ex
                     }
                 } catch (RuntimeException t) {
                     throw t;
-                } catch (Throwable t) {
-                    throw new WSSecurityException(t.getMessage(), t);
+                } catch (Exception ex) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
                 }
                 return super.getValidator(qName);
             }
@@ -142,8 +146,11 @@ public class KerberosTokenInterceptor ex
         return results;
     }
     
-    protected Token assertTokens(SoapMessage message) {
-        return assertTokens(message, SP12Constants.KERBEROS_TOKEN, true);
+    protected AbstractToken assertTokens(SoapMessage message) {
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        assertPolicy(aim, "WssKerberosV5ApReqToken11");
+        assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+        return assertTokens(message, SPConstants.KERBEROS_TOKEN, true);
     }
 
     protected void addToken(SoapMessage message) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Thu May 23 13:17:26 2013
@@ -25,6 +25,7 @@ import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -52,21 +53,12 @@ import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.resource.ResourceManager;
 import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.RequiredElements;
-import org.apache.cxf.ws.security.policy.model.RequiredParts;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.Wss11;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
@@ -88,16 +80,27 @@ import org.apache.cxf.ws.security.wss4j.
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.X509TokenPolicyValidator;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.message.token.Timestamp;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.RequiredElements;
+import org.apache.wss4j.policy.model.RequiredParts;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.UsernameToken.PasswordType;
+import org.apache.wss4j.policy.model.Wss11;
 
 /**
  * 
@@ -116,7 +119,9 @@ public class PolicyBasedWSS4JInIntercept
     
     public void handleMessage(SoapMessage msg) throws Fault {
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
-        if (aim != null) {
+        boolean enableStax = 
+            MessageUtils.isTrue(msg.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+        if (aim != null && !enableStax) {
             super.handleMessage(msg);
         }
     }
@@ -164,8 +169,8 @@ public class PolicyBasedWSS4JInIntercept
     private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
         if (isRequestor(message)) {
             message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
-            Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
-            if (ais != null) {
+            Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+            if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
                     Wss11 wss11 = (Wss11)ai.getAssertion();
                     if (wss11.isRequireSignatureConfirmation()) {
@@ -187,8 +192,8 @@ public class PolicyBasedWSS4JInIntercept
         return action + " " + val;
     }
     
-    private boolean assertPolicy(AssertionInfoMap aim, QName q) {
-        Collection<AssertionInfo> ais = aim.get(q);
+    private boolean assertPolicy(AssertionInfoMap aim, QName name) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
         if (ais != null && !ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
@@ -197,12 +202,45 @@ public class PolicyBasedWSS4JInIntercept
         }
         return false;
     }
+    
+    private boolean assertPolicy(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    private Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim,
+        String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+            
+        return Collections.emptySet();
+    }
 
     private String checkAsymmetricBinding(
         AssertionInfoMap aim, String action, SoapMessage message
     ) throws WSSecurityException {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais == null || ais.isEmpty()) {
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        if (ais.isEmpty()) {
             return action;
         }
         
@@ -231,10 +269,10 @@ public class PolicyBasedWSS4JInIntercept
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
      
@@ -269,10 +307,10 @@ public class PolicyBasedWSS4JInIntercept
         }
         
         if (encrCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + encrCrypto.hashCode());
             message.put("RefId-" + encrCrypto.hashCode(), (Crypto)encrCrypto);
         } else if (signCrypto != null) {
-            message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
+            message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + signCrypto.hashCode());
             message.put("RefId-" + signCrypto.hashCode(), (Crypto)signCrypto);
         }
 
@@ -282,12 +320,13 @@ public class PolicyBasedWSS4JInIntercept
     private void checkUsernameToken(
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
         
-        if (ais != null && !ais.isEmpty()) {
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 UsernameToken policy = (UsernameToken)ai.getAssertion();
-                if (policy.isNoPassword()) {
+                if (policy.getPasswordType() == PasswordType.NoPassword) {
                     message.put(WSHandlerConstants.ALLOW_USERNAMETOKEN_NOPASSWORD, "true");
                 }
             }
@@ -297,8 +336,9 @@ public class PolicyBasedWSS4JInIntercept
     private String checkSymmetricBinding(
         AssertionInfoMap aim, String action, SoapMessage message
     ) throws WSSecurityException {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais == null || ais.isEmpty()) {
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        if (ais.isEmpty()) {
             return action;
         }
         
@@ -327,7 +367,7 @@ public class PolicyBasedWSS4JInIntercept
                 crypto = signCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             
@@ -345,7 +385,7 @@ public class PolicyBasedWSS4JInIntercept
                 crypto = encrCrypto;
             }
             if (crypto != null) {
-                message.put(WSHandlerConstants.SIG_PROP_REF_ID, "RefId-" + crypto.hashCode());
+                message.put(WSHandlerConstants.SIG_VER_PROP_REF_ID, "RefId-" + crypto.hashCode());
                 message.put("RefId-" + crypto.hashCode(), crypto);
             }
             
@@ -371,7 +411,8 @@ public class PolicyBasedWSS4JInIntercept
             Properties props = getProps(e, propsURL, message);
             if (props == null) {
                 LOG.fine("Cannot find Crypto Encryption properties: " + e);
-                throw new WSSecurityException("Cannot find Crypto Encryption properties: " + e);
+                Exception ex = new Exception("Cannot find Crypto Encryption properties: " + e);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
             }
             
             encrCrypto = CryptoFactory.getInstance(props);
@@ -393,7 +434,8 @@ public class PolicyBasedWSS4JInIntercept
             Properties props = getProps(s, propsURL, message);
             if (props == null) {
                 LOG.fine("Cannot find Crypto Signature properties: " + s);
-                throw new WSSecurityException("Cannot find Crypto Signature properties: " + s);
+                Exception ex = new Exception("Cannot find Crypto Signature properties: " + s);
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
             }
             
             signCrypto = CryptoFactory.getInstance(props);
@@ -407,39 +449,38 @@ public class PolicyBasedWSS4JInIntercept
     }
     
     private boolean assertXPathTokens(AssertionInfoMap aim, 
-                                   QName name, 
+                                   String name, 
                                    Collection<WSDataRef> refs,
                                    Element soapEnvelope,
                                    CoverageType type,
                                    CoverageScope scope,
                                    final XPath xpath) throws SOAPException {
-        Collection<AssertionInfo> ais = aim.get(name);
-        if (ais != null) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
-                Map<String, String> namespaces = null;
-                List<String> xpaths = null;
-                if (CoverageScope.CONTENT.equals(scope)) {
-                    ContentEncryptedElements p = (ContentEncryptedElements)ai.getAssertion();
-                    namespaces = p.getDeclaredNamespaces();
-                    xpaths = p.getXPathExpressions();
-                } else {
-                    SignedEncryptedElements p = (SignedEncryptedElements)ai.getAssertion();
-                    namespaces = p.getDeclaredNamespaces();
-                    xpaths = p.getXPathExpressions();
-                }
                 
-                if (xpaths != null) {
-                    if (namespaces != null) {
-                        xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
+                RequiredElements elements = (RequiredElements)ai.getAssertion();
+                
+                if (elements != null && elements.getXPaths() != null 
+                    && !elements.getXPaths().isEmpty()) {
+                    List<String> expressions = new ArrayList<String>();
+                    for (org.apache.wss4j.policy.model.XPath xPath : elements.getXPaths()) {
+                        expressions.add(xPath.getXPath());
+                    }
+
+                    if (elements.getXPaths().get(0).getPrefixNamespaceMap() != null) {
+                        xpath.setNamespaceContext(
+                            new MapNamespaceContext(elements.getXPaths().get(0).getPrefixNamespaceMap())
+                        );
                     }
                     try {
                         CryptoCoverageUtil.checkCoverage(soapEnvelope, refs,
-                                xpath, xpaths, type, scope);
+                                                         xpath, expressions, type, scope);
                     } catch (WSSecurityException e) {
                         ai.setNotAsserted("No " + type 
-                                + " element found matching one of the XPaths " 
-                                + Arrays.toString(xpaths.toArray()));
+                                          + " element found matching one of the XPaths " 
+                                          + Arrays.toString(expressions.toArray()));
                     }
                 }
             }
@@ -449,17 +490,17 @@ public class PolicyBasedWSS4JInIntercept
 
     
     private boolean assertTokens(AssertionInfoMap aim, 
-                              QName name, 
+                              String name, 
                               Collection<WSDataRef> signed,
                               SoapMessage msg,
                               Element soapHeader,
                               Element soapBody,
                               CoverageType type) throws SOAPException {
-        Collection<AssertionInfo> ais = aim.get(name);
-        if (ais != null) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
-                SignedEncryptedParts p = (SignedEncryptedParts)ai.getAssertion();
+                SignedParts p = (SignedParts)ai.getAssertion();
                 
                 if (p.isBody()) {
                     try {
@@ -484,7 +525,7 @@ public class PolicyBasedWSS4JInIntercept
                                 .getNamespace(), h.getName(), type,
                                 CoverageScope.ELEMENT);
                     } catch (WSSecurityException e) {
-                        ai.setNotAsserted(h.getQName() + " not + " + type);
+                        ai.setNotAsserted(h.getNamespace() + ":" + h.getName() + " not + " + type);
                     }
                 }
             }
@@ -520,8 +561,36 @@ public class PolicyBasedWSS4JInIntercept
             checkUsernameToken(aim, message);
             
             // stuff we can default to asserted and un-assert if a condition isn't met
-            assertPolicy(aim, SP12Constants.KEYVALUE_TOKEN);
-
+            assertPolicy(aim, SPConstants.KEY_VALUE_TOKEN);
+            assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
+            assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
+            assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+            
+            // WSS10
+            assertPolicy(aim, SPConstants.WSS10);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+            
+            // Trust 1.0
+            assertPolicy(aim, SPConstants.TRUST_10);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE);
+            assertPolicy(aim, SPConstants.REQUIRE_CLIENT_ENTROPY);
+            assertPolicy(aim, SPConstants.REQUIRE_SERVER_ENTROPY);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_ISSUED_TOKENS);
+            
+            // Trust 1.3
+            assertPolicy(aim, SPConstants.TRUST_13);
+            assertPolicy(aim, SP12Constants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION);
+            assertPolicy(aim, SP12Constants.REQUIRE_APPLIES_TO);
+            assertPolicy(aim, SP13Constants.SCOPE_POLICY_15);
+            assertPolicy(aim, SP13Constants.MUST_SUPPORT_INTERACTIVE_CHALLENGE);
+            
             message.put(WSHandlerConstants.ACTION, action.trim());
         }
     }
@@ -546,7 +615,7 @@ public class PolicyBasedWSS4JInIntercept
         actions.add(WSConstants.SIGN);
         actions.add(WSConstants.UT_SIGN);
         List<WSSecurityEngineResult> signedResults = 
-            WSS4JUtils.fetchAllActionResults(results, actions);
+            WSSecurityUtil.fetchAllActionResults(results, actions);
         for (WSSecurityEngineResult result : signedResults) {
             List<WSDataRef> sl = 
                 CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -558,7 +627,7 @@ public class PolicyBasedWSS4JInIntercept
         }
         
         List<WSSecurityEngineResult> encryptResults = 
-            WSS4JUtils.fetchAllActionResults(results, WSConstants.ENCR);
+            WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR);
         for (WSSecurityEngineResult result : encryptResults) {
             List<WSDataRef> sl = 
                 CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -589,11 +658,6 @@ public class PolicyBasedWSS4JInIntercept
             LOG.fine("Incoming request failed supporting token policy validation");
         }
         
-        // relatively irrelevant stuff from a verification standpoint
-        assertPolicy(aim, SP12Constants.WSS10);
-        assertPolicy(aim, SP12Constants.TRUST_13);
-        assertPolicy(aim, SP11Constants.TRUST_10);
-        
         super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks);
     }
     
@@ -615,10 +679,10 @@ public class PolicyBasedWSS4JInIntercept
         boolean check = true;
         if (!isTransportBinding(aim)) {
             check &= assertTokens(
-                aim, SP12Constants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED
+                aim, SPConstants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED
             );
             check &= assertTokens(
-                aim, SP12Constants.ENCRYPTED_PARTS, encrypted, msg, soapHeader, soapBody, 
+                aim, SPConstants.ENCRYPTED_PARTS, encrypted, msg, soapHeader, soapBody, 
                 CoverageType.ENCRYPTED
             );
         }
@@ -629,11 +693,11 @@ public class PolicyBasedWSS4JInIntercept
             final XPathFactory factory = XPathFactory.newInstance();
             final XPath xpath = factory.newXPath();
             
-            check &= assertXPathTokens(aim, SP12Constants.SIGNED_ELEMENTS, signed, soapEnvelope,
+            check &= assertXPathTokens(aim, SPConstants.SIGNED_ELEMENTS, signed, soapEnvelope,
                     CoverageType.SIGNED, CoverageScope.ELEMENT, xpath);
-            check &= assertXPathTokens(aim, SP12Constants.ENCRYPTED_ELEMENTS, encrypted, soapEnvelope,
+            check &= assertXPathTokens(aim, SPConstants.ENCRYPTED_ELEMENTS, encrypted, soapEnvelope,
                     CoverageType.ENCRYPTED, CoverageScope.ELEMENT, xpath);
-            check &= assertXPathTokens(aim, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, encrypted, 
+            check &= assertXPathTokens(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS, encrypted, 
                     soapEnvelope, CoverageType.ENCRYPTED, CoverageScope.CONTENT, xpath);
         }
         
@@ -719,13 +783,13 @@ public class PolicyBasedWSS4JInIntercept
         utActions.add(WSConstants.UT);
         utActions.add(WSConstants.UT_NOPASSWORD);
         List<WSSecurityEngineResult> utResults = 
-            WSS4JUtils.fetchAllActionResults(results, utActions);
+            WSSecurityUtil.fetchAllActionResults(results, utActions);
         
         final List<Integer> samlActions = new ArrayList<Integer>(2);
         samlActions.add(WSConstants.ST_SIGNED);
         samlActions.add(WSConstants.ST_UNSIGNED);
         List<WSSecurityEngineResult> samlResults = 
-            WSS4JUtils.fetchAllActionResults(results, samlActions);
+            WSSecurityUtil.fetchAllActionResults(results, samlActions);
         
         // Store the timestamp element
         WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
@@ -791,41 +855,48 @@ public class PolicyBasedWSS4JInIntercept
     private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header) 
         throws SOAPException {
         
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.REQUIRED_PARTS);
-        if (ais != null) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 RequiredParts rp = (RequiredParts)ai.getAssertion();
                 ai.setAsserted(true);
                 for (Header h : rp.getHeaders()) {
+                    QName qName = new QName(h.getNamespace(), h.getName());
                     if (header == null 
-                        || DOMUtils.getFirstChildWithName((Element)header, h.getQName()) == null) {
-                        ai.setNotAsserted("No header element of name " + h.getQName() + " found.");
+                        || DOMUtils.getFirstChildWithName((Element)header, qName) == null) {
+                        ai.setNotAsserted("No header element of name " + qName + " found.");
                     }
                 }
             }
         }
-        ais = aim.get(SP12Constants.REQUIRED_ELEMENTS);
-        if (ais != null) {
+        
+        ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 RequiredElements rp = (RequiredElements)ai.getAssertion();
                 ai.setAsserted(true);
-                Map<String, String> namespaces = rp.getDeclaredNamespaces();
-                XPathFactory factory = XPathFactory.newInstance();
-                for (String expression : rp.getXPathExpressions()) {
-                    XPath xpath = factory.newXPath();
-                    if (namespaces != null) {
-                        xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
-                    }
-                    NodeList list;
-                    try {
-                        list = (NodeList)xpath.evaluate(expression, 
-                                                                 header,
-                                                                 XPathConstants.NODESET);
-                        if (list.getLength() == 0) {
-                            ai.setNotAsserted("No header element matching XPath " + expression + " found.");
+                
+                if (rp != null && rp.getXPaths() != null && !rp.getXPaths().isEmpty()) {
+                    XPathFactory factory = XPathFactory.newInstance();
+                    for (org.apache.wss4j.policy.model.XPath xPath : rp.getXPaths()) {
+                        Map<String, String> namespaces = xPath.getPrefixNamespaceMap();
+                        String expression = xPath.getXPath();
+    
+                        XPath xpath = factory.newXPath();
+                        if (namespaces != null) {
+                            xpath.setNamespaceContext(new MapNamespaceContext(namespaces));
+                        }
+                        NodeList list;
+                        try {
+                            list = (NodeList)xpath.evaluate(expression, 
+                                                                     header,
+                                                                     XPathConstants.NODESET);
+                            if (list.getLength() == 0) {
+                                ai.setNotAsserted("No header element matching XPath " + expression + " found.");
+                            }
+                        } catch (XPathExpressionException e) {
+                            ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
                         }
-                    } catch (XPathExpressionException e) {
-                        ai.setNotAsserted("Invalid XPath expression " + expression + " " + e.getMessage());
                     }
                 }
             }
@@ -835,14 +906,15 @@ public class PolicyBasedWSS4JInIntercept
     }
 
     private boolean isTransportBinding(AssertionInfoMap aim) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-        if (ais != null && ais.size() > 0) {
-            ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-            if (ais != null && ais.size() > 0) {
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        if (ais.size() > 0) {
+            ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            if (ais.size() > 0) {
                 return false;
             }
-            ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-            if (ais != null && ais.size() > 0) {
+            ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+            if (ais.size() > 0) {
                 return false;
             }
             return true;
@@ -851,16 +923,16 @@ public class PolicyBasedWSS4JInIntercept
     }
     
     private boolean containsXPathPolicy(AssertionInfoMap aim) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ELEMENTS);
-        if (ais != null && ais.size() > 0) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+        if (ais.size() > 0) {
             return true;
         }
-        ais = aim.get(SP12Constants.ENCRYPTED_ELEMENTS);
-        if (ais != null && ais.size() > 0) {
+        ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+        if (ais.size() > 0) {
             return true;
         }
-        ais = aim.get(SP12Constants.CONTENT_ENCRYPTED_ELEMENTS);
-        if (ais != null && ais.size() > 0) {
+        ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+        if (ais.size() > 0) {
             return true;
         }
         return false;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java Thu May 23 13:17:26 2013
@@ -20,9 +20,11 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import java.util.logging.Logger;
 
+import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 
@@ -35,24 +37,28 @@ import org.apache.cxf.binding.soap.saaj.
 import org.apache.cxf.common.i18n.Message;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.interceptor.Fault;
+import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.policy.PolicyBuilder;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Binding;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.message.WSSecHeader;
+import org.apache.neethi.Policy;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractBinding;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.apache.wss4j.policy.model.SymmetricBinding;
+import org.apache.wss4j.policy.model.TransportBinding;
 
 public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
     public static final String SECURITY_PROCESSED = PolicyBasedWSS4JOutInterceptor.class.getName() + ".DONE";
@@ -72,11 +78,15 @@ public class PolicyBasedWSS4JOutIntercep
 
 
     public void handleMessage(SoapMessage mc) throws Fault {
-        if (mc.getContent(SOAPMessage.class) == null) {
-            saajOut.handleMessage(mc);
+        boolean enableStax = 
+            MessageUtils.isTrue(mc.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
+        if (!enableStax) {
+            if (mc.getContent(SOAPMessage.class) == null) {
+                saajOut.handleMessage(mc);
+            }
+            mc.put(SECURITY_PROCESSED, Boolean.TRUE);
+            mc.getInterceptorChain().add(ending);
         }
-        mc.put(SECURITY_PROCESSED, Boolean.TRUE);
-        mc.getInterceptorChain().add(ending);
     }    
     public void handleFault(SoapMessage message) {
         saajOut.handleFault(message);
@@ -99,36 +109,36 @@ public class PolicyBasedWSS4JOutIntercep
             boolean mustUnderstand = true;
             String actor = null;
             
-
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             // extract Assertion information
             if (aim != null) {
-                Binding transport = null;
-                ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-                if (ais != null) {
+                AbstractBinding transport = null;
+                ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+                if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
-                        transport = (Binding)ai.getAssertion();
+                        transport = (AbstractBinding)ai.getAssertion();
                         ai.setAsserted(true);
                     }                    
                 }
-                ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-                if (ais != null) {
+                ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+                if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
-                        transport = (Binding)ai.getAssertion();
+                        transport = (AbstractBinding)ai.getAssertion();
                         ai.setAsserted(true);
                     }                    
                 }
-                ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-                if (ais != null) {
+                ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+                if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
-                        transport = (Binding)ai.getAssertion();
+                        transport = (AbstractBinding)ai.getAssertion();
                         ai.setAsserted(true);
                     }                    
                 }
+
                 if (transport == null && isRequestor(message)) {
-                    transport = new TransportBinding(SP12Constants.INSTANCE,
-                                                     message.getExchange().getBus()
-                                                         .getExtension(PolicyBuilder.class));
+                    Policy policy = new Policy();
+                    transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
+                                                     policy);
                 }
                 
                 if (transport != null) {
@@ -153,7 +163,7 @@ public class PolicyBasedWSS4JOutIntercep
                     if (config == null) {
                         config = WSSConfig.getNewInstance();
                     }
-                    translateProperties(message, config);
+                    translateProperties(message);
 
                     if (transport instanceof TransportBinding) {
                         new TransportBindingHandler(config, (TransportBinding)transport, saaj,
@@ -171,14 +181,14 @@ public class PolicyBasedWSS4JOutIntercep
                     }
                 }
                 
-                ais = aim.get(SP12Constants.WSS10);
-                if (ais != null) {
+                ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+                if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
                         ai.setAsserted(true);
                     }                    
                 }
-                ais = aim.get(SP12Constants.WSS11);
-                if (ais != null) {
+                ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+                if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
                         ai.setAsserted(true);
                     }                    
@@ -213,13 +223,32 @@ public class PolicyBasedWSS4JOutIntercep
             return null;
         }
         
-        private void translateProperties(SoapMessage msg, WSSConfig config) {
+        private void translateProperties(SoapMessage msg) {
             String bspCompliant = (String)msg.getContextualProperty(SecurityConstants.IS_BSP_COMPLIANT);
-            if ("1".equals(bspCompliant) || "true".equals(bspCompliant)) {
-                config.setWsiBSPCompliant(true);
-            } else if ("0".equals(bspCompliant) || "false".equals(bspCompliant)) {
-                config.setWsiBSPCompliant(false);
+            if (bspCompliant != null) {
+                msg.setContextualProperty(WSHandlerConstants.IS_BSP_COMPLIANT, bspCompliant);
             }
         }
+        
+        private Collection<AssertionInfo> getAllAssertionsByLocalname(
+            AssertionInfoMap aim,
+            String localname
+        ) {
+            Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+            Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+            
+            if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+                Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+                if (sp11Ais != null) {
+                    ais.addAll(sp11Ais);
+                }
+                if (sp12Ais != null) {
+                    ais.addAll(sp12Ais);
+                }
+                return ais;
+            }
+                
+            return Collections.emptySet();
+        }
     }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SAMLUtils.java Thu May 23 13:17:26 2013
@@ -19,30 +19,13 @@
 
 package org.apache.cxf.ws.security.wss4j;
 
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
-import java.util.logging.Logger;
 
 import org.w3c.dom.Element;
 
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.opensaml.common.SAMLVersion;
 import org.opensaml.xml.XMLObject;
 
@@ -51,25 +34,23 @@ import org.opensaml.xml.XMLObject;
  */
 public final class SAMLUtils {
     
-    private static final Logger LOG = LogUtils.getL7dLogger(SAMLUtils.class);
-    
     private SAMLUtils() {
     }
     
     public static List<String> parseRolesInAssertion(Object assertion, String roleAttributeName) {
-        if (((AssertionWrapper) assertion).getSamlVersion().equals(SAMLVersion.VERSION_20)) {
-            return parseRolesInAssertion(((AssertionWrapper)assertion).getSaml2(), roleAttributeName);
+        if (((SamlAssertionWrapper) assertion).getSamlVersion().equals(SAMLVersion.VERSION_20)) {
+            return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml2(), roleAttributeName);
         } else {
-            return parseRolesInAssertion(((AssertionWrapper)assertion).getSaml1(), roleAttributeName);
+            return parseRolesInAssertion(((SamlAssertionWrapper)assertion).getSaml1(), roleAttributeName);
         }
     }
     
     public static String getIssuer(Object assertion) {
-        return ((AssertionWrapper)assertion).getIssuerString();
+        return ((SamlAssertionWrapper)assertion).getIssuerString();
     }
     
     public static Element getAssertionElement(Object assertion) {
-        return ((AssertionWrapper)assertion).getElement();
+        return ((SamlAssertionWrapper)assertion).getElement();
     }
     
     //
@@ -148,217 +129,4 @@ public final class SAMLUtils {
         return Collections.unmodifiableList(roles);
     }
     
-    public static void validateSAMLResults(
-        List<WSSecurityEngineResult> results,
-        Message message,
-        Element body
-    ) throws WSSecurityException {
-        final List<Integer> samlActions = new ArrayList<Integer>(2);
-        samlActions.add(WSConstants.ST_SIGNED);
-        samlActions.add(WSConstants.ST_UNSIGNED);
-        List<WSSecurityEngineResult> samlResults = 
-            WSS4JUtils.fetchAllActionResults(results, samlActions);
-        
-        if (samlResults.isEmpty()) {
-            return;
-        }
-        
-        final List<Integer> signedActions = new ArrayList<Integer>(2);
-        signedActions.add(WSConstants.SIGN);
-        signedActions.add(WSConstants.UT_SIGN);
-        List<WSSecurityEngineResult> signedResults = 
-            WSS4JUtils.fetchAllActionResults(results, signedActions);
-        
-        for (WSSecurityEngineResult samlResult : samlResults) {
-            AssertionWrapper assertionWrapper = 
-                (AssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
-            
-            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
-            Certificate[] tlsCerts = null;
-            if (tlsInfo != null) {
-                tlsCerts = tlsInfo.getPeerCertificates();
-            }
-            if (!SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
-                LOG.warning("Assertion fails holder-of-key requirements");
-                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
-            }
-            if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signedResults)) {
-                LOG.warning("Assertion fails sender-vouches requirements");
-                throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
-            }
-        }
-        
-    }
-    
-    /**
-     * Check the holder-of-key requirements against the received assertion. The subject
-     * credential of the SAML Assertion must have been used to sign some portion of
-     * the message, thus showing proof-of-possession of the private/secret key. Alternatively,
-     * the subject credential of the SAML Assertion must match a client certificate credential
-     * when 2-way TLS is used.
-     * @param assertionWrapper the SAML Assertion wrapper object
-     * @param signedResults a list of all of the signed results
-     */
-    public static boolean checkHolderOfKey(
-        AssertionWrapper assertionWrapper,
-        List<WSSecurityEngineResult> signedResults,
-        Certificate[] tlsCerts
-    ) {
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodHolderOfKey(confirmationMethod)) {
-                if (tlsCerts == null && (signedResults == null || signedResults.isEmpty())) {
-                    return false;
-                }
-                SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-                if (!compareCredentials(subjectKeyInfo, signedResults, tlsCerts)) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Compare the credentials of the assertion to the credentials used in 2-way TLS or those
-     * used to verify signatures.
-     * Return true on a match
-     * @param subjectKeyInfo the SAMLKeyInfo object
-     * @param signedResults a list of all of the signed results
-     * @return true if the credentials of the assertion were used to verify a signature
-     */
-    public static boolean compareCredentials(
-        SAMLKeyInfo subjectKeyInfo,
-        List<WSSecurityEngineResult> signedResults,
-        Certificate[] tlsCerts
-    ) {
-        X509Certificate[] subjectCerts = subjectKeyInfo.getCerts();
-        PublicKey subjectPublicKey = subjectKeyInfo.getPublicKey();
-        byte[] subjectSecretKey = subjectKeyInfo.getSecret();
-        
-        //
-        // Try to match the TLS certs first
-        //
-        if (tlsCerts != null && tlsCerts.length > 0 && subjectCerts != null 
-            && subjectCerts.length > 0 && tlsCerts[0].equals(subjectCerts[0])) {
-            return true;
-        } else if (tlsCerts != null && tlsCerts.length > 0 && subjectPublicKey != null
-            && tlsCerts[0].getPublicKey().equals(subjectPublicKey)) {
-            return true;
-        }
-        
-        //
-        // Now try the message-level signatures
-        //
-        for (WSSecurityEngineResult signedResult : signedResults) {
-            X509Certificate[] certs =
-                (X509Certificate[])signedResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
-            PublicKey publicKey =
-                (PublicKey)signedResult.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
-            byte[] secretKey =
-                (byte[])signedResult.get(WSSecurityEngineResult.TAG_SECRET);
-            if (certs != null && certs.length > 0 && subjectCerts != null
-                && subjectCerts.length > 0 && certs[0].equals(subjectCerts[0])) {
-                return true;
-            }
-            if (publicKey != null && publicKey.equals(subjectPublicKey)) {
-                return true;
-            }
-            if (checkSecretKey(secretKey, subjectSecretKey, signedResult)) {
-                return true;
-            }
-        }
-        return false;
-    }
-    
-    private static boolean checkSecretKey(
-        byte[] secretKey,
-        byte[] subjectSecretKey,
-        WSSecurityEngineResult signedResult
-    ) {
-        if (secretKey != null && subjectSecretKey != null) {
-            if (Arrays.equals(secretKey, subjectSecretKey)) {
-                return true;
-            } else {
-                Principal principal =
-                    (Principal)signedResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
-                if (principal instanceof WSDerivedKeyTokenPrincipal) {
-                    secretKey = ((WSDerivedKeyTokenPrincipal)principal).getSecret();
-                    if (Arrays.equals(secretKey, subjectSecretKey)) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-    
-    /**
-     * Check the sender-vouches requirements against the received assertion. The SAML
-     * Assertion and the SOAP Body must be signed by the same signature.
-     */
-    public static boolean checkSenderVouches(
-        AssertionWrapper assertionWrapper,
-        Certificate[] tlsCerts,
-        Element body,
-        List<WSSecurityEngineResult> signed
-    ) {
-        //
-        // If we have a 2-way TLS connection, then we don't have to check that the
-        // assertion + SOAP body are signed
-        //
-        if (tlsCerts != null && tlsCerts.length > 0) {
-            return true;
-        }
-        List<String> confirmationMethods = assertionWrapper.getConfirmationMethods();
-        for (String confirmationMethod : confirmationMethods) {
-            if (OpenSAMLUtil.isMethodSenderVouches(confirmationMethod)) {
-                if (signed == null || signed.isEmpty()) {
-                    return false;
-                }
-                if (!checkAssertionAndBodyAreSigned(assertionWrapper, body, signed)) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-
-    /**
-     * Return true if there is a signature which references the Assertion and the SOAP Body.
-     * @param assertionWrapper the AssertionWrapper object
-     * @param body The SOAP body
-     * @param signed The List of signed results
-     * @return true if there is a signature which references the Assertion and the SOAP Body.
-     */
-    private static boolean checkAssertionAndBodyAreSigned(
-        AssertionWrapper assertionWrapper,
-        Element body,
-        List<WSSecurityEngineResult> signed
-    ) {
-        for (WSSecurityEngineResult signedResult : signed) {
-            List<WSDataRef> sl =
-                CastUtils.cast((List<?>)signedResult.get(
-                    WSSecurityEngineResult.TAG_DATA_REF_URIS
-                ));
-            boolean assertionIsSigned = false;
-            boolean bodyIsSigned = false;
-            if (sl != null) {
-                for (WSDataRef dataRef : sl) {
-                    Element se = dataRef.getProtectedElement();
-                    if (se == assertionWrapper.getElement()) {
-                        assertionIsSigned = true;
-                    }
-                    if (se == body) {
-                        bodyIsSigned = true;
-                    }
-                    if (assertionIsSigned && bodyIsSigned) {
-                        return true;
-                    }
-                }
-            }
-        }
-        return false;
-    }
-
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java Thu May 23 13:17:26 2013
@@ -48,25 +48,27 @@ import org.apache.cxf.security.SecurityC
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDocInfo;
-import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.components.crypto.CryptoFactory;
-import org.apache.ws.security.handler.RequestData;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.processor.SAMLTokenProcessor;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
-import org.apache.ws.security.saml.ext.SAMLParms;
-import org.apache.ws.security.validate.Validator;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDocInfo;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.processor.SAMLTokenProcessor;
+import org.apache.wss4j.dom.validate.Validator;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
 import org.opensaml.common.SAMLVersion;
 
 /**
@@ -104,24 +106,24 @@ public class SamlTokenInterceptor extend
 
                         boolean signed = false;
                         for (WSSecurityEngineResult result : samlResults) {
-                            AssertionWrapper wrapper = 
-                                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                            SamlAssertionWrapper wrapper = 
+                                (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                             if (wrapper.isSigned()) {
                                 signed = true;
                                 break;
                             }
                         }
-                        assertTokens(message, SP12Constants.SAML_TOKEN, signed);
+                        assertTokens(message, SPConstants.SAML_TOKEN, signed);
                         
                         // Check version against policy
                         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-                        for (AssertionInfo ai : aim.getAssertionInfo(SP12Constants.SAML_TOKEN)) {
+                        for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                             SamlToken samlToken = (SamlToken)ai.getAssertion();
                             for (WSSecurityEngineResult result : samlResults) {
-                                AssertionWrapper assertionWrapper = 
-                                    (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                                SamlAssertionWrapper assertionWrapper = 
+                                    (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
 
-                                if (!checkVersion(samlToken, assertionWrapper)) {
+                                if (!checkVersion(aim, samlToken, assertionWrapper)) {
                                     ai.setNotAsserted("Wrong SAML Version");
                                 }
                             }
@@ -173,8 +175,8 @@ public class SamlTokenInterceptor extend
                         }
                     } catch (RuntimeException t) {
                         throw t;
-                    } catch (Throwable t) {
-                        throw new WSSecurityException(t.getMessage(), t);
+                    } catch (Exception ex) {
+                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
                     }
                 }
                 return super.getValidator(qName);
@@ -188,8 +190,12 @@ public class SamlTokenInterceptor extend
         return results;
     }
 
-    protected Token assertTokens(SoapMessage message) {
-        return assertTokens(message, SP12Constants.SAML_TOKEN, true);
+    protected AbstractToken assertTokens(SoapMessage message) {
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        assertPolicy(aim, "WssSamlV11Token10");
+        assertPolicy(aim, "WssSamlV11Token11");
+        assertPolicy(aim, "WssSamlV20Token11");
+        return assertTokens(message, SPConstants.SAML_TOKEN, true);
     }
 
     protected void addToken(SoapMessage message) {
@@ -198,10 +204,11 @@ public class SamlTokenInterceptor extend
 
         Header h = findSecurityHeader(message, true);
         try {
-            AssertionWrapper wrapper = addSamlToken(tok, message);
+            SamlAssertionWrapper wrapper = addSamlToken(tok, message);
             if (wrapper == null) {
                 AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-                Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.SAML_TOKEN);
+                Collection<AssertionInfo> ais = 
+                    getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
                 for (AssertionInfo ai : ais) {
                     if (ai.isAsserted()) {
                         ai.setAsserted(false);
@@ -217,7 +224,7 @@ public class SamlTokenInterceptor extend
     }
 
     
-    private AssertionWrapper addSamlToken(
+    private SamlAssertionWrapper addSamlToken(
         SamlToken token, SoapMessage message
     ) throws WSSecurityException {
         //
@@ -240,14 +247,21 @@ public class SamlTokenInterceptor extend
             return null;
         }
 
-        SAMLParms samlParms = new SAMLParms();
-        samlParms.setCallbackHandler(handler);
-        if (token.isUseSamlVersion11Profile10() || token.isUseSamlVersion11Profile11()) {
-            samlParms.setSAMLVersion(SAMLVersion.VERSION_11);
-        } else if (token.isUseSamlVersion20Profile11()) {
-            samlParms.setSAMLVersion(SAMLVersion.VERSION_20);
+        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+        
+        SAMLCallback samlCallback = new SAMLCallback();
+        SamlTokenType tokenType = token.getSamlTokenType();
+        if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
+            samlCallback.setSamlVersion(SAMLVersion.VERSION_11);
+            assertPolicy(aim, "WssSamlV11Token10");
+            assertPolicy(aim, "WssSamlV11Token11");
+            
+        } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
+            samlCallback.setSamlVersion(SAMLVersion.VERSION_20);
+            assertPolicy(aim, "WssSamlV20Token11");
         }
-        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        SAMLUtil.doSAMLCallback(handler, samlCallback);
+        SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
 
         boolean selfSignAssertion = 
             MessageUtils.getContextualBoolean(
@@ -275,7 +289,7 @@ public class SamlTokenInterceptor extend
 
             String password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
             if (StringUtils.isEmpty(password)) {
-                password = getPassword(user, token, WSPasswordCallback.SIGNATURE, message);
+                password = getPassword(user, token, WSPasswordCallback.Usage.SIGNATURE, message);
             }
             if (password == null) {
                 password = "";
@@ -356,15 +370,21 @@ public class SamlTokenInterceptor extend
     /**
      * Check the policy version against the received assertion
      */
-    private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
-        if ((samlToken.isUseSamlVersion11Profile10()
-            || samlToken.isUseSamlVersion11Profile11())
+    private boolean checkVersion(
+        AssertionInfoMap aim,
+        SamlToken samlToken, 
+        SamlAssertionWrapper assertionWrapper
+    ) {
+        SamlTokenType tokenType = samlToken.getSamlTokenType();
+        if ((tokenType == SamlTokenType.WssSamlV11Token10 
+            || tokenType == SamlTokenType.WssSamlV11Token11)
             && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
             return false;
-        } else if (samlToken.isUseSamlVersion20Profile11()
+        } else if (tokenType == SamlTokenType.WssSamlV20Token11
             && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
             return false;
         }
+        assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
         return true;
     }
     



Mime
View raw message