
From cohei...@apache.org
Subject [3/3] cxf git commit: Refactor of policy validators
Date Fri, 20 Mar 2015 16:48:39 GMT
Refactor of policy validators


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/9de88cce
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/9de88cce
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/9de88cce

Branch: refs/heads/master
Commit: 9de88cce894ca9ea746abf27943635467e23c153
Parents: 3f975fa
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Mar 20 16:47:34 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Mar 20 16:48:07 2015 +0000

----------------------------------------------------------------------
 .../IssuedTokenInterceptorProvider.java         | 104 ++-----
 .../KerberosTokenInterceptorProvider.java       |  64 +---
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 216 ++++++--------
 .../AbstractBindingPolicyValidator.java         |   2 +-
 .../AbstractSamlPolicyValidator.java            |   2 +-
 .../AbstractSecurityPolicyValidator.java        |  59 ++++
 .../AbstractSupportingTokenPolicyValidator.java | 298 +++++++++----------
 .../AbstractTokenPolicyValidator.java           |  59 ----
 .../AlgorithmSuitePolicyValidator.java          |  50 ++--
 .../AsymmetricBindingPolicyValidator.java       |  53 ++--
 .../BindingPolicyValidator.java                 |  46 ---
 .../ConcreteSupportingTokenPolicyValidator.java |  70 ++---
 .../EncryptedTokenPolicyValidator.java          |  68 ++---
 .../EndorsingEncryptedTokenPolicyValidator.java |  77 ++---
 .../EndorsingTokenPolicyValidator.java          |  75 ++---
 .../IssuedTokenPolicyValidator.java             | 159 +++++++---
 .../KerberosTokenPolicyValidator.java           | 137 ++++++---
 .../policyvalidators/LayoutPolicyValidator.java |  49 ++-
 .../PolicyValidatorParameters.java              | 125 ++++++++
 .../SamlTokenPolicyValidator.java               |  76 ++---
 .../SecurityContextTokenPolicyValidator.java    |  46 ++-
 .../SecurityPolicyValidator.java                |  41 +++
 .../SignedEncryptedTokenPolicyValidator.java    |  68 ++---
 ...dEndorsingEncryptedTokenPolicyValidator.java |  77 ++---
 .../SignedEndorsingTokenPolicyValidator.java    |  75 ++---
 .../SignedTokenPolicyValidator.java             |  71 ++---
 .../SupportingTokenPolicyValidator.java         |  60 ----
 .../SymmetricBindingPolicyValidator.java        |  53 ++--
 .../policyvalidators/TokenPolicyValidator.java  |  45 ---
 .../TransportBindingPolicyValidator.java        |  65 ++--
 .../UsernameTokenPolicyValidator.java           |  58 ++--
 .../policyvalidators/WSS11PolicyValidator.java  |  46 ++-
 .../X509TokenPolicyValidator.java               |  50 ++--
 .../cxf/sts/token/renewer/SAMLTokenRenewer.java |   8 +-
 34 files changed, 1257 insertions(+), 1295 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 5761f78..867bcae 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -19,7 +19,6 @@
 
 package org.apache.cxf.ws.security.policy.interceptors;
 
-import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -44,13 +43,12 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxInInterceptor;
 import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.IssuedTokenPolicyValidator;
-import org.apache.wss4j.common.saml.SAMLKeyInfo;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -186,88 +184,26 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
             Message message,
             Collection<AssertionInfo> issuedAis
         ) {
+            PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+            parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
+            parameters.setMessage(message);
+            parameters.setResults(rResult.getResults());
+            
+            final List<Integer> actions = new ArrayList<>(1);
+            actions.add(WSConstants.SIGN);
             List<WSSecurityEngineResult> signedResults = 
-                WSSecurityUtil.fetchAllActionResults(rResult.getResults(), WSConstants.SIGN);
+                WSSecurityUtil.fetchAllActionResults(rResult.getResults(), actions);
+            parameters.setSignedResults(signedResults);
             
-            IssuedTokenPolicyValidator issuedValidator = 
-                new IssuedTokenPolicyValidator(signedResults, message);
-
-            for (SamlAssertionWrapper assertionWrapper : findSamlTokenResults(rResult.getResults())) {
-                boolean valid = issuedValidator.validatePolicy(issuedAis, assertionWrapper);
-                if (valid) {
-                    SecurityToken token = createSecurityToken(assertionWrapper);
-                    message.getExchange().put(SecurityConstants.TOKEN, token);
-                    return;
-                }
-            }
-            for (BinarySecurity binarySecurityToken : findBinarySecurityTokenResults(rResult.getResults())) {
-                boolean valid = issuedValidator.validatePolicy(issuedAis, binarySecurityToken);
-                if (valid) {
-                    SecurityToken token = createSecurityToken(binarySecurityToken);
-                    message.getExchange().put(SecurityConstants.TOKEN, token);
-                    return;
-                }
-            }
-        }
-        
-        private List<SamlAssertionWrapper> findSamlTokenResults(
-            List<WSSecurityEngineResult> wsSecEngineResults
-        ) {
-            List<SamlAssertionWrapper> results = new ArrayList<SamlAssertionWrapper>();
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt.intValue() == WSConstants.ST_SIGNED
-                    || actInt.intValue() == WSConstants.ST_UNSIGNED) {
-                    results.add((SamlAssertionWrapper)wser.get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
-                }
-            }
-            return results;
-        }
-        
-        private List<BinarySecurity> findBinarySecurityTokenResults(
-            List<WSSecurityEngineResult> wsSecEngineResults
-        ) {
-            List<BinarySecurity> results = new ArrayList<BinarySecurity>();
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt.intValue() == WSConstants.BST 
-                    && Boolean.TRUE.equals(wser.get(WSSecurityEngineResult.TAG_VALIDATED_TOKEN))) {
-                    results.add((BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN));
-                }
-            }
-            return results;
-        }
-        
-        private SecurityToken createSecurityToken(
-            SamlAssertionWrapper assertionWrapper
-        ) {
-            SecurityToken token = new SecurityToken(assertionWrapper.getId());
-
-            SAMLKeyInfo subjectKeyInfo = assertionWrapper.getSubjectKeyInfo();
-            if (subjectKeyInfo != null) {
-                token.setSecret(subjectKeyInfo.getSecret());
-                X509Certificate[] certs = subjectKeyInfo.getCerts();
-                if (certs != null && certs.length > 0) {
-                    token.setX509Certificate(certs[0], null);
-                }
-            }
-            if (assertionWrapper.getSaml1() != null) {
-                token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
-            } else if (assertionWrapper.getSaml2() != null) {
-                token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
-            }
-            token.setToken(assertionWrapper.getElement());
-
-            return token;
-        }
-    
-        private SecurityToken createSecurityToken(BinarySecurity binarySecurityToken) {
-            SecurityToken token = new SecurityToken(binarySecurityToken.getID());
-            token.setToken(binarySecurityToken.getElement());
-            token.setSecret(binarySecurityToken.getToken());
-            token.setTokenType(binarySecurityToken.getValueType());
-    
-            return token;
+            final List<Integer> samlActions = new ArrayList<>(2);
+            samlActions.add(WSConstants.ST_SIGNED);
+            samlActions.add(WSConstants.ST_UNSIGNED);
+            List<WSSecurityEngineResult> samlResults = 
+                WSSecurityUtil.fetchAllActionResults(rResult.getResults(), samlActions);
+            parameters.setSamlResults(samlResults);
+            
+            SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
+            issuedValidator.validatePolicies(parameters, issuedAis);
         }
         
     }
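Review bot: The removed findBinarySecurityTokenResults only considered a BinarySecurity result whose `TAG_VALIDATED_TOKEN` flag was TRUE, whereas the new body hands the complete `rResult.getResults()` list to the validator and sets no BST list of its own, so that gate now has to live inside IssuedTokenPolicyValidator, which is not in view; it is worth confirming the validator still checks `TAG_VALIDATED_TOKEN` before it builds a SecurityToken from a BST. The boolean returned by `issuedValidator.validatePolicies(parameters, issuedAis)` is discarded here, unlike PolicyBasedWSS4JInInterceptor, which logs a failed validation at FINE; the same applies to `kerberosValidator.validatePolicies(parameters, ais)` in KerberosTokenInterceptorProvider. If the result is intentionally unused because the validator records the outcome on the AssertionInfo objects, a one-line comment such as `// return value not needed: the validator marks the assertions it checks` would save the next reader the question. parseHandlerResults's signature begins before this hunk.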

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 2c14dd3..7c03bb2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -20,7 +20,6 @@
 package org.apache.cxf.ws.security.policy.interceptors;
 
 import java.security.Key;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
@@ -53,13 +52,11 @@ import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JStaxOutInterceptor;
 import org.apache.cxf.ws.security.wss4j.StaxSecurityContextInInterceptor;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.KerberosTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.dom.WSConstants;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.message.token.BinarySecurity;
-import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -175,7 +172,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
                     List<WSHandlerResult> results = 
                         CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
                     if (results != null && results.size() > 0) {
-                        parseHandlerResults(results.get(0), message, aim);
+                        parseHandlerResults(results.get(0), message, aim, ais);
                     }
                 } else {
                     //client side should be checked on the way out
@@ -192,41 +189,19 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
         private void parseHandlerResults(
             WSHandlerResult rResult,
             Message message,
-            AssertionInfoMap aim
+            AssertionInfoMap aim,
+            Collection<AssertionInfo> ais
         ) {
-            List<WSSecurityEngineResult> kerberosResults = findKerberosResults(rResult.getResults());
-            for (WSSecurityEngineResult wser : kerberosResults) {
-                KerberosSecurity kerberosToken = 
-                    (KerberosSecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                KerberosTokenPolicyValidator kerberosValidator = 
-                    new KerberosTokenPolicyValidator(message);
-                boolean valid = kerberosValidator.validatePolicy(aim, kerberosToken);
-                if (valid) {
-                    SecurityToken token = createSecurityToken(kerberosToken);
-                    token.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_SECRET));
-                    SecurityUtils.getTokenStore(message).add(token);
-                    message.getExchange().put(SecurityConstants.TOKEN_ID, token.getId());
-                    return;
-                }
-            }
+            
+            PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+            parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
+            parameters.setMessage(message);
+            parameters.setResults(rResult.getResults());
+            
+            SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
+            kerberosValidator.validatePolicies(parameters, ais);
         }
         
-        private List<WSSecurityEngineResult> findKerberosResults(
-            List<WSSecurityEngineResult> wsSecEngineResults
-        ) {
-            List<WSSecurityEngineResult> results = new ArrayList<WSSecurityEngineResult>();
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt.intValue() == WSConstants.BST) {
-                    BinarySecurity binarySecurity = 
-                        (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-                    if (binarySecurity instanceof KerberosSecurity) {
-                        results.add(wser);
-                    }
-                }
-            }
-            return results;
-        }
     }
     
     static class KerberosTokenStaxInInterceptor extends AbstractPhaseInterceptor<Message> {
@@ -334,17 +309,4 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
         }
     }
     
-    private static SecurityToken createSecurityToken(KerberosSecurity binarySecurityToken) {
-        SecurityToken token = new SecurityToken(binarySecurityToken.getID());
-        token.setToken(binarySecurityToken.getElement());
-        token.setTokenType(binarySecurityToken.getValueType());
-        byte[] tokenBytes = binarySecurityToken.getToken();
-        try {
-            token.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(tokenBytes)));
-        } catch (WSSecurityException e) {
-            // Just consume this for now as it isn't critical...
-        }
-        return token;
-    }
-        
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index d96ecba..8dd7243 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -54,21 +54,20 @@ import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.AsymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.BindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.ConcreteSupportingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.LayoutPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.PolicyValidatorParameters;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityContextTokenPolicyValidator;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.SecurityPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingEncryptedTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedEndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SignedTokenPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.SupportingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SymmetricBindingPolicyValidator;
-import org.apache.cxf.ws.security.wss4j.policyvalidators.TokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.TransportBindingPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.WSS11PolicyValidator;
@@ -641,16 +640,47 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             LOG.fine("Incoming request failed signed-encrypted policy validation");
         }
         
-        if (!checkTokenCoverage(aim, msg, soapBody, results, signedResults)) {
+        PolicyValidatorParameters parameters = new PolicyValidatorParameters();
+        parameters.setAssertionInfoMap(aim);
+        parameters.setMessage(msg);
+        parameters.setSoapBody(soapBody);
+        parameters.setResults(results);
+        parameters.setSignedResults(signedResults);
+        parameters.setEncryptedResults(encryptResults);
+        parameters.setUtWithCallbacks(utWithCallbacks);
+        
+        final List<Integer> utActions = new ArrayList<>(2);
+        utActions.add(WSConstants.UT);
+        utActions.add(WSConstants.UT_NOPASSWORD);
+        List<WSSecurityEngineResult> utResults = 
+            WSSecurityUtil.fetchAllActionResults(results, utActions);
+        parameters.setUsernameTokenResults(utResults);
+        
+        final List<Integer> samlActions = new ArrayList<>(2);
+        samlActions.add(WSConstants.ST_SIGNED);
+        samlActions.add(WSConstants.ST_UNSIGNED);
+        List<WSSecurityEngineResult> samlResults = 
+            WSSecurityUtil.fetchAllActionResults(results, samlActions);
+        parameters.setSamlResults(samlResults);
+        
+        // Store the timestamp element
+        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+        Element timestamp = null;
+        if (tsResult != null) {
+            Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
+            timestamp = ts.getElement();
+        }
+        parameters.setTimestampElement(timestamp);
+        
+        if (!checkTokenCoverage(parameters)) {
             LOG.fine("Incoming request failed token policy validation");
         }
         
-        if (!checkBindingCoverage(aim, msg, soapBody, results, signedResults, encryptResults)) {
+        if (!checkBindingCoverage(parameters)) {
             LOG.fine("Incoming request failed binding policy validation");
         }
 
-        if (!checkSupportingTokenCoverage(aim, msg, results, signedResults, 
-            encryptResults, utWithCallbacks)) {
+        if (!checkSupportingTokenCoverage(parameters)) {
             LOG.fine("Incoming request failed supporting token policy validation");
         }
         
@@ -704,28 +734,31 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     /**
      * Check the token coverage
      */
-    private boolean checkTokenCoverage(
-        AssertionInfoMap aim,
-        SoapMessage msg,
-        Element soapBody,
-        List<WSSecurityEngineResult> results, 
-        List<WSSecurityEngineResult> signedResults
-    ) {
+    private boolean checkTokenCoverage(PolicyValidatorParameters parameters) {
+        
         boolean check = true;
-        TokenPolicyValidator x509Validator = new X509TokenPolicyValidator();
-        check &= x509Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        AssertionInfoMap aim = parameters.getAssertionInfoMap();
         
-        TokenPolicyValidator utValidator = new UsernameTokenPolicyValidator();
-        check &= utValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
+        SecurityPolicyValidator x509Validator = new X509TokenPolicyValidator();
+        check &= x509Validator.validatePolicies(parameters, ais);
         
-        TokenPolicyValidator samlValidator = new SamlTokenPolicyValidator();
-        check &= samlValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
+        SecurityPolicyValidator utValidator = new UsernameTokenPolicyValidator();
+        check &= utValidator.validatePolicies(parameters, ais);
         
-        TokenPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
-        check &= sctValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN);
+        SecurityPolicyValidator samlValidator = new SamlTokenPolicyValidator();
+        check &= samlValidator.validatePolicies(parameters, ais);
         
-        TokenPolicyValidator wss11Validator = new WSS11PolicyValidator();
-        check &= wss11Validator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SECURITY_CONTEXT_TOKEN);
+        SecurityPolicyValidator sctValidator = new SecurityContextTokenPolicyValidator();
+        check &= sctValidator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11);
+        SecurityPolicyValidator wss11Validator = new WSS11PolicyValidator();
+        check &= wss11Validator.validatePolicies(parameters, ais);
         
         return check;
     }
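Review bot: The Javadoc above checkTokenCoverage still says only `Check the token coverage`, while the method now takes a `PolicyValidatorParameters` and returns a boolean whose meaning is not stated; the `&=` form also runs every validator rather than stopping at the first failure, which looks deliberate but is undocumented. Suggested tags: `@param parameters the message, WSS4J results and assertion map shared by all validators` and `@return true if every token validator accepted its assertions; every validator runs even after a failure (presumably so each records its own assertion status — confirm)`. The same one-line Javadoc is left stale on checkBindingCoverage and checkSupportingTokenCoverage in the following hunks.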
@@ -733,41 +766,31 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     /**
      * Check the binding coverage
      */
-    private boolean checkBindingCoverage(
-        AssertionInfoMap aim, 
-        SoapMessage msg,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
+    private boolean checkBindingCoverage(PolicyValidatorParameters parameters) {
         boolean check = true;
+        AssertionInfoMap aim = parameters.getAssertionInfoMap();
         
-        BindingPolicyValidator transportValidator = new TransportBindingPolicyValidator();
-        check &= 
-            transportValidator.validatePolicy(
-                aim, msg, soapBody, results, signedResults, encryptedResults
-            );
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.TRANSPORT_BINDING);
+        SecurityPolicyValidator transportValidator = new TransportBindingPolicyValidator();
+        check &= transportValidator.validatePolicies(parameters, ais);
             
-        BindingPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
-        check &= 
-            symmetricValidator.validatePolicy(
-                aim, msg, soapBody, results, signedResults, encryptedResults
-            );
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SYMMETRIC_BINDING);
+        SecurityPolicyValidator symmetricValidator = new SymmetricBindingPolicyValidator();
+        check &= symmetricValidator.validatePolicies(parameters, ais);
 
-        BindingPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
-        check &= 
-            asymmetricValidator.validatePolicy(
-                aim, msg, soapBody, results, signedResults, encryptedResults
-            );
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
+        SecurityPolicyValidator asymmetricValidator = new AsymmetricBindingPolicyValidator();
+        check &= asymmetricValidator.validatePolicies(parameters, ais);
         
         // Check AlgorithmSuite + Layout that might not be tied to a binding
-        AlgorithmSuitePolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
-        check &= 
-            algorithmSuiteValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
+        SecurityPolicyValidator algorithmSuiteValidator = new AlgorithmSuitePolicyValidator();
+        check &= algorithmSuiteValidator.validatePolicies(parameters, ais);
         
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.LAYOUT);
         LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();
-        check &= layoutValidator.validatePolicy(aim, msg, soapBody, results, signedResults);
+        check &= layoutValidator.validatePolicies(parameters, ais);
         
         return check;
     }
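Review bot: The layout validator is the only one in checkBindingCoverage still declared with its concrete type, `LayoutPolicyValidator layoutValidator = new LayoutPolicyValidator();`, while the other five lines in the hunk program to the new `SecurityPolicyValidator` interface. For consistency, `SecurityPolicyValidator layoutValidator = new LayoutPolicyValidator();` keeps the method uniform and makes it clear that nothing layout-specific is called on it.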
@@ -775,83 +798,42 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     /**
      * Check the supporting token coverage
      */
-    private boolean checkSupportingTokenCoverage(
-        AssertionInfoMap aim,
-        SoapMessage msg,
-        List<WSSecurityEngineResult> results, 
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults,
-        boolean utWithCallbacks
-    ) {
-        final List<Integer> utActions = new ArrayList<>(2);
-        utActions.add(WSConstants.UT);
-        utActions.add(WSConstants.UT_NOPASSWORD);
-        List<WSSecurityEngineResult> utResults = 
-            WSSecurityUtil.fetchAllActionResults(results, utActions);
-        
-        final List<Integer> samlActions = new ArrayList<>(2);
-        samlActions.add(WSConstants.ST_SIGNED);
-        samlActions.add(WSConstants.ST_UNSIGNED);
-        List<WSSecurityEngineResult> samlResults = 
-            WSSecurityUtil.fetchAllActionResults(results, samlActions);
-        
-        // Store the timestamp element
-        WSSecurityEngineResult tsResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
-        Element timestamp = null;
-        if (tsResult != null) {
-            Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
-            timestamp = ts.getElement();
-        }
-        
+    private boolean checkSupportingTokenCoverage(PolicyValidatorParameters parameters) {
         boolean check = true;
+        AssertionInfoMap aim = parameters.getAssertionInfoMap();
         
-        SupportingTokenPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+        Collection<AssertionInfo> ais = 
+            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SUPPORTING_TOKENS);
+        SecurityPolicyValidator validator = new ConcreteSupportingTokenPolicyValidator();
+        check &= validator.validatePolicies(parameters, ais);
         
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
         validator = new SignedTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+        check &= validator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_SUPPORTING_TOKENS);
         validator = new EndorsingTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+        check &= validator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS);
         validator = new SignedEndorsingTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+        check &= validator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
         validator = new SignedEncryptedTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+        check &= validator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENCRYPTED_SUPPORTING_TOKENS);
         validator = new EncryptedTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
-
+        check &= validator.validatePolicies(parameters, ais);
+        
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         validator = new EndorsingEncryptedTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+        check &= validator.validatePolicies(parameters, ais);
 
+        ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
         validator = new SignedEndorsingEncryptedTokenPolicyValidator();
-        validator.setUsernameTokenResults(utResults, utWithCallbacks);
-        validator.setSAMLTokenResults(samlResults);
-        validator.setTimestampElement(timestamp);
-        check &= validator.validatePolicy(aim, msg, results, signedResults, encryptedResults);
+        check &= validator.validatePolicies(parameters, ais);
         
         return check;
     }
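Review bot: checkSupportingTokenCoverage now consists of eight identical three-line pairs (look up assertions by localname, construct a validator, fold the result into `check`), which invites copy-paste drift when a ninth supporting-token type is added. A small insertion-ordered table of localname to validator, iterated once, keeps the execution order and the non-short-circuit `&=` while making the pairing explicit; it needs `java.util.Map` and `java.util.LinkedHashMap` in scope, which this hunk does not show. The validators are constructed per call exactly as now, so no assumption about their statelessness is introduced.
```java
    private boolean checkSupportingTokenCoverage(PolicyValidatorParameters parameters) {
        AssertionInfoMap aim = parameters.getAssertionInfoMap();

        // Insertion-ordered so the validators run in the same order as before
        Map<String, SecurityPolicyValidator> validators = new LinkedHashMap<>();
        validators.put(SPConstants.SUPPORTING_TOKENS, new ConcreteSupportingTokenPolicyValidator());
        validators.put(SPConstants.SIGNED_SUPPORTING_TOKENS, new SignedTokenPolicyValidator());
        validators.put(SPConstants.ENDORSING_SUPPORTING_TOKENS, new EndorsingTokenPolicyValidator());
        validators.put(SPConstants.SIGNED_ENDORSING_SUPPORTING_TOKENS, new SignedEndorsingTokenPolicyValidator());
        validators.put(SPConstants.SIGNED_ENCRYPTED_SUPPORTING_TOKENS, new SignedEncryptedTokenPolicyValidator());
        validators.put(SPConstants.ENCRYPTED_SUPPORTING_TOKENS, new EncryptedTokenPolicyValidator());
        validators.put(SPConstants.ENDORSING_ENCRYPTED_SUPPORTING_TOKENS, new EndorsingEncryptedTokenPolicyValidator());
        validators.put(SPConstants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS,
                       new SignedEndorsingEncryptedTokenPolicyValidator());

        boolean check = true;
        for (Map.Entry<String, SecurityPolicyValidator> entry : validators.entrySet()) {
            Collection<AssertionInfo> ais =
                PolicyUtils.getAllAssertionsByLocalname(aim, entry.getKey());
            // Non-short-circuit on purpose: every validator must run, as before
            check &= entry.getValue().validatePolicies(parameters, ais);
        }
        return check;
    }
```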

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 5eb7eea..b35a49b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -58,7 +58,7 @@ import org.apache.wss4j.policy.model.X509Token;
 /**
  * Some abstract functionality for validating a security binding.
  */
-public abstract class AbstractBindingPolicyValidator implements BindingPolicyValidator {
+public abstract class AbstractBindingPolicyValidator implements SecurityPolicyValidator {
     
     private static final QName SIG_QNAME = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
index a0a8e9f..993f8e6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java
@@ -30,7 +30,7 @@ import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 /**
  * Some abstract functionality for validating SAML Assertions
  */
-public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator {
+public abstract class AbstractSamlPolicyValidator extends AbstractSecurityPolicyValidator {
     
     /**
      * Check the holder-of-key requirements against the received assertion. The subject

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java
new file mode 100644
index 0000000..2b7d73b
--- /dev/null
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSecurityPolicyValidator.java
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageUtils;
+import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
+import org.apache.wss4j.policy.model.AbstractToken;
+
+/**
+ * Some abstract functionality for validating policies
+ */
+public abstract class AbstractSecurityPolicyValidator implements SecurityPolicyValidator {
+    
+    /**
+     * Check to see if a token is required or not.
+     * @param token the token
+     * @param message The message
+     * @return true if the token is required
+     */
+    protected boolean isTokenRequired(
+        AbstractToken token,
+        Message message
+    ) {
+        IncludeTokenType inclusion = token.getIncludeTokenType();
+        if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
+            return false;
+        } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
+            return true;
+        } else {
+            boolean initiator = MessageUtils.isRequestor(message);
+            if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
+                return true;
+            } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
+                || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
+                return true;
+            }
+            return false;
+        }
+    }
+    
+}
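Review bot: `isTokenRequired` has no explicit branch for a null `inclusion`: a token whose `getIncludeTokenType()` returns null falls through the `else` branch to `return false` and is treated as not required, which is the permissive outcome for a validator. I can't tell from this diff whether the WSS4J model ever yields null there (an absent IncludeToken attribute is the obvious candidate), so the default should at least be stated rather than implied, e.g. `if (inclusion == null) { return false; // NOTE(review): confirm fail-open is intended }` at the top of the method. The Javadoc would also help by saying that "required" means the token must actually be present in the message this side is validating, and that `INCLUDE_TOKEN_ONCE` is handled like `INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT` — required only when we are not the requestor.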

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index e9023eb..93d60c2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -70,100 +70,35 @@ import org.apache.wss4j.policy.model.SupportingTokens;
 /**
  * A base class to use to validate various SupportingToken policies.
  */
-public abstract class AbstractSupportingTokenPolicyValidator 
-    extends AbstractTokenPolicyValidator implements SupportingTokenPolicyValidator {
+public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSecurityPolicyValidator {
     
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractSupportingTokenPolicyValidator.class);
     
-    private Message message;
-    private List<WSSecurityEngineResult> results;
-    private List<WSSecurityEngineResult> signedResults;
-    private List<WSSecurityEngineResult> encryptedResults;
-    private List<WSSecurityEngineResult> utResults;
-    private List<WSSecurityEngineResult> samlResults;
-    private boolean validateUsernameToken = true;
-    private Element timestamp;
-    private boolean signed;
-    private boolean encrypted;
-    private boolean derived;
-    private boolean endorsed; 
     private SignedElements signedElements;
     private EncryptedElements encryptedElements;
     private SignedParts signedParts;
     private EncryptedParts encryptedParts;
-
-    /**
-     * Set the list of UsernameToken results
-     */
-    public void setUsernameTokenResults(
-        List<WSSecurityEngineResult> utResultsList,
-        boolean valUsernameToken
-    ) {
-        utResults = utResultsList;
-        validateUsernameToken = valUsernameToken;
-    }
-    
-    /**
-     * Set the list of SAMLToken results
-     */
-    public void setSAMLTokenResults(List<WSSecurityEngineResult> samlResultsList) {
-        samlResults = samlResultsList;
-    }
-    
-    /**
-     * Set the Timestamp element
-     */
-    public void setTimestampElement(Element timestampElement) {
-        timestamp = timestampElement;
-    }
-    
-    public void setMessage(Message msg) {
-        message = msg;
-    }
-    
-    public void setResults(List<WSSecurityEngineResult> results) {
-        this.results = results;
-    }
-    
-    public void setSignedResults(List<WSSecurityEngineResult> signedResults) {
-        this.signedResults = signedResults;
-    }
-    
-    public void setEncryptedResults(List<WSSecurityEngineResult> encryptedResults) {
-        this.encryptedResults = encryptedResults;
-    }
-    
-    public void setSigned(boolean signed) {
-        this.signed = signed;
-    }
-    
-    public void setEncrypted(boolean encrypted) {
-        this.encrypted = encrypted;
-    }
-    
-    public void setDerived(boolean derived) {
-        this.derived = derived;
-    }
-    
-    public void setEndorsed(boolean endorsed) {
-        this.endorsed = endorsed;
-    }
     
+    protected abstract boolean isSigned();
+    protected abstract boolean isEncrypted();
+    protected abstract boolean isEndorsing();
+
     /**
      * Process UsernameTokens.
      */
-    protected boolean processUsernameTokens() {
-        if (!validateUsernameToken) {
+    protected boolean processUsernameTokens(PolicyValidatorParameters parameters, boolean derived) {
+        if (!parameters.isUtWithCallbacks()) {
             return true;
         }
         
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        tokenResults.addAll(utResults);
+        tokenResults.addAll(parameters.getUsernameTokenResults());
         List<WSSecurityEngineResult> dktResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : utResults) {
+        for (WSSecurityEngineResult wser : parameters.getUsernameTokenResults()) {
             if (derived) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+                WSSecurityEngineResult dktResult = 
+                    getMatchingDerivedKey(secret, parameters.getResults());
                 if (dktResult != null) {
                     dktResults.add(dktResult);
                 }
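Review bot: The early `return true` at the top of processUsernameTokens means that when `parameters.isUtWithCallbacks()` is false, a UsernameToken supporting-token assertion that also requires the token to be signed, encrypted or endorsing is reported as satisfied without any of those checks running. That is the previous `validateUsernameToken` behaviour carried over, so presumably intentional, but the renamed accessor no longer conveys it; a comment such as `// UsernameTokens not processed via WSS4J callbacks are validated elsewhere; skip the signed/encrypted/endorsing checks here` would stop the fail-open path being mistaken for a bug. The `derived` flag is now a method parameter while signed/encrypted/endorsing became abstract getters; a short Javadoc `@param derived` noting where the caller obtains it would make that split clearer. processUsernameTokens continues in the next hunk.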
@@ -174,14 +109,22 @@ public abstract class AbstractSupportingTokenPolicyValidator
             return false;
         }
         
-        if (signed && !areTokensSigned(tokenResults)) {
+        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(tokenResults)) {
+        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
         tokenResults.addAll(dktResults);
-        if ((endorsed && !checkEndorsed(tokenResults)) || !validateSignedEncryptedPolicies(tokenResults)) {
+        if ((isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
+                                             parameters.getMessage(),
+                                             parameters.getTimestampElement())) 
+            || !validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
+                                                parameters.getEncryptedResults(),
+                                                parameters.getMessage())) {
             return false;
         }
         
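Review bot: The tail of this hunk (signed check, encrypted check, `tokenResults.addAll(dktResults)`, endorsing check, `validateSignedEncryptedPolicies`) is repeated verbatim in processKerberosTokens, processX509Tokens and processSCTokens, and minus the derived-key step in processSAMLTokens and processKeyValueTokens, each time re-reading the same accessors from `parameters`. Now that everything flows through PolicyValidatorParameters, a single private helper would let each process*Tokens method end in `return validateTokenConstraints(tokenResults, dktResults, parameters);` (assuming, as the hunk suggests, the method otherwise ends with `return true`), and would keep the ordering — derived-key results only counted after the signed/encrypted checks — in one place. One caveat for the SAML path: it passes `parameters.getSamlResults()` through directly, so the helper must not call `addAll` on that list unconditionally (if it is unmodifiable, even an empty `addAll` throws); guarding on `dktResults.isEmpty()` avoids that. processUsernameTokens starts in the previous hunk and its final return is past this one.
```java
    /**
     * Apply this validator's signed / encrypted / endorsing requirements, then the nested
     * SignedParts/EncryptedParts/SignedElements/EncryptedElements policies, to one token set.
     * Derived-key results are appended only after the signed/encrypted checks, as today.
     * tokenResults may be a list owned by parameters (e.g. getSamlResults()), so it is only
     * mutated when there is something to add.
     */
    private boolean validateTokenConstraints(List<WSSecurityEngineResult> tokenResults,
                                             List<WSSecurityEngineResult> dktResults,
                                             PolicyValidatorParameters parameters) {
        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
                                           parameters.getEncryptedResults(),
                                           parameters.getMessage())) {
            return false;
        }
        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
                                                 parameters.getMessage())) {
            return false;
        }
        if (!dktResults.isEmpty()) {
            tokenResults.addAll(dktResults);
        }
        if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
                                            parameters.getMessage(),
                                            parameters.getTimestampElement())) {
            return false;
        }
        return validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
                                               parameters.getEncryptedResults(),
                                               parameters.getMessage());
    }
```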
@@ -192,22 +135,30 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Process SAML Tokens. Only signed results are supported.
      */
-    protected boolean processSAMLTokens() {
-        if (samlResults.isEmpty()) {
+    protected boolean processSAMLTokens(PolicyValidatorParameters parameters) {
+        if (parameters.getSamlResults().isEmpty()) {
             return false;
         }
         
-        if (signed && !areTokensSigned(samlResults)) {
+        if (isSigned() && !areTokensSigned(parameters.getSamlResults(), parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(samlResults)) {
+        if (isEncrypted() && !areTokensEncrypted(parameters.getSamlResults(), 
+                                                 parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
-        if (endorsed && !checkEndorsed(samlResults)) {
+        if (isEndorsing() && !checkEndorsed(parameters.getSamlResults(), parameters.getSignedResults(),
+                                            parameters.getMessage(),
+                                            parameters.getTimestampElement())) {
             return false;
         }
         
-        if (!validateSignedEncryptedPolicies(samlResults)) {
+        if (!validateSignedEncryptedPolicies(parameters.getSamlResults(), parameters.getSignedResults(),
+                                             parameters.getEncryptedResults(),
+                                             parameters.getMessage())) {
             return false;
         }
         
@@ -218,10 +169,10 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Process Kerberos Tokens.
      */
-    protected boolean processKerberosTokens() {
+    protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : results) {
+        for (WSSecurityEngineResult wser : parameters.getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
                 BinarySecurity binarySecurity = 
@@ -229,7 +180,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
                 if (binarySecurity instanceof KerberosSecurity) {
                     if (derived) {
                         byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                        WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+                        WSSecurityEngineResult dktResult = 
+                            getMatchingDerivedKey(secret, parameters.getResults());
                         if (dktResult != null) {
                             dktResults.add(dktResult);
                         }
@@ -243,18 +195,25 @@ public abstract class AbstractSupportingTokenPolicyValidator
             return false;
         }
         
-        if (signed && !areTokensSigned(tokenResults)) {
+        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(tokenResults)) {
+        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
         tokenResults.addAll(dktResults);
-        if (endorsed && !checkEndorsed(tokenResults)) {
+        if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
+                                            parameters.getMessage(),
+                                            parameters.getTimestampElement())) {
             return false;
         }
         
-        if (!validateSignedEncryptedPolicies(tokenResults)) {
+        if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
+                                             parameters.getEncryptedResults(),
+                                             parameters.getMessage())) {
             return false;
         }
         
@@ -265,10 +224,10 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Process X509 Tokens.
      */
-    protected boolean processX509Tokens() {
+    protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : results) {
+        for (WSSecurityEngineResult wser : parameters.getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
                 BinarySecurity binarySecurity = 
@@ -276,7 +235,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
                 if (binarySecurity instanceof X509Security
                     || binarySecurity instanceof PKIPathSecurity) {
                     if (derived) {
-                        WSSecurityEngineResult resultToStore = processX509DerivedTokenResult(wser);
+                        WSSecurityEngineResult resultToStore = 
+                            processX509DerivedTokenResult(wser, parameters.getResults());
                         if (resultToStore != null) {
                             dktResults.add(resultToStore);
                         }
@@ -290,18 +250,25 @@ public abstract class AbstractSupportingTokenPolicyValidator
             return false;
         }
         
-        if (signed && !areTokensSigned(tokenResults)) {
+        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(tokenResults)) {
+        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
         tokenResults.addAll(dktResults);
-        if (endorsed && !checkEndorsed(tokenResults)) {
+        if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
+                                            parameters.getMessage(),
+                                            parameters.getTimestampElement())) {
             return false;
         }
         
-        if (!validateSignedEncryptedPolicies(tokenResults)) {
+        if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
+                                             parameters.getEncryptedResults(),
+                                             parameters.getMessage())) {
             return false;
         }
         
@@ -311,9 +278,9 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Process KeyValue Tokens.
      */
-    protected boolean processKeyValueTokens() {
+    protected boolean processKeyValueTokens(PolicyValidatorParameters parameters) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : signedResults) {
+        for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
             PublicKey publicKey = 
                 (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
             if (publicKey != null) {
@@ -325,17 +292,24 @@ public abstract class AbstractSupportingTokenPolicyValidator
             return false;
         }
         
-        if (signed && !areTokensSigned(tokenResults)) {
+        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(tokenResults)) {
+        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
-        if (endorsed && !checkEndorsed(tokenResults)) {
+        if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
+                                            parameters.getMessage(),
+                                            parameters.getTimestampElement())) {
             return false;
         }
         
-        if (!validateSignedEncryptedPolicies(tokenResults)) {
+        if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
+                                             parameters.getEncryptedResults(),
+                                             parameters.getMessage())) {
             return false;
         }
         
@@ -346,20 +320,24 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * Validate (SignedParts|SignedElements|EncryptedParts|EncryptedElements) policies of this
      * SupportingToken.
      */
-    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults) {
-        if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults)) {
+    private boolean validateSignedEncryptedPolicies(List<WSSecurityEngineResult> tokenResults,
+                                                    List<WSSecurityEngineResult> signedResults,
+                                                    List<WSSecurityEngineResult> encryptedResults,
+                                                    Message message) {
+        if (!validateSignedEncryptedParts(signedParts, false, signedResults, tokenResults, message)) {
             return false;
         }
         
-        if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults)) {
+        if (!validateSignedEncryptedParts(encryptedParts, true, encryptedResults, tokenResults, message)) {
             return false;
         }
         
-        if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults)) {
+        if (!validateSignedEncryptedElements(signedElements, false, signedResults, tokenResults, message)) {
             return false;
         }
         
-        if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults)) {
+        if (!validateSignedEncryptedElements(encryptedElements, false, encryptedResults, tokenResults, 
+                                             message)) {
             return false;
         }
         
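Review bot: The last call in validateSignedEncryptedPolicies passes `content = false` for `encryptedElements`, while the EncryptedParts call two lines above passes `true`, so the two confidentiality checks run with different flags even though both compare against `encryptedResults`. The body of validateSignedEncryptedElements is outside this diff, so I can't see how `content` is consumed; if it selects element-versus-content encryption matching, the asymmetry is plausibly correct (EncryptedParts/Body is content encryption, EncryptedElements is whole-element encryption) but nothing in the code says so. A one-line comment, e.g. `// EncryptedElements are matched as whole elements; only EncryptedParts use content encryption`, would stop the next reader "fixing" it to `true`.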
@@ -370,15 +348,15 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Process Security Context Tokens.
      */
-    protected boolean processSCTokens() {
+    protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
         List<WSSecurityEngineResult> dktResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : results) {
+        for (WSSecurityEngineResult wser : parameters.getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.SCT) {
                 if (derived) {
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                    WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+                    WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, parameters.getResults());
                     if (dktResult != null) {
                         dktResults.add(dktResult);
                     }
@@ -391,18 +369,25 @@ public abstract class AbstractSupportingTokenPolicyValidator
             return false;
         }
         
-        if (signed && !areTokensSigned(tokenResults)) {
+        if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults(),
+                                           parameters.getMessage())) {
             return false;
         }
-        if (encrypted && !areTokensEncrypted(tokenResults)) {
+        if (isEncrypted() && !areTokensEncrypted(tokenResults, parameters.getEncryptedResults(),
+                                                 parameters.getMessage())) {
             return false;
         }
         tokenResults.addAll(dktResults);
-        if (endorsed && !checkEndorsed(tokenResults)) {
+        if (isEndorsing() && !checkEndorsed(tokenResults, parameters.getSignedResults(),
+                                            parameters.getMessage(),
+                                            parameters.getTimestampElement())) {
             return false;
         }
         
-        if (!validateSignedEncryptedPolicies(tokenResults)) {
+        if (!validateSignedEncryptedPolicies(tokenResults, parameters.getSignedResults(),
+                                             parameters.getEncryptedResults(),
+                                             parameters.getMessage())) {
             return false;
         }
         
@@ -413,13 +398,14 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * Find an EncryptedKey element that has a cert that matches the cert of the signature, then
      * find a DerivedKey element that matches that EncryptedKey element.
      */
-    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result) {
+    private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result,
+                                                                 List<WSSecurityEngineResult> results) {
         X509Certificate cert = 
             (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-        WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert);
+        WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert, results);
         if (encrResult != null) {
             byte[] secret = (byte[])encrResult.get(WSSecurityEngineResult.TAG_SECRET);
-            WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret);
+            WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, results);
             if (dktResult != null) {
                 return dktResult;
             }
@@ -431,7 +417,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * Get a security result representing a Derived Key that has a secret key that
      * matches the parameter.
      */
-    private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret) {
+    private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret,
+                                                         List<WSSecurityEngineResult> results) {
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.DKT) {
@@ -447,7 +434,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Get a security result representing an EncryptedKey that matches the parameter.
      */
-    private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
+    private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert,
+                                                           List<WSSecurityEngineResult> results) {
         for (WSSecurityEngineResult wser : results) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.ENCR) {
@@ -461,7 +449,7 @@ public abstract class AbstractSupportingTokenPolicyValidator
         return null;
     }
     
-    private boolean isTLSInUse() {
+    private boolean isTLSInUse(Message message) {
         // See whether TLS is in use or not
         TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
         if (tlsInfo != null) {
@@ -475,13 +463,16 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * check that the Timestamp is signed. Otherwise, check that the signature is signed.
      * @return true if the endorsed supporting token policy is correct
      */
-    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults) {
+    private boolean checkEndorsed(List<WSSecurityEngineResult> tokenResults,
+                                  List<WSSecurityEngineResult> signedResults,
+                                  Message message,
+                                  Element timestamp) {
         boolean endorsingSatisfied = false;
-        if (isTLSInUse()) {
-            endorsingSatisfied = checkTimestampIsSigned(tokenResults);
+        if (isTLSInUse(message)) {
+            endorsingSatisfied = checkTimestampIsSigned(tokenResults, signedResults, timestamp);
         }
         if (!endorsingSatisfied) {
-            endorsingSatisfied = checkSignatureIsSigned(tokenResults);
+            endorsingSatisfied = checkSignatureIsSigned(tokenResults, signedResults);
         }
         return endorsingSatisfied;
     }
@@ -490,11 +481,15 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Return true if a list of tokens were signed, false otherwise.
      */
-    private boolean areTokensSigned(List<WSSecurityEngineResult> tokens) {
-        if (!isTLSInUse()) {
+    private boolean areTokensSigned(List<WSSecurityEngineResult> tokens,
+                                    List<WSSecurityEngineResult> signedResults,
+                                    List<WSSecurityEngineResult> encryptedResults,
+                                    Message message) {
+        if (!isTLSInUse(message)) {
             for (WSSecurityEngineResult wser : tokens) {
                 Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
-                if (tokenElement == null || !isTokenSigned(tokenElement)) {
+                if (tokenElement == null 
+                    || !isTokenSigned(tokenElement, signedResults, encryptedResults)) {
                     return false;
                 }
             }
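Review bot: `areTokensSigned` performs no signature inspection at all when `isTLSInUse(message)` holds — the whole loop sits inside `if (!isTLSInUse(message))` and the method's final return is past the hunk — so under a TLS-protected transport a SignedSupportingTokens or SignedEncryptedSupportingTokens assertion is treated as satisfied by the transport alone. That matches the WS-SecurityPolicy transport-binding reading, but the decision now hinges solely on a `TLSSessionInfo` being attached to the message rather than on the binding in force, and the rationale is not recorded anywhere in the class. A comment at the top of the method, `// Under TLS the transport supplies integrity/confidentiality; only demand XML signatures otherwise`, would preserve it, and the same applies to areTokensEncrypted in the next hunk. If `TLSSessionInfo` is presumably absent when TLS is terminated upstream, the fallback is to require XML signatures, i.e. fail-closed, which is worth stating too.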
@@ -505,11 +500,13 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Return true if a list of tokens were encrypted, false otherwise.
      */
-    private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens) {
-        if (!isTLSInUse()) {
+    private boolean areTokensEncrypted(List<WSSecurityEngineResult> tokens,
+                                       List<WSSecurityEngineResult> encryptedResults,
+                                       Message message) {
+        if (!isTLSInUse(message)) {
             for (WSSecurityEngineResult wser : tokens) {
                 Element tokenElement = (Element)wser.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
-                if (tokenElement == null || !isTokenEncrypted(tokenElement)) {
+                if (tokenElement == null || !isTokenEncrypted(tokenElement, encryptedResults)) {
                     return false;
                 }
             }
@@ -522,7 +519,9 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
      * @return true if the Timestamp is signed
      */
-    private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults) {
+    private boolean checkTimestampIsSigned(List<WSSecurityEngineResult> tokenResults,
+                                           List<WSSecurityEngineResult> signedResults,
+                                           Element timestamp) {
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> sl =
                 CastUtils.cast((List<?>)signedResult.get(
@@ -545,7 +544,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
      * @param tokenResults A list of WSSecurityEngineResults corresponding to tokens
      * @return true if the Signature is itself signed
      */
-    private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults) {
+    private boolean checkSignatureIsSigned(List<WSSecurityEngineResult> tokenResults,
+                                           List<WSSecurityEngineResult> signedResults) {
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> sl =
                 CastUtils.cast((List<?>)signedResult.get(
@@ -636,7 +636,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
         SignedParts parts,
         boolean content,
         List<WSSecurityEngineResult> protResults,
-        List<WSSecurityEngineResult> tokenResults
+        List<WSSecurityEngineResult> tokenResults,
+        Message message
     ) {
         if (parts == null) {
             return true;
@@ -716,7 +717,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
         RequiredElements elements,
         boolean content,
         List<WSSecurityEngineResult> protResults,
-        List<WSSecurityEngineResult> tokenResults
+        List<WSSecurityEngineResult> tokenResults,
+        Message message
     ) {
         if (elements == null) {
             return true;
@@ -797,13 +799,14 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Return true if a token was signed, false otherwise.
      */
-    private boolean isTokenSigned(Element token) {
+    private boolean isTokenSigned(Element token, List<WSSecurityEngineResult> signedResults,
+                                  List<WSSecurityEngineResult> encryptedResults) {
         for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> dataRefs = 
                 CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
             for (WSDataRef dataRef : dataRefs) {
                 if (token == dataRef.getProtectedElement()
-                    || isEncryptedTokenSigned(token, dataRef)) {
+                    || isEncryptedTokenSigned(token, dataRef, encryptedResults)) {
                     return true;
                 }
             }
@@ -811,7 +814,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
         return false;
     }
     
-    private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef) {
+    private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef,
+                                           List<WSSecurityEngineResult> encryptedResults) {
         if (signedRef.getProtectedElement() != null
             && "EncryptedData".equals(signedRef.getProtectedElement().getLocalName())
             && WSConstants.ENC_NS.equals(signedRef.getProtectedElement().getNamespaceURI())) {
@@ -837,7 +841,7 @@ public abstract class AbstractSupportingTokenPolicyValidator
     /**
      * Return true if a token was encrypted, false otherwise.
      */
-    private boolean isTokenEncrypted(Element token) {
+    private boolean isTokenEncrypted(Element token, List<WSSecurityEngineResult> encryptedResults) {
         for (WSSecurityEngineResult result : encryptedResults) {
             List<WSDataRef> dataRefs = 
                 CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
@@ -853,18 +857,6 @@ public abstract class AbstractSupportingTokenPolicyValidator
         return false;
     }
 
-    public void setUtResults(List<WSSecurityEngineResult> utResults) {
-        this.utResults = utResults;
-    }
-
-    public void setValidateUsernameToken(boolean validateUsernameToken) {
-        this.validateUsernameToken = validateUsernameToken;
-    }
-
-    public void setTimestamp(Element timestamp) {
-        this.timestamp = timestamp;
-    }
-
     public void setSignedElements(SignedElements signedElements) {
         this.signedElements = signedElements;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
deleted file mode 100644
index ba046d6..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractTokenPolicyValidator.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.ws.security.wss4j.policyvalidators;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.wss4j.policy.SPConstants.IncludeTokenType;
-import org.apache.wss4j.policy.model.AbstractToken;
-
-/**
- * Some abstract functionality for validating a Security Token.
- */
-public abstract class AbstractTokenPolicyValidator {
-    
-    /**
-     * Check to see if a token is required or not.
-     * @param token the token
-     * @param message The message
-     * @return true if the token is required
-     */
-    protected boolean isTokenRequired(
-        AbstractToken token,
-        Message message
-    ) {
-        IncludeTokenType inclusion = token.getIncludeTokenType();
-        if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
-            return false;
-        } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) {
-            return true;
-        } else {
-            boolean initiator = MessageUtils.isRequestor(message);
-            if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) {
-                return true;
-            } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE
-                || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) {
-                return true;
-            }
-            return false;
-        }
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 8f9ce14..08b1c5a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -29,18 +29,15 @@ import java.util.List;
 
 import javax.xml.namespace.QName;
 
-import org.w3c.dom.Element;
 import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.transform.STRTransform;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
 
@@ -48,39 +45,36 @@ import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;
  * Validate results corresponding to the processing of a Signature, EncryptedKey or
  * EncryptedData structure against an AlgorithmSuite policy.
  */
-public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
+public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidator {
     
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ALGORITHM_SUITE);
-        if (!ais.isEmpty()) {
-            parsePolicies(aim, ais, message, results);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.ALGORITHM_SUITE.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.ALGORITHM_SUITE.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
-
-        return true;
+        
+        return false;
     }
     
-    private void parsePolicies(
-        AssertionInfoMap aim,
-        Collection<AssertionInfo> ais, 
-        Message message,  
-        List<WSSecurityEngineResult> results
-    ) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         for (AssertionInfo ai : ais) {
             AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
             ai.setAsserted(true);
             
-            boolean valid = validatePolicy(ai, algorithmSuite, results);
+            boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults());
             if (valid) {
                 String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
                 String name = algorithmSuite.getAlgorithmSuiteType().getName();
-                Collection<AssertionInfo> algSuiteAis = aim.get(new QName(namespace, name));
+                Collection<AssertionInfo> algSuiteAis = 
+                    parameters.getAssertionInfoMap().get(new QName(namespace, name));
                 if (algSuiteAis != null) {
                     for (AssertionInfo algSuiteAi : algSuiteAis) {
                         algSuiteAi.setAsserted(true);
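Review bot: `canValidatePolicy` wraps a pure boolean condition in `if (...) { return true; } return false;`; returning the condition directly is clearer and avoids calling `assertionInfo.getAssertion().getName()` twice: `QName name = assertionInfo.getAssertion() == null ? null : assertionInfo.getAssertion().getName();` followed by `return SP12Constants.ALGORITHM_SUITE.equals(name) || SP11Constants.ALGORITHM_SUITE.equals(name);` (`QName.equals(null)` is false, so the null case is preserved, and `QName` is already imported). The identically shaped `canValidatePolicy` in `AsymmetricBindingPolicyValidator` would take the same form. The two new Javadoc comments also lack a closing period, and `validatePolicies` has no `@param`/`@return` tags.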
@@ -90,6 +84,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator
                 ai.setNotAsserted("Error in validating AlgorithmSuite policy");
             }
         }
+        
+        return true;
     }
     
     public boolean validatePolicy(
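Review bot: `validatePolicies` returns `true` unconditionally after the loop, even when a suite failed and `ai.setNotAsserted("Error in validating AlgorithmSuite policy")` was called, so the return value never reflects a validation failure although the method's Javadoc says it returns true only if all of the policies are valid. If callers are meant to consult only the asserted state of each `AssertionInfo`, the Javadoc should say so explicitly; otherwise track failures with a local, `boolean allValid = true;` before the loop, `allValid = false;` in the else branch, and `return allValid;` at the end. `AsymmetricBindingPolicyValidator.validatePolicies` has the same shape: each failed check does `continue` and the method still ends with `return true;`.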

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index 45e008a..26cd466 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -25,14 +25,13 @@ import java.util.List;
 
 import javax.xml.namespace.QName;
 
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.policy.SPConstants;
+import org.apache.wss4j.policy.SP11Constants;
+import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys;
 import org.apache.wss4j.policy.model.AbstractTokenWrapper;
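Review bot: The import of `org.apache.cxf.ws.security.policy.PolicyUtils` is kept although the only use visible in this file, `PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING)` in the removed `validatePolicy`, is gone; if nothing else in the class references it, the import is now unused and should be dropped, as `AlgorithmSuitePolicyValidator` does in the same commit. Likewise `AssertionInfoMap` is only needed here if the type is still named somewhere in the class body, which the visible hunks do not show.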
@@ -44,34 +43,26 @@ import org.apache.wss4j.policy.model.X509Token;
  */
 public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValidator {
     
-    public boolean validatePolicy(
-        AssertionInfoMap aim,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
-        Collection<AssertionInfo> ais = 
-            PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.ASYMMETRIC_BINDING);
-        if (!ais.isEmpty()) {
-            parsePolicies(aim, ais, message, soapBody, results, signedResults, encryptedResults);
+    /**
+     * Return true if this SecurityPolicyValidator implementation is capable of validating a 
+     * policy defined by the AssertionInfo parameter
+     */
+    public boolean canValidatePolicy(AssertionInfo assertionInfo) {
+        if (assertionInfo.getAssertion() != null 
+            && (SP12Constants.ASYMMETRIC_BINDING.equals(assertionInfo.getAssertion().getName())
+                || SP11Constants.ASYMMETRIC_BINDING.equals(assertionInfo.getAssertion().getName()))) {
+            return true;
         }
         
-        return true;
+        return false;
     }
     
-    private void parsePolicies(
-        AssertionInfoMap aim,
-        Collection<AssertionInfo> ais,
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    ) {
+    /**
+     * Validate policies. Return true if all of the policies are valid.
+     */
+    public boolean validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         boolean hasDerivedKeys = false;
-        for (WSSecurityEngineResult result : results) {
+        for (WSSecurityEngineResult result : parameters.getResults()) {
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.DKT) {
                 hasDerivedKeys = true;
@@ -84,20 +75,24 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
             ai.setAsserted(true);
 
             // Check the protection order
-            if (!checkProtectionOrder(binding, aim, ai, results)) {
+            if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
                 continue;
             }
             
             // Check various properties of the binding
-            if (!checkProperties(binding, ai, aim, results, signedResults, message)) {
+            if (!checkProperties(binding, ai, parameters.getAssertionInfoMap(), parameters.getResults(), 
+                                 parameters.getSignedResults(), parameters.getMessage())) {
                 continue;
             }
             
             // Check various tokens of the binding
-            if (!checkTokens(binding, ai, aim, hasDerivedKeys, signedResults, encryptedResults)) {
+            if (!checkTokens(binding, ai, parameters.getAssertionInfoMap(), hasDerivedKeys, 
+                             parameters.getSignedResults(), parameters.getEncryptedResults())) {
                 continue;
             }
         }
+        
+        return true;
     }
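Review bot: `parameters.getAssertionInfoMap()` and `parameters.getResults()` are each re-read on the `checkProtectionOrder`, `checkProperties` and `checkTokens` calls, and `getResults()` once more in the derived-keys loop header in the previous hunk, which pushes two of the calls onto continuation lines. Reading them once into locals before the first loop, `AssertionInfoMap aim = parameters.getAssertionInfoMap();` and `List<WSSecurityEngineResult> results = parameters.getResults();`, lets the three check calls keep their pre-refactor one-line form; both `List` and `AssertionInfoMap` are already imported in this file.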
     
     /**

http://git-wip-us.apache.org/repos/asf/cxf/blob/9de88cce/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
deleted file mode 100644
index a45a27e..0000000
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/BindingPolicyValidator.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.ws.security.wss4j.policyvalidators;
-
-import java.util.List;
-
-import org.w3c.dom.Element;
-
-import org.apache.cxf.message.Message;
-import org.apache.cxf.ws.policy.AssertionInfoMap;
-import org.apache.wss4j.dom.WSSecurityEngineResult;
-
-/**
- * Validate a WS-SecurityPolicy corresponding to a binding.
- */
-public interface BindingPolicyValidator {
-    
-    /**
-     * Validate a particular policy from the AssertionInfoMap argument. Return true if the policy is valid.
-     */
-    boolean validatePolicy(
-        AssertionInfoMap aim, 
-        Message message,
-        Element soapBody,
-        List<WSSecurityEngineResult> results,
-        List<WSSecurityEngineResult> signedResults,
-        List<WSSecurityEngineResult> encryptedResults
-    );
-}

