cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1485693 [8/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav...
Date Thu, 23 May 2013 13:17:32 GMT
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java Thu May 23 13:17:26 2013
@@ -37,44 +37,46 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP11Constants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SpnegoContextToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.conversation.ConversationConstants;
-import org.apache.ws.security.conversation.ConversationException;
-import org.apache.ws.security.handler.WSHandlerConstants;
-import org.apache.ws.security.handler.WSHandlerResult;
-import org.apache.ws.security.message.WSSecBase;
-import org.apache.ws.security.message.WSSecDKEncrypt;
-import org.apache.ws.security.message.WSSecDKSign;
-import org.apache.ws.security.message.WSSecEncrypt;
-import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.message.WSSecUsernameToken;
-import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.util.Base64;
-import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.derivedKey.ConversationException;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSEncryptionPart;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
+import org.apache.wss4j.dom.handler.WSHandlerConstants;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.apache.wss4j.dom.message.WSSecBase;
+import org.apache.wss4j.dom.message.WSSecDKEncrypt;
+import org.apache.wss4j.dom.message.WSSecDKSign;
+import org.apache.wss4j.dom.message.WSSecEncrypt;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+import org.apache.wss4j.dom.message.WSSecUsernameToken;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
+import org.apache.wss4j.policy.model.SymmetricBinding;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
+import org.apache.xml.security.utils.Base64;
 
 /**
  * 
@@ -95,14 +97,14 @@ public class SymmetricBindingHandler ext
         protectionOrder = binding.getProtectionOrder();
     }
     
-    private TokenWrapper getSignatureToken() {
+    private AbstractTokenWrapper getSignatureToken() {
         if (sbinding.getProtectionToken() != null) {
             return sbinding.getProtectionToken();
         }
         return sbinding.getSignatureToken();
     }
     
-    private TokenWrapper getEncryptionToken() {
+    private AbstractTokenWrapper getEncryptionToken() {
         if (sbinding.getProtectionToken() != null) {
             return sbinding.getProtectionToken();
         }
@@ -118,14 +120,17 @@ public class SymmetricBindingHandler ext
             initializeTokens();
         }
         
-        if (sbinding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
+        if (sbinding.getProtectionOrder() 
+            == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
             doEncryptBeforeSign();
+            policyAsserted(SPConstants.ENCRYPT_BEFORE_SIGNING);
         } else {
             doSignBeforeEncrypt();
+            policyAsserted(SPConstants.SIGN_BEFORE_ENCRYPTING);
         }
         //REVIST - what to do with these policies?
-        policyAsserted(SP11Constants.TRUST_10);
-        policyAsserted(SP12Constants.TRUST_13);
+        policyAsserted(SPConstants.TRUST_10);
+        policyAsserted(SPConstants.TRUST_13);
     }
     
     private void initializeTokens()  {
@@ -146,8 +151,8 @@ public class SymmetricBindingHandler ext
     
     private void doEncryptBeforeSign() {
         try {
-            TokenWrapper encryptionWrapper = getEncryptionToken();
-            Token encryptionToken = encryptionWrapper.getToken();
+            AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
+            AbstractToken encryptionToken = encryptionWrapper.getToken();
             List<WSEncryptionPart> encrParts = getEncryptedParts();
             List<WSEncryptionPart> sigParts = getSignedParts();
             
@@ -195,7 +200,7 @@ public class SymmetricBindingHandler ext
     
                 boolean attached = false;
                 
-                if (includeToken(encryptionToken.getInclusion())) {
+                if (includeToken(encryptionToken.getIncludeTokenType())) {
                     Element el = tok.getToken();
                     this.addEncryptedKeyElement(cloneElement(el));
                     attached = true;
@@ -233,12 +238,12 @@ public class SymmetricBindingHandler ext
                 }
                 
                 //Check for signature protection and encryption of UsernameToken
-                if (sbinding.isSignatureProtection() 
+                if (sbinding.isEncryptSignature() 
                     || encryptedTokensList.size() > 0 && isRequestor()) {
                     List<WSEncryptionPart> secondEncrParts = new ArrayList<WSEncryptionPart>();
                     
                     //Now encrypt the signature using the above token
-                    if (sbinding.isSignatureProtection()) {
+                    if (sbinding.isEncryptSignature()) {
                         if (this.mainSigId != null) {
                             WSEncryptionPart sigPart = 
                                 new WSEncryptionPart(this.mainSigId, "Element");
@@ -248,6 +253,7 @@ public class SymmetricBindingHandler ext
                         if (sigConfList != null && !sigConfList.isEmpty()) {
                             secondEncrParts.addAll(sigConfList);
                         }
+                        policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
                     }
                     
                     if (isRequestor()) {
@@ -256,7 +262,8 @@ public class SymmetricBindingHandler ext
                     
                     Element secondRefList = null;
                     
-                    if (encryptionToken.isDerivedKeys() && !secondEncrParts.isEmpty()) {
+                    if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys 
+                        && !secondEncrParts.isEmpty()) {
                         secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, 
                                 secondEncrParts);
                         this.addDerivedKeyElement(secondRefList);
@@ -275,10 +282,8 @@ public class SymmetricBindingHandler ext
     }
     
     private void doSignBeforeEncrypt() {
-        TokenWrapper sigTokenWrapper = getSignatureToken();
-        Token sigToken = sigTokenWrapper.getToken();
-        
-        
+        AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
+        AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
         String sigTokId = null;
         Element sigTokElem = null;
         
@@ -293,7 +298,7 @@ public class SymmetricBindingHandler ext
                     sigTok = getSecurityToken();
                 } else if (sigToken instanceof X509Token) {
                     if (isRequestor()) {
-                        sigTokId = setupEncryptedKey(sigTokenWrapper, sigToken);
+                        sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
                     } else {
                         sigTokId = getEncryptedKey();
                     }
@@ -310,10 +315,10 @@ public class SymmetricBindingHandler ext
             }
             
             if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
-                policyNotAsserted(sigTokenWrapper, "No signature token id");
+                policyNotAsserted(sigAbstractTokenWrapper, "No signature token id");
                 return;
             } else {
-                policyAsserted(sigTokenWrapper);
+                policyAsserted(sigAbstractTokenWrapper);
             }
             if (sigTok == null) {
                 sigTok = tokenStore.getToken(sigTokId);
@@ -323,7 +328,7 @@ public class SymmetricBindingHandler ext
             //}
             
             boolean tokIncluded = true;
-            if (includeToken(sigToken.getInclusion())) {
+            if (includeToken(sigToken.getIncludeTokenType())) {
                 Element el = sigTok.getToken();
                 sigTokElem = cloneElement(el);
                 this.addEncryptedKeyElement(sigTokElem);
@@ -345,7 +350,7 @@ public class SymmetricBindingHandler ext
             if (isRequestor()) {
                 addSupportingTokens(sigs);
                 if (!sigs.isEmpty()) {
-                    signatures.add(doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded));
+                    signatures.add(doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded));
                 }
                 doEndorse();
             } else {
@@ -353,13 +358,13 @@ public class SymmetricBindingHandler ext
                 assertSupportingTokens(sigs);
                 addSignatureConfirmation(sigs);
                 if (!sigs.isEmpty()) {
-                    doSignature(sigs, sigTokenWrapper, sigToken, sigTok, tokIncluded);
+                    doSignature(sigs, sigAbstractTokenWrapper, sigToken, sigTok, tokIncluded);
                 }
             }
 
             //Encryption
-            TokenWrapper encrTokenWrapper = getEncryptionToken();
-            Token encrToken = encrTokenWrapper.getToken();
+            AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
+            AbstractToken encrToken = encrAbstractTokenWrapper.getToken();
             SecurityToken encrTok = null;
             if (sigToken.equals(encrToken)) {
                 //Use the same token
@@ -372,7 +377,7 @@ public class SymmetricBindingHandler ext
             List<WSEncryptionPart> enc = getEncryptedParts();
             
             //Check for signature protection
-            if (sbinding.isSignatureProtection()) {
+            if (sbinding.isEncryptSignature()) {
                 if (mainSigId != null) {
                     WSEncryptionPart sigPart = new WSEncryptionPart(mainSigId, "Element");
                     sigPart.setElement(bottomUpElement);
@@ -381,12 +386,13 @@ public class SymmetricBindingHandler ext
                 if (sigConfList != null && !sigConfList.isEmpty()) {
                     enc.addAll(sigConfList);
                 }
+                policyAsserted(SPConstants.ENCRYPT_SIGNATURE);
             }
             
             if (isRequestor()) {
                 enc.addAll(encryptedTokensList);
             }
-            doEncryption(encrTokenWrapper,
+            doEncryption(encrAbstractTokenWrapper,
                          encrTok,
                          tokIncluded,
                          enc,
@@ -396,15 +402,15 @@ public class SymmetricBindingHandler ext
         }
     }
     
-    private WSSecBase doEncryptionDerived(TokenWrapper recToken,
+    private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
                                           SecurityToken encrTok,
-                                          Token encrToken,
+                                          AbstractToken encrToken,
                                           boolean attached,
                                           List<WSEncryptionPart> encrParts,
                                           boolean atEnd) {
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(wssConfig);
-            if (recToken.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+            if (recToken.getToken().getVersion() == SPConstants.SPVersion.SP12) {
                 dkEncr.setWscVersion(ConversationConstants.VERSION_05_12);
             }
 
@@ -472,9 +478,9 @@ public class SymmetricBindingHandler ext
                 }
             }
             
-            dkEncr.setSymmetricEncAlgorithm(sbinding.getAlgorithmSuite().getEncryption());
-            dkEncr.setDerivedKeyLength(sbinding.getAlgorithmSuite()
-                                           .getEncryptionDerivedKeyLength() / 8);
+            AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
+            dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
+            dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
             dkEncr.prepare(saaj.getSOAPPart());
             Element encrDKTokenElem = null;
             encrDKTokenElem = dkEncr.getdktElement();
@@ -492,18 +498,18 @@ public class SymmetricBindingHandler ext
         return null;
     }
     
-    private WSSecBase doEncryption(TokenWrapper recToken,
+    private WSSecBase doEncryption(AbstractTokenWrapper recToken,
                                    SecurityToken encrTok,
                                    boolean attached,
                                    List<WSEncryptionPart> encrParts,
                                    boolean atEnd) {
         //Do encryption
         if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
-            Token encrToken = recToken.getToken();
+            AbstractToken encrToken = recToken.getToken();
             policyAsserted(recToken);
             policyAsserted(encrToken);
             AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
-            if (encrToken.isDerivedKeys()) {
+            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                 return doEncryptionDerived(recToken, encrTok, encrToken,
                                            attached, encrParts, atEnd);
             } else {
@@ -539,7 +545,7 @@ public class SymmetricBindingHandler ext
                     
                     encr.setDocument(saaj.getSOAPPart());
                     encr.setEncryptSymmKey(false);
-                    encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+                    encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
                     
                     if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) {
                         //Setting the AttachedReference or the UnattachedReference according to the flag
@@ -553,7 +559,7 @@ public class SymmetricBindingHandler ext
                         String tokenType = encrTok.getTokenType();
                         if (ref != null) {
                             SecurityTokenReference secRef = 
-                                new SecurityTokenReference(cloneElement(ref), false);
+                                new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
                             encr.setSecurityTokenReference(secRef);
                         } else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
                             || WSConstants.SAML_NS.equals(tokenType)) {
@@ -601,19 +607,19 @@ public class SymmetricBindingHandler ext
     }    
     
     private byte[] doSignatureDK(List<WSEncryptionPart> sigs,
-                               TokenWrapper policyTokenWrapper, 
-                               Token policyToken, 
+                               AbstractTokenWrapper policyAbstractTokenWrapper, 
+                               AbstractToken policyToken, 
                                SecurityToken tok,
                                boolean included) throws WSSecurityException {
         Document doc = saaj.getSOAPPart();
         WSSecDKSign dkSign = new WSSecDKSign(wssConfig);
-        if (policyTokenWrapper.getToken().getSPConstants() == SP12Constants.INSTANCE) {
+        if (policyAbstractTokenWrapper.getToken().getVersion() == SPConstants.SPVersion.SP12) {
             dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
         }
         
         //Check for whether the token is attached in the message or not
         boolean attached = false;
-        if (includeToken(policyToken.getInclusion())) {
+        if (includeToken(policyToken.getIncludeTokenType())) {
             attached = true;
         }
         
@@ -627,7 +633,8 @@ public class SymmetricBindingHandler ext
         
         if (ref != null) {
             dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
-        } else if (!isRequestor() && policyToken.isDerivedKeys() && tok.getSHA1() != null) {            
+        } else if (!isRequestor() && policyToken.getDerivedKeys() 
+            == DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) {            
             // If the Encrypted key used to create the derived key is not
             // attached use key identifier as defined in WSS1.1 section
             // 7.7 Encrypted Key reference
@@ -651,7 +658,8 @@ public class SymmetricBindingHandler ext
 
         //Set the algo info
         dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
-        dkSign.setDerivedKeyLength(sbinding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
+        AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
+        dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (tok.getSHA1() != null) {
             //Set the value type of the reference
             String tokenType = tok.getTokenType();
@@ -679,10 +687,10 @@ public class SymmetricBindingHandler ext
         try {
             dkSign.prepare(doc, secHeader);
         } catch (ConversationException e) {
-            throw new WSSecurityException(e.getMessage(), e);
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
         }
         
-        if (sbinding.isTokenProtection()) {
+        if (sbinding.isProtectTokens()) {
             String sigTokId = tok.getId();
             if (included) {
                 sigTokId = tok.getWsuId();
@@ -694,6 +702,7 @@ public class SymmetricBindingHandler ext
                 }
             }
             sigs.add(new WSEncryptionPart(sigTokId));
+            policyAsserted(SPConstants.PROTECT_TOKENS);
         }
         
         dkSign.setParts(sigs);
@@ -717,12 +726,12 @@ public class SymmetricBindingHandler ext
     }
     
     private byte[] doSignature(List<WSEncryptionPart> sigs,
-                             TokenWrapper policyTokenWrapper, 
-                             Token policyToken, 
+                             AbstractTokenWrapper policyAbstractTokenWrapper, 
+                             AbstractToken policyToken, 
                              SecurityToken tok,
                              boolean included) throws WSSecurityException {
-        if (policyToken.isDerivedKeys()) {
-            return doSignatureDK(sigs, policyTokenWrapper, policyToken, tok, included);
+        if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+            return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
         } else {
             WSSecSignature sig = new WSSecSignature(wssConfig);
             // If a EncryptedKeyToken is used, set the correct value type to
@@ -754,7 +763,7 @@ public class SymmetricBindingHandler ext
                 
                 if (ref != null) {
                     SecurityTokenReference secRef = 
-                        new SecurityTokenReference(cloneElement(ref), false);
+                        new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
                     sig.setSecurityTokenReference(secRef);
                     sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                 } else {
@@ -791,8 +800,9 @@ public class SymmetricBindingHandler ext
                 sigTokId = tok.getId();
             }
                       
-            if (included && sbinding.isTokenProtection()) {
+            if (included && sbinding.isProtectTokens()) {
                 sigs.add(new WSEncryptionPart(sigTokId));
+                policyAsserted(SPConstants.PROTECT_TOKENS);
             }
             
             sig.setCustomTokenId(sigTokId);
@@ -802,7 +812,7 @@ public class SymmetricBindingHandler ext
             if (sbinding.getProtectionToken() != null) {
                 crypto = getEncryptionCrypto(sbinding.getProtectionToken());
             } else {
-                crypto = getSignatureCrypto(policyTokenWrapper);
+                crypto = getSignatureCrypto(policyAbstractTokenWrapper);
             }
             this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
             sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
@@ -822,7 +832,7 @@ public class SymmetricBindingHandler ext
         }
     }
 
-    private String setupEncryptedKey(TokenWrapper wrapper, Token sigToken) throws WSSecurityException {
+    private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
         WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(wrapper, sigToken);
         String id = encrKey.getId();
         byte[] secret = encrKey.getEphemeralKey();
@@ -944,14 +954,16 @@ public class SymmetricBindingHandler ext
     }
     
     private boolean hasSignedPartsOrElements() {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(SP12Constants.SIGNED_PARTS);
-        if (ais != null && ais.size() > 0) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(SPConstants.SIGNED_PARTS);
+        if (ais.size() > 0) {
             return true;
         }
-        ais = aim.getAssertionInfo(SP12Constants.SIGNED_ELEMENTS);
-        if (ais != null && ais.size() > 0) {
+        
+        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ELEMENTS);
+        if (ais.size() > 0) {
             return true;
         }
+        
         return false;
     }
 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java Thu May 23 13:17:26 2013
@@ -33,47 +33,48 @@ import javax.xml.xpath.XPathExpressionEx
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
-
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecureConversationToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.cxf.ws.security.policy.model.SpnegoContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
-import org.apache.cxf.ws.security.policy.model.TransportToken;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSEncryptionPart;
-import org.apache.ws.security.WSPasswordCallback;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.components.crypto.Crypto;
-import org.apache.ws.security.conversation.ConversationConstants;
-import org.apache.ws.security.message.WSSecDKSign;
-import org.apache.ws.security.message.WSSecEncryptedKey;
-import org.apache.ws.security.message.WSSecHeader;
-import org.apache.ws.security.message.WSSecSignature;
-import org.apache.ws.security.message.WSSecTimestamp;
-import org.apache.ws.security.message.WSSecUsernameToken;
-import org.apache.ws.security.message.token.SecurityTokenReference;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.derivedKey.ConversationConstants;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSEncryptionPart;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
+import org.apache.wss4j.dom.message.WSSecDKSign;
+import org.apache.wss4j.dom.message.WSSecEncryptedKey;
+import org.apache.wss4j.dom.message.WSSecHeader;
+import org.apache.wss4j.dom.message.WSSecSignature;
+import org.apache.wss4j.dom.message.WSSecTimestamp;
+import org.apache.wss4j.dom.message.WSSecUsernameToken;
+import org.apache.wss4j.dom.message.token.SecurityTokenReference;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecureConversationToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SignedElements;
+import org.apache.wss4j.policy.model.SignedParts;
+import org.apache.wss4j.policy.model.SpnegoContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.TransportBinding;
+import org.apache.wss4j.policy.model.TransportToken;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;;
 
 /**
  * 
@@ -91,9 +92,9 @@ public class TransportBindingHandler ext
         this.tbinding = binding;
     }
     
-    private void addSignedSupportingTokens(SupportingToken sgndSuppTokens) 
+    private void addSignedSupportingTokens(SupportingTokens sgndSuppTokens) 
         throws Exception {
-        for (Token token : sgndSuppTokens.getTokens()) {
+        for (AbstractToken token : sgndSuppTokens.getTokens()) {
             if (token instanceof UsernameToken) {
                 WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
                 if (utBuilder != null) {
@@ -103,12 +104,12 @@ public class TransportBindingHandler ext
             } else if (token instanceof IssuedToken || token instanceof KerberosToken) {
                 SecurityToken secTok = getSecurityToken();
                 
-                if (includeToken(token.getInclusion())) {
+                if (includeToken(token.getIncludeTokenType())) {
                     //Add the token
                     addEncryptedKeyElement(cloneElement(secTok.getToken()));
                 }
             } else if (token instanceof SamlToken) {
-                AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+                SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
                 if (assertionWrapper != null) {
                     addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
                 }
@@ -133,7 +134,7 @@ public class TransportBindingHandler ext
             if (this.isRequestor()) {
                 TransportToken transportTokenWrapper = tbinding.getTransportToken();
                 if (transportTokenWrapper != null) {
-                    Token transportToken = transportTokenWrapper.getToken();
+                    AbstractToken transportToken = transportTokenWrapper.getToken();
                     if (transportToken instanceof IssuedToken) {
                         SecurityToken secToken = getSecurityToken();
                         if (secToken == null) {
@@ -142,7 +143,7 @@ public class TransportBindingHandler ext
                         } else {
                             policyAsserted(transportToken);
                         }
-                        if (includeToken(transportToken.getInclusion())) {
+                        if (includeToken(transportToken.getIncludeTokenType())) {
                             Element el = secToken.getToken();
                             addEncryptedKeyElement(cloneElement(el));
                         } 
@@ -168,10 +169,10 @@ public class TransportBindingHandler ext
     private void handleNonEndorsingSupportingTokens() throws Exception {
         Collection<AssertionInfo> ais;
         
-        ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-        if (ais != null) {
+        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
-                SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
                 if (sgndSuppTokens != null) {
                     addSignedSupportingTokens(sgndSuppTokens);
                 }
@@ -179,10 +180,10 @@ public class TransportBindingHandler ext
             }
         }
         
-        ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais != null) {
+        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
-                SupportingToken sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
                 if (sgndSuppTokens != null) {
                     addSignedSupportingTokens(sgndSuppTokens);
                 }
@@ -190,10 +191,10 @@ public class TransportBindingHandler ext
             }
         }
         
-        ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais != null) {
+        ais = getAllAssertionsByLocalname(SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
-                SupportingToken encrSuppTokens = (SupportingToken)ai.getAssertion();
+                SupportingTokens encrSuppTokens = (SupportingTokens)ai.getAssertion();
                 if (encrSuppTokens != null) {
                     addSignedSupportingTokens(encrSuppTokens);
                 }
@@ -201,10 +202,10 @@ public class TransportBindingHandler ext
             }
         }
         
-        ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
-        if (ais != null) {
+        ais = getAllAssertionsByLocalname(SPConstants.SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
-                SupportingToken suppTokens = (SupportingToken)ai.getAssertion();
+                SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
                 if (suppTokens != null && suppTokens.getTokens() != null 
                     && suppTokens.getTokens().size() > 0) {
                     handleSupportingTokens(suppTokens, false);
@@ -220,58 +221,58 @@ public class TransportBindingHandler ext
     private void handleEndorsingSupportingTokens() throws Exception {
         Collection<AssertionInfo> ais;
         
-        ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
-        if (ais != null) {
-            SupportingToken sgndSuppTokens = null;
+        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            SupportingTokens sgndSuppTokens = null;
             for (AssertionInfo ai : ais) {
-                sgndSuppTokens = (SupportingToken)ai.getAssertion();
+                sgndSuppTokens = (SupportingTokens)ai.getAssertion();
                 ai.setAsserted(true);
             }
             if (sgndSuppTokens != null) {
-                for (Token token : sgndSuppTokens.getTokens()) {
+                for (AbstractToken token : sgndSuppTokens.getTokens()) {
                     handleEndorsingToken(token, sgndSuppTokens);
                 }
             }
         }
         
-        ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-        if (ais != null) {
-            SupportingToken endSuppTokens = null;
+        ais = getAllAssertionsByLocalname(SPConstants.ENDORSING_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
-                endSuppTokens = (SupportingToken)ai.getAssertion();
+                endSuppTokens = (SupportingTokens)ai.getAssertion();
                 ai.setAsserted(true);
             } 
             
             if (endSuppTokens != null) {
-                for (Token token : endSuppTokens.getTokens()) {
+                for (AbstractToken token : endSuppTokens.getTokens()) {
                     handleEndorsingToken(token, endSuppTokens);
                 }
             }
         }
-        ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais != null) {
-            SupportingToken endSuppTokens = null;
+        ais = getAllAssertionsByLocalname(SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
-                endSuppTokens = (SupportingToken)ai.getAssertion();
+                endSuppTokens = (SupportingTokens)ai.getAssertion();
                 ai.setAsserted(true);
             } 
             
             if (endSuppTokens != null) {
-                for (Token token : endSuppTokens.getTokens()) {
+                for (AbstractToken token : endSuppTokens.getTokens()) {
                     handleEndorsingToken(token, endSuppTokens);
                 }
             }
         }
-        ais = aim.get(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais != null) {
-            SupportingToken endSuppTokens = null;
+        ais = getAllAssertionsByLocalname(SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
-                endSuppTokens = (SupportingToken)ai.getAssertion();
+                endSuppTokens = (SupportingTokens)ai.getAssertion();
                 ai.setAsserted(true);
             } 
             
             if (endSuppTokens != null) {
-                for (Token token : endSuppTokens.getTokens()) {
+                for (AbstractToken token : endSuppTokens.getTokens()) {
                     handleEndorsingToken(token, endSuppTokens);
                 }
             }
@@ -279,7 +280,7 @@ public class TransportBindingHandler ext
     }
     
     private void handleEndorsingToken(
-        Token token, SupportingToken wrapper
+        AbstractToken token, SupportingTokens wrapper
     ) throws Exception {
         if (token instanceof IssuedToken
             || token instanceof SecureConversationToken
@@ -291,7 +292,7 @@ public class TransportBindingHandler ext
             || token instanceof KeyValueToken) {
             addSig(doX509TokenSignature(token, wrapper));
         } else if (token instanceof SamlToken) {
-            AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
+            SamlAssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
             assertionWrapper.toDOM(saaj.getSOAPPart());
             storeAssertionAsSecurityToken(assertionWrapper);
             addSig(doIssuedTokenSignature(token, wrapper));
@@ -315,7 +316,7 @@ public class TransportBindingHandler ext
     }
     
 
-    private byte[] doX509TokenSignature(Token token, SupportingToken wrapper) 
+    private byte[] doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) 
         throws Exception {
         
         Document doc = saaj.getSOAPPart();
@@ -323,7 +324,7 @@ public class TransportBindingHandler ext
         List<WSEncryptionPart> sigParts = 
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
         
-        if (token.isDerivedKeys()) {
+        if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(wrapper, token);
             
             Element bstElem = encrKey.getBinarySecurityTokenElement();
@@ -334,9 +335,10 @@ public class TransportBindingHandler ext
             
             WSSecDKSign dkSig = new WSSecDKSign(wssConfig);
             
-            dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n());
+            dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
             dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
-            dkSig.setDerivedKeyLength(binding.getAlgorithmSuite().getSignatureDerivedKeyLength() / 8);
+            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+            dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
             
             dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
             
@@ -373,17 +375,20 @@ public class TransportBindingHandler ext
     }
 
     private byte[] doIssuedTokenSignature(
-        Token token, SupportingToken wrapper
+        AbstractToken token, SupportingTokens wrapper
     ) throws Exception {
         boolean tokenIncluded = false;
         // Get the issued token
         SecurityToken secTok = getSecurityToken();
         if (secTok == null) {
             LOG.fine("The retrieved SecurityToken was null");
-            throw new WSSecurityException("The retrieved SecurityToken was null");
+            Exception ex = new Exception("The retrieved SecurityToken was null");
+            throw new WSSecurityException(
+                WSSecurityException.ErrorCode.FAILURE, ex
+            );
         }
         
-        if (includeToken(token.getInclusion())) {
+        if (includeToken(token.getIncludeTokenType())) {
             //Add the token
             Element el = cloneElement(secTok.getToken());
             //if (securityTok != null) {
@@ -399,7 +404,7 @@ public class TransportBindingHandler ext
         List<WSEncryptionPart> sigParts = 
                 signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
         
-        if (token.isDerivedKeys()) {
+        if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             return doDerivedKeySignature(tokenIncluded, secTok, token, sigParts);
         } else {
             return doSignature(tokenIncluded, secTok, token, wrapper, sigParts);
@@ -409,7 +414,7 @@ public class TransportBindingHandler ext
     private byte[] doDerivedKeySignature(
         boolean tokenIncluded,
         SecurityToken secTok,
-        Token token,
+        AbstractToken token,
         List<WSEncryptionPart> sigParts
     ) throws Exception {
         //Do Signature with derived keys
@@ -436,8 +441,9 @@ public class TransportBindingHandler ext
 
         // Set the algo info
         dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
-        dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength() / 8);
-        if (token.getSPConstants() == SP12Constants.INSTANCE) {
+        AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+        dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
+        if (token.getVersion() == SPConstants.SPVersion.SP12) {
             dkSign.setWscVersion(ConversationConstants.VERSION_05_12);
         }
         Document doc = saaj.getSOAPPart();
@@ -457,8 +463,8 @@ public class TransportBindingHandler ext
     private byte[] doSignature(
         boolean tokenIncluded,
         SecurityToken secTok,
-        Token token,
-        TokenWrapper wrapper,
+        AbstractToken token,
+        SupportingTokens wrapper,
         List<WSEncryptionPart> sigParts
     ) throws Exception {
         WSSecSignature sig = new WSSecSignature(wssConfig);
@@ -473,7 +479,7 @@ public class TransportBindingHandler ext
         
         if (ref != null) {
             SecurityTokenReference secRef = 
-                new SecurityTokenReference(cloneElement(ref), false);
+                new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
             sig.setSecurityTokenReference(secRef);
             sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
         } else if (token instanceof UsernameToken) {
@@ -520,7 +526,7 @@ public class TransportBindingHandler ext
                 String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
                 uname = (String)message.getContextualProperty(userNameKey);
             }
-            String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
+            String password = getPassword(uname, token, WSPasswordCallback.Usage.SIGNATURE);
             if (password == null) {
                 password = "";
             }
@@ -531,7 +537,7 @@ public class TransportBindingHandler ext
             sig.setSecretKey(secTok.getSecret());
             sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
         }
-        sig.setSigCanonicalization(binding.getAlgorithmSuite().getInclusiveC14n());
+        sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
 
         Document doc = saaj.getSOAPPart();
         sig.prepare(doc, crypto, secHeader);
@@ -555,8 +561,8 @@ public class TransportBindingHandler ext
      * Identifies the portions of the message to be signed/encrypted.
      */
     private List<WSEncryptionPart> signPartsAndElements(
-        SignedEncryptedParts signedParts,
-        SignedEncryptedElements signedElements
+        SignedParts signedParts,
+        SignedElements signedElements
     ) throws SOAPException {
         
         List<WSEncryptionPart> result = new ArrayList<WSEncryptionPart>();
@@ -594,8 +600,7 @@ public class TransportBindingHandler ext
             try {
                 result.addAll(
                     this.getElements(
-                        "Element", signedElements.getXPathExpressions(), 
-                        signedElements.getDeclaredNamespaces(), found, true
+                        "Element", signedElements.getXPaths(), found, true
                     )
                 );
             } catch (XPathExpressionException e) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java Thu May 23 13:17:26 2013
@@ -20,8 +20,8 @@
 package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
-import org.apache.ws.security.WSSConfig;
-import org.apache.ws.security.message.WSSecBase;
+import org.apache.wss4j.dom.WSSConfig;
+import org.apache.wss4j.dom.message.WSSecBase;
 
 /**
  * 

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 
 import javax.xml.namespace.QName;
@@ -33,27 +35,31 @@ import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.EncryptionToken;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.cxf.ws.security.policy.model.ProtectionToken;
-import org.apache.cxf.ws.security.policy.model.SignatureToken;
-import org.apache.cxf.ws.security.policy.model.SymmetricAsymmetricBindingBase;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.neethi.Assertion;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.Timestamp;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.Timestamp;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.EncryptionToken;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.ProtectionToken;
+import org.apache.wss4j.policy.model.SignatureToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Some abstract functionality for validating a security binding.
@@ -78,7 +84,7 @@ public abstract class AbstractBindingPol
         Message message
     ) {
         List<WSSecurityEngineResult> timestampResults = 
-            WSS4JUtils.fetchAllActionResults(results, WSConstants.TS);
+            WSSecurityUtil.fetchAllActionResults(results, WSConstants.TS);
         
         // Check whether we received a timestamp and compare it to the policy
         if (includeTimestamp && timestampResults.size() != 1) {
@@ -150,7 +156,7 @@ public abstract class AbstractBindingPol
      * Check various properties set in the policy of the binding
      */
     protected boolean checkProperties(
-        SymmetricAsymmetricBindingBase binding, 
+        AbstractSymmetricAsymmetricBinding binding, 
         AssertionInfo ai,
         AssertionInfoMap aim,
         List<WSSecurityEngineResult> results,
@@ -162,15 +168,23 @@ public abstract class AbstractBindingPol
         if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
             return false;
         }
+        assertPolicy(aim, binding.getAlgorithmSuite());
+        String namespace = binding.getAlgorithmSuite().getAlgorithmSuiteType().getNamespace();
+        String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
+        Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
+        if (algSuiteAis != null) {
+            for (AssertionInfo algSuiteAi : algSuiteAis) {
+                algSuiteAi.setAsserted(true);
+            }
+        }
         
         // Check the IncludeTimestamp
         if (!validateTimestamp(binding.isIncludeTimestamp(), false, results, signedResults, message)) {
             String error = "Received Timestamp does not match the requirements";
-            notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
             ai.setNotAsserted(error);
             return false;
         }
-        assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+        assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
         
         // Check the Layout
         Layout layout = binding.getLayout();
@@ -182,20 +196,27 @@ public abstract class AbstractBindingPol
             return false;
         }
         assertPolicy(aim, layout);
+        assertPolicy(aim, SPConstants.LAYOUT_LAX);
+        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+        assertPolicy(aim, SPConstants.LAYOUT_STRICT);
         
         // Check the EntireHeaderAndBodySignatures property
-        if (binding.isEntireHeadersAndBodySignatures()
+        if (binding.isOnlySignEntireHeadersAndBody()
             && !validateEntireHeaderAndBodySignatures(signedResults)) {
             String error = "OnlySignEntireHeadersAndBody does not match the requirements";
             ai.setNotAsserted(error);
             return false;
         }
+        assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
         
         // Check whether the signatures were encrypted or not
-        if (binding.isSignatureProtection() && !isSignatureEncrypted(results)) {
+        if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
             ai.setNotAsserted("The signature is not protected");
             return false;
         }
+        assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
+        assertPolicy(aim, SPConstants.PROTECT_TOKENS);
         
         /*
         // Check ProtectTokens
@@ -212,18 +233,24 @@ public abstract class AbstractBindingPol
      * Check the Protection Order of the binding
      */
     protected boolean checkProtectionOrder(
-        SymmetricAsymmetricBindingBase binding, 
+        AbstractSymmetricAsymmetricBinding binding, 
+        AssertionInfoMap aim,
         AssertionInfo ai,
         List<WSSecurityEngineResult> results
     ) {
-        if (binding.getProtectionOrder() == SPConstants.ProtectionOrder.EncryptBeforeSigning) {
-            if (!binding.isSignatureProtection() && isSignedBeforeEncrypted(results)) {
+        ProtectionOrder protectionOrder = binding.getProtectionOrder();
+        if (protectionOrder == ProtectionOrder.EncryptBeforeSigning) {
+            if (!binding.isProtectTokens() && isSignedBeforeEncrypted(results)) {
                 ai.setNotAsserted("Not encrypted before signed");
                 return false;
             }
-        } else if (isEncryptedBeforeSigned(results)) {
-            ai.setNotAsserted("Not signed before encrypted");
-            return false;
+            assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
+        } else if (protectionOrder == ProtectionOrder.SignBeforeEncrypting) { 
+            if (isEncryptedBeforeSigned(results)) {
+                ai.setNotAsserted("Not signed before encrypted");
+                return false;
+            }
+            assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
         }
         return true;
     }
@@ -284,14 +311,15 @@ public abstract class AbstractBindingPol
      * Check the derived key requirement.
      */
     protected boolean checkDerivedKeys(
-        TokenWrapper tokenWrapper, 
+        AbstractTokenWrapper tokenWrapper, 
         boolean hasDerivedKeys,
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Token token = tokenWrapper.getToken();
+        AbstractToken token = tokenWrapper.getToken();
+        boolean isDerivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
         // If derived keys are not required then just return
-        if (!(token instanceof X509Token && token.isDerivedKeys())) {
+        if (!(token instanceof X509Token && isDerivedKeys)) {
             return true;
         }
         if (tokenWrapper instanceof EncryptionToken 
@@ -381,8 +409,8 @@ public abstract class AbstractBindingPol
                 }
             } else if (actInt.intValue() == WSConstants.ST_SIGNED
                 || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlAssertionWrapper assertionWrapper = 
+                    (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
                 if (samlKeyInfo != null) {
                     X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
@@ -472,6 +500,17 @@ public abstract class AbstractBindingPol
         }
     }
     
+    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
     protected boolean assertPolicy(AssertionInfoMap aim, QName q) {
         Collection<AssertionInfo> ais = aim.get(q);
         if (ais != null && !ais.isEmpty()) {
@@ -491,4 +530,25 @@ public abstract class AbstractBindingPol
             }    
         }
     }
+    
+    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim,
+        String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+            
+        return Collections.emptySet();
+    }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java Thu May 23 13:17:26 2013
@@ -24,12 +24,12 @@ import java.util.List;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
 
 /**
  * Some abstract functionality for validating SAML Assertions
@@ -43,10 +43,10 @@ public abstract class AbstractSamlPolicy
      * @return true if the token is required
      */
     protected boolean isTokenRequired(
-        Token token,
+        AbstractToken token,
         Message message
     ) {
-        IncludeTokenType inclusion = token.getInclusion();
+        IncludeTokenType inclusion = token.getIncludeTokenType();
         if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
             return false;
         } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
@@ -73,11 +73,11 @@ public abstract class AbstractSamlPolicy
      * @param signedResults a list of all of the signed results
      */
     public boolean checkHolderOfKey(
-        AssertionWrapper assertionWrapper,
+        SamlAssertionWrapper assertionWrapper,
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        return SAMLUtils.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
+        return DOMSAMLUtil.checkHolderOfKey(assertionWrapper, signedResults, tlsCerts);
     }
 
     /**
@@ -93,7 +93,7 @@ public abstract class AbstractSamlPolicy
         List<WSSecurityEngineResult> signedResults,
         Certificate[] tlsCerts
     ) {
-        return SAMLUtils.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
+        return DOMSAMLUtil.compareCredentials(subjectKeyInfo, signedResults, tlsCerts);
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -45,19 +45,22 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.helpers.MapNamespaceContext;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
-import org.apache.cxf.ws.security.policy.model.Header;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedElements;
-import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.KerberosSecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.model.EncryptedElements;
+import org.apache.wss4j.policy.model.EncryptedParts;
+import org.apache.wss4j.policy.model.Header;
+import org.apache.wss4j.policy.model.RequiredElements;
+import org.apache.wss4j.policy.model.SignedElements;
+import org.apache.wss4j.policy.model.SignedParts;
 
 /**
  * A base class to use to validate various SupportingToken policies.
@@ -79,10 +82,10 @@ public abstract class AbstractSupporting
     private boolean encrypted;
     private boolean derived;
     private boolean endorsed; 
-    private SignedEncryptedElements signedElements;
-    private SignedEncryptedElements encryptedElements;
-    private SignedEncryptedParts signedParts;
-    private SignedEncryptedParts encryptedParts;
+    private SignedElements signedElements;
+    private EncryptedElements encryptedElements;
+    private SignedParts signedParts;
+    private EncryptedParts encryptedParts;
 
     /**
      * Set the list of UsernameToken results
@@ -584,8 +587,8 @@ public abstract class AbstractSupporting
                 }
             } else if (actInt.intValue() == WSConstants.ST_SIGNED
                 || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlAssertionWrapper assertionWrapper = 
+                    (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
                 if (samlKeyInfo != null) {
                     X509Certificate[] subjectCerts = samlKeyInfo.getCerts();
@@ -621,7 +624,7 @@ public abstract class AbstractSupporting
      * Validate the SignedParts or EncryptedParts policies
      */
     private boolean validateSignedEncryptedParts(
-        SignedEncryptedParts parts,
+        SignedParts parts,
         boolean content,
         List<WSSecurityEngineResult> protResults,
         List<WSSecurityEngineResult> tokenResults
@@ -701,7 +704,7 @@ public abstract class AbstractSupporting
      * Validate SignedElements or EncryptedElements policies
      */
     private boolean validateSignedEncryptedElements(
-        SignedEncryptedElements elements,
+        RequiredElements elements,
         boolean content,
         List<WSSecurityEngineResult> protResults,
         List<WSSecurityEngineResult> tokenResults
@@ -710,15 +713,18 @@ public abstract class AbstractSupporting
             return true;
         }
         
-        Map<String, String> namespaces = elements.getDeclaredNamespaces();
-        List<String> xpaths = elements.getXPathExpressions();
+        List<org.apache.wss4j.policy.model.XPath> xpaths = elements.getXPaths();
+        
+        //Map<String, String> namespaces = elements.getDeclaredNamespaces();
+        //List<String> xpaths = elements.getXPathExpressions();
         
         if (xpaths != null) {
             SOAPMessage soapMessage = message.getContent(SOAPMessage.class);
             Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement();
             
-            for (String xPath : xpaths) {
-                if (!checkXPathResult(soapEnvelope, xPath, namespaces, protResults, tokenResults)) {
+            for (org.apache.wss4j.policy.model.XPath xPath : xpaths) {
+                if (!checkXPathResult(soapEnvelope, xPath.getXPath(), xPath.getPrefixNamespaceMap(), 
+                                      protResults, tokenResults)) {
                     return false;
                 }
             }
@@ -823,19 +829,19 @@ public abstract class AbstractSupporting
         this.timestamp = timestamp;
     }
 
-    public void setSignedElements(SignedEncryptedElements signedElements) {
+    public void setSignedElements(SignedElements signedElements) {
         this.signedElements = signedElements;
     }
 
-    public void setEncryptedElements(SignedEncryptedElements encryptedElements) {
+    public void setEncryptedElements(EncryptedElements encryptedElements) {
         this.encryptedElements = encryptedElements;
     }
 
-    public void setSignedParts(SignedEncryptedParts signedParts) {
+    public void setSignedParts(SignedParts signedParts) {
         this.signedParts = signedParts;
     }
 
-    public void setEncryptedParts(SignedEncryptedParts encryptedParts) {
+    public void setEncryptedParts(EncryptedParts encryptedParts) {
         this.encryptedParts = encryptedParts;
     }
     

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -19,10 +19,20 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.policy.SPConstants.IncludeTokenType;
-import org.apache.cxf.ws.security.policy.model.Token;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
 
 /**
  * Some abstract functionality for validating a Security Token.
@@ -36,10 +46,10 @@ public abstract class AbstractTokenPolic
      * @return true if the token is required
      */
     protected boolean isTokenRequired(
-        Token token,
+        AbstractToken token,
         Message message
     ) {
-        IncludeTokenType inclusion = token.getInclusion();
+        IncludeTokenType inclusion = token.getIncludeTokenType();
         if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
             return false;
         } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
@@ -56,4 +66,46 @@ public abstract class AbstractTokenPolic
         }
     }
     
+    protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+        if (aim != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim,
+        String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+            
+        return Collections.emptySet();
+    }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,12 +28,13 @@ import java.util.List;
 
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.transform.STRTransform;
+import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.transform.STRTransform;
+import org.apache.wss4j.policy.model.AlgorithmSuite;
+import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 
 /**
  * Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey or
@@ -85,7 +86,7 @@ public class AlgorithmSuitePolicyValidat
         }
         String c14nMethod = 
             (String)result.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
-        if (!algorithmPolicy.getInclusiveC14n().equals(c14nMethod)) {
+        if (!algorithmPolicy.getC14n().getValue().equals(c14nMethod)) {
             ai.setNotAsserted(
                 "The c14n method does not match the requirement"
             );
@@ -113,9 +114,10 @@ public class AlgorithmSuitePolicyValidat
         AlgorithmSuite algorithmPolicy,
         AssertionInfo ai
     ) {
+        AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
         for (WSDataRef dataRef : dataRefs) {
             String digestMethod = dataRef.getDigestAlgorithm();
-            if (!algorithmPolicy.getDigest().equals(digestMethod)) {
+            if (!algorithmSuiteType.getDigest().equals(digestMethod)) {
                 ai.setNotAsserted(
                     "The digest method does not match the requirement"
                 );
@@ -129,7 +131,7 @@ public class AlgorithmSuitePolicyValidat
                 return false;
             }
             for (String transformAlgorithm : transformAlgorithms) {
-                if (!(algorithmPolicy.getInclusiveC14n().equals(transformAlgorithm)
+                if (!(algorithmPolicy.getC14n().getValue().equals(transformAlgorithm)
                     || STRTransform.TRANSFORM_URI.equals(transformAlgorithm))) {
                     ai.setNotAsserted("The transform algorithms do not match the requirement");
                     return false;
@@ -147,11 +149,12 @@ public class AlgorithmSuitePolicyValidat
         AlgorithmSuite algorithmPolicy,
         AssertionInfo ai
     ) {
+        AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
         String transportMethod = 
             (String)result.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD);
         if (transportMethod != null 
-            && !algorithmPolicy.getSymmetricKeyWrap().equals(transportMethod)
-            && !algorithmPolicy.getAsymmetricKeyWrap().equals(transportMethod)) {
+            && !algorithmSuiteType.getSymmetricKeyWrap().equals(transportMethod)
+            && !algorithmSuiteType.getAsymmetricKeyWrap().equals(transportMethod)) {
             ai.setNotAsserted(
                 "The Key transport method does not match the requirement"
             );
@@ -163,7 +166,7 @@ public class AlgorithmSuitePolicyValidat
         if (dataRefs != null) {
             for (WSDataRef dataRef : dataRefs) {
                 String encryptionAlgorithm = dataRef.getAlgorithm();
-                if (!algorithmPolicy.getEncryption().equals(encryptionAlgorithm)) {
+                if (!algorithmSuiteType.getEncryption().equals(encryptionAlgorithm)) {
                     ai.setNotAsserted(
                         "The encryption algorithm does not match the requirement"
                     );
@@ -199,11 +202,12 @@ public class AlgorithmSuitePolicyValidat
             return false;
         }
         
+        AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
         byte[] secret = (byte[])result.get(WSSecurityEngineResult.TAG_SECRET);
         if (signature) {
             Principal principal = (Principal)result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
             if (principal instanceof WSDerivedKeyTokenPrincipal) {
-                int requiredLength = algorithmPolicy.getSignatureDerivedKeyLength();
+                int requiredLength = algorithmSuiteType.getSignatureDerivedKeyLength();
                 if (secret == null || secret.length != (requiredLength / 8)) {
                     ai.setNotAsserted(
                         "The signature derived key length does not match the requirement"
@@ -211,16 +215,16 @@ public class AlgorithmSuitePolicyValidat
                     return false;
                 }
             } else if (secret != null 
-                && (secret.length < (algorithmPolicy.getMinimumSymmetricKeyLength() / 8)
-                    || secret.length > (algorithmPolicy.getMaximumSymmetricKeyLength() / 8))) {
+                && (secret.length < (algorithmSuiteType.getMinimumSymmetricKeyLength() / 8)
+                    || secret.length > (algorithmSuiteType.getMaximumSymmetricKeyLength() / 8))) {
                 ai.setNotAsserted(
                     "The symmetric key length does not match the requirement"
                 );
                 return false;
             }
         } else if (secret != null 
-            && (secret.length < (algorithmPolicy.getMinimumSymmetricKeyLength() / 8)
-                || secret.length > (algorithmPolicy.getMaximumSymmetricKeyLength() / 8))) {
+            && (secret.length < (algorithmSuiteType.getMinimumSymmetricKeyLength() / 8)
+                || secret.length > (algorithmSuiteType.getMaximumSymmetricKeyLength() / 8))) {
             ai.setNotAsserted(
                 "The symmetric key length does not match the requirement"
             );
@@ -238,10 +242,11 @@ public class AlgorithmSuitePolicyValidat
         AlgorithmSuite algorithmPolicy,
         AssertionInfo ai
     ) {
+        AlgorithmSuiteType algorithmSuiteType = algorithmPolicy.getAlgorithmSuiteType();
         if (publicKey instanceof RSAPublicKey) {
             int modulus = ((RSAPublicKey)publicKey).getModulus().bitLength();
-            if (modulus < algorithmPolicy.getMinimumAsymmetricKeyLength()
-                || modulus > algorithmPolicy.getMaximumAsymmetricKeyLength()) {
+            if (modulus < algorithmSuiteType.getMinimumAsymmetricKeyLength()
+                || modulus > algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
                 ai.setNotAsserted(
                     "The asymmetric key length does not match the requirement"
                 );
@@ -249,8 +254,8 @@ public class AlgorithmSuitePolicyValidat
             }
         } else if (publicKey instanceof DSAPublicKey) {
             int length = ((DSAPublicKey)publicKey).getParams().getP().bitLength();
-            if (length < algorithmPolicy.getMinimumAsymmetricKeyLength()
-                || length > algorithmPolicy.getMaximumAsymmetricKeyLength()) {
+            if (length < algorithmSuiteType.getMinimumAsymmetricKeyLength()
+                || length > algorithmSuiteType.getMaximumAsymmetricKeyLength()) {
                 ai.setNotAsserted(
                     "The asymmetric key length does not match the requirement"
                 );

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,13 +28,13 @@ import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.TokenWrapper;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractTokenWrapper;
+import org.apache.wss4j.policy.model.AsymmetricBinding;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate an AsymmetricBinding policy.
@@ -49,11 +49,23 @@ public class AsymmetricBindingPolicyVali
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais,
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults,
+        List<WSSecurityEngineResult> encryptedResults
+    ) {
         boolean hasDerivedKeys = false;
         for (WSSecurityEngineResult result : results) {
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
@@ -68,7 +80,7 @@ public class AsymmetricBindingPolicyVali
             ai.setAsserted(true);
 
             // Check the protection order
-            if (!checkProtectionOrder(binding, ai, results)) {
+            if (!checkProtectionOrder(binding, aim, ai, results)) {
                 continue;
             }
             
@@ -82,11 +94,8 @@ public class AsymmetricBindingPolicyVali
                 continue;
             }
         }
-        
-        return true;
     }
     
-    
     /**
      * Check various tokens of the binding
      */
@@ -128,7 +137,7 @@ public class AsymmetricBindingPolicyVali
     }
     
     private boolean checkInitiatorTokens(
-        TokenWrapper wrapper, 
+        AbstractTokenWrapper wrapper, 
         AsymmetricBinding binding, 
         AssertionInfo ai,
         AssertionInfoMap aim, 
@@ -136,7 +145,7 @@ public class AsymmetricBindingPolicyVali
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults) {
 
-        Token token = wrapper.getToken();
+        AbstractToken token = wrapper.getToken();
         if (token instanceof X509Token) {
             boolean foundCert = false;
             for (WSSecurityEngineResult result : signedResults) {
@@ -159,12 +168,15 @@ public class AsymmetricBindingPolicyVali
             ai.setNotAsserted("Message fails the DerivedKeys requirement");
             return false;
         }
+        assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+        assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+        assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
 
         return true;
     }
 
     private boolean checkRecipientTokens(
-        TokenWrapper wrapper, 
+        AbstractTokenWrapper wrapper, 
         AsymmetricBinding binding, 
         AssertionInfo ai,
         AssertionInfoMap aim, 
@@ -177,6 +189,9 @@ public class AsymmetricBindingPolicyVali
             ai.setNotAsserted("Message fails the DerivedKeys requirement");
             return false;
         }
+        assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+        assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+        assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
 
         return true;
     }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
 
 /**
  * Validate a WS-SecurityPolicy corresponding to a binding.

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ClaimsPolicyValidator.java Thu May 23 13:17:26 2013
@@ -21,7 +21,7 @@ package org.apache.cxf.ws.security.wss4j
 
 import org.w3c.dom.Element;
 
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 
 /**
  * Validate a WS-SecurityPolicy Claims policy.
@@ -34,7 +34,7 @@ public interface ClaimsPolicyValidator {
      */
     boolean validatePolicy(
         Element claimsPolicy,
-        AssertionWrapper assertion
+        SamlAssertionWrapper assertion
     );
     
     /**



Mime
View raw message