cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1485693 [9/14] - in /cxf/trunk: ./ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/client/ distribution/src/main/release/samples/sts/src/main/java/demo/wssec/server/ distribution/src/main/release/samples/sts/src/main/jav...
Date Thu, 23 May 2013 13:17:32 GMT
Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate SupportingToken policies.
@@ -54,21 +53,22 @@ public class ConcreteSupportingTokenPoli
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-        
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -76,8 +76,8 @@ public class ConcreteSupportingTokenPoli
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
             
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
@@ -118,10 +118,7 @@ public class ConcreteSupportingTokenPoli
                     continue;
                 }
             }
-
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/DefaultClaimsPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import java.util.List;
 import org.w3c.dom.Element;
 
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 
 /**
  * Validate a WS-SecurityPolicy Claims policy for the 
@@ -42,7 +42,7 @@ public class DefaultClaimsPolicyValidato
      */
     public boolean validatePolicy(
         Element claimsPolicy,
-        AssertionWrapper assertion
+        SamlAssertionWrapper assertion
     ) {
         if (claimsPolicy == null) {
             return false;
@@ -78,7 +78,7 @@ public class DefaultClaimsPolicyValidato
         return DEFAULT_CLAIMS_NAMESPACE;
     }
     
-    private boolean findClaimInAssertion(AssertionWrapper assertion, URI claimURI) {
+    private boolean findClaimInAssertion(SamlAssertionWrapper assertion, URI claimURI) {
         if (assertion.getSaml1() != null) {
             return findClaimInAssertion(assertion.getSaml1(), claimURI);
         } else if (assertion.getSaml2() != null) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate an EncryptedSupportingToken policy. 
@@ -54,21 +53,22 @@ public class EncryptedTokenPolicyValidat
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -76,8 +76,8 @@ public class EncryptedTokenPolicyValidat
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
 
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
@@ -119,8 +119,6 @@ public class EncryptedTokenPolicyValidat
                 }
             }
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate an EndorsingEncryptedSupportingToken policy. 
@@ -55,22 +55,23 @@ public class EndorsingEncryptedTokenPoli
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING_ENCRYPTED 
-                != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -78,14 +79,14 @@ public class EndorsingEncryptedTokenPoli
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
 
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
                 
-                boolean derived = token.isDerivedKeys();
-                setDerived(derived);
+                DerivedKeys derivedKeys = token.getDerivedKeys();
+                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
                     if (!processKerberosTokens()) {
@@ -124,8 +125,6 @@ public class EndorsingEncryptedTokenPoli
                 }
             }
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate an EndorsingSupportingToken policy. 
@@ -55,21 +55,23 @@ public class EndorsingTokenPolicyValidat
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.ENDORSING_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENDORSING != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -77,14 +79,14 @@ public class EndorsingTokenPolicyValidat
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
             
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
                 
-                boolean derived = token.isDerivedKeys();
-                setDerived(derived);
+                DerivedKeys derivedKeys = token.getDerivedKeys();
+                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
                     if (!processKerberosTokens()) {
@@ -122,8 +124,6 @@ public class EndorsingTokenPolicyValidat
                 }
             }
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -29,12 +29,12 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.policy.model.IssuedToken;
 
 import org.opensaml.common.SAMLVersion;
 
@@ -58,7 +58,7 @@ public class IssuedTokenPolicyValidator 
     
     public boolean validatePolicy(
         Collection<AssertionInfo> ais,
-        AssertionWrapper assertionWrapper
+        SamlAssertionWrapper assertionWrapper
     ) {
         if (ais == null || ais.isEmpty()) {
             return true;
@@ -79,7 +79,7 @@ public class IssuedTokenPolicyValidator 
                 continue;
             }
 
-            Element template = issuedToken.getRstTemplate();
+            Element template = issuedToken.getRequestSecurityTokenTemplate();
             if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper)) {
                 ai.setNotAsserted("Error in validating the IssuedToken policy");
                 continue;
@@ -130,7 +130,7 @@ public class IssuedTokenPolicyValidator 
                 return false;
             }
 
-            Element template = issuedToken.getRstTemplate();
+            Element template = issuedToken.getRequestSecurityTokenTemplate();
             if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) {
                 ai.setNotAsserted("Error in validating the IssuedToken policy");
                 return false;
@@ -142,7 +142,7 @@ public class IssuedTokenPolicyValidator 
     /**
      * Check the issued token template against the received assertion
      */
-    private boolean checkIssuedTokenTemplate(Element template, AssertionWrapper assertionWrapper) {
+    private boolean checkIssuedTokenTemplate(Element template, SamlAssertionWrapper assertionWrapper) {
         Element child = DOMUtils.getFirstElement(template);
         while (child != null) {
             if ("TokenType".equals(child.getLocalName())) {

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -21,12 +21,15 @@ package org.apache.cxf.ws.security.wss4j
 
 import java.util.Collection;
 
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.ws.security.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KerberosToken.ApReqTokenType;
 
 /**
  * Validate a WSSecurityEngineResult corresponding to the processing of a Kerberos Token
@@ -46,36 +49,67 @@ public class KerberosTokenPolicyValidato
         AssertionInfoMap aim,
         KerberosSecurity kerberosToken
     ) {
-        Collection<AssertionInfo> krbAis = aim.get(SP12Constants.KERBEROS_TOKEN);
-        if (krbAis != null && !krbAis.isEmpty()) {
-            for (AssertionInfo ai : krbAis) {
-                KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
-                ai.setAsserted(true);
-                
-                if (!isTokenRequired(kerberosTokenPolicy, message)) {
-                    continue;
-                }
-                
-                if (!checkToken(kerberosTokenPolicy, kerberosToken)) {
-                    ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
-                    continue;
-                }
-            }
+        Collection<AssertionInfo> krbAis = getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+        if (!krbAis.isEmpty()) {
+            parsePolicies(aim, krbAis, kerberosToken);
         }
+        
         return true;
     }
     
-    private boolean checkToken(KerberosToken kerberosTokenPolicy, KerberosSecurity kerberosToken) {
-        boolean isV5ApReq = kerberosTokenPolicy.isV5ApReqToken11();
-        boolean isGssV5ApReq = kerberosTokenPolicy.isGssV5ApReqToken11();
+    private void parsePolicies(
+        AssertionInfoMap aim, 
+        Collection<AssertionInfo> ais, 
+        KerberosSecurity kerberosToken
+    ) {
+        for (AssertionInfo ai : ais) {
+            KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
+            ai.setAsserted(true);
+            
+            if (!isTokenRequired(kerberosTokenPolicy, message)) {
+                assertPolicy(
+                    aim, 
+                    new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
+                              "WssKerberosV5ApReqToken11")
+                );
+                assertPolicy(
+                    aim, 
+                    new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
+                              "WssGssKerberosV5ApReqToken11")
+                );
+                continue;
+            }
+            
+            if (!checkToken(aim, kerberosTokenPolicy, kerberosToken)) {
+                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
+                continue;
+            }
+        }
+    }
+    
+    private boolean checkToken(
+        AssertionInfoMap aim,
+        KerberosToken kerberosTokenPolicy, 
+        KerberosSecurity kerberosToken
+    ) {
+        ApReqTokenType apReqTokenType = kerberosTokenPolicy.getApReqTokenType();
 
-        if (isV5ApReq && kerberosToken.isV5ApReq()) {
-            return true;
-        } else if (isGssV5ApReq && kerberosToken.isGssV5ApReq()) {
+        if (apReqTokenType == ApReqTokenType.WssKerberosV5ApReqToken11 
+            && kerberosToken.isV5ApReq()) {
+            assertPolicy(
+                aim, 
+                new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11")
+            );
             return true;
-        } else if (!(isV5ApReq || isGssV5ApReq)) {
+        } else if (apReqTokenType == ApReqTokenType.WssGssKerberosV5ApReqToken11 
+            && kerberosToken.isGssV5ApReq()) {
+            assertPolicy(
+                aim, 
+                new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11")
+            );
             return true;
         }
+        
         return false;
     }
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java Thu May 23 13:17:26 2013
@@ -29,17 +29,17 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSSecurityEngine;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
-import org.apache.ws.security.message.token.PKIPathSecurity;
-import org.apache.ws.security.message.token.X509Security;
-import org.apache.ws.security.saml.SAMLKeyInfo;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SAMLKeyInfo;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSDataRef;
+import org.apache.wss4j.dom.WSSecurityEngine;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.PKIPathSecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.Layout.LayoutType;
 
 /**
  * Validate a Layout policy.
@@ -57,9 +57,9 @@ public class LayoutPolicyValidator {
     }
     
     public boolean validatePolicy(Layout layout) {
-        boolean timestampFirst = layout.getValue() == SPConstants.Layout.LaxTsFirst;
-        boolean timestampLast = layout.getValue() == SPConstants.Layout.LaxTsLast;
-        boolean strict = layout.getValue() == SPConstants.Layout.Strict;
+        boolean timestampFirst = layout.getLayoutType() == LayoutType.LaxTsFirst;
+        boolean timestampLast = layout.getLayoutType() == LayoutType.LaxTsLast;
+        boolean strict = layout.getLayoutType() == LayoutType.Strict;
         
         if (timestampFirst) {
             if (results.isEmpty()) {
@@ -209,8 +209,8 @@ public class LayoutPolicyValidator {
                 }
             } else if (actInt.intValue() == WSConstants.ST_SIGNED
                 || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlAssertionWrapper assertionWrapper = 
+                    (SamlAssertionWrapper)token.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 SAMLKeyInfo samlKeyInfo = assertionWrapper.getSubjectKeyInfo();
                 if (samlKeyInfo != null) {
                     X509Certificate[] subjectCerts = samlKeyInfo.getCerts();

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -24,19 +24,22 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
 import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.wss4j.SAMLUtils;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.saml.ext.AssertionWrapper;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.saml.DOMSAMLUtil;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
 import org.opensaml.common.SAMLVersion;
 
 /**
@@ -54,25 +57,39 @@ public class SamlTokenPolicyValidator ex
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SAML_TOKEN);
-        if (ais == null || ais.isEmpty()) {
-            return true;
-        }
-        
         body = soapBody;
         signed = signedResults;
         
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results, signedResults);
+        }
+        
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim, 
+        Collection<AssertionInfo> ais, 
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         final List<Integer> actions = new ArrayList<Integer>(2);
         actions.add(WSConstants.ST_SIGNED);
         actions.add(WSConstants.ST_UNSIGNED);
         List<WSSecurityEngineResult> samlResults = 
-            WSS4JUtils.fetchAllActionResults(results, actions);
+            WSSecurityUtil.fetchAllActionResults(results, actions);
         
         for (AssertionInfo ai : ais) {
             SamlToken samlToken = (SamlToken)ai.getAssertion();
             ai.setAsserted(true);
 
             if (!isTokenRequired(samlToken, message)) {
+                assertPolicy(
+                    aim, 
+                    new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name())
+                );
                 continue;
             }
 
@@ -85,10 +102,10 @@ public class SamlTokenPolicyValidator ex
             
             // All of the received SAML Assertions must conform to the policy
             for (WSSecurityEngineResult result : samlResults) {
-                AssertionWrapper assertionWrapper = 
-                    (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                SamlAssertionWrapper assertionWrapper = 
+                    (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 
-                if (!checkVersion(samlToken, assertionWrapper)) {
+                if (!checkVersion(aim, samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
                     continue;
                 }
@@ -101,7 +118,7 @@ public class SamlTokenPolicyValidator ex
                     ai.setNotAsserted("Assertion fails holder-of-key requirements");
                     continue;
                 }
-                if (!SAMLUtils.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
+                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
                     ai.setNotAsserted("Assertion fails sender-vouches requirements");
                     continue;
                 }
@@ -112,8 +129,6 @@ public class SamlTokenPolicyValidator ex
                  */
             }
         }
-        
-        return true;
     }
     
     /**
@@ -133,15 +148,22 @@ public class SamlTokenPolicyValidator ex
     /**
      * Check the policy version against the received assertion
      */
-    private boolean checkVersion(SamlToken samlToken, AssertionWrapper assertionWrapper) {
-        if ((samlToken.isUseSamlVersion11Profile10()
-            || samlToken.isUseSamlVersion11Profile11())
+    private boolean checkVersion(
+        AssertionInfoMap aim,
+        SamlToken samlToken, 
+        SamlAssertionWrapper assertionWrapper
+    ) {
+        SamlTokenType samlTokenType = samlToken.getSamlTokenType();
+        if ((samlTokenType == SamlTokenType.WssSamlV11Token10
+            || samlTokenType == SamlTokenType.WssSamlV11Token11)
             && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
             return false;
-        } else if (samlToken.isUseSamlVersion20Profile11()
+        } else if (samlTokenType == SamlTokenType.WssSamlV20Token11
             && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
             return false;
         }
+        
+        assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
         return true;
     }
     

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,11 +27,13 @@ import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SecurityContextToken;
 
 /**
  * Validate a SecurityContextToken policy.
@@ -46,17 +48,31 @@ public class SecurityContextTokenPolicyV
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SECURITY_CONTEXT_TOKEN);
-        if (ais == null || ais.isEmpty()) {
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results);
         }
-
+        
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
         List<WSSecurityEngineResult> sctResults = 
-            WSS4JUtils.fetchAllActionResults(results, WSConstants.SCT);
+            WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT);
 
         for (AssertionInfo ai : ais) {
             SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
             ai.setAsserted(true);
+            
+            assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
+            assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
+            assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
 
             if (!isTokenRequired(sctPolicy, message)) {
                 continue;
@@ -69,7 +85,5 @@ public class SecurityContextTokenPolicyV
                 continue;
             }
         }
-        return true;
     }
-    
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate a SignedEncryptedSupportingToken policy. 
@@ -55,21 +54,23 @@ public class SignedEncryptedTokenPolicyV
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
-
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
         
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -77,8 +78,8 @@ public class SignedEncryptedTokenPolicyV
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
 
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
@@ -120,8 +121,7 @@ public class SignedEncryptedTokenPolicyV
                 }
             }
         }
-        
-        return true;
     }
     
+    
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate a SignedEndorsingEncryptedSupportingToken policy. 
@@ -56,22 +56,23 @@ public class SignedEndorsingEncryptedTok
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
-
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
         
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING_ENCRYPTED 
-                != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -79,14 +80,14 @@ public class SignedEndorsingEncryptedTok
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
 
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
                 
-                boolean derived = token.isDerivedKeys();
-                setDerived(derived);
+                DerivedKeys derivedKeys = token.getDerivedKeys();
+                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
                     if (!processKerberosTokens()) {
@@ -125,8 +126,6 @@ public class SignedEndorsingEncryptedTok
                 }
             }
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,18 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate a SignedEndorsingSupportingToken policy. 
@@ -55,21 +55,23 @@ public class SignedEndorsingTokenPolicyV
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENDORSING != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -77,14 +79,14 @@ public class SignedEndorsingTokenPolicyV
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
 
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
                 
-                boolean derived = token.isDerivedKeys();
-                setDerived(derived);
+                DerivedKeys derivedKeys = token.getDerivedKeys();
+                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
                     if (!processKerberosTokens()) {
@@ -122,8 +124,6 @@ public class SignedEndorsingTokenPolicyV
                 }
             }
         }
-        
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,18 +25,17 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.IssuedToken;
-import org.apache.cxf.ws.security.policy.model.KerberosToken;
-import org.apache.cxf.ws.security.policy.model.KeyValueToken;
-import org.apache.cxf.ws.security.policy.model.SamlToken;
-import org.apache.cxf.ws.security.policy.model.SecurityContextToken;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.policy.model.Token;
-import org.apache.cxf.ws.security.policy.model.UsernameToken;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractToken;
+import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.X509Token;
 
 /**
  * Validate SignedSupportingToken policies.
@@ -54,21 +53,23 @@ public class SignedTokenPolicyValidator 
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SIGNED_SUPPORTING_TOKENS);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = 
+            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+        if (!ais.isEmpty()) {
+            setMessage(message);
+            setResults(results);
+            setSignedResults(signedResults);
+            setEncryptedResults(encryptedResults);
+            
+            parsePolicies(ais, message);
         }
         
-        setMessage(message);
-        setResults(results);
-        setSignedResults(signedResults);
-        setEncryptedResults(encryptedResults);
-        
+        return true;
+    }
+    
+    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
         for (AssertionInfo ai : ais) {
-            SupportingToken binding = (SupportingToken)ai.getAssertion();
-            if (SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED != binding.getTokenType()) {
-                continue;
-            }
+            SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
             
             setSignedParts(binding.getSignedParts());
@@ -76,8 +77,8 @@ public class SignedTokenPolicyValidator 
             setSignedElements(binding.getSignedElements());
             setEncryptedElements(binding.getEncryptedElements());
             
-            List<Token> tokens = binding.getTokens();
-            for (Token token : tokens) {
+            List<AbstractToken> tokens = binding.getTokens();
+            for (AbstractToken token : tokens) {
                 if (!isTokenRequired(token, message)) {
                     continue;
                 }
@@ -118,10 +119,6 @@ public class SignedTokenPolicyValidator 
                     continue;
                 }
             }
-
         }
-        
-        return true;
     }
-    
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SupportingTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
 
 /**
  * Validate a WS-SecurityPolicy corresponding to a SupportingToken.

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,10 +27,10 @@ import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.SymmetricBinding;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.SymmetricBinding;
 
 /**
  * Validate a SymmetricBinding policy.
@@ -45,11 +45,23 @@ public class SymmetricBindingPolicyValid
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {                       
+            parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,
+        Element soapBody,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults,
+        List<WSSecurityEngineResult> encryptedResults
+    ) {
         boolean hasDerivedKeys = false;
         for (WSSecurityEngineResult result : results) {
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
@@ -64,7 +76,7 @@ public class SymmetricBindingPolicyValid
             ai.setAsserted(true);
 
             // Check the protection order
-            if (!checkProtectionOrder(binding, ai, results)) {
+            if (!checkProtectionOrder(binding, aim, ai, results)) {
                 continue;
             }
             
@@ -78,8 +90,6 @@ public class SymmetricBindingPolicyValid
                 continue;
             }
         }
-        
-        return true;
     }
     
     /**
@@ -101,6 +111,9 @@ public class SymmetricBindingPolicyValid
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
+            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         if (binding.getSignatureToken() != null) {
@@ -111,6 +124,9 @@ public class SymmetricBindingPolicyValid
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
+            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         if (binding.getProtectionToken() != null) {
@@ -121,6 +137,9 @@ public class SymmetricBindingPolicyValid
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
+            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         return true;

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -25,7 +25,7 @@ import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
 
 /**
  * Validate a WS-SecurityPolicy corresponding to a received token.

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java Thu May 23 13:17:26 2013
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j
 import java.util.Collection;
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
 import org.w3c.dom.Element;
 
 import org.apache.cxf.message.Message;
@@ -29,10 +31,12 @@ import org.apache.cxf.message.MessageUti
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Layout;
-import org.apache.cxf.ws.security.policy.model.TransportBinding;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Layout;
+import org.apache.wss4j.policy.model.TransportBinding;
 
 /**
  * Validate a TransportBinding policy.
@@ -47,11 +51,27 @@ public class TransportBindingPolicyValid
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
-        if (ais == null || ais.isEmpty()) {                       
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        if (!ais.isEmpty()) {
+            parsePolicies(aim, ais, message, results, signedResults);
+            
+            // We don't need to check these policies for the Transport binding
+            assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+            assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
+            assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+            assertPolicy(aim, SP11Constants.SIGNED_PARTS);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        AssertionInfoMap aim,
+        Collection<AssertionInfo> ais, 
+        Message message,
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
         for (AssertionInfo ai : ais) {
             TransportBinding binding = (TransportBinding)ai.getAssertion();
             ai.setAsserted(true);
@@ -74,33 +94,40 @@ public class TransportBindingPolicyValid
             if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
                 continue;
             }
+            assertPolicy(aim, binding.getAlgorithmSuite());
+            String namespace = binding.getAlgorithmSuite().getVersion().getNamespace();
+            String name = binding.getAlgorithmSuite().getAlgorithmSuiteType().getName();
+            Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
+            if (algSuiteAis != null) {
+                for (AssertionInfo algSuiteAi : algSuiteAis) {
+                    algSuiteAi.setAsserted(true);
+                }
+            }
             
             // Check the IncludeTimestamp
             if (!validateTimestamp(binding.isIncludeTimestamp(), true, results, signedResults, message)) {
                 String error = "Received Timestamp does not match the requirements";
-                notAssertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP, error);
                 ai.setNotAsserted(error);
                 continue;
             }
-            assertPolicy(aim, SP12Constants.INCLUDE_TIMESTAMP);
+            assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
             
             // Check the Layout
             Layout layout = binding.getLayout();
             LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator(results, signedResults);
             if (!layoutValidator.validatePolicy(layout)) {
                 String error = "Layout does not match the requirements";
-                notAssertPolicy(aim, layout, error);
+                notAssertPolicy(aim, binding.getLayout(), error);
                 ai.setNotAsserted(error);
                 continue;
             }
-            assertPolicy(aim, layout);
+            assertPolicy(aim, binding.getLayout());
+            assertPolicy(aim, SPConstants.LAYOUT_LAX);
+            assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+            assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+            assertPolicy(aim, SPConstants.LAYOUT_STRICT);
         }
-        
-        // We don't need to check these policies for the Transport binding
-        assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
-        assertPolicy(aim, SP12Constants.SIGNED_PARTS);
-        
-        return true;
+
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,13 +28,15 @@ import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.SupportingToken;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.model.SupportingTokens;
+import org.apache.wss4j.policy.model.UsernameToken.PasswordType;
 
 /**
  * Validate a UsernameToken policy.
@@ -49,22 +51,36 @@ public class UsernameTokenPolicyValidato
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
-        if (ais == null || ais.isEmpty()) {
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        if (!ais.isEmpty()) {
+            parsePolicies(ais, message, results);
+            
+            assertPolicy(aim, SP13Constants.CREATED);
+            assertPolicy(aim, SP13Constants.NONCE);
+            assertPolicy(aim, SPConstants.NO_PASSWORD);
+            assertPolicy(aim, SPConstants.HASH_PASSWORD);
+            assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+            assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        Collection<AssertionInfo> ais, 
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
         final List<Integer> actions = new ArrayList<Integer>(2);
         actions.add(WSConstants.UT);
         actions.add(WSConstants.UT_NOPASSWORD);
         List<WSSecurityEngineResult> utResults = 
-            WSS4JUtils.fetchAllActionResults(results, actions);
+            WSSecurityUtil.fetchAllActionResults(results, actions);
         
         for (AssertionInfo ai : ais) {
-            org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy = 
-                (org.apache.cxf.ws.security.policy.model.UsernameToken)ai.getAssertion();
+            org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy = 
+                (org.apache.wss4j.policy.model.UsernameToken)ai.getAssertion();
             ai.setAsserted(true);
-
             if (!isTokenRequired(usernameTokenPolicy, message)) {
                 continue;
             }
@@ -80,39 +96,43 @@ public class UsernameTokenPolicyValidato
                 continue;
             }
         }
-        return true;
     }
     
     /**
      * All UsernameTokens must conform to the policy
      */
     public boolean checkTokens(
-        org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy,
+        org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy,
         AssertionInfo ai,
         List<WSSecurityEngineResult> utResults
     ) {
         for (WSSecurityEngineResult result : utResults) {
             UsernameToken usernameToken = 
                 (UsernameToken)result.get(WSSecurityEngineResult.TAG_USERNAME_TOKEN);
-            if (usernameTokenPolicy.isHashPassword() != usernameToken.isHashed()) {
+            PasswordType passwordType = usernameTokenPolicy.getPasswordType();
+            boolean isHashPassword = passwordType == PasswordType.HashPassword;
+            boolean isNoPassword = passwordType == PasswordType.NoPassword;
+            if (isHashPassword != usernameToken.isHashed()) {
                 ai.setNotAsserted("Password hashing policy not enforced");
                 return false;
             }
-            if (usernameTokenPolicy.isNoPassword() && (usernameToken.getPassword() != null)) {
+            
+            if (isNoPassword && (usernameToken.getPassword() != null)) {
                 ai.setNotAsserted("Username Token NoPassword policy not enforced");
                 return false;
-            } else if (!usernameTokenPolicy.isNoPassword() && (usernameToken.getPassword() == null)
+            } else if (!isNoPassword && (usernameToken.getPassword() == null)
                 && isNonEndorsingSupportingToken(usernameTokenPolicy)) {
                 ai.setNotAsserted("Username Token No Password supplied");
                 return false;
             }
             
-            if (usernameTokenPolicy.isRequireCreated() 
+            if (usernameTokenPolicy.isCreated()
                 && (usernameToken.getCreated() == null || usernameToken.isHashed())) {
                 ai.setNotAsserted("Username Token Created policy not enforced");
                 return false;
             }
-            if (usernameTokenPolicy.isRequireNonce() 
+            
+            if (usernameTokenPolicy.isNonce() 
                 && (usernameToken.getNonce() == null || usernameToken.isHashed())) {
                 ai.setNotAsserted("Username Token Nonce policy not enforced");
                 return false;
@@ -126,15 +146,16 @@ public class UsernameTokenPolicyValidato
      * true then the corresponding UsernameToken must have a password element.
      */
     private boolean isNonEndorsingSupportingToken(
-        org.apache.cxf.ws.security.policy.model.UsernameToken usernameTokenPolicy
+        org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy
     ) {
-        SupportingToken supportingToken = usernameTokenPolicy.getSupportingToken();
-        if (supportingToken != null) {
-            SPConstants.SupportTokenType type = supportingToken.getTokenType();
-            if (type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SUPPORTING
-                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED
-                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_SIGNED_ENCRYPTED
-                || type == SPConstants.SupportTokenType.SUPPORTING_TOKEN_ENCRYPTED) {
+        AbstractSecurityAssertion parentAssertion = usernameTokenPolicy.getParentAssertion();
+        if (parentAssertion instanceof SupportingTokens) {
+            SupportingTokens supportingToken = (SupportingTokens)parentAssertion;
+            String localname = supportingToken.getName().getLocalPart();
+            if (localname.equals(SPConstants.SUPPORTING_TOKENS)
+                || localname.equals(SPConstants.SIGNED_SUPPORTING_TOKENS)
+                || localname.equals(SPConstants.ENCRYPTED_SUPPORTING_TOKENS)
+                || localname.equals(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS)) {
                 return true;
             }
         }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java Thu May 23 13:17:26 2013
@@ -28,16 +28,17 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.model.Wss11;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.Wss11;
 
 /**
  * Validate a WSS11 policy.
  */
-public class WSS11PolicyValidator implements TokenPolicyValidator {
+public class WSS11PolicyValidator 
+    extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
     
     public boolean validatePolicy(
         AssertionInfoMap aim,
@@ -46,13 +47,25 @@ public class WSS11PolicyValidator implem
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.WSS11);
-        if (ais == null || ais.isEmpty()) {
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+        if (!ais.isEmpty()) {
+            parsePolicies(ais, message, results);
+            
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
+            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+            assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        Collection<AssertionInfo> ais, 
+        Message message,  
+        List<WSSecurityEngineResult> results
+    ) {
         List<WSSecurityEngineResult> scResults =
-            WSS4JUtils.fetchAllActionResults(results, WSConstants.SC);
+            WSSecurityUtil.fetchAllActionResults(results, WSConstants.SC);
         
         for (AssertionInfo ai : ais) {
             Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -70,7 +83,6 @@ public class WSS11PolicyValidator implem
                 continue;
             }
         }
-        return true;
     }
     
 }

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java (original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java Thu May 23 13:17:26 2013
@@ -27,13 +27,13 @@ import org.w3c.dom.Element;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.SP12Constants;
-import org.apache.cxf.ws.security.policy.SPConstants;
-import org.apache.cxf.ws.security.policy.model.X509Token;
-import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
-import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
-import org.apache.ws.security.message.token.BinarySecurity;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.model.X509Token;
+import org.apache.wss4j.policy.model.X509Token.TokenType;
 
 /**
  * Validate an X509 Token policy.
@@ -50,13 +50,28 @@ public class X509TokenPolicyValidator ex
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = aim.get(SP12Constants.X509_TOKEN);
-        if (ais == null || ais.isEmpty()) {
-            return true;
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+        if (!ais.isEmpty()) {
+            parsePolicies(ais, message, results);
+            
+            assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+            assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+            assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
+            assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
+            assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
+            assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
         }
         
+        return true;
+    }
+    
+    private void parsePolicies(
+        Collection<AssertionInfo> ais, 
+        Message message,
+        List<WSSecurityEngineResult> results
+    ) {
         List<WSSecurityEngineResult> bstResults = 
-            WSS4JUtils.fetchAllActionResults(results, WSConstants.BST);
+            WSSecurityUtil.fetchAllActionResults(results, WSConstants.BST);
         
         for (AssertionInfo ai : ais) {
             X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
@@ -73,19 +88,18 @@ public class X509TokenPolicyValidator ex
                 continue;
             }
 
-            if (!checkTokenType(x509TokenPolicy.getTokenVersionAndType(), bstResults)) {
+            if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults)) {
                 ai.setNotAsserted("An incorrect X.509 Token Type is detected");
                 continue;
             }
         }
-        return true;
     }
     
     /**
      * Check that at least one received token matches the token type.
      */
     private boolean checkTokenType(
-        String requiredVersionAndType,
+        TokenType tokenType,
         List<WSSecurityEngineResult> bstResults
     ) {
         if (bstResults.isEmpty()) {
@@ -93,8 +107,8 @@ public class X509TokenPolicyValidator ex
         }
 
         String requiredType = X509_V3_VALUETYPE;
-        if (SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10.equals(requiredVersionAndType)
-            || SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11.equals(requiredVersionAndType)) {
+        if (tokenType == TokenType.WssX509PkiPathV1Token10
+            || tokenType == TokenType.WssX509PkiPathV1Token11) {
             requiredType = PKI_VALUETYPE;
         }
 

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java?rev=1485693&r1=1485692&r2=1485693&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java (original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptorTest.java Thu May 23 13:17:26 2013
@@ -21,9 +21,9 @@ package org.apache.cxf.ws.security.trust
 import org.apache.cxf.configuration.security.AuthorizationPolicy;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageImpl;
-import org.apache.ws.security.WSSecurityException;
-import org.apache.ws.security.message.token.UsernameToken;
-import org.apache.ws.security.validate.Credential;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.dom.validate.Credential;
 
 import org.junit.Assert;
 import org.junit.Test;



Mime
View raw message