From cohei...@apache.org
Subject [2/3] cxf git commit: Refactor of policy validators
Date Fri, 20 Mar 2015 16:48:38 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
index 15c2508..c78706a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/ConcreteSupportingTokenPolicyValidator.java
@@ -22,12 +22,9 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -44,32 +41,24 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public ConcreteSupportingTokenPolicyValidator() {
-        setSigned(false);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -81,34 +70,34 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
             
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
+                if (!isTokenRequired(token, parameters.getMessage())) {
                     continue;
                 }
                 
                 boolean processingFailed = false;
                 if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
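Review bot: An `IssuedToken` listed under SupportingTokens matches none of the `process*` branches, so `processingFailed` stays false for it. The last branch, `else if (!(token instanceof IssuedToken))`, only excludes it from whatever that branch does, and its body is outside this hunk. Nothing visible here says where such a token is actually checked, which matters more now that validators are selected per assertion through `canValidatePolicy`. I would add a comment on that branch along the lines of `// IssuedToken is not checked here; it is validated by <validator to be named>`. The same chain appears in EncryptedTokenPolicyValidator, EndorsingEncryptedTokenPolicyValidator and EndorsingTokenPolicyValidator.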
@@ -123,6 +112,19 @@ public class ConcreteSupportingTokenPolicyValidator extends AbstractSupportingTo
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return false;
+    }
+    
+    protected boolean isEncrypted() {
+        return false;
+    }
+    
+    protected boolean isEndorsing() {
+        return false;
+    }
 }
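Review bot: `validatePolicies` ends with an unconditional `return true`, while the Javadoc added on it promises `Return true if all of the policies are valid`. The loop body between the hunks is unchanged from the old `void parsePolicies`, so it cannot contain a `return false`. A failed token is presumably reported only on the `AssertionInfo`, and a caller that trusts the boolean would treat a failed policy as valid. Either track the outcome in a local and return it, as `validateSAMLToken` in IssuedTokenPolicyValidator does with `asserted`, or change the Javadoc to `Validate policies. Failures are recorded on the AssertionInfo; the return value does not report them.` The same applies to the `return true` added in EncryptedTokenPolicyValidator, EndorsingEncryptedTokenPolicyValidator and EndorsingTokenPolicyValidator.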

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
index f545be4..46eacb2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EncryptedTokenPolicyValidator.java
@@ -22,12 +22,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -44,32 +40,23 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public EncryptedTokenPolicyValidator() {
-        setEncrypted(true);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && SP12Constants.ENCRYPTED_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName())) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
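Review bot: `canValidatePolicy` now accepts only `SP12Constants.ENCRYPTED_SUPPORTING_TOKENS`, whereas the removed code selected assertions by local name through `PolicyUtils.getAllAssertionsByLocalname`, independent of namespace. ConcreteSupportingTokenPolicyValidator checks both the SP11 and SP12 names, so the narrower match here looks deliberate, but an assertion with this local name in another namespace is no longer picked up by this class. What the caller does with an assertion that no validator claims is not visible here. If the reason is that the assertion has no 1.1 form, say so above the check, e.g. `// Only the SP12 QName is matched: this assertion has no SP11 form`. EndorsingEncryptedTokenPolicyValidator has the same SP12-only check, and `validatePolicies` continues outside this hunk.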
@@ -81,34 +68,34 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
 
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
+                if (!isTokenRequired(token, parameters.getMessage())) {
                     continue;
                 }
                 
                 boolean processingFailed = false;
                 if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
@@ -123,6 +110,19 @@ public class EncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicy
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return false;
+    }
+    
+    protected boolean isEncrypted() {
+        return true;
+    }
+    
+    protected boolean isEndorsing() {
+        return false;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
index 3fc837f..d8b0ff8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingEncryptedTokenPolicyValidator.java
@@ -22,12 +22,10 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -45,33 +43,24 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public EndorsingEncryptedTokenPolicyValidator() {
-        setEndorsed(true);
-        setEncrypted(true);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(aim, ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        QName sp12QName = SP12Constants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS;
+        if (assertionInfo.getAssertion() != null 
+            && sp12QName.equals(assertionInfo.getAssertion().getName())) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -83,37 +72,37 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
 
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
-                    assertSecurePartsIfTokenNotRequired(binding, aim);
+                if (!isTokenRequired(token, parameters.getMessage())) {
+                    assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                     continue;
                 }
                 
                 DerivedKeys derivedKeys = token.getDerivedKeys();
-                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
+                boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
@@ -129,6 +118,20 @@ public class EndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTo
                 }
             }
         }
+        
+        return true;
+    }
+    
+    protected boolean isSigned() {
+        return false;
+    }
+    
+    protected boolean isEncrypted() {
+        return true;
+    }
+    
+    protected boolean isEndorsing() {
+        return true;
     }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
index cbdc07b..9acf13d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/EndorsingTokenPolicyValidator.java
@@ -22,12 +22,9 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -45,33 +42,24 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public EndorsingTokenPolicyValidator() {
-        setEndorsed(true);
-    }
-    
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(aim, ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.ENDORSING_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.ENDORSING_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -83,37 +71,37 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
             
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
-                    assertSecurePartsIfTokenNotRequired(binding, aim);
+                if (!isTokenRequired(token, parameters.getMessage())) {
+                    assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                     continue;
                 }
                 
                 DerivedKeys derivedKeys = token.getDerivedKeys();
-                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
+                boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
@@ -128,6 +116,19 @@ public class EndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicy
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return false;
+    }
+    
+    protected boolean isEncrypted() {
+        return false;
+    }
+    
+    protected boolean isEndorsing() {
+        return true;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 72ce7e9..401a63e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -20,23 +20,29 @@
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
 import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
 import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.opensaml.saml.common.SAMLVersion;
@@ -47,36 +53,77 @@ import org.opensaml.saml.common.SAMLVersion;
  */
 public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
     
-    private List<WSSecurityEngineResult> signedResults;
-    private Message message;
     private ClaimsPolicyValidator claimsValidator = new DefaultClaimsPolicyValidator();
 
-    public IssuedTokenPolicyValidator(
-        List<WSSecurityEngineResult> signedResults,
-        Message message
-    ) {
-        this.signedResults = signedResults;
-        this.message = message;
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.ISSUED_TOKEN.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.ISSUED_TOKEN.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
+        }
+        
+        return false;
     }
     
-    public boolean validatePolicy(
-        Collection<AssertionInfo> ais,
-        SamlAssertionWrapper assertionWrapper
-    ) {
-        if (ais == null || ais.isEmpty()) {
-            return true;
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, 
+                                    Collection<AssertionInfo> ais) {
+        List<WSSecurityEngineResult> samlResults = parameters.getSamlResults();
+        if (samlResults != null) {
+            for (WSSecurityEngineResult samlResult : samlResults) {
+                SamlAssertionWrapper samlAssertion = 
+                    (SamlAssertionWrapper)samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
+                if (validateSAMLToken(parameters, samlAssertion, ais)) {
+                    // Store token on the security context
+                    SecurityToken token = createSecurityToken(samlAssertion);
+                    parameters.getMessage().getExchange().put(SecurityConstants.TOKEN, token);
+                    return true;
+                }
+            }
+        }
+        
+        List<WSSecurityEngineResult> bstResults = 
+            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), 
+                                                 Collections.singletonList(WSConstants.BST));
+            
+        if (bstResults != null) {
+            for (WSSecurityEngineResult bstResult : bstResults) {
+                BinarySecurity binarySecurity = 
+                    (BinarySecurity)bstResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (Boolean.TRUE.equals(bstResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))
+                    && validateBinarySecurityToken(parameters, binarySecurity, ais)) {
+                    // Store token on the security context
+                    SecurityToken token = createSecurityToken(binarySecurity);
+                    parameters.getMessage().getExchange().put(SecurityConstants.TOKEN, token);
+                    return true;
+                }
+            }
         }
         
+        return true;
+    }
+    
+    private boolean validateSAMLToken(PolicyValidatorParameters parameters, 
+                                      SamlAssertionWrapper samlAssertion,
+                                      Collection<AssertionInfo> ais) {
+        boolean asserted = true;
         for (AssertionInfo ai : ais) {
             IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
             ai.setAsserted(true);
-            assertToken(issuedToken, message.get(AssertionInfoMap.class));
+            assertToken(issuedToken, parameters.getAssertionInfoMap());
 
-            if (!isTokenRequired(issuedToken, message)) {
+            if (!isTokenRequired(issuedToken, parameters.getMessage())) {
                 continue;
             }
             
-            if (assertionWrapper == null) {
+            if (samlAssertion == null) {
+                asserted = false;
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
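Review bot: The SAML loop in `validatePolicies` passes every entry of `parameters.getSamlResults()` to `validateSAMLToken` and stores the resulting token on the exchange, without the `Boolean.TRUE.equals(bstResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))` guard that the BST loop applies just below. Whether `getSamlResults()` already holds only validated assertions is not visible here. If it does not, the SAML branch should carry the same guard, `Boolean.TRUE.equals(samlResult.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN)) && validateSAMLToken(parameters, samlAssertion, ais)`; if it does, a comment should say so. The method also falls through to `return true` when neither loop accepted a token, so the boolean does not tell the caller that nothing matched. `validateSAMLToken` continues outside this hunk.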
@@ -84,7 +131,8 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
             }
 
             Element template = issuedToken.getRequestSecurityTokenTemplate();
-            if (template != null && !checkIssuedTokenTemplate(template, assertionWrapper)) {
+            if (template != null && !checkIssuedTokenTemplate(template, samlAssertion)) {
+                asserted = false;
                 ai.setNotAsserted("Error in validating the IssuedToken policy");
                 continue;
             }
@@ -93,57 +141,59 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
             if (claims != null) {
                 String dialect = claims.getAttributeNS(null, "Dialect");
                 if (claimsValidator.getDialect().equals(dialect)
-                    && !claimsValidator.validatePolicy(claims, assertionWrapper)) {
+                    && !claimsValidator.validatePolicy(claims, samlAssertion)) {
+                    asserted = false;
                     ai.setNotAsserted("Error in validating the Claims policy");
                     continue;
                 }
             }
 
-            TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+            TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
             Certificate[] tlsCerts = null;
             if (tlsInfo != null) {
                 tlsCerts = tlsInfo.getPeerCertificates();
             }
-            if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+            if (!checkHolderOfKey(samlAssertion, parameters.getSignedResults(), tlsCerts)) {
+                asserted = false;
                 ai.setNotAsserted("Assertion fails holder-of-key requirements");
                 continue;
             }
+            
         }
         
-        return true;
+        return asserted;
     }
     
-    public boolean validatePolicy(
-        Collection<AssertionInfo> ais,
-        BinarySecurity binarySecurityToken
-    ) {
-        if (ais == null || ais.isEmpty()) {
-            return true;
-        }
-        
+    private boolean validateBinarySecurityToken(PolicyValidatorParameters parameters, 
+                                                BinarySecurity binarySecurity, 
+                                                Collection<AssertionInfo> ais) {
+        boolean asserted = true;
         for (AssertionInfo ai : ais) {
             IssuedToken issuedToken = (IssuedToken)ai.getAssertion();
             ai.setAsserted(true);
-            assertToken(issuedToken, message.get(AssertionInfoMap.class));
+            asserted = true;
+            assertToken(issuedToken, parameters.getAssertionInfoMap());
 
-            if (!isTokenRequired(issuedToken, message)) {
+            if (!isTokenRequired(issuedToken, parameters.getMessage())) {
                 continue;
             }
-            if (binarySecurityToken == null) {
+            if (binarySecurity == null) {
+                asserted = false;
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
-                return false;
+                continue;
             }
 
             Element template = issuedToken.getRequestSecurityTokenTemplate();
-            if (template != null && !checkIssuedTokenTemplate(template, binarySecurityToken)) {
+            if (template != null && !checkIssuedTokenTemplate(template, binarySecurity)) {
+                asserted = false;
                 ai.setNotAsserted("Error in validating the IssuedToken policy");
-                return false;
+                continue;
             }
         }
         
-        return true;
+        return asserted;
     }
     
     private void assertToken(IssuedToken token, AssertionInfoMap aim) {
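Review bot: In `validateBinarySecurityToken` the added `asserted = true;` at the top of the loop body resets the flag for every AssertionInfo, so the method returns the outcome of the last assertion only. A failure recorded for an earlier assertion is overwritten, and the caller earlier in this file stores the token on the exchange when the method returns true. `validateSAMLToken` (which starts in the previous hunk) does not reset the flag. Dropping the `asserted = true;` line inside the loop would make the two methods agree.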
@@ -216,5 +266,36 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
         return true;
     }
     
-   
+    private SecurityToken createSecurityToken(
+        SamlAssertionWrapper assertionWrapper
+    ) {
+        SecurityToken token = new SecurityToken(assertionWrapper.getId());
+
+        SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
+        if (subjectKeyInfo != null) {
+            token.setSecret(subjectKeyInfo.getSecret());
+            X509Certificate[] certs = subjectKeyInfo.getCerts();
+            if (certs != null && certs.length > 0) {
+                token.setX509Certificate(certs[0], null);
+            }
+        }
+        if (assertionWrapper.getSaml1() != null) {
+            token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
+        } else if (assertionWrapper.getSaml2() != null) {
+            token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
+        }
+        token.setToken(assertionWrapper.getElement());
+
+        return token;
+    }
+
+    private SecurityToken createSecurityToken(BinarySecurity binarySecurityToken) {
+        SecurityToken token = new SecurityToken(binarySecurityToken.getID());
+        token.setToken(binarySecurityToken.getElement());
+        token.setSecret(binarySecurityToken.getToken());
+        token.setTokenType(binarySecurityToken.getValueType());
+
+        return token;
+    }
+
 }
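Review bot: The two new `createSecurityToken` overloads have no comments, and the BinarySecurity one passes `binarySecurityToken.getToken()` to `setSecret`, so the token's own bytes become the stored secret. If that is intended, say so above the method, e.g. `// The BST content itself is used as the secret of the cached token`. If not, the secret could come from the processing result, as KerberosTokenPolicyValidator does with `TAG_SECRET` in this commit. In the SAML overload the token type stays unset when neither `getSaml1()` nor `getSaml2()` returns a value, which also deserves a one-line comment.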

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 5cb8189..b295fdf 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -19,75 +19,98 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.List;
 
 import javax.xml.namespace.QName;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.SecurityUtils;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
+import org.apache.cxf.ws.security.tokenstore.SecurityToken;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.KerberosToken;
 import org.apache.wss4j.policy.model.KerberosToken.ApReqTokenType;
+import org.apache.xml.security.utils.Base64;
 
 /**
  * Validate a WSSecurityEngineResult corresponding to the processing of a Kerberos Token
  * against the appropriate policy.
  */
-public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
+public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidator {
     
-    private Message message;
-
-    public KerberosTokenPolicyValidator(
-        Message message
-    ) {
-        this.message = message;
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        KerberosSecurity kerberosToken
-    ) {
-        Collection<AssertionInfo> krbAis = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
-        if (!krbAis.isEmpty()) {
-            parsePolicies(aim, krbAis, kerberosToken);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.KERBEROS_TOKEN.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.KERBEROS_TOKEN.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(
-        AssertionInfoMap aim, 
-        Collection<AssertionInfo> ais, 
-        KerberosSecurity kerberosToken
-    ) {
-        for (AssertionInfo ai : ais) {
-            KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
-            ai.setAsserted(true);
-            assertToken(kerberosTokenPolicy, aim);
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
+        List<WSSecurityEngineResult> kerberosResults = findKerberosResults(parameters.getResults());
+        
+        for (WSSecurityEngineResult kerberosResult : kerberosResults) {
+            KerberosSecurity kerberosToken = 
+                (KerberosSecurity)kerberosResult.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
             
-            if (!isTokenRequired(kerberosTokenPolicy, message)) {
-                PolicyUtils.assertPolicy(
-                    aim, 
-                    new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
-                              "WssKerberosV5ApReqToken11")
-                );
-                PolicyUtils.assertPolicy(
-                    aim, 
-                    new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
-                              "WssGssKerberosV5ApReqToken11")
-                );
-                continue;
+            boolean asserted = true;
+            for (AssertionInfo ai : ais) {
+                KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion();
+                ai.setAsserted(true);
+                assertToken(kerberosTokenPolicy, parameters.getAssertionInfoMap());
+                
+                if (!isTokenRequired(kerberosTokenPolicy, parameters.getMessage())) {
+                    PolicyUtils.assertPolicy(
+                        parameters.getAssertionInfoMap(), 
+                        new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
+                                  "WssKerberosV5ApReqToken11")
+                    );
+                    PolicyUtils.assertPolicy(
+                        parameters.getAssertionInfoMap(), 
+                        new QName(kerberosTokenPolicy.getVersion().getNamespace(), 
+                                  "WssGssKerberosV5ApReqToken11")
+                    );
+                    continue;
+                }
+                
+                if (!checkToken(parameters.getAssertionInfoMap(), kerberosTokenPolicy, kerberosToken)) {
+                    asserted = false;
+                    ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
+                    continue;
+                }
             }
             
-            if (!checkToken(aim, kerberosTokenPolicy, kerberosToken)) {
-                ai.setNotAsserted("An incorrect Kerberos Token Type is detected");
-                continue;
+            if (asserted) {
+                SecurityToken token = createSecurityToken(kerberosToken);
+                token.setSecret((byte[])kerberosResult.get(WSSecurityEngineResult.TAG_SECRET));
+                SecurityUtils.getTokenStore(parameters.getMessage()).add(token);
+                parameters.getMessage().getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
+                return true;
             }
         }
+        
+        return true;
     }
     
     private void assertToken(KerberosToken token, AssertionInfoMap aim) {
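Review bot: `validatePolicies` ends with an unconditional `return true`, so the result never reflects the `asserted` flag, although the Javadoc added above it says it returns true if all of the policies are valid. A token that fails `checkToken` is visible only through `ai.setNotAsserted`. Either return the outcome, or correct the Javadoc to something like `Validate policies. Failures are recorded on each AssertionInfo; the return value is always true.` The same unconditional `return true` closes `validatePolicies` in LayoutPolicyValidator, SamlTokenPolicyValidator and SecurityContextTokenPolicyValidator later in this commit. Also, when `findKerberosResults` returns an empty list the loop over `ais` never runs and no assertion is marked either way, so it is worth confirming that the caller treats that case as a failure.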
@@ -123,4 +146,32 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator {
         
         return false;
     }
+    
+    private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> wsSecEngineResults) {
+        List<WSSecurityEngineResult> results = new ArrayList<>();
+        for (WSSecurityEngineResult wser : wsSecEngineResults) {
+            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+            if (actInt.intValue() == WSConstants.BST) {
+                BinarySecurity binarySecurity = 
+                    (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (binarySecurity instanceof KerberosSecurity) {
+                    results.add(wser);
+                }
+            }
+        }
+        return results;
+    }
+    
+    private SecurityToken createSecurityToken(KerberosSecurity binarySecurityToken) {
+        SecurityToken token = new SecurityToken(binarySecurityToken.getID());
+        token.setToken(binarySecurityToken.getElement());
+        token.setTokenType(binarySecurityToken.getValueType());
+        byte[] tokenBytes = binarySecurityToken.getToken();
+        try {
+            token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(tokenBytes)));
+        } catch (WSSecurityException e) {
+            // Just consume this for now as it isn't critical...
+        }
+        return token;
+    }
 }
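Review bot: The empty `catch (WSSecurityException e)` in `createSecurityToken` discards a digest failure, and the token is then added to the token store without a SHA1 identifier and with nothing recorded. Log the exception, and state in the comment what is lost, for instance `// Token is stored without a SHA1 identifier; lookups by that identifier will not find it`. In `findKerberosResults`, `actInt.intValue()` throws a NullPointerException for a result that has no `TAG_ACTION` entry. A guard such as `if (actInt != null && actInt.intValue() == WSConstants.BST)` would make that case explicit.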

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index 1643f53..45f5ba0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -29,7 +29,6 @@ import javax.xml.namespace.QName;
 import org.w3c.dom.Element;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
@@ -42,48 +41,46 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.PKIPathSecurity;
 import org.apache.wss4j.dom.message.token.X509Security;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.Layout.LayoutType;
 
 /**
  * Validate a Layout policy.
  */
-public class LayoutPolicyValidator extends AbstractTokenPolicyValidator {
+public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
     
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
-        if (!ais.isEmpty()) {
-            parsePolicies(aim, ais, message, results, signedResults);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.USERNAME_TOKEN.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.USERNAME_TOKEN.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
-
-        return true;
-    }
         
-    private void parsePolicies(
-        AssertionInfoMap aim,
-        Collection<AssertionInfo> ais, 
-        Message message,  
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
+        return false;
+    }
+    
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             Layout layout = (Layout)ai.getAssertion();
             ai.setAsserted(true);
-            assertToken(layout, aim);
+            assertToken(layout, parameters.getAssertionInfoMap());
             
-            if (!validatePolicy(layout, results, signedResults)) {
+            if (!validatePolicy(layout, parameters.getResults(), parameters.getSignedResults())) {
                 String error = "Layout does not match the requirements";
                 ai.setNotAsserted(error);
             }
         }
+        
+        return true;
     }
     
     private void assertToken(Layout token, AssertionInfoMap aim) {
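Review bot: `canValidatePolicy` in LayoutPolicyValidator compares the assertion name with `SP12Constants.USERNAME_TOKEN` and `SP11Constants.USERNAME_TOKEN`, which looks like a copy-paste slip. The removed code selected assertions by `SPConstants.LAYOUT`, and `validatePolicies` casts every assertion to `Layout`. As written, the validator would claim UsernameToken assertions, where the cast would fail, and would never claim Layout assertions, so presumably the Layout policy is no longer checked by this class. The comparison should presumably read `SP12Constants.LAYOUT.equals(...) || SP11Constants.LAYOUT.equals(...)`. SamlTokenPolicyValidator's `canValidatePolicy` later in this commit has the same `USERNAME_TOKEN` comparison where `SAML_TOKEN` would be expected.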

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
new file mode 100644
index 0000000..24f3d13
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
@@ -0,0 +1,125 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.List;
+
+import org.w3c.dom.Element;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.dom.WSSecurityEngineResult;
+
+/**
+ * Holds various parameters to the policy validators
+ */
+public class PolicyValidatorParameters {
+    private AssertionInfoMap assertionInfoMap;
+    private Message message;
+    private Element soapBody;
+    private List<WSSecurityEngineResult> results;
+    private List<WSSecurityEngineResult> signedResults;
+    private List<WSSecurityEngineResult> encryptedResults;
+    private List<WSSecurityEngineResult> usernameTokenResults;
+    private List<WSSecurityEngineResult> samlResults;
+    private Element timestampElement;
+    private boolean utWithCallbacks;
+ 
+    public Message getMessage() {
+        return message;
+    }
+    
+    public void setMessage(Message message) {
+        this.message = message;
+    }
+    
+    public Element getSoapBody() {
+        return soapBody;
+    }
+    
+    public void setSoapBody(Element soapBody) {
+        this.soapBody = soapBody;
+    }
+    
+    public List<WSSecurityEngineResult> getResults() {
+        return results;
+    }
+    
+    public void setResults(List<WSSecurityEngineResult> results) {
+        this.results = results;
+    }
+    
+    public List<WSSecurityEngineResult> getSignedResults() {
+        return signedResults;
+    }
+    
+    public void setSignedResults(List<WSSecurityEngineResult> signedResults) {
+        this.signedResults = signedResults;
+    }
+    
+    public List<WSSecurityEngineResult> getEncryptedResults() {
+        return encryptedResults;
+    }
+    
+    public void setEncryptedResults(List<WSSecurityEngineResult> encryptedResults) {
+        this.encryptedResults = encryptedResults;
+    }
+    
+    public AssertionInfoMap getAssertionInfoMap() {
+        return assertionInfoMap;
+    }
+
+    public void setAssertionInfoMap(AssertionInfoMap assertionInfoMap) {
+        this.assertionInfoMap = assertionInfoMap;
+    }
+    
+    public List<WSSecurityEngineResult> getUsernameTokenResults() {
+        return usernameTokenResults;
+    }
+
+    public void setUsernameTokenResults(List<WSSecurityEngineResult> usernameTokenResults) {
+        this.usernameTokenResults = usernameTokenResults;
+    }
+
+    public List<WSSecurityEngineResult> getSamlResults() {
+        return samlResults;
+    }
+
+    public void setSamlResults(List<WSSecurityEngineResult> samlResults) {
+        this.samlResults = samlResults;
+    }
+
+    public Element getTimestampElement() {
+        return timestampElement;
+    }
+
+    public void setTimestampElement(Element timestampElement) {
+        this.timestampElement = timestampElement;
+    }
+
+    public boolean isUtWithCallbacks() {
+        return utWithCallbacks;
+    }
+
+    public void setUtWithCallbacks(boolean utWithCallbacks) {
+        this.utWithCallbacks = utWithCallbacks;
+    }
+
+}
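Review bot: Every list field in `PolicyValidatorParameters` starts as null, and the class Javadoc does not say which setters a caller must invoke before validation. Validators in this commit dereference the getters directly, e.g. `parameters.getSamlResults().isEmpty()` in SamlTokenPolicyValidator. A forgotten setter therefore surfaces as a NullPointerException in the middle of a policy check. Initialising the list fields, e.g. `private List<WSSecurityEngineResult> samlResults = Collections.emptyList();`, or documenting the required setters on the class, would close that gap.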

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
index b0b9a16..adaf971 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java
@@ -20,23 +20,19 @@
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
 import java.security.cert.Certificate;
-import java.util.ArrayList;
 import java.util.Collection;
-import java.util.List;
 
 import javax.xml.namespace.QName;
 
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.saml.DOMSAMLUtil;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.SamlToken;
 import org.apache.wss4j.policy.model.SamlToken.SamlTokenType;
@@ -45,57 +41,40 @@ import org.opensaml.saml.common.SAMLVersion;
 /**
  * Validate a SamlToken policy.
  */
-public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implements TokenPolicyValidator {
+public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator {
     
-    private Element body;
-    private List<WSSecurityEngineResult> signed;
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
-        body = soapBody;
-        signed = signedResults;
-        
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
-        if (!ais.isEmpty()) {
-            parsePolicies(aim, ais, message, results, signedResults);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.USERNAME_TOKEN.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.USERNAME_TOKEN.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(
-        AssertionInfoMap aim, 
-        Collection<AssertionInfo> ais, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
-        final List<Integer> actions = new ArrayList<Integer>(2);
-        actions.add(WSConstants.ST_SIGNED);
-        actions.add(WSConstants.ST_UNSIGNED);
-        List<WSSecurityEngineResult> samlResults = 
-            WSSecurityUtil.fetchAllActionResults(results, actions);
-        
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SamlToken samlToken = (SamlToken)ai.getAssertion();
             ai.setAsserted(true);
-            assertToken(samlToken, aim);
+            assertToken(samlToken, parameters.getAssertionInfoMap());
 
-            if (!isTokenRequired(samlToken, message)) {
+            if (!isTokenRequired(samlToken, parameters.getMessage())) {
                 PolicyUtils.assertPolicy(
-                    aim, 
+                    parameters.getAssertionInfoMap(), 
                     new QName(samlToken.getVersion().getNamespace(), samlToken.getSamlTokenType().name())
                 );
                 continue;
             }
 
-            if (samlResults.isEmpty()) {
+            if (parameters.getSamlResults().isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
@@ -103,24 +82,25 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
             }
             
             // All of the received SAML Assertions must conform to the policy
-            for (WSSecurityEngineResult result : samlResults) {
+            for (WSSecurityEngineResult result : parameters.getSamlResults()) {
                 SamlAssertionWrapper assertionWrapper = 
                     (SamlAssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                 
-                if (!checkVersion(aim, samlToken, assertionWrapper)) {
+                if (!checkVersion(parameters.getAssertionInfoMap(), samlToken, assertionWrapper)) {
                     ai.setNotAsserted("Wrong SAML Version");
                     continue;
                 }
-                TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
+                TLSSessionInfo tlsInfo = parameters.getMessage().get(TLSSessionInfo.class);
                 Certificate[] tlsCerts = null;
                 if (tlsInfo != null) {
                     tlsCerts = tlsInfo.getPeerCertificates();
                 }
-                if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
+                if (!checkHolderOfKey(assertionWrapper, parameters.getSignedResults(), tlsCerts)) {
                     ai.setNotAsserted("Assertion fails holder-of-key requirements");
                     continue;
                 }
-                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, body, signed)) {
+                if (!DOMSAMLUtil.checkSenderVouches(assertionWrapper, tlsCerts, parameters.getSoapBody(),
+                                                    parameters.getSignedResults())) {
                     ai.setNotAsserted("Assertion fails sender-vouches requirements");
                     continue;
                 }
@@ -131,6 +111,8 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem
                  */
             }
         }
+        
+        return true;
     }
     
     /**

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
index 5c3e587..87452fd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
@@ -22,8 +22,6 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
@@ -32,46 +30,40 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.SecurityContextToken;
 
 /**
  * Validate a SecurityContextToken policy.
  */
-public class SecurityContextTokenPolicyValidator 
-    extends AbstractTokenPolicyValidator implements TokenPolicyValidator {
+public class SecurityContextTokenPolicyValidator extends AbstractSecurityPolicyValidator {
     
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
-        if (!ais.isEmpty()) {
-            parsePolicies(aim, ais, message, results);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.SECURITY_CONTEXT_TOKEN.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.SECURITY_CONTEXT_TOKEN.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(
-        AssertionInfoMap aim,
-        Collection<AssertionInfo> ais, 
-        Message message,
-        List<WSSecurityEngineResult> results
-    ) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         List<WSSecurityEngineResult> sctResults = 
-            WSSecurityUtil.fetchAllActionResults(results, WSConstants.SCT);
+            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.SCT);
 
         for (AssertionInfo ai : ais) {
             SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
             ai.setAsserted(true);
-            assertToken(sctPolicy, aim);
+            assertToken(sctPolicy, parameters.getAssertionInfoMap());
             
-            if (!isTokenRequired(sctPolicy, message)) {
+            if (!isTokenRequired(sctPolicy, parameters.getMessage())) {
                 continue;
             }
 
@@ -82,6 +74,8 @@ public class SecurityContextTokenPolicyValidator
                 continue;
             }
         }
+        
+        return true;
     }
     
     private void assertToken(SecurityContextToken token, AssertionInfoMap aim) {
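Review bot: The added `return true;` at the end of `validatePolicies` is unconditional, so the boolean cannot tell a caller that a SecurityContextToken check failed, even though the method's Javadoc says it returns true "if all of the policies are valid". The failure branches lie outside this hunk; presumably they record the failure on the `AssertionInfo` and `continue`. If so, either return `false` from those branches or reword the Javadoc to `Always returns true; failures are recorded on the AssertionInfo objects`, so that nobody gates a decision on the return value. The same unconditional return is added at the end of `validatePolicies` in SignedEncryptedTokenPolicyValidator, SignedEndorsingEncryptedTokenPolicyValidator and SignedEndorsingTokenPolicyValidator further down.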

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityPolicyValidator.java
new file mode 100644
index 0000000..860c626
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityPolicyValidator.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.Collection;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+
+/**
+ * Validate a WS-SecurityPolicy
+ */
+public interface SecurityPolicyValidator {
+    
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    boolean canValidatePolicy(AssertionInfo assertionInfo);
+    
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais);
+}
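Review bot: The Javadoc on `validatePolicies` does not say which `AssertionInfo` objects may be passed in `ais`, while the implementations in this commit cast `ai.getAssertion()` straight to `SecurityContextToken` or `SupportingTokens` without a type check. Document the precondition on the interface, for example `@param ais the assertions for which canValidatePolicy returned true; other assertions are not supported`. That makes it explicit that an unfiltered collection is a caller error rather than something the validator silently tolerates.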

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
index 7d7287a..6ab1e74 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEncryptedTokenPolicyValidator.java
@@ -22,12 +22,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
@@ -44,33 +40,23 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public SignedEncryptedTokenPolicyValidator() {
-        setSigned(true);
-        setEncrypted(true);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName())) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
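Review bot: `canValidatePolicy` matches only the `SP12Constants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS` QName, whereas the removed code selected assertions by local name (`getAllAssertionsByLocalname`) and the sibling SignedEndorsingTokenPolicyValidator checks both the SP11 and SP12 constants. If the narrowing is deliberate, presumably because this assertion is only defined in the 1.2 namespace, say so in a comment such as `// SignedEncryptedSupportingTokens is only defined in WS-SecurityPolicy 1.2`. Otherwise an assertion in another namespace would no longer be claimed by this validator, and whether it then goes unvalidated depends on the caller, which is not visible here. The same applies to `canValidatePolicy` in SignedEndorsingEncryptedTokenPolicyValidator; `validatePolicies` continues past the end of this hunk.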
@@ -82,34 +68,34 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
 
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
+                if (!isTokenRequired(token, parameters.getMessage())) {
                     continue;
                 }
                 
                 boolean processingFailed = false;
                 if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, false)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
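Review bot: The bare `false` passed to `processUsernameTokens`, `processKerberosTokens`, `processX509Tokens` and `processSCTokens` is opaque at the call site, while the endorsing validators in this commit pass a `derived` flag computed from `token.getDerivedKeys()` in the same position. Name the value once before the chain, `boolean derived = false; // DerivedKeys is not checked for non-endorsing supporting tokens`, and pass `derived`, so a reader can see that ignoring the token's DerivedKeys setting is intended. The loop and the enclosing `validatePolicies` start and end outside this hunk.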
@@ -124,7 +110,19 @@ public class SignedEncryptedTokenPolicyValidator extends AbstractSupportingToken
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return true;
+    }
+    
+    protected boolean isEncrypted() {
+        return true;
+    }
     
+    protected boolean isEndorsing() {
+        return false;
+    }
 }
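Review bot: The new `isSigned()`, `isEncrypted()` and `isEndorsing()` methods carry no `@Override`. If they are meant to replace hooks in AbstractSupportingTokenPolicyValidator (not visible here), a signature mismatch would leave the base-class answer in force without a compile error, unless the base methods are abstract. These flags take over from the removed `setSigned(true)` / `setEncrypted(true)` constructor calls and presumably decide what protection the supporting tokens must have, so annotate each one, e.g. `@Override protected boolean isSigned() {`. The same three methods are added without the annotation in SignedEndorsingEncryptedTokenPolicyValidator and SignedEndorsingTokenPolicyValidator.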

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
index 2d4f691..cde8eac 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingEncryptedTokenPolicyValidator.java
@@ -22,12 +22,10 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
+import javax.xml.namespace.QName;
+
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -45,34 +43,24 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public SignedEndorsingEncryptedTokenPolicyValidator() {
-        setSigned(true);
-        setEndorsed(true);
-        setEncrypted(true);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-            
-            parsePolicies(aim, ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        QName suppTokens12 = SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS;
+        if (assertionInfo.getAssertion() != null 
+            && suppTokens12.equals(assertionInfo.getAssertion().getName())) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
@@ -84,37 +72,37 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
 
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
-                    assertSecurePartsIfTokenNotRequired(binding, aim);
+                if (!isTokenRequired(token, parameters.getMessage())) {
+                    assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                     continue;
                 }
                 
                 DerivedKeys derivedKeys = token.getDerivedKeys();
-                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
+                boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
@@ -130,6 +118,19 @@ public class SignedEndorsingEncryptedTokenPolicyValidator extends AbstractSuppor
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return true;
+    }
+    
+    protected boolean isEncrypted() {
+        return true;
+    }
+    
+    protected boolean isEndorsing() {
+        return true;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
index 14ef12f..d7911a9 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SignedEndorsingTokenPolicyValidator.java
@@ -22,12 +22,9 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.Collection;
 import java.util.List;
 
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.IssuedToken;
@@ -45,33 +42,24 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingTokenPolicyValidator {
     
-    public SignedEndorsingTokenPolicyValidator() {
-        setSigned(true);
-        setEndorsed(true);
-    }
-    
-    public boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
-        if (!ais.isEmpty()) {
-            setMessage(message);
-            setResults(results);
-            setSignedResults(signedResults);
-            setEncryptedResults(encryptedResults);
-
-            parsePolicies(aim, ais, message);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(AssertionInfoMap aim, Collection<AssertionInfo> ais, Message message) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             SupportingTokens binding = (SupportingTokens)ai.getAssertion();
             ai.setAsserted(true);
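Review bot: The condition in `canValidatePolicy` evaluates `assertionInfo.getAssertion().getName()` twice on two very long lines and then wraps a boolean in `if (...) return true; return false;`. Reading the name into a local, as SignedEndorsingEncryptedTokenPolicyValidator does with `suppTokens12`, is easier to audit: after the null guard, `QName name = assertionInfo.getAssertion().getName();` and `return SP12Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS.equals(name) || SP11Constants.SIGNED_ENDORSING_SUPPORTING_TOKENS.equals(name);`. This needs the `javax.xml.namespace.QName` import, which this file's import hunk does not add. `validatePolicies` continues past the end of this hunk.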
@@ -83,37 +71,37 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
 
             List<AbstractToken> tokens = binding.getTokens();
             for (AbstractToken token : tokens) {
-                if (!isTokenRequired(token, message)) {
-                    assertSecurePartsIfTokenNotRequired(binding, aim);
+                if (!isTokenRequired(token, parameters.getMessage())) {
+                    assertSecurePartsIfTokenNotRequired(binding, parameters.getAssertionInfoMap());
                     continue;
                 }
                 
                 DerivedKeys derivedKeys = token.getDerivedKeys();
-                setDerived(derivedKeys == DerivedKeys.RequireDerivedKeys);
+                boolean derived = derivedKeys == DerivedKeys.RequireDerivedKeys;
                 boolean processingFailed = false;
                 if (token instanceof KerberosToken) {
-                    if (!processKerberosTokens()) {
+                    if (!processKerberosTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SamlToken) {
-                    if (!processSAMLTokens()) {
+                    if (!processSAMLTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof X509Token) {
-                    if (!processX509Tokens()) {
+                    if (!processX509Tokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof KeyValueToken) {
-                    if (!processKeyValueTokens()) {
+                    if (!processKeyValueTokens(parameters)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof UsernameToken) {
-                    if (!processUsernameTokens()) {
+                    if (!processUsernameTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (token instanceof SecurityContextToken 
                     || token instanceof SpnegoContextToken) {
-                    if (!processSCTokens()) {
+                    if (!processSCTokens(parameters, derived)) {
                         processingFailed = true;
                     }
                 } else if (!(token instanceof IssuedToken)) {
@@ -128,6 +116,19 @@ public class SignedEndorsingTokenPolicyValidator extends AbstractSupportingToken
                 }
             }
         }
+        
+        return true;
     }
     
+    protected boolean isSigned() {
+        return true;
+    }
+    
+    protected boolean isEncrypted() {
+        return false;
+    }
+    
+    protected boolean isEndorsing() {
+        return true;
+    }
 }

