Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 9BB6717B26 for ; Mon, 16 Mar 2015 13:32:26 +0000 (UTC) Received: (qmail 80309 invoked by uid 500); 16 Mar 2015 13:32:17 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 80250 invoked by uid 500); 16 Mar 2015 13:32:17 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 80241 invoked by uid 99); 16 Mar 2015 13:32:16 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 16 Mar 2015 13:32:16 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id AA244E08E9; Mon, 16 Mar 2015 13:32:16 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: <61b460d797714f0bae432ecc550b5984@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: Refactoring of policy validators Date: Mon, 16 Mar 2015 13:32:16 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 6168d90fa -> d4f9674ba Refactoring of policy validators Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d4f9674b Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d4f9674b Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d4f9674b Branch: refs/heads/master Commit: d4f9674baa811936429271cbf64c4a558282c764 Parents: 6168d90 Author: Colm O hEigeartaigh Authored: Mon Mar 16 13:32:01 2015 +0000 Committer: Colm O hEigeartaigh Committed: Mon Mar 16 13:32:01 2015 +0000 ---------------------------------------------------------------------- .../AbstractBindingPolicyValidator.java | 15 ++- .../AbstractSamlPolicyValidator.java | 31 ----- .../AbstractSupportingTokenPolicyValidator.java | 123 +++++++++---------- .../AsymmetricBindingPolicyValidator.java | 21 +++- .../IssuedTokenPolicyValidator.java | 23 ++-- .../KerberosTokenPolicyValidator.java | 11 +- .../policyvalidators/LayoutPolicyValidator.java | 15 ++- .../SamlTokenPolicyValidator.java | 11 +- .../SecurityContextTokenPolicyValidator.java | 17 ++- .../SymmetricBindingPolicyValidator.java | 26 ++-- .../TransportBindingPolicyValidator.java | 5 +- .../UsernameTokenPolicyValidator.java | 36 ++++-- .../policyvalidators/WSS11PolicyValidator.java | 44 +++++-- .../X509TokenPolicyValidator.java | 44 ++++--- 14 files changed, 250 insertions(+), 172 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java 
---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java index 0003d7e..5eb7eea 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java @@ -165,7 +165,8 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal ai.setNotAsserted(error); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP); + String namespace = binding.getName().getNamespaceURI(); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.INCLUDE_TIMESTAMP)); // Check the EntireHeaderAndBodySignatures property if (binding.isOnlySignEntireHeadersAndBody() @@ -174,15 +175,15 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal ai.setNotAsserted(error); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY)); // Check whether the signatures were encrypted or not if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) { ai.setNotAsserted("The signature is not protected"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_SIGNATURE); - PolicyUtils.assertPolicy(aim, SPConstants.PROTECT_TOKENS); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ENCRYPT_SIGNATURE)); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.PROTECT_TOKENS)); /* // Check ProtectTokens 
@@ -205,18 +206,20 @@ public abstract class AbstractBindingPolicyValidator implements BindingPolicyVal List results ) { ProtectionOrder protectionOrder = binding.getProtectionOrder(); + String namespace = binding.getName().getNamespaceURI(); + if (protectionOrder == ProtectionOrder.EncryptBeforeSigning) { if (!binding.isProtectTokens() && isSignedBeforeEncrypted(results)) { ai.setNotAsserted("Not encrypted before signed"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.ENCRYPT_BEFORE_SIGNING); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING)); } else if (protectionOrder == ProtectionOrder.SignBeforeEncrypting) { if (isEncryptedBeforeSigned(results)) { ai.setNotAsserted("Not signed before encrypted"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.SIGN_BEFORE_ENCRYPTING); + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING)); } return true; } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java index a366cab..a0a8e9f 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSamlPolicyValidator.java 
@@ -22,14 +22,10 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; import java.security.cert.Certificate; import java.util.List; -import org.apache.cxf.message.Message; -import org.apache.cxf.message.MessageUtils; import org.apache.wss4j.common.saml.SAMLKeyInfo; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.dom.saml.DOMSAMLUtil; -import org.apache.wss4j.policy.SPConstants.IncludeTokenType; -import org.apache.wss4j.policy.model.AbstractToken; /** * Some abstract functionality for validating SAML Assertions 
@@ -37,33 +33,6 @@ import org.apache.wss4j.policy.model.AbstractToken; public abstract class AbstractSamlPolicyValidator extends AbstractTokenPolicyValidator { /** - * Check to see if a token is required or not. - * @param token the token - * @param message The message - * @return true if the token is required - */ - protected boolean isTokenRequired( - AbstractToken token, - Message message - ) { - IncludeTokenType inclusion = token.getIncludeTokenType(); - if (inclusion == IncludeTokenType.INCLUDE_TOKEN_NEVER) { - return false; - } else if (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS) { - return true; - } else { - boolean initiator = MessageUtils.isRequestor(message); - if (initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR)) { - return true; - } else if (!initiator && (inclusion == IncludeTokenType.INCLUDE_TOKEN_ONCE - || inclusion == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT)) { - return true; - } - return false; - } - } - - /** * Check the holder-of-key requirements against the received assertion. The subject * credential of the SAML Assertion must have been used to sign some portion of * the message, thus showing proof-of-possession of the private/secret key. Alternatively, http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java index a6419dd..e9023eb 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java 
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java @@ -57,8 +57,6 @@ import org.apache.wss4j.dom.message.token.BinarySecurity; import org.apache.wss4j.dom.message.token.KerberosSecurity; import org.apache.wss4j.dom.message.token.PKIPathSecurity; import org.apache.wss4j.dom.message.token.X509Security; -import org.apache.wss4j.policy.SP11Constants; -import org.apache.wss4j.policy.SP12Constants; import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractSecurityAssertion; import org.apache.wss4j.policy.model.EncryptedElements; @@ -159,9 +157,9 @@ public abstract class AbstractSupportingTokenPolicyValidator return true; } - List tokenResults = new ArrayList(); + List tokenResults = new ArrayList<>(); tokenResults.addAll(utResults); - List dktResults = new ArrayList(); + List dktResults = new ArrayList<>(); for (WSSecurityEngineResult wser : utResults) { if (derived) { byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET); @@ -221,8 +219,8 @@ public abstract class AbstractSupportingTokenPolicyValidator * Process Kerberos Tokens. */ protected boolean processKerberosTokens() { - List tokenResults = new ArrayList(); - List dktResults = new ArrayList(); + List tokenResults = new ArrayList<>(); + List dktResults = new ArrayList<>(); for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.BST) { @@ -268,8 +266,8 @@ public abstract class AbstractSupportingTokenPolicyValidator * Process X509 Tokens. */ protected boolean processX509Tokens() { - List tokenResults = new ArrayList(); - List dktResults = new ArrayList(); + List tokenResults = new ArrayList<>(); + List dktResults = new ArrayList<>(); for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.BST) { 
@@ -314,7 +312,7 @@ public abstract class AbstractSupportingTokenPolicyValidator * Process KeyValue Tokens. */ protected boolean processKeyValueTokens() { - List tokenResults = new ArrayList(); + List tokenResults = new ArrayList<>(); for (WSSecurityEngineResult wser : signedResults) { PublicKey publicKey = (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY); @@ -373,8 +371,8 @@ public abstract class AbstractSupportingTokenPolicyValidator * Process Security Context Tokens. */ protected boolean processSCTokens() { - List tokenResults = new ArrayList(); - List dktResults = new ArrayList(); + List tokenResults = new ArrayList<>(); + List dktResults = new ArrayList<>(); for (WSSecurityEngineResult wser : results) { Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION); if (actInt.intValue() == WSConstants.SCT) { 
@@ -729,13 +727,29 @@ public abstract class AbstractSupportingTokenPolicyValidator //Map namespaces = elements.getDeclaredNamespaces(); //List xpaths = elements.getXPathExpressions(); - if (xpaths != null) { + if (xpaths != null && !xpaths.isEmpty()) { SOAPMessage soapMessage = message.getContent(SOAPMessage.class); Element soapEnvelope = soapMessage.getSOAPPart().getDocumentElement(); + // XPathFactory and XPath are not thread-safe so we must recreate them + // each request. + final XPathFactory factory = XPathFactory.newInstance(); + final XPath xpath = factory.newXPath(); + + List expressions = new ArrayList<>(); + MapNamespaceContext namespaceContext = new MapNamespaceContext(); + + for (org.apache.wss4j.policy.model.XPath xPath : xpaths) { + expressions.add(xPath.getXPath()); + Map namespaceMap = xPath.getPrefixNamespaceMap(); + if (namespaceMap != null) { + namespaceContext.addNamespaces(namespaceMap); + } + } + xpath.setNamespaceContext(namespaceContext); + for (org.apache.wss4j.policy.model.XPath xPath : xpaths) { - if (!checkXPathResult(soapEnvelope, xPath.getXPath(), xPath.getPrefixNamespaceMap(), - protResults, tokenResults)) { + if (!checkXPathResult(soapEnvelope, xpath, xPath.getXPath(), protResults, tokenResults)) { return false; } } 
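Review bot: Merging every assertion's prefix map into the single shared `namespaceContext` means a prefix that two XPath assertions bind to different namespace URIs keeps only one binding (whichever `addNamespaces` retains), so one of those expressions is evaluated against elements other than the ones its author selected and the protection check for them is applied to the wrong nodes; the removed code gave each expression its own context. Keep that isolation by setting the context per expression in the second loop, e.g. `xpath.setNamespaceContext(new MapNamespaceContext(xPath.getPrefixNamespaceMap()));` ahead of the `checkXPathResult` call (null-guarding the map as the old code did), which also makes the first loop unnecessary. `expressions` is filled but never read and can be deleted either way. The enclosing method starts and ends outside the hunk.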
@@ -749,44 +763,31 @@ public abstract class AbstractSupportingTokenPolicyValidator */ private boolean checkXPathResult( Element soapEnvelope, - String xPath, - Map namespaces, + XPath xpath, + String xPathString, List protResults, List tokenResults ) { - // XPathFactory and XPath are not thread-safe so we must recreate them - // each request. - final XPathFactory factory = XPathFactory.newInstance(); - final XPath xpath = factory.newXPath(); - - if (namespaces != null) { - xpath.setNamespaceContext(new MapNamespaceContext(namespaces)); + // Get the matching nodes + NodeList list; + try { + list = (NodeList)xpath.evaluate(xPathString, + soapEnvelope, + XPathConstants.NODESET); + } catch (XPathExpressionException e) { + LOG.log(Level.FINE, e.getMessage(), e); + return false; } - - // For each XPath - for (String xpathString : Arrays.asList(xPath)) { - // Get the matching nodes - NodeList list; - try { - list = (NodeList)xpath.evaluate( - xpathString, - soapEnvelope, - XPathConstants.NODESET); - } catch (XPathExpressionException e) { - LOG.log(Level.FINE, e.getMessage(), e); - return false; - } - - // If we found nodes then we need to do the check. - if (list.getLength() != 0) { - // For each matching element, check for a ref that - // covers it. - for (int x = 0; x < list.getLength(); x++) { - final Element el = (Element)list.item(x); - - if (!checkProtectionResult(el, false, protResults, tokenResults)) { - return false; - } + + // If we found nodes then we need to do the check. + if (list.getLength() != 0) { + // For each matching element, check for a ref that + // covers it. + for (int x = 0; x < list.getLength(); x++) { + final Element el = (Element)list.item(x); + + if (!checkProtectionResult(el, false, protResults, tokenResults)) { + return false; } } } 
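Review bot: The `if (list.getLength() != 0)` wrapper left over from the removed per-expression loop is now redundant, since a zero-length NodeList makes the `for` a no-op; dropping it removes one nesting level. The signature changed from `(String xPath, Map namespaces)` to `(XPath xpath, String xPathString)`, but the Javadoc that ends at the top of the hunk is outside it, so its parameter descriptions should be checked, and a line stating that the caller must set the namespace context on `xpath` before calling would document the new contract. The catch block logs a malformed expression at FINE and returns false, which fails closed; a comment such as `// Malformed XPath: treat the elements as not covered rather than skipping the check` would mark that as deliberate. The method's final return lies outside the hunk.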
@@ -883,39 +884,31 @@ public abstract class AbstractSupportingTokenPolicyValidator protected void assertSecurePartsIfTokenNotRequired( SupportingTokens supportingToken, AssertionInfoMap aim ) { + String namespace = supportingToken.getName().getNamespaceURI(); if (supportingToken.getSignedParts() != null) { assertSecurePartsIfTokenNotRequired(supportingToken.getSignedParts(), - SPConstants.SIGNED_PARTS, aim); + new QName(namespace, SPConstants.SIGNED_PARTS), aim); } if (supportingToken.getSignedElements() != null) { assertSecurePartsIfTokenNotRequired(supportingToken.getSignedElements(), - SPConstants.SIGNED_ELEMENTS, aim); + new QName(namespace, SPConstants.SIGNED_ELEMENTS), aim); } if (supportingToken.getEncryptedParts() != null) { assertSecurePartsIfTokenNotRequired(supportingToken.getEncryptedParts(), - SPConstants.ENCRYPTED_PARTS, aim); + new QName(namespace, SPConstants.ENCRYPTED_PARTS), aim); } if (supportingToken.getEncryptedElements() != null) { assertSecurePartsIfTokenNotRequired(supportingToken.getEncryptedElements(), - SPConstants.ENCRYPTED_ELEMENTS, aim); + new QName(namespace, SPConstants.ENCRYPTED_ELEMENTS), aim); } } protected void assertSecurePartsIfTokenNotRequired( - AbstractSecurityAssertion securedPart, String localName, AssertionInfoMap aim + AbstractSecurityAssertion securedPart, QName name, AssertionInfoMap aim ) { - Collection sp11Ais = aim.get(new QName(SP11Constants.SP_NS, localName)); - if (sp11Ais != null && !sp11Ais.isEmpty()) { - for (AssertionInfo ai : sp11Ais) { - if (ai.getAssertion().equals(securedPart)) { - ai.setAsserted(true); - } - } - } - - Collection sp12Ais = aim.get(new QName(SP12Constants.SP_NS, localName)); - if (sp12Ais != null && !sp12Ais.isEmpty()) { - for (AssertionInfo ai : sp12Ais) { + Collection ais = aim.get(name); + if (ais != null && !ais.isEmpty()) { + for (AssertionInfo ai : ais) { if (ai.getAssertion().equals(securedPart)) { ai.setAsserted(true); } 
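Review bot: In the new `assertSecurePartsIfTokenNotRequired(AbstractSecurityAssertion, QName, AssertionInfoMap)` overload the `!ais.isEmpty()` half of the guard is redundant with the for-each; `if (ais != null)` suffices. The behavioural change worth recording is that the old overload asserted the matching SignedParts/SignedElements/EncryptedParts/EncryptedElements under both the SP 1.1 and SP 1.2 namespaces, while the new one asserts only under the namespace of the enclosing `supportingToken`; a comment on the caller such as `// only the namespace the supporting token was declared in is asserted` would show this is intended. The method continues past the end of the hunk.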
http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java index 04c6777..45e008a 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java @@ -23,6 +23,8 @@ import java.security.cert.X509Certificate; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; @@ -32,6 +34,7 @@ import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractToken; +import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys; import org.apache.wss4j.policy.model.AbstractTokenWrapper; import org.apache.wss4j.policy.model.AsymmetricBinding; import org.apache.wss4j.policy.model.X509Token; @@ -169,9 +172,7 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); + assertToken(wrapper, aim); return true; } 
@@ -190,11 +191,19 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); + assertToken(wrapper, aim); return true; } + private void assertToken(AbstractTokenWrapper tokenWrapper, AssertionInfoMap aim) { + String namespace = tokenWrapper.getName().getNamespaceURI(); + + AbstractToken token = tokenWrapper.getToken(); + DerivedKeys derivedKeys = token.getDerivedKeys(); + if (derivedKeys != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, derivedKeys.name())); + } + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java index 55db72f..72ce7e9 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java @@ -23,6 +23,8 @@ import java.security.cert.Certificate; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.message.Message; 
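Review bot: `assertToken` uses `derivedKeys.name()` as the policy assertion's local name, so the assertion now hinges on the `DerivedKeys` enum constants spelling the WS-SecurityPolicy local names exactly (the three `SPConstants` values the removed lines used); renaming a constant would make the nested assertion silently stop being asserted with no compile error, which a comment such as `// DerivedKeys constant names double as the SP local names; keep them in sync with the policy vocabulary` should call out. The identical private method is added to SymmetricBindingPolicyValidator further down, and LayoutPolicyValidator adds the `LayoutType.name()` twin of it; hoisting the wrapper version into AbstractBindingPolicyValidator would avoid the copy. `tokenWrapper.getToken()` is dereferenced unguarded; if a wrapper without a token can reach this point, it needs the same null check `derivedKeys` gets.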
@@ -68,6 +70,7 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator { for (AssertionInfo ai : ais) { IssuedToken issuedToken = (IssuedToken)ai.getAssertion(); ai.setAsserted(true); + assertToken(issuedToken, message.get(AssertionInfoMap.class)); if (!isTokenRequired(issuedToken, message)) { continue; @@ -107,10 +110,6 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator { } } - AssertionInfoMap aim = message.get(AssertionInfoMap.class); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE); - return true; } @@ -125,6 +124,7 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator { for (AssertionInfo ai : ais) { IssuedToken issuedToken = (IssuedToken)ai.getAssertion(); ai.setAsserted(true); + assertToken(issuedToken, message.get(AssertionInfoMap.class)); if (!isTokenRequired(issuedToken, message)) { continue; 
@@ -143,13 +143,20 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator { } } - AssertionInfoMap aim = message.get(AssertionInfoMap.class); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_INTERNAL_REFERENCE); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXTERNAL_REFERENCE); - return true; } + private void assertToken(IssuedToken token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + if (token.isRequireExternalReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_EXTERNAL_REFERENCE)); + } + if (token.isRequireInternalReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_INTERNAL_REFERENCE)); + } + } + /** * Check the issued token template against the received assertion */ http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java index aa22d73..5cb8189 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java @@ -54,8 +54,6 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator { PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.KERBEROS_TOKEN); if (!krbAis.isEmpty()) { parsePolicies(aim, krbAis, kerberosToken); - - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE); } return true; 
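Review bot: `assertToken` is now invoked directly after `ai.setAsserted(true)`, ahead of `isTokenRequired` and of the checks against the received token, whereas the removed `PolicyUtils.assertPolicy` calls only ran once the loop had completed successfully; the RequireInternalReference/RequireExternalReference assertions are therefore marked asserted even when the IssuedToken check later fails. Nothing in `assertToken` inspects the message, so these nested assertions are asserted purely because the policy selects them; whether a not-asserted parent IssuedToken is enough to fail the policy on its own cannot be seen from this hunk. A comment on the helper, `// nested reference assertions are asserted whenever the policy selects them; they are not verified against the message`, would make that explicit. The same pattern applies to the `assertToken` helpers added in KerberosTokenPolicyValidator, SamlTokenPolicyValidator and SecurityContextTokenPolicyValidator. Both callers also look up `message.get(AssertionInfoMap.class)` on every loop iteration; fetching it once before the loop is simpler.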
@@ -69,6 +67,7 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator { for (AssertionInfo ai : ais) { KerberosToken kerberosTokenPolicy = (KerberosToken)ai.getAssertion(); ai.setAsserted(true); + assertToken(kerberosTokenPolicy, aim); if (!isTokenRequired(kerberosTokenPolicy, message)) { PolicyUtils.assertPolicy( @@ -91,6 +90,14 @@ public class KerberosTokenPolicyValidator extends AbstractTokenPolicyValidator { } } + private void assertToken(KerberosToken token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + if (token.isRequireKeyIdentifierReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE)); + } + } + private boolean checkToken( AssertionInfoMap aim, KerberosToken kerberosTokenPolicy, http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java index 4ac51b0..1643f53 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java 
@@ -77,17 +77,22 @@ public class LayoutPolicyValidator extends AbstractTokenPolicyValidator { for (AssertionInfo ai : ais) { Layout layout = (Layout)ai.getAssertion(); ai.setAsserted(true); + assertToken(layout, aim); if (!validatePolicy(layout, results, signedResults)) { String error = "Layout does not match the requirements"; ai.setNotAsserted(error); } } - - PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX); - PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST); - PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST); - PolicyUtils.assertPolicy(aim, SPConstants.LAYOUT_STRICT); + } + + private void assertToken(Layout token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + LayoutType layoutType = token.getLayoutType(); + if (layoutType != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, layoutType.name())); + } } public boolean validatePolicy( http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java index 37adc67..b0b9a16 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SamlTokenPolicyValidator.java 
@@ -64,8 +64,6 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.SAML_TOKEN); if (!ais.isEmpty()) { parsePolicies(aim, ais, message, results, signedResults); - - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE); } return true; @@ -87,6 +85,7 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem for (AssertionInfo ai : ais) { SamlToken samlToken = (SamlToken)ai.getAssertion(); ai.setAsserted(true); + assertToken(samlToken, aim); if (!isTokenRequired(samlToken, message)) { PolicyUtils.assertPolicy( @@ -172,4 +171,12 @@ public class SamlTokenPolicyValidator extends AbstractSamlPolicyValidator implem return true; } + private void assertToken(SamlToken token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + if (token.isRequireKeyIdentifierReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE)); + } + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java index 6171e9e..5c3e587 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java 
@@ -69,11 +69,8 @@ public class SecurityContextTokenPolicyValidator
 for (AssertionInfo ai : ais) {
 SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
 ai.setAsserted(true);
+ assertToken(sctPolicy, aim);
 
- PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
- PolicyUtils.assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
- PolicyUtils.assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
-
 if (!isTokenRequired(sctPolicy, message)) {
 continue;
 }
@@ -86,4 +83,16 @@ public class SecurityContextTokenPolicyValidator
 }
 }
 }
+
+ private void assertToken(SecurityContextToken token, AssertionInfoMap aim) {
+ if (token.isRequireExternalUriReference()) {
+ PolicyUtils.assertPolicy(aim, SP12Constants.REQUIRE_EXTERNAL_URI_REFERENCE);
+ }
+ if (token.isSc10SecurityContextToken()) {
+ PolicyUtils.assertPolicy(aim, SP11Constants.SC10_SECURITY_CONTEXT_TOKEN);
+ }
+ if (token.isSc13SecurityContextToken()) {
+ PolicyUtils.assertPolicy(aim, SP12Constants.SC13_SECURITY_CONTEXT_TOKEN);
+ }
+ }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index cbaecbb..4f72206 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; @@ -30,6 +32,9 @@ import org.apache.cxf.ws.security.policy.PolicyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSecurityEngineResult; import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.AbstractToken; +import org.apache.wss4j.policy.model.AbstractToken.DerivedKeys; +import org.apache.wss4j.policy.model.AbstractTokenWrapper; import org.apache.wss4j.policy.model.SymmetricBinding; /** @@ -112,9 +117,7 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); + assertToken(binding.getEncryptionToken(), aim); } if (binding.getSignatureToken() != null) { @@ -125,9 +128,7 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); + assertToken(binding.getSignatureToken(), aim); } if (binding.getProtectionToken() != null) { 
@@ -138,12 +139,19 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida ai.setNotAsserted("Message fails the DerivedKeys requirement"); return false; } - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS); + assertToken(binding.getProtectionToken(), aim); } return true; } + private void assertToken(AbstractTokenWrapper tokenWrapper, AssertionInfoMap aim) { + String namespace = tokenWrapper.getName().getNamespaceURI(); + + AbstractToken token = tokenWrapper.getToken(); + DerivedKeys derivedKeys = token.getDerivedKeys(); + if (derivedKeys != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, derivedKeys.name())); + } + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java index cb4ccbb..b8141a5 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/TransportBindingPolicyValidator.java @@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; 
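Review bot: The new assertToken relies on `DerivedKeys.name()` matching the WS-SecurityPolicy element local name to build the asserted QName, and the same pattern appears for `PasswordType`/`UsernameTokenType` in UsernameTokenPolicyValidator and `TokenType` in X509TokenPolicyValidator later in this commit. That coupling to the enum constant spelling is invisible at the call site, so a comment such as `// enum constant names mirror the policy element local names, so name() is the assertion's local part` on the `new QName(namespace, derivedKeys.name())` line would make it explicit. `tokenWrapper.getToken()` is also dereferenced without a null check while the callers only test that the wrapper itself is non-null; if WSS4J guarantees a wrapper always carries a token, a comment saying so would help, otherwise guard it with `if (token == null) { return; }`. A Javadoc summary is missing as well; `/** Asserts the DerivedKeys requirement declared on the wrapped token, if any. */` would suffice.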
@@ -93,7 +95,8 @@ public class TransportBindingPolicyValidator extends AbstractBindingPolicyValida ai.setNotAsserted(error); continue; } - PolicyUtils.assertPolicy(aim, SPConstants.INCLUDE_TIMESTAMP); + PolicyUtils.assertPolicy(aim, + new QName(binding.getName().getNamespaceURI(), SPConstants.INCLUDE_TIMESTAMP)); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java index e642a9a..3f0a23e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/UsernameTokenPolicyValidator.java @@ -23,6 +23,8 @@ import java.util.ArrayList; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.ws.policy.AssertionInfo; @@ -37,6 +39,7 @@ import org.apache.wss4j.policy.SPConstants; import org.apache.wss4j.policy.model.AbstractSecurityAssertion; import org.apache.wss4j.policy.model.SupportingTokens; import org.apache.wss4j.policy.model.UsernameToken.PasswordType; +import org.apache.wss4j.policy.model.UsernameToken.UsernameTokenType; /** * Validate a UsernameToken policy. 
@@ -54,20 +57,14 @@ public class UsernameTokenPolicyValidator Collection ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN); if (!ais.isEmpty()) { - parsePolicies(ais, message, results); - - PolicyUtils.assertPolicy(aim, SP13Constants.CREATED); - PolicyUtils.assertPolicy(aim, SP13Constants.NONCE); - PolicyUtils.assertPolicy(aim, SPConstants.NO_PASSWORD); - PolicyUtils.assertPolicy(aim, SPConstants.HASH_PASSWORD); - PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN10); - PolicyUtils.assertPolicy(aim, SPConstants.USERNAME_TOKEN11); + parsePolicies(aim, ais, message, results); } return true; } private void parsePolicies( + AssertionInfoMap aim, Collection ais, Message message, List results @@ -82,6 +79,8 @@ public class UsernameTokenPolicyValidator org.apache.wss4j.policy.model.UsernameToken usernameTokenPolicy = (org.apache.wss4j.policy.model.UsernameToken)ai.getAssertion(); ai.setAsserted(true); + assertToken(usernameTokenPolicy, aim); + if (!isTokenRequired(usernameTokenPolicy, message)) { continue; } 
@@ -99,6 +98,27 @@ public class UsernameTokenPolicyValidator } } + private void assertToken(org.apache.wss4j.policy.model.UsernameToken token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + if (token.isCreated()) { + PolicyUtils.assertPolicy(aim, SP13Constants.CREATED); + } + if (token.isNonce()) { + PolicyUtils.assertPolicy(aim, SP13Constants.NONCE); + } + + PasswordType passwordType = token.getPasswordType(); + if (passwordType != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, passwordType.name())); + } + + UsernameTokenType usernameTokenType = token.getUsernameTokenType(); + if (usernameTokenType != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, usernameTokenType.name())); + } + } + /** * All UsernameTokens must conform to the policy */ http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java index f163b81..d28dd81 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java @@ -22,6 +22,8 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators; import java.util.Collection; import java.util.List; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.message.Message; import org.apache.cxf.message.MessageUtils; 
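Review bot: The new assertToken mixes two namespace strategies without saying why: `isCreated()`/`isNonce()` assert the fixed `SP13Constants` QNames while the password and token types use `token.getName().getNamespaceURI()`. A comment above the first check such as `// Created and Nonce only exist in the SP 1.3 namespace, so they are asserted by their fixed QName` would stop a reader from "fixing" the apparent inconsistency, assuming that is indeed the reason. A Javadoc summary is also missing; `/** Marks the nested UsernameToken assertions (Created, Nonce, password type, token type) declared in the policy as asserted. */` would do.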
@@ -50,23 +52,14 @@ public class WSS11PolicyValidator Collection ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.WSS11); if (!ais.isEmpty()) { - parsePolicies(ais, message, results); - - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_THUMBPRINT); - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION); - - // WSS 1.0 - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER); - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL); - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI); - PolicyUtils.assertPolicy(aim, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN); + parsePolicies(aim, ais, message, results); } return true; } private void parsePolicies( + AssertionInfoMap aim, Collection ais, Message message, List results @@ -77,6 +70,7 @@ public class WSS11PolicyValidator for (AssertionInfo ai : ais) { Wss11 wss11 = (Wss11)ai.getAssertion(); ai.setAsserted(true); + assertToken(wss11, aim); if (!MessageUtils.isRequestor(message)) { continue; 
@@ -92,4 +86,32 @@ public class WSS11PolicyValidator } } + private void assertToken(Wss11 token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + if (token.isMustSupportRefEmbeddedToken()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN)); + } + if (token.isMustSupportRefEncryptedKey()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY)); + } + if (token.isMustSupportRefExternalURI()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI)); + } + if (token.isMustSupportRefIssuerSerial()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL)); + } + if (token.isMustSupportRefKeyIdentifier()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER)); + } + if (token.isMustSupportRefThumbprint()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT)); + } + if (token.isRequireSignatureConfirmation()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION)); + } + + } + + } http://git-wip-us.apache.org/repos/asf/cxf/blob/d4f9674b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java index dfc6a74..027582d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java 
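Review bot: The new assertToken names its `Wss11` parameter `token` although Wss11 is a WSS assertion rather than a token, and it leaves a blank line before its own closing brace and another before the class's closing brace. `private void assertToken(Wss11 wss11, AssertionInfoMap aim)` would read more accurately, and the stray blank lines are the kind of thing Checkstyle flags. A Javadoc summary would help too, e.g. `/** Marks the nested Wss11 reference-support and signature-confirmation assertions declared in the policy as asserted. */`.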
@@ -25,6 +25,8 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; +import javax.xml.namespace.QName; + import org.w3c.dom.Element; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.message.Message; @@ -63,25 +65,14 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator imple Collection ais = PolicyUtils.getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN); if (!ais.isEmpty()) { - parsePolicies(ais, message, signedResults, results); - - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10); - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11); - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN10); - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V1_TOKEN11); - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN10); - PolicyUtils.assertPolicy(aim, SPConstants.WSS_X509_V3_TOKEN11); - - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_THUMBPRINT_REFERENCE); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE); - PolicyUtils.assertPolicy(aim, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE); + parsePolicies(aim, ais, message, signedResults, results); } return true; } private void parsePolicies( + AssertionInfoMap aim, Collection ais, Message message, List signedResults, @@ -93,7 +84,8 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator imple for (AssertionInfo ai : ais) { X509Token x509TokenPolicy = (X509Token)ai.getAssertion(); ai.setAsserted(true); - + assertToken(x509TokenPolicy, aim); + if (!isTokenRequired(x509TokenPolicy, message)) { continue; } 
@@ -112,6 +104,30 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator imple } } + private void assertToken(X509Token token, AssertionInfoMap aim) { + String namespace = token.getName().getNamespaceURI(); + + // Assert references + if (token.isRequireIssuerSerialReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE)); + } + if (token.isRequireThumbprintReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE)); + } + if (token.isRequireEmbeddedTokenReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE)); + } + if (token.isRequireKeyIdentifierReference()) { + PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE)); + } + + // Assert TokenType + TokenType tokenType = token.getTokenType(); + if (tokenType != null) { + PolicyUtils.assertPolicy(aim, new QName(namespace, tokenType.name())); + } + } + /** * Check that at least one received token matches the token type. */
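Review bot: The new assertToken has no Javadoc, and the `// Assert references` / `// Assert TokenType` comments only restate the code beneath them. A summary such as `/** Marks the X509Token reference requirements and token type declared in the policy as asserted; this reflects what the policy declares, not what the message carried. */` would also explain why parsePolicies calls it before the isTokenRequired check, if that is the intent. The Javadoc block and method that follow lie outside this hunk.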