From cohei...@apache.org
Subject [1/2] cxf git commit: An initial refactor about how policies are asserted
Date Sat, 14 Mar 2015 12:44:23 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 08f376bdf -> a2e5fae3a


http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index bd9ae7c..abf12e6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -44,6 +44,7 @@ import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.cache.ReplayCache;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -243,7 +244,8 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
     }
     
     private boolean isAllowNoPassword(AssertionInfoMap aim) throws WSSecurityException {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
 
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
@@ -283,12 +285,12 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
     
     protected UsernameToken assertTokens(SoapMessage message) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
-        assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
-        assertPolicy(aim, SPConstants.HASH_PASSWORD);
-        assertPolicy(aim, SPConstants.NO_PASSWORD);
-        assertPolicy(aim, SP13Constants.NONCE);
-        assertPolicy(aim, SP13Constants.CREATED);
+        PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+        PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+        PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
+        PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
+        PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
+        PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
 
         return (UsernameToken)assertTokens(message, SPConstants.USERNAME_TOKEN, true);
     }
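Review bot: In `assertTokens(SoapMessage)`, `HASH_PASSWORD`, `NO_PASSWORD`, `NONCE` and `CREATED` are marked asserted before the three-argument `assertTokens` call on the last line has inspected the token. Those nested assertions therefore read as satisfied even if that call later records `setNotAsserted` on the UsernameToken assertion. Assuming the overload shown in the following hunks is the one invoked, enforcement appears to rest only on the parent assertion failing. If that is intended, a comment such as `// nested assertions are pre-asserted; failures are reported on the parent UsernameToken assertion` would make the ordering explicit. Otherwise the four pre-assertions could be dropped here, since the validating overload already asserts them on its success paths.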
@@ -299,7 +301,8 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         boolean signed
     ) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
         UsernameToken tok = null;
         for (AssertionInfo ai : ais) {
             tok = (UsernameToken)ai.getAssertion();
@@ -308,7 +311,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
                 && (princ == null || !princ.isPasswordDigest())) {
                 ai.setNotAsserted("Password hashing policy not enforced");
             } else {
-                assertPolicy(aim, SPConstants.HASH_PASSWORD);
+                PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
             }
             
             if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
@@ -316,28 +319,28 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
                 && (princ == null || princ.getPassword() == null)) {
                 ai.setNotAsserted("Username Token No Password supplied");
             } else {
-                assertPolicy(aim, SPConstants.NO_PASSWORD);
+                PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
             }
             
             if (tok.isCreated() && princ.getCreatedTime() == null) {
                 ai.setNotAsserted("No Created Time");
             } else {
-                assertPolicy(aim, SP13Constants.CREATED);
+                PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
             }
             
             if (tok.isNonce() && princ.getNonce() == null) {
                 ai.setNotAsserted("No Nonce");
             } else {
-                assertPolicy(aim, SP13Constants.NONCE);
+                PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
             }
         }
         
-        assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
-        assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
-        assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+        PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+        PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+        PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
 
         if (signed || isTLSInUse(message)) {
-            assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+            PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         }
         return tok;
     }
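Review bot: `princ` is dereferenced without a null check in `tok.isCreated() && princ.getCreatedTime() == null` and `tok.isNonce() && princ.getNonce() == null`, although the password checks earlier in the same loop guard with `princ == null ||`. If `princ` can be null at this point, a policy requiring Created or Nonce would end in a NullPointerException instead of a `setNotAsserted` result. Writing `if (tok.isCreated() && (princ == null || princ.getCreatedTime() == null))`, with the same shape for the nonce check, would keep the failure inside policy reporting. The method starts outside this hunk, so where `princ` is assigned is not visible.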
@@ -366,7 +369,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         if (utBuilder == null) {
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             Collection<AssertionInfo> ais = 
-                getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
             for (AssertionInfo ai : ais) {
                 if (ai.isAsserted()) {
                     ai.setAsserted(false);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
index d748ede..d69e94d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JUtils.java
@@ -350,5 +350,5 @@ public final class WSS4JUtils {
         } 
         return CryptoFactory.getInstance(propFilename, classLoader);
     }
-    
+ 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 7dd95af..8198aa0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -69,6 +69,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyConstants;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.AttachmentCallbackHandler;
@@ -1057,7 +1058,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             return new ArrayList<WSEncryptionPart>();
         }
         
-        List<WSEncryptionPart> signedParts = new ArrayList<WSEncryptionPart>();
+        List<WSEncryptionPart> signedParts = new ArrayList<>();
         if (parts != null) {
             isBody = parts.isBody();
             for (Header head : parts.getHeaders()) {
@@ -2038,36 +2039,36 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     
     protected void addSupportingTokens(List<WSEncryptionPart> sigs) throws WSSecurityException {
         Collection<AssertionInfo> sgndSuppTokens = 
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         List<SupportingToken> sigSuppTokList = this.handleSupportingTokens(sgndSuppTokens, false);
         
         Collection<AssertionInfo> endSuppTokens = 
-            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
         endSuppTokList = this.handleSupportingTokens(endSuppTokens, true);
 
         Collection<AssertionInfo> sgndEndSuppTokens =
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
         sgndEndSuppTokList = this.handleSupportingTokens(sgndEndSuppTokens, true);
         
         Collection<AssertionInfo> sgndEncryptedSuppTokens =
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         List<SupportingToken> sgndEncSuppTokList 
             = this.handleSupportingTokens(sgndEncryptedSuppTokens, false);
         
         Collection<AssertionInfo> endorsingEncryptedSuppTokens =
-            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         endSuppTokList.addAll(this.handleSupportingTokens(endorsingEncryptedSuppTokens, true));
 
         Collection<AssertionInfo> sgndEndEncSuppTokens =
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         sgndEndSuppTokList.addAll(this.handleSupportingTokens(sgndEndEncSuppTokens, true));
 
         Collection<AssertionInfo> supportingToks =
-            getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
         this.handleSupportingTokens(supportingToks, false);
 
         Collection<AssertionInfo> encryptedSupportingToks =
-            getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
         this.handleSupportingTokens(encryptedSupportingToks, false);
 
         //Setup signature parts

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
index 5c8250c..e175f67 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractCommonBindingHandler.java
@@ -20,8 +20,6 @@
 package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -35,13 +33,12 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.neethi.Assertion;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SP13Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
@@ -408,48 +405,11 @@ public abstract class AbstractCommonBindingHandler {
         }
     }
     
-    protected AssertionInfo getFirstAssertionByLocalname(
-        AssertionInfoMap aim, String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        if (sp11Ais != null && !sp11Ais.isEmpty()) {
-            return sp11Ais.iterator().next();
-        }
-
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        if (sp12Ais != null && !sp12Ais.isEmpty()) {
-            return sp12Ais.iterator().next();
-        }
-
-        return null;
-    }
-    
     protected Collection<AssertionInfo> getAllAssertionsByLocalname(String localname) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        return getAllAssertionsByLocalname(aim, localname);
+        return PolicyUtils.getAllAssertionsByLocalname(aim, localname);
     }
     
-    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-
-        return Collections.emptySet();
-    }
-
     protected SoapMessage getMessage() {
         return message;
     }
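Review bot: Dropping the protected `getFirstAssertionByLocalname(AssertionInfoMap, String)` and `getAllAssertionsByLocalname(AssertionInfoMap, String)` from this abstract class breaks any subclass outside this commit that still calls them. Keeping both for a release as `@Deprecated` one-line delegates to `PolicyUtils` would avoid that. `PolicyUtils` itself is not part of this message, so it is worth confirming that its versions keep the removed behaviour. That means null-tolerant lookups under both the SP11 and SP12 namespaces, and an empty set rather than null when nothing matches, since callers such as `getWss10` call `ais.isEmpty()` directly.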
@@ -487,14 +447,15 @@ public abstract class AbstractCommonBindingHandler {
     
     protected Wss10 getWss10() {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 return (Wss10)ai.getAssertion();
             }            
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 return (Wss10)ai.getAssertion();
@@ -515,14 +476,9 @@ public abstract class AbstractCommonBindingHandler {
         return st;
     }
    
-    protected void assertPolicy(QName n) {
+    protected void assertPolicy(QName name) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(n);
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }
-        }
+        PolicyUtils.assertPolicy(aim, name);
     } 
     
     protected void assertPolicy(Assertion assertion) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index f65085a..3715162 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -44,6 +44,7 @@ import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -83,7 +84,6 @@ import org.apache.wss4j.policy.model.Wss11;
 import org.apache.wss4j.policy.model.X509Token;
 import org.apache.wss4j.policy.model.X509Token.TokenType;
 import org.apache.wss4j.policy.model.XPath;
-import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSConstants.UsernameTokenPasswordType;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
@@ -472,7 +472,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
     }
     
     protected void configureLayout(AssertionInfoMap aim) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
         Layout layout = null;
         for (AssertionInfo ai : ais) {
             layout = (Layout)ai.getAssertion();
@@ -828,13 +828,13 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         SignedElements elements = null;
         
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        AssertionInfo assertionInfo = getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
+        AssertionInfo assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_PARTS);
         if (assertionInfo != null) {
             parts = (SignedParts)assertionInfo.getAssertion();
             assertionInfo.setAsserted(true);
         }
         
-        assertionInfo = getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+        assertionInfo = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
         if (assertionInfo != null) {
             elements = (SignedElements)assertionInfo.getAssertion();
             assertionInfo.setAsserted(true);
@@ -871,7 +871,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         
         if (elements != null && elements.getXPaths() != null) {
             for (XPath xPath : elements.getXPaths()) {
-                List<QName> qnames = PolicyUtils.getElementPath(xPath);
+                List<QName> qnames = 
+                    org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                 if (!qnames.isEmpty()) {
                     SecurePart securePart = 
                         new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
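Review bot: Importing `org.apache.cxf.ws.security.policy.PolicyUtils` into a class that also uses `org.apache.wss4j.policy.stax.PolicyUtils` leaves two same-named utilities in play. The fully qualified `getElementPath` call here is repeated in the two later hunks of this file and in `StaxTransportBindingHandler`. A small protected helper in this class, `getElementPath(XPath xPath)` returning `org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath)`, would keep the qualified name in one place. It would also make it harder to reach for the wrong `PolicyUtils` in later edits to this security-policy code.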
@@ -892,7 +893,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         ContentEncryptedElements celements = null;
         
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 parts = (EncryptedParts)ai.getAssertion();
@@ -900,7 +901,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
             }            
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 elements = (EncryptedElements)ai.getAssertion();
@@ -908,7 +909,7 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
             }            
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 celements = (ContentEncryptedElements)ai.getAssertion();
@@ -944,7 +945,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         
         if (elements != null && elements.getXPaths() != null) {
             for (XPath xPath : elements.getXPaths()) {
-                List<QName> qnames = PolicyUtils.getElementPath(xPath);
+                List<QName> qnames = 
+                    org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                 if (!qnames.isEmpty()) {
                     SecurePart securePart = 
                         new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);
@@ -955,7 +957,8 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         
         if (celements != null && celements.getXPaths() != null) {
             for (XPath xPath : celements.getXPaths()) {
-                List<QName> qnames = PolicyUtils.getElementPath(xPath);
+                List<QName> qnames = 
+                    org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                 if (!qnames.isEmpty()) {
                     SecurePart securePart = 
                         new SecurePart(qnames.get(qnames.size() - 1), Modifier.Content);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index f932698..1beb200 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -33,6 +33,7 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.policy.SP11Constants;
@@ -57,7 +58,6 @@ import org.apache.wss4j.policy.model.TransportToken;
 import org.apache.wss4j.policy.model.UsernameToken;
 import org.apache.wss4j.policy.model.X509Token;
 import org.apache.wss4j.policy.model.XPath;
-import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.xml.security.stax.ext.OutboundSecurityContext;
@@ -159,7 +159,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
     private void handleNonEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
         Collection<AssertionInfo> ais;
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -170,7 +170,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             }
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 SupportingTokens sgndSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -181,7 +181,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             }
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 SupportingTokens encrSuppTokens = (SupportingTokens)ai.getAssertion();
@@ -192,7 +192,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             }
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 SupportingTokens suppTokens = (SupportingTokens)ai.getAssertion();
@@ -233,7 +233,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
     private void handleEndorsingSupportingTokens(AssertionInfoMap aim) throws Exception {
         Collection<AssertionInfo> ais;
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             SupportingTokens sgndSuppTokens = null;
             for (AssertionInfo ai : ais) {
@@ -247,7 +247,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             }
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
@@ -261,7 +261,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
                 }
             }
         }
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
@@ -275,7 +275,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
                 }
             }
         }
-        ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             SupportingTokens endSuppTokens = null;
             for (AssertionInfo ai : ais) {
@@ -412,7 +412,8 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
         // Handle SignedElements
         if (signedElements != null && signedElements.getXPaths() != null) {
             for (XPath xPath : signedElements.getXPaths()) {
-                List<QName> qnames = PolicyUtils.getElementPath(xPath);
+                List<QName> qnames = 
+                    org.apache.wss4j.policy.stax.PolicyUtils.getElementPath(xPath);
                 if (!qnames.isEmpty()) {
                     SecurePart part = 
                         new SecurePart(qnames.get(qnames.size() - 1), Modifier.Element);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d6a4462..0003d7e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -22,21 +22,18 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.neethi.Assertion;
-
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -47,8 +44,6 @@ import org.apache.wss4j.dom.message.token.PKIPathSecurity;
 import org.apache.wss4j.dom.message.token.Timestamp;
 import org.apache.wss4j.dom.message.token.X509Security;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
@@ -170,7 +165,7 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
             ai.setNotAsserted(error);
             return false;
         }
-        assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
+        PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
         
         // Check the EntireHeaderAndBodySignatures property
         if (binding.isOnlySignEntireHeadersAndBody()
@@ -179,15 +174,15 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
             ai.setNotAsserted(error);
             return false;
         }
-        assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
+        PolicyUtils.assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
         
         // Check whether the signatures were encrypted or not
         if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
             ai.setNotAsserted("The signature is not protected");
             return false;
         }
-        assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
-        assertPolicy(aim, SPConstants.PROTECT_TOKENS);
+        PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE);
+        PolicyUtils.assertPolicy(aim, SPConstants.PROTECT_TOKENS);
         
         /*
         // Check ProtectTokens
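Review bot: `PolicyUtils.assertPolicy(aim, SPConstants.PROTECT_TOKENS)` marks ProtectTokens as satisfied with no check in front of it, and the block right after it opens a commented-out `// Check ProtectTokens`. A policy that requires token protection therefore appears to be reported as met without the message being inspected. The refactor keeps that behaviour, so the line deserves at least a comment such as `// TODO: ProtectTokens is asserted without validation; the check below is disabled`. The commented-out block continues outside this hunk, so what it would have verified is not visible here. The same assert-without-visible-check pattern appears for REQUIRE_INTERNAL_REFERENCE / REQUIRE_EXTERNAL_REFERENCE in IssuedTokenPolicyValidator and for REQUIRE_KEY_IDENTIFIER_REFERENCE in the Kerberos and SAML validators, though their checks may sit outside those hunks.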
@@ -215,13 +210,13 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
                 ai.setNotAsserted("Not encrypted before signed");
                 return false;
             }
-            assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
+            PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING);
         } else if (protectionOrder == ProtectionOrder.SignBeforeEncrypting) { 
             if (isEncryptedBeforeSigned(results)) {
                 ai.setNotAsserted("Not signed before encrypted");
                 return false;
             }
-            assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
+            PolicyUtils.assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING);
         }
         return true;
     }
@@ -447,17 +442,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         return false;
     }
     
-    protected void assertPolicy(AssertionInfoMap aim, Assertion token) {
-        Collection<AssertionInfo> ais = aim.get(token.getName());
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                if (ai.getAssertion() == token) {
-                    ai.setAsserted(true);
-                }
-            }    
-        }
-    }
-    
     protected void notAssertPolicy(AssertionInfoMap aim, Assertion token, String msg) {
         Collection<AssertionInfo> ais = aim.get(token.getName());
         if (ais != null && !ais.isEmpty()) {
@@ -469,28 +453,6 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         }
     }
     
-    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    protected boolean assertPolicy(AssertionInfoMap aim, QName q) {
-        Collection<AssertionInfo> ais = aim.get(q);
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
     protected void notAssertPolicy(AssertionInfoMap aim, QName q, String msg) {
         Collection<AssertionInfo> ais = aim.get(q);
         if (ais != null && !ais.isEmpty()) {
@@ -500,24 +462,4 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal
         }
     }
     
-    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
index 734a495..ba046d6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
@@ -19,18 +19,8 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-
-import javax.xml.namespace.QName;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
 import org.apache.wss4j.policy.model.AbstractToken;
 
@@ -66,46 +56,4 @@ public abstract class AbstractTokenPolicyValidator {
         }
     }
     
-    protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
-        if (aim != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 533489d..8f9ce14 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -30,11 +30,11 @@ import java.util.List;
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
@@ -57,7 +57,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index b4047cf..04c6777 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -24,10 +24,10 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
@@ -49,7 +49,8 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
         }
@@ -163,14 +164,14 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
                 return false;
             }
         }
-        assertPolicy(aim, wrapper);
+        PolicyUtils.assertPolicy(aim, wrapper.getName());
         if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
             ai.setNotAsserted("Message fails the DerivedKeys requirement");
             return false;
         }
-        assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
-        assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
-        assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
 
         return true;
     }
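Review bot: Replacing `assertPolicy(aim, wrapper)` with `PolicyUtils.assertPolicy(aim, wrapper.getName())` likely widens what gets asserted. The overload this commit removes from AbstractBindingPolicyValidator only marked the AssertionInfo holding the same object (`ai.getAssertion() == token`), whereas a lookup by name presumably marks every AssertionInfo registered under that QName. If a policy carries more than one token assertion with the same name, validating one of them would then mark the others as asserted too. PolicyUtils is not part of the visible diff, so this needs confirming; if it has no identity-based overload, adding one and calling `PolicyUtils.assertPolicy(aim, wrapper)` would preserve the old behaviour. The next hunk (@@ -184,14 +185,14 @@) makes the same substitution, and the enclosing method starts outside this hunk.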
@@ -184,14 +185,14 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults) {
 
-        assertPolicy(aim, wrapper);
+        PolicyUtils.assertPolicy(aim, wrapper.getName());
         if (!checkDerivedKeys(wrapper, hasDerivedKeys, signedResults, encryptedResults)) {
             ai.setNotAsserted("Message fails the DerivedKeys requirement");
             return false;
         }
-        assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
-        assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
-        assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
 
         return true;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
index b332486..15c2508 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,8 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index 2ebb47c..f545be4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,8 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index cb490ba..3fc837f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index 50082c3..cbdc07b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 8cdf20f..55db72f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -29,6 +29,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -107,8 +108,8 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
         }
         
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
-        assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
         
         return true;
     }
@@ -143,8 +144,8 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
         }
         
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
-        assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE);
+        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE);
         
         return true;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 6624e9c..aa22d73 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -26,6 +26,7 @@ import javax.xml.namespace.QName;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -49,11 +50,12 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
         AssertionInfoMap aim,
         KerberosSecurity kerberosToken
     ) {
-        Collection<AssertionInfo> krbAis = getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+        Collection<AssertionInfo> krbAis = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
         if (!krbAis.isEmpty()) {
             parsePolicies(aim, krbAis, kerberosToken);
             
-            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
         }
         
         return true;
@@ -69,12 +71,12 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
             ai.setAsserted(true);
             
             if (!isTokenRequired(kerberosTokenPolicy, message)) {
-                assertPolicy(
+                PolicyUtils.assertPolicy(
                     aim, 
                     new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
                               "WssKerberosV5ApReqToken11")
                 );
-                assertPolicy(
+                PolicyUtils.assertPolicy(
                     aim, 
                     new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
                               "WssGssKerberosV5ApReqToken11")
@@ -98,14 +100,14 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
 
         if (apReqTokenType == ApReqTokenType.WssKerberosV5ApReqToken11 
             && kerberosToken.isV5ApReq()) {
-            assertPolicy(
+            PolicyUtils.assertPolicy(
                 aim, 
                 new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssKerberosV5ApReqToken11")
             );
             return true;
         } else if (apReqTokenType == ApReqTokenType.WssGssKerberosV5ApReqToken11 
             && kerberosToken.isGssV5ApReq()) {
-            assertPolicy(
+            PolicyUtils.assertPolicy(
                 aim, 
                 new QName(kerberosTokenPolicy.getVersion().getNamespace(), "WssGssKerberosV5ApReqToken11")
             );
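Review bot: The token-type names are spelled as string literals (`"WssKerberosV5ApReqToken11"`, `"WssGssKerberosV5ApReqToken11"`) even though each branch has just compared `apReqTokenType` against the enum constant of the same name. The boolean returned by assertPolicy is not used here, so a typo in a literal would go unnoticed at this call site. Deriving the local part from the enum, `new QName(kerberosTokenPolicy.getVersion().getNamespace(), apReqTokenType.name())`, removes the duplication and matches how SamlTokenPolicyValidator builds its QName from `samlTokenType.name()`. The same literals appear in the previous hunk (@@ -69,12 +71,12 @@), where both names are asserted and a pair of shared constants would serve. The if/else chain continues outside this hunk.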

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 370906b..4ac51b0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -32,6 +32,7 @@ import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
@@ -57,7 +58,8 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results, signedResults);
         }
@@ -82,10 +84,10 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
             }
         }
         
-        assertPolicy(aim, SPConstants.LAYOUT_LAX);
-        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
-        assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
-        assertPolicy(aim, SPConstants.LAYOUT_STRICT);
+        PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX);
+        PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST);
+        PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST);
+        PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_STRICT);
     }
     
     public boolean validatePolicy(

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
index 6a77ff6..37adc67 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
@@ -27,11 +27,11 @@ import java.util.List;
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
@@ -60,11 +60,12 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
         body = soapBody;
         signed = signedResults;
         
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results, signedResults);
             
-            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
         }
         
         return true;
@@ -88,7 +89,7 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
             ai.setAsserted(true);
 
             if (!isTokenRequired(samlToken, message)) {
-                assertPolicy(
+                PolicyUtils.assertPolicy(
                     aim, 
                     new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name())
                 );
@@ -166,7 +167,7 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
         }
         
         if (samlTokenType != null) {
-            assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
+            PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name()));
         }
         return true;
     }
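Review bot: The new call in the `samlTokenType != null` branch is a single long line, noticeably longer than the lines this commit wraps elsewhere (the `getAllAssertionsByLocalname` assignments are split after `=`). Formatting it like the earlier call in this file keeps it consistent: `PolicyUtils.assertPolicy(` then `aim, new QName(samlToken.getVersion().getNamespace(), samlTokenType.name())` then `);`. The enclosing method starts outside this hunk.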

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
index 5103b2b..6171e9e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
@@ -23,10 +23,10 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -49,7 +49,7 @@ public class SecurityContextTokenPolicyValidator
         List<WSSecurityEngineResult> signedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results);
         }
@@ -70,9 +70,9 @@ public class SecurityContextTokenPolicyValidator
             SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
             ai.setAsserted(true);
             
-            assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
-            assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
-            assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
+            PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
+            PolicyUtils.assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
 
             if (!isTokenRequired(sctPolicy, message)) {
                 continue;
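Review bot: The three nested assertions here (`REQUIRE_EXTERNAL_URI_REFERENCE`, `SC13_SECURITY_CONTEXT_TOKEN`, `SC10_SECURITY_CONTEXT_TOKEN`) are marked as asserted before the `isTokenRequired` check and with no validation visible in this hunk, so a policy that sets them appears to be accepted without the message being inspected for them. The refactor keeps that behaviour, but it should be stated in place, e.g. `// Nested assertions are accepted here without being enforced against the message`, or the calls moved after the checks that follow if those do cover them. The same unconditional pattern follows `parsePolicies` in the UsernameTokenPolicyValidator, WSS11PolicyValidator and X509TokenPolicyValidator hunks (including `NO_PASSWORD`, `HASH_PASSWORD` and `REQUIRE_SIGNATURE_CONFIRMATION`), where the calls run whatever `parsePolicies` recorded. The loop body continues outside this hunk.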

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index c40bae3..7d7287a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -56,7 +57,7 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index da0640b..2d4f691 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -58,7 +59,7 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 5262e7f..14ef12f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -57,7 +58,7 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
index b695b41..0727d19 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedTokenPolicyValidator.java
@@ -25,6 +25,7 @@ import java.util.List;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
@@ -54,7 +55,7 @@ public class SignedTokenPolicyValidator extends AbstractSupportingTokenPolicyVal
         List<WSSecurityEngineResult> encryptedResults
     ) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         if (!ais.isEmpty()) {
             setMessage(message);
             setResults(results);

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index 2501eba..cbaecbb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -23,10 +23,10 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SPConstants;
@@ -45,7 +45,8 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
         if (!ais.isEmpty()) {                       
             parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
         }
@@ -104,42 +105,42 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
         List<WSSecurityEngineResult> encryptedResults
     ) {
         if (binding.getEncryptionToken() != null) {
-            assertPolicy(aim, binding.getEncryptionToken());
+            PolicyUtils.assertPolicy(aim, binding.getEncryptionToken().getName());
             if (!checkDerivedKeys(
                 binding.getEncryptionToken(), hasDerivedKeys, signedResults, encryptedResults
             )) {
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
-            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         if (binding.getSignatureToken() != null) {
-            assertPolicy(aim, binding.getSignatureToken());
+            PolicyUtils.assertPolicy(aim, binding.getSignatureToken().getName());
             if (!checkDerivedKeys(
                 binding.getSignatureToken(), hasDerivedKeys, signedResults, encryptedResults
             )) {
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
-            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         if (binding.getProtectionToken() != null) {
-            assertPolicy(aim, binding.getProtectionToken());
+            PolicyUtils.assertPolicy(aim, binding.getProtectionToken().getName());
             if (!checkDerivedKeys(
                 binding.getProtectionToken(), hasDerivedKeys, signedResults, encryptedResults
             )) {
                 ai.setNotAsserted("Message fails the DerivedKeys requirement");
                 return false;
             }
-            assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
-            assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS);
         }
         
         return true;
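Review bot: Passing `binding.getEncryptionToken().getName()` instead of the token object (and likewise for the signature and protection tokens) is more than a rename, because the assertion is now identified by QName alone. If the removed overload matched the specific `Assertion` instance, every token assertion with that name in the `AssertionInfoMap` may now be marked asserted rather than only the one belonging to this binding; `PolicyUtils.assertPolicy` is not shown here, so this needs confirming. Where the narrower match matters, the helper should keep a variant that takes the assertion and compares it with `ai.getAssertion()` by identity. The same substitution is made for `binding.getTransportToken()` in the TransportBindingPolicyValidator hunk, and this method starts and ends outside the hunk.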

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
index 963efca..cb4ccbb 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java
@@ -23,12 +23,12 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -48,15 +48,16 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
         List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> encryptedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
         if (!ais.isEmpty()) {
             parsePolicies(aim, ais, message, results, signedResults);
             
             // We don't need to check these policies for the Transport binding
-            assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
-            assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
-            assertPolicy(aim, SP12Constants.SIGNED_PARTS);
-            assertPolicy(aim, SP11Constants.SIGNED_PARTS);
+            PolicyUtils.assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);
+            PolicyUtils.assertPolicy(aim, SP11Constants.ENCRYPTED_PARTS);
+            PolicyUtils.assertPolicy(aim, SP12Constants.SIGNED_PARTS);
+            PolicyUtils.assertPolicy(aim, SP11Constants.SIGNED_PARTS);
         }
         
         return true;
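Review bot: The comment `We don't need to check these policies for the Transport binding` does not say why, and the four `SignedParts`/`EncryptedParts` calls below it run whenever a TransportBinding assertion exists, whatever `parsePolicies` recorded. Presumably the reasoning is that the transport protects the whole message, in which case the comment should say so and name where the transport is verified, e.g. `// Transport security covers the whole message, so SignedParts/EncryptedParts are treated as satisfied; the HttpsToken itself is validated by the HttpsTokenInterceptorProvider`. If that validation can fail or be skipped independently, these parts would be reported as satisfied with no message-level protection, so the ordering is worth confirming. The method's signature begins outside this hunk.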
@@ -83,7 +84,7 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
             
             // HttpsToken is validated by the HttpsTokenInterceptorProvider
             if (binding.getTransportToken() != null) {
-                assertPolicy(aim, binding.getTransportToken());
+                PolicyUtils.assertPolicy(aim, binding.getTransportToken().getName());
             }
             
             // Check the IncludeTimestamp
@@ -92,7 +93,7 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida
                 ai.setNotAsserted(error);
                 continue;
             }
-            assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
+            PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP);
         }
 
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
index 0133bb9..e642a9a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java
@@ -24,10 +24,10 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.UsernameToken;
@@ -51,16 +51,17 @@ public class UsernameTokenPolicyValidator
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
         if (!ais.isEmpty()) {
             parsePolicies(ais, message, results);
             
-            assertPolicy(aim, SP13Constants.CREATED);
-            assertPolicy(aim, SP13Constants.NONCE);
-            assertPolicy(aim, SPConstants.NO_PASSWORD);
-            assertPolicy(aim, SPConstants.HASH_PASSWORD);
-            assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
-            assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
+            PolicyUtils.assertPolicy(aim, SP13Constants.CREATED);
+            PolicyUtils.assertPolicy(aim, SP13Constants.NONCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD);
+            PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD);
+            PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
+            PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
         }
         
         return true;

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
index bbaebf9..f163b81 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
@@ -23,11 +23,11 @@ import java.util.Collection;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
@@ -47,19 +47,20 @@ public class WSS11PolicyValidator
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
         if (!ais.isEmpty()) {
             parsePolicies(ais, message, results);
             
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
-            assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION);
             
             // WSS 1.0
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
-            assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI);
+            PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN);
         }
         
         return true;

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index 4759f27..dfc6a74 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -30,6 +30,7 @@ import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
@@ -59,21 +60,22 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator imple
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
         if (!ais.isEmpty()) {
             parsePolicies(ais, message, signedResults, results);
             
-            assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
-            assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
-            assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
-            assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
-            assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
-            assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10);
+            PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11);
             
-            assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
-            assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
+            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE);
         }
         
         return true;

