cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/2] cxf git commit: An initial refactor about how policies are asserted
Date Sat, 14 Mar 2015 12:44:24 GMT
An initial refactor about how policies are asserted


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a2e5fae3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a2e5fae3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a2e5fae3

Branch: refs/heads/master
Commit: a2e5fae3a093965b75361210ef475abb9e6abf56
Parents: 08f376b
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Sat Mar 14 12:43:35 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Sat Mar 14 12:43:35 2015 +0000

----------------------------------------------------------------------
 .../cxf/ws/security/policy/PolicyUtils.java     | 111 +++++++++++
 .../HttpsTokenInterceptorProvider.java          |  23 +--
 .../IssuedTokenInterceptorProvider.java         |   9 +-
 .../KerberosTokenInterceptorProvider.java       |  19 +-
 .../policy/interceptors/NegotiationUtils.java   |  90 +--------
 .../SecureConversationInInterceptor.java        |  25 +--
 .../SecureConversationOutInterceptor.java       |   7 +-
 .../SecurityVerificationOutInterceptor.java     |  17 +-
 .../SpnegoContextTokenInInterceptor.java        |   5 +-
 .../SpnegoContextTokenOutInterceptor.java       |   3 +-
 .../wss4j/AbstractTokenInterceptor.java         |  54 +-----
 .../wss4j/AlgorithmSuiteTranslater.java         |  78 +++-----
 .../wss4j/KerberosTokenInterceptor.java         |   5 +-
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    |  67 +++----
 .../wss4j/PolicyBasedWSS4JOutInterceptor.java   | 189 +++++++++----------
 .../ws/security/wss4j/SamlTokenInterceptor.java |  20 +-
 .../wss4j/UsernameTokenInterceptor.java         |  37 ++--
 .../cxf/ws/security/wss4j/WSS4JUtils.java       |   2 +-
 .../policyhandlers/AbstractBindingBuilder.java  |  19 +-
 .../AbstractCommonBindingHandler.java           |  58 +-----
 .../AbstractStaxBindingHandler.java             |  23 ++-
 .../StaxTransportBindingHandler.java            |  21 ++-
 .../AbstractBindingPolicyValidator.java         |  72 +------
 .../AbstractTokenPolicyValidator.java           |  52 -----
 .../AlgorithmSuitePolicyValidator.java          |   5 +-
 .../AsymmetricBindingPolicyValidator.java       |  21 ++-
 .../ConcreteSupportingTokenPolicyValidator.java |   4 +-
 .../EncryptedTokenPolicyValidator.java          |   4 +-
 .../EndorsingEncryptedTokenPolicyValidator.java |   3 +-
 .../EndorsingTokenPolicyValidator.java          |   3 +-
 .../IssuedTokenPolicyValidator.java             |   9 +-
 .../KerberosTokenPolicyValidator.java           |  14 +-
 .../policyvalidators/LayoutPolicyValidator.java |  12 +-
 .../SamlTokenPolicyValidator.java               |  11 +-
 .../SecurityContextTokenPolicyValidator.java    |  10 +-
 .../SignedEncryptedTokenPolicyValidator.java    |   3 +-
 ...dEndorsingEncryptedTokenPolicyValidator.java |   3 +-
 .../SignedEndorsingTokenPolicyValidator.java    |   3 +-
 .../SignedTokenPolicyValidator.java             |   3 +-
 .../SymmetricBindingPolicyValidator.java        |  29 +--
 .../TransportBindingPolicyValidator.java        |  17 +-
 .../UsernameTokenPolicyValidator.java           |  17 +-
 .../policyvalidators/WSS11PolicyValidator.java  |  19 +-
 .../X509TokenPolicyValidator.java               |  24 +--
 44 files changed, 519 insertions(+), 701 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
new file mode 100644
index 0000000..b8cf971
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/PolicyUtils.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.policy;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+
+import javax.xml.namespace.QName;
+
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
+
+/**
+ * Some common functionality that can be shared for working with policies
+ */
+public final class PolicyUtils {
+    
+    private PolicyUtils() {
+        // complete
+    }
+
+    public static Collection<AssertionInfo> getAllAssertionsByLocalname(
+        AssertionInfoMap aim, String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            Collection<AssertionInfo> ais = new HashSet<>();
+            if (sp11Ais != null) {
+                ais.addAll(sp11Ais);
+            }
+            if (sp12Ais != null) {
+                ais.addAll(sp12Ais);
+            }
+            return ais;
+        }
+
+        return Collections.emptySet();
+    }
+
+    public static boolean assertPolicy(AssertionInfoMap aim, QName name) {
+        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
+        if (ais != null && !ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    public static boolean assertPolicy(AssertionInfoMap aim, String localname) {
+        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                ai.setAsserted(true);
+            }    
+            return true;
+        }
+        return false;
+    }
+    
+    public static AssertionInfo getFirstAssertionByLocalname(
+        AssertionInfoMap aim, String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        if (sp11Ais != null && !sp11Ais.isEmpty()) {
+            return sp11Ais.iterator().next();
+        }
+
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+        if (sp12Ais != null && !sp12Ais.isEmpty()) {
+            return sp12Ais.iterator().next();
+        }
+
+        return null;
+    }
+
+    public static boolean isThereAnAssertionByLocalname(
+        AssertionInfoMap aim, String localname
+    ) {
+        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
+        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
+
+        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
+            return true;
+        }
+
+        return false;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
index 55bca22..5d6ebae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/HttpsTokenInterceptorProvider.java
@@ -50,6 +50,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor;
 import org.apache.neethi.Assertion;
 import org.apache.wss4j.policy.SP11Constants;
@@ -127,7 +128,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -171,7 +172,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             }
                         };
                         message.put(MessageTrustDecider.class, trust);
-                        NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+                        PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
                     }
                     if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpBasicAuthentication) {
                         List<String> auth = headers.get("Authorization");
@@ -179,7 +180,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             || !auth.get(0).startsWith("Basic")) {
                             ai.setNotAsserted("HttpBasicAuthentication is set, but not being used");
                         } else {
-                            NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+                            PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
                         }
                     }
                     if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -188,7 +189,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             || !auth.get(0).startsWith("Digest")) {
                             ai.setNotAsserted("HttpDigestAuthentication is set, but not being used");
                         } else {
-                            NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+                            PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
                         }
                     }
                 } else {
@@ -213,7 +214,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.HTTPS_TOKEN);
                 boolean requestor = isRequestor(message);
                 if (ais.isEmpty()) {
                     if (!requestor) {
@@ -252,9 +253,9 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                         ai.setAsserted(true);
                     }
                     
-                    NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
-                    NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
-                    NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+                    PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+                    PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+                    PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
                 }
             }
         }
@@ -287,7 +288,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             new HttpsSecurityTokenImpl(true, policy.getUserName());
                         httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
                         httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
-                        NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
+                        PolicyUtils.assertPolicy(aim, SPConstants.HTTP_BASIC_AUTHENTICATION);
                     }
                 }
                 if (token.getAuthenticationType() == HttpsToken.AuthenticationType.HttpDigestAuthentication) {
@@ -303,7 +304,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             new HttpsSecurityTokenImpl(false, policy.getUserName());
                         httpsSecurityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
                         httpsTokenSecurityEvent.setSecurityToken(httpsSecurityToken);
-                        NegotiationUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
+                        PolicyUtils.assertPolicy(aim, SPConstants.HTTP_DIGEST_AUTHENTICATION);
                     }
                 }
 
@@ -315,7 +316,7 @@ public class HttpsTokenInterceptorProvider extends AbstractPolicyInterceptorProv
                             || tlsInfo.getPeerCertificates().length == 0) {
                             asserted = false;
                         } else {
-                            NegotiationUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
+                            PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
                         }
                     }
                     

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 20249be..5e5b0d1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -45,6 +45,7 @@ import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSClient;
@@ -149,7 +150,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
             
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -196,7 +197,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
         
         private Trust10 getTrust10(AssertionInfoMap aim) {
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
             if (ais.isEmpty()) {
                 return null;
             }
@@ -204,7 +205,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
         }
         private Trust13 getTrust13(AssertionInfoMap aim) {
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
             if (ais.isEmpty()) {
                 return null;
             }
@@ -550,7 +551,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ISSUED_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 1907276..6083f66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -43,6 +43,7 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.kerberos.KerberosClient;
 import org.apache.cxf.ws.security.kerberos.KerberosUtils;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.wss4j.KerberosTokenInterceptor;
@@ -112,7 +113,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -150,8 +151,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                     }                    
                 }
                 
-                NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
-                NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
             }
         }
         
@@ -172,7 +173,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                 MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
             if (aim != null && !enableStax) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -189,8 +190,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                     }                    
                 }
                 
-                NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
-                NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
             }
         }
         
@@ -252,7 +253,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                 MessageUtils.isTrue(message.getContextualProperty(SecurityConstants.ENABLE_STREAMING_SECURITY));
             if (aim != null && enableStax) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -275,8 +276,8 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                     }                    
                 }
                 
-                NegotiationUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
-                NegotiationUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+                PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
             }
         }
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 68c05b8..5283822 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -20,12 +20,9 @@
 package org.apache.cxf.ws.security.policy.interceptors;
 
 import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 
 import javax.security.auth.callback.CallbackHandler;
-import javax.xml.namespace.QName;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.binding.soap.SoapMessage;
@@ -49,6 +46,7 @@ import org.apache.cxf.ws.policy.EndpointPolicy;
 import org.apache.cxf.ws.policy.PolicyEngine;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.cxf.ws.security.trust.STSUtils;
@@ -62,8 +60,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.SecurityContextToken;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
@@ -83,7 +79,7 @@ final class NegotiationUtils {
     }
 
     static Trust10 getTrust10(AssertionInfoMap aim) {
-        AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
+        AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_10);
         if (ai == null) {
             return null;
         }
@@ -91,7 +87,7 @@ final class NegotiationUtils {
     }
     
     static Trust13 getTrust13(AssertionInfoMap aim) {
-        AssertionInfo ai = getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
+        AssertionInfo ai = PolicyUtils.getFirstAssertionByLocalname(aim, SPConstants.TRUST_13);
         if (ai == null) {
             return null;
         }
@@ -133,19 +129,19 @@ final class NegotiationUtils {
     static AlgorithmSuite getAlgorithmSuite(AssertionInfoMap aim) {
         AbstractBinding transport = null;
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 transport = (AbstractBinding)ai.getAssertion();
             }                    
         } else {
-            ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
             if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
                     transport = (AbstractBinding)ai.getAssertion();
                 }                    
             } else {
-                ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+                ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
                 if (!ais.isEmpty()) {
                     for (AssertionInfo ai : ais) {
                         transport = (AbstractBinding)ai.getAssertion();
@@ -303,78 +299,4 @@ final class NegotiationUtils {
         return handler;
     }
     
-    static boolean assertPolicy(AssertionInfoMap aim, QName name) {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    static boolean assertPolicy(AssertionInfoMap aim, String localname) {
-        Collection<AssertionInfo> ais = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, localname);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    static Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
-    
-    static AssertionInfo getFirstAssertionByLocalname(
-        AssertionInfoMap aim, String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        if (sp11Ais != null && !sp11Ais.isEmpty()) {
-            return sp11Ais.iterator().next();
-        }
-
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        if (sp12Ais != null && !sp12Ais.isEmpty()) {
-            return sp12Ais.iterator().next();
-        }
-
-        return null;
-    }
-    
-    static boolean isThereAnAssertionByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            return true;
-        }
-
-        return false;
-    }
-
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
index b70f13a..ada01ef 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationInInterceptor.java
@@ -47,6 +47,7 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -84,15 +85,15 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
     }
     private AbstractBinding getBinding(AssertionInfoMap aim) {
         Collection<AssertionInfo> ais = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
         if (!ais.isEmpty()) {
             return (AbstractBinding)ais.iterator().next().getAssertion();
         }
-        ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
         if (!ais.isEmpty()) {
             return (AbstractBinding)ais.iterator().next().getAssertion();
         }
-        ais = NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
         if (!ais.isEmpty()) {
             return (AbstractBinding)ais.iterator().next().getAssertion();
         }
@@ -104,7 +105,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
         // extract Assertion information
         if (aim != null) {
             final Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
             if (ais.isEmpty()) {
                 return;
             }
@@ -255,7 +256,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
     
     private SignedParts getSignedParts(AssertionInfoMap aim, String addNs) {
         Collection<AssertionInfo> signedPartsAis = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
         SignedParts signedParts = null;
         if (!signedPartsAis.isEmpty()) {
             signedParts = (SignedParts)signedPartsAis.iterator().next().getAssertion();
@@ -279,16 +280,16 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
     }
     
     private void assertPolicies(AssertionInfoMap aim) {
-        NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
-        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
-        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
-        NegotiationUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
+        PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+        PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_AMEND);
+        PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_CANCEL);
+        PolicyUtils.assertPolicy(aim, SPConstants.MUST_NOT_SEND_RENEW);
         QName oldCancelQName = 
             new QName(
                 "http://schemas.microsoft.com/ws/2005/07/securitypolicy", 
                 SPConstants.MUST_NOT_SEND_CANCEL
             );
-        NegotiationUtils.assertPolicy(aim, oldCancelQName);
+        PolicyUtils.assertPolicy(aim, oldCancelQName);
     }
 
     private void unmapSecurityProps(Message message) {
@@ -473,7 +474,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }
@@ -507,7 +508,7 @@ class SecureConversationInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                 return;
             }
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
             if (ais.isEmpty()) {
                 return;
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
index cf67507..ee84f92 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecureConversationOutInterceptor.java
@@ -36,6 +36,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider.IssuedTokenOutInterceptor;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
@@ -61,7 +62,7 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
         // extract Assertion information
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURE_CONVERSATION_TOKEN);
             if (ais.isEmpty()) {
                 return;
             }
@@ -92,13 +93,13 @@ class SecureConversationOutInterceptor extends AbstractPhaseInterceptor<SoapMess
                     message.getExchange().put(SecurityConstants.TOKEN, tok);
                     NegotiationUtils.getTokenStore(message).add(tok);
                 }
-                NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+                PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
             } else {
                 //server side should be checked on the way in
                 for (AssertionInfo ai : ais) {
                     ai.setAsserted(true);
                 }
-                NegotiationUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
+                PolicyUtils.assertPolicy(aim, SPConstants.BOOTSTRAP_POLICY);
             }
         }
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
index fe51e30..ff0bb03 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SecurityVerificationOutInterceptor.java
@@ -31,6 +31,7 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 
@@ -77,38 +78,38 @@ public class SecurityVerificationOutInterceptor extends AbstractPhaseInterceptor
     
     private boolean isThereASecurityBinding(AssertionInfoMap aim) {
         return 
-            NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
-            || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
-            || NegotiationUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.TRANSPORT_BINDING)
+            || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)
+            || PolicyUtils.isThereAnAssertionByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
     }
     
     private AssertionInfo getSecuredPart(AssertionInfoMap aim) {
         Collection<AssertionInfo> assertions = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_PARTS);
         if (!assertions.isEmpty()) {
             return assertions.iterator().next();
         }
         
         assertions = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
         if (!assertions.isEmpty()) {
             return assertions.iterator().next();
         }
         
         assertions = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_PARTS);
         if (!assertions.isEmpty()) {
             return assertions.iterator().next();
         }
         
         assertions = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
         if (!assertions.isEmpty()) {
             return assertions.iterator().next();
         }
         
         assertions = 
-            NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
         if (!assertions.isEmpty()) {
             return assertions.iterator().next();
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index 632ddea..e0be4e5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -42,6 +42,7 @@ import org.apache.cxf.ws.addressing.JAXWSAConstants;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider.HttpsTokenInInterceptor;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -74,7 +75,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
         // extract Assertion information
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
             if (ais.isEmpty()) {
                 return;
             }
@@ -375,7 +376,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
             // extract Assertion information
             if (aim != null) {
                 Collection<AssertionInfo> ais = 
-                    NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
                 if (ais.isEmpty()) {
                     return;
                 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
index 6daca9d..cdbac47 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
@@ -32,6 +32,7 @@ import org.apache.cxf.ws.addressing.AddressingProperties;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.cxf.ws.security.trust.STSClient;
 import org.apache.cxf.ws.security.trust.STSUtils;
@@ -52,7 +53,7 @@ class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMess
         // extract Assertion information
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                NegotiationUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SPNEGO_CONTEXT_TOKEN);
             if (ais.isEmpty()) {
                 return;
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
index c943b79..4895e68 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
@@ -21,7 +21,6 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.util.Collection;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.Set;
 import java.util.logging.Logger;
 
@@ -30,7 +29,6 @@ import javax.xml.namespace.QName;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.cxf.binding.soap.SoapHeader;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
@@ -49,11 +47,10 @@ import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.policy.PolicyException;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 
@@ -118,62 +115,19 @@ public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor {
     
     protected abstract AbstractToken assertTokens(SoapMessage message);
     
-    protected boolean assertPolicy(AssertionInfoMap aim, String localname) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
-        if (!ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    protected boolean assertPolicy(AssertionInfoMap aim, QName name) {
-        Collection<AssertionInfo> ais = aim.getAssertionInfo(name);
-        if (ais != null && !ais.isEmpty()) {
-            for (AssertionInfo ai : ais) {
-                ai.setAsserted(true);
-            }    
-            return true;
-        }
-        return false;
-    }
-    
-    protected Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
-    
     protected AbstractToken assertTokens(SoapMessage message, String localname, boolean signed) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
         AbstractToken tok = null;
         for (AssertionInfo ai : ais) {
             tok = (AbstractToken)ai.getAssertion();
             ai.setAsserted(true);                
         }
         
-        assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
+        PolicyUtils.assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);
         
         if (signed || isTLSInUse(message)) {
-            assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
+            PolicyUtils.assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         }
         return tok;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index aef7915..fac455b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -21,20 +21,15 @@ package org.apache.cxf.ws.security.wss4j;
 
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.List;
 
-import javax.xml.namespace.QName;
-
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.crypto.AlgorithmSuite;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.handler.RequestData;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -62,14 +57,14 @@ public final class AlgorithmSuiteTranslater {
         }
 
         // Now look for an AlgorithmSuite for a SAML Assertion
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
         if (!ais.isEmpty()) {
-            List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites
-                = new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+            List<org.apache.wss4j.policy.model.AlgorithmSuite> samlAlgorithmSuites = new ArrayList<>();
             for (AssertionInfo ai : ais) {
                 SamlToken samlToken = (SamlToken)ai.getAssertion();
                 AbstractSecurityAssertion parentAssertion = samlToken.getParentAssertion();
-                if ((parentAssertion instanceof SupportingTokens)
+                if (parentAssertion instanceof SupportingTokens
                     && ((SupportingTokens)parentAssertion).getAlgorithmSuite() != null) {
                     samlAlgorithmSuites.add(((SupportingTokens)parentAssertion).getAlgorithmSuite());
                 }
@@ -89,8 +84,7 @@ public final class AlgorithmSuiteTranslater {
     ) {
         AlgorithmSuite algorithmSuite = null;
         
-        for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite 
-            : algorithmSuites) {
+        for (org.apache.wss4j.policy.model.AlgorithmSuite cxfAlgorithmSuite : algorithmSuites) {
             if (cxfAlgorithmSuite == null) {
                 continue;
             }
@@ -151,28 +145,28 @@ public final class AlgorithmSuiteTranslater {
      * Get all of the WS-SecurityPolicy Bindings that are in operation
      */
     private List<AbstractBinding> getBindings(AssertionInfoMap aim) {
-        List<AbstractBinding> bindings = new ArrayList<AbstractBinding>();
-        if (aim != null) {
-            Collection<AssertionInfo> ais = 
-                getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
-            if (!ais.isEmpty()) {
-                for (AssertionInfo ai : ais) {
-                    bindings.add((AbstractBinding)ai.getAssertion());
-                }
+        List<AbstractBinding> bindings = new ArrayList<>();
+        
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        if (!ais.isEmpty()) {
+            for (AssertionInfo ai : ais) {
+                bindings.add((AbstractBinding)ai.getAssertion());
             }
-            ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
-            if (!ais.isEmpty()) {     
-                for (AssertionInfo ai : ais) {
-                    bindings.add((AbstractBinding)ai.getAssertion());
-                }
+        }
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {     
+            for (AssertionInfo ai : ais) {
+                bindings.add((AbstractBinding)ai.getAssertion());
             }
-            ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
-            if (!ais.isEmpty()) {     
-                for (AssertionInfo ai : ais) {
-                    bindings.add((AbstractBinding)ai.getAssertion());
-                }
+        }
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        if (!ais.isEmpty()) {     
+            for (AssertionInfo ai : ais) {
+                bindings.add((AbstractBinding)ai.getAssertion());
             }
         }
+        
         return bindings;
     }
     
@@ -182,8 +176,7 @@ public final class AlgorithmSuiteTranslater {
     private List<org.apache.wss4j.policy.model.AlgorithmSuite> getAlgorithmSuites(
         List<AbstractBinding> bindings
     ) {
-        List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = 
-            new ArrayList<org.apache.wss4j.policy.model.AlgorithmSuite>();
+        List<org.apache.wss4j.policy.model.AlgorithmSuite> algorithmSuites = new ArrayList<>();
         for (AbstractBinding binding : bindings) {
             if (binding.getAlgorithmSuite() != null) {
                 algorithmSuites.add(binding.getAlgorithmSuite());
@@ -192,25 +185,4 @@ public final class AlgorithmSuiteTranslater {
         return algorithmSuites;
     }
     
-    private Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
-
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
index 5900c10..de83d7b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j;
 
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractToken;
 
@@ -38,8 +39,8 @@ public class KerberosTokenInterceptor extends BinarySecurityTokenInterceptor {
     
     protected AbstractToken assertTokens(SoapMessage message) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        assertPolicy(aim, "WssKerberosV5ApReqToken11");
-        assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
+        PolicyUtils.assertPolicy(aim, "WssKerberosV5ApReqToken11");
+        PolicyUtils.assertPolicy(aim, "WssGssKerberosV5ApReqToken11");
         return assertTokens(message, SPConstants.KERBEROS_TOKEN, false);
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 116e2a0..abeb41c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -23,7 +23,6 @@ import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -56,6 +55,7 @@ import org.apache.cxf.service.model.EndpointInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
@@ -133,7 +133,8 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     private void handleWSS11(AssertionInfoMap aim, SoapMessage message) {
         if (isRequestor(message)) {
             message.put(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION, "false");
-            Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+            Collection<AssertionInfo> ais = 
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
             if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
                     Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -168,7 +169,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     }
     
     private boolean assertPolicy(AssertionInfoMap aim, String localname) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, localname);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, localname);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
@@ -178,32 +179,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         return false;
     }
     
-    private Collection<AssertionInfo> getAllAssertionsByLocalname(
-        AssertionInfoMap aim,
-        String localname
-    ) {
-        Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-        Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-        
-        if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-            Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-            if (sp11Ais != null) {
-                ais.addAll(sp11Ais);
-            }
-            if (sp12Ais != null) {
-                ais.addAll(sp12Ais);
-            }
-            return ais;
-        }
-            
-        return Collections.emptySet();
-    }
-
     private String checkAsymmetricBinding(
         AssertionInfoMap aim, String action, SoapMessage message, RequestData data
     ) throws WSSecurityException {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
         if (ais.isEmpty()) {
             return action;
         }
@@ -289,7 +269,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
             
             if (!ais.isEmpty()) {
                 return true;
@@ -307,7 +287,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.INCLUDE_TIMESTAMP);
             
             if (!ais.isEmpty()) {
                 return true;
@@ -325,7 +305,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         AssertionInfoMap aim = msg.get(AssertionInfoMap.class);
         if (aim != null) {
             Collection<AssertionInfo> ais = 
-                getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
             
             if (!ais.isEmpty()) {
                 return true;
@@ -339,7 +319,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         AssertionInfoMap aim, SoapMessage message
     ) throws WSSecurityException {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
         
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
@@ -355,7 +335,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         AssertionInfoMap aim, String action, SoapMessage message, RequestData data
     ) throws WSSecurityException {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
         if (ais.isEmpty()) {
             return action;
         }
@@ -505,7 +485,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
                                    CoverageType type,
                                    CoverageScope scope,
                                    final XPath xpath) throws SOAPException {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
@@ -548,7 +528,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
                               Element soapHeader,
                               Element soapBody,
                               CoverageType type) throws SOAPException {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, name);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, name);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 ai.setAsserted(true);
@@ -654,7 +634,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             assertPolicy(aim, SPConstants.RSA_KEY_VALUE);
             
             // WSS10
-            ais = getAllAssertionsByLocalname(aim, SPConstants.WSS10);
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS10);
             if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
                     ai.setAsserted(true);
@@ -666,7 +646,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             }
             
             // Trust 1.0
-            ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_10);
             boolean trust10Asserted = false;
             if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
@@ -681,7 +661,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             }
             
             // Trust 1.3
-            ais = getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRUST_13);
             if (!ais.isEmpty()) {
                 for (AssertionInfo ai : ais) {
                     ai.setAsserted(true);
@@ -973,7 +953,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     private boolean assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header) 
         throws SOAPException {
         
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
+        Collection<AssertionInfo> ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_PARTS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 RequiredParts rp = (RequiredParts)ai.getAssertion();
@@ -988,7 +968,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             }
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.REQUIRED_ELEMENTS);
         if (!ais.isEmpty()) {
             for (AssertionInfo ai : ais) {
                 RequiredElements rp = (RequiredElements)ai.getAssertion();
@@ -1025,17 +1005,17 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
 
     private boolean isTransportBinding(AssertionInfoMap aim, SoapMessage message) {
         Collection<AssertionInfo> ais = 
-            getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
         if (ais.size() > 0) {
             return false;
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
         if (ais.size() > 0) {
             return false;
         }
         
-        ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
         if (ais.size() > 0) {
             return true;
         }
@@ -1055,15 +1035,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     }
     
     private boolean containsXPathPolicy(AssertionInfoMap aim) {
-        Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ELEMENTS);
         if (ais.size() > 0) {
             return true;
         }
-        ais = getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_ELEMENTS);
         if (ais.size() > 0) {
             return true;
         }
-        ais = getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.CONTENT_ENCRYPTED_ELEMENTS);
         if (ais.size() > 0) {
             return true;
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 54faf7e..b73cd6c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -21,16 +21,13 @@ package org.apache.cxf.ws.security.wss4j;
 import java.security.Provider;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.HashSet;
 import java.util.Set;
 import java.util.logging.Logger;
 
-import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.binding.soap.SoapFault;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor;
@@ -45,6 +42,7 @@ import org.apache.cxf.phase.PhaseInterceptor;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler;
 import org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler;
@@ -54,8 +52,6 @@ import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSSConfig;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.message.WSSecHeader;
-import org.apache.wss4j.policy.SP11Constants;
-import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
@@ -120,6 +116,11 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
         }
         
         private void handleMessageInternal(SoapMessage message) throws Fault {
+            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+            if (aim == null) {
+                // no policies available
+                return;
+            }
             SOAPMessage saaj = message.getContent(SOAPMessage.class);
 
             boolean mustUnderstand = 
@@ -128,91 +129,100 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
                 );
             String actor = (String)message.getContextualProperty(SecurityConstants.ACTOR);
             
-            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             // extract Assertion information
-            if (aim != null) {
-                AbstractBinding transport = null;
-                Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
-                if (!ais.isEmpty()) {
-                    for (AssertionInfo ai : ais) {
-                        transport = (AbstractBinding)ai.getAssertion();
-                        ai.setAsserted(true);
-                    }                    
+            AbstractBinding binding = getSecurityBinding(aim);
+
+            if (binding == null && isRequestor(message)) {
+                Policy policy = new Policy();
+                binding = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
+                                                 policy);
+            }
+
+            if (binding != null) {
+                WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
+                Element el = null;
+                try {
+                    el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
+                } catch (WSSecurityException e) {
+                    throw new SoapFault(
+                        new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+                    );
                 }
-                ais = getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
-                if (!ais.isEmpty()) {
-                    for (AssertionInfo ai : ais) {
-                        transport = (AbstractBinding)ai.getAssertion();
-                        ai.setAsserted(true);
-                    }                    
+                try {
+                    //move to end
+                    SAAJUtils.getHeader(saaj).removeChild(el);
+                    SAAJUtils.getHeader(saaj).appendChild(el);
+                } catch (SOAPException e) {
+                    //ignore
                 }
-                ais = getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
-                if (!ais.isEmpty()) {
-                    for (AssertionInfo ai : ais) {
-                        transport = (AbstractBinding)ai.getAssertion();
-                        ai.setAsserted(true);
-                    }                    
+
+                WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
+                if (config == null) {
+                    config = WSSConfig.getNewInstance();
                 }
+                translateProperties(message);
 
-                if (transport == null && isRequestor(message)) {
-                    Policy policy = new Policy();
-                    transport = new TransportBinding(org.apache.wss4j.policy.SPConstants.SPVersion.SP11,
-                                                     policy);
+                String asymSignatureAlgorithm = 
+                    (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
+                if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
+                    binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
                 }
-                
-                if (transport != null) {
-                    WSSecHeader secHeader = new WSSecHeader(actor, mustUnderstand);
-                    Element el = null;
-                    try {
-                        el = secHeader.insertSecurityHeader(saaj.getSOAPPart());
-                    } catch (WSSecurityException e) {
-                        throw new SoapFault(
-                            new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
-                        );
-                    }
-                    try {
-                        //move to end
-                        SAAJUtils.getHeader(saaj).removeChild(el);
-                        SAAJUtils.getHeader(saaj).appendChild(el);
-                    } catch (SOAPException e) {
-                        //ignore
-                    }
-                    
-                    WSSConfig config = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
-                    if (config == null) {
-                        config = WSSConfig.getNewInstance();
-                    }
-                    translateProperties(message);
-                    
-                    String asymSignatureAlgorithm = 
-                        (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
-                    if (asymSignatureAlgorithm != null && transport.getAlgorithmSuite() != null) {
-                        transport.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
-                    }
 
-                    try {
-                        if (transport instanceof TransportBinding) {
-                            new TransportBindingHandler(config, (TransportBinding)transport, saaj,
-                                                        secHeader, aim, message).handleBinding();
-                        } else if (transport instanceof SymmetricBinding) {
-                            new SymmetricBindingHandler(config, (SymmetricBinding)transport, saaj,
-                                                         secHeader, aim, message).handleBinding();
-                        } else {
-                            new AsymmetricBindingHandler(config, (AsymmetricBinding)transport, saaj,
-                                                         secHeader, aim, message).handleBinding();
-                        }
-                    } catch (SOAPException e) {
-                        throw new SoapFault(
-                            new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
-                        );
-                    }
-                    
-                    if (el.getFirstChild() == null) {
-                        el.getParentNode().removeChild(el);
+                try {
+                    if (binding instanceof TransportBinding) {
+                        new TransportBindingHandler(config, (TransportBinding)binding, saaj,
+                                                    secHeader, aim, message).handleBinding();
+                    } else if (binding instanceof SymmetricBinding) {
+                        new SymmetricBindingHandler(config, (SymmetricBinding)binding, saaj,
+                                                    secHeader, aim, message).handleBinding();
+                    } else {
+                        new AsymmetricBindingHandler(config, (AsymmetricBinding)binding, saaj,
+                                                     secHeader, aim, message).handleBinding();
                     }
+                } catch (SOAPException e) {
+                    throw new SoapFault(
+                        new Message("SECURITY_FAILED", LOG), e, message.getVersion().getSender()
+                    );
+                }
+
+                if (el.getFirstChild() == null) {
+                    el.getParentNode().removeChild(el);
+                }
+            }
+            
+        }
+        
+        private AbstractBinding getSecurityBinding(AssertionInfoMap aim) {
+            Collection<AssertionInfo> ais = 
+                PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+            if (!ais.isEmpty()) {
+                AbstractBinding binding = null;
+                for (AssertionInfo ai : ais) {
+                    binding = (AbstractBinding)ai.getAssertion();
+                    ai.setAsserted(true);
+                }
+                return binding;
+            }
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+            if (!ais.isEmpty()) {
+                AbstractBinding binding = null;
+                for (AssertionInfo ai : ais) {
+                    binding = (AbstractBinding)ai.getAssertion();
+                    ai.setAsserted(true);
+                }
+                return binding;
+            }
+            ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+            if (!ais.isEmpty()) {
+                AbstractBinding binding = null;
+                for (AssertionInfo ai : ais) {
+                    binding = (AbstractBinding)ai.getAssertion();
+                    ai.setAsserted(true);
                 }
+                return binding;
             }
             
+            return null;
         }
 
         public Set<String> getAfter() {
@@ -247,26 +257,5 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
                 msg.put(WSHandlerConstants.IS_BSP_COMPLIANT, bspCompliant);
             }
         }
-        
-        private Collection<AssertionInfo> getAllAssertionsByLocalname(
-            AssertionInfoMap aim,
-            String localname
-        ) {
-            Collection<AssertionInfo> sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localname));
-            Collection<AssertionInfo> sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localname));
-            
-            if ((sp11Ais != null && !sp11Ais.isEmpty()) || (sp12Ais != null && !sp12Ais.isEmpty())) {
-                Collection<AssertionInfo> ais = new HashSet<AssertionInfo>();
-                if (sp11Ais != null) {
-                    ais.addAll(sp11Ais);
-                }
-                if (sp12Ais != null) {
-                    ais.addAll(sp12Ais);
-                }
-                return ais;
-            }
-                
-            return Collections.emptySet();
-        }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/a2e5fae3/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index ec2e51d..0d128d8 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -44,6 +44,7 @@ import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
@@ -113,7 +114,8 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
                         
                         // Check version against policy
                         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-                        for (AssertionInfo ai : getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
+                        for (AssertionInfo ai 
+                            : PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN)) {
                             SamlToken samlToken = (SamlToken)ai.getAssertion();
                             for (WSSecurityEngineResult result : samlResults) {
                                 SamlAssertionWrapper assertionWrapper = 
@@ -175,9 +177,9 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
 
     protected AbstractToken assertTokens(SoapMessage message) {
         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
-        assertPolicy(aim, "WssSamlV11Token10");
-        assertPolicy(aim, "WssSamlV11Token11");
-        assertPolicy(aim, "WssSamlV20Token11");
+        PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+        PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
+        PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
         return assertTokens(message, SPConstants.SAML_TOKEN, true);
     }
 
@@ -191,7 +193,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
             if (wrapper == null) {
                 AssertionInfoMap aim = message.get(AssertionInfoMap.class);
                 Collection<AssertionInfo> ais = 
-                    getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+                    PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
                 for (AssertionInfo ai : ais) {
                     if (ai.isAsserted()) {
                         ai.setAsserted(false);
@@ -236,12 +238,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
         SamlTokenType tokenType = token.getSamlTokenType();
         if (tokenType == SamlTokenType.WssSamlV11Token10 || tokenType == SamlTokenType.WssSamlV11Token11) {
             samlCallback.setSamlVersion(Version.SAML_11);
-            assertPolicy(aim, "WssSamlV11Token10");
-            assertPolicy(aim, "WssSamlV11Token11");
+            PolicyUtils.assertPolicy(aim, "WssSamlV11Token10");
+            PolicyUtils.assertPolicy(aim, "WssSamlV11Token11");
             
         } else if (tokenType == SamlTokenType.WssSamlV20Token11) {
             samlCallback.setSamlVersion(Version.SAML_20);
-            assertPolicy(aim, "WssSamlV20Token11");
+            PolicyUtils.assertPolicy(aim, "WssSamlV20Token11");
         }
         SAMLUtil.doSAMLCallback(handler, samlCallback);
         SamlAssertionWrapper assertion = new SamlAssertionWrapper(samlCallback);
@@ -324,7 +326,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
             && assertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
             return false;
         }
-        assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
+        PolicyUtils.assertPolicy(aim, new QName(samlToken.getVersion().getNamespace(), tokenType.name()));
         return true;
     }
     


Mime
View raw message