cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/4] cxf git commit: Another sweep of the policy validation code
Date Fri, 03 Apr 2015 11:35:33 GMT
Another sweep of the policy validation code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2f164ec2
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2f164ec2
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2f164ec2

Branch: refs/heads/master
Commit: 2f164ec218a1e850d8cc4a6a9ffdb6dba248895f
Parents: f7a64ca
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Apr 3 00:39:02 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100

----------------------------------------------------------------------
 .../IssuedTokenInterceptorProvider.java         |  4 +-
 .../policy/interceptors/NegotiationUtils.java   | 46 +++++-----
 .../security/wss4j/CryptoCoverageChecker.java   | 17 ++--
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 10 +--
 .../policyhandlers/AbstractBindingBuilder.java  | 39 +++++----
 .../policyhandlers/SymmetricBindingHandler.java | 12 +--
 .../AbstractBindingPolicyValidator.java         |  6 +-
 .../AbstractSupportingTokenPolicyValidator.java | 91 +++++++++-----------
 .../AlgorithmSuitePolicyValidator.java          | 29 ++++---
 .../KerberosTokenPolicyValidator.java           |  9 +-
 10 files changed, 130 insertions(+), 133 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index c6f12b0..dd14252 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -179,9 +179,7 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
             parameters.setMessage(message);
             parameters.setResults(rResult);
             
-            List<WSSecurityEngineResult> signedResults = 
-                rResult.getActionResults().get(WSConstants.SIGN);
-            parameters.setSignedResults(signedResults);
+            parameters.setSignedResults(rResult.getActionResults().get(WSConstants.SIGN));
             
             List<WSSecurityEngineResult> samlResults = new ArrayList<>();
             if (rResult.getActionResults().containsKey(WSConstants.ST_SIGNED)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
index 6690523..2b0ca66 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/NegotiationUtils.java
@@ -221,33 +221,31 @@ final class NegotiationUtils {
         }
         
         for (WSHandlerResult rResult : results) {
-            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+            List<WSSecurityEngineResult> sctResults = 
+                rResult.getActionResults().get(WSConstants.SCT);
 
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt.intValue() == WSConstants.SCT) {
-                    SecurityContextToken tok = 
-                        (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
-                    message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
-                    
-                    SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
-                    if (token == null || token.isExpired()) {
-                        byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                        if (secret != null) {
-                            token = new SecurityToken(tok.getIdentifier());
-                            token.setToken(tok.getElement());
-                            token.setSecret(secret);
-                            token.setTokenType(tok.getTokenType());
-                            TokenStoreUtils.getTokenStore(message).add(token);
-                        }
+            for (WSSecurityEngineResult wser : sctResults) {
+                SecurityContextToken tok = 
+                    (SecurityContextToken)wser.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
+                message.getExchange().put(SecurityConstants.TOKEN_ID, tok.getIdentifier());
+
+                SecurityToken token = TokenStoreUtils.getTokenStore(message).getToken(tok.getIdentifier());
+                if (token == null || token.isExpired()) {
+                    byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+                    if (secret != null) {
+                        token = new SecurityToken(tok.getIdentifier());
+                        token.setToken(tok.getElement());
+                        token.setSecret(secret);
+                        token.setTokenType(tok.getTokenType());
+                        TokenStoreUtils.getTokenStore(message).add(token);
                     }
-                    if (token != null) {
-                        final SecurityContext sc = token.getSecurityContext();
-                        if (sc != null) {
-                            message.put(SecurityContext.class, sc);
-                        }
-                        return true;
+                }
+                if (token != null) {
+                    final SecurityContext sc = token.getSecurityContext();
+                    if (sc != null) {
+                        message.put(SecurityContext.class, sc);
                     }
+                    return true;
                 }
             }
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
index 9a71a9e..0b634d2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
@@ -139,11 +139,11 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
         
         // Get all encrypted and signed references
         for (WSHandlerResult wshr : results) {
-            for (WSSecurityEngineResult result : wshr.getResults()) {
-                Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt == WSConstants.SIGN) {
+            List<WSSecurityEngineResult> signedResults = wshr.getActionResults().get(WSConstants.SIGN);
+            if (signedResults != null) {
+                for (WSSecurityEngineResult signedResult : signedResults) {
                     List<WSDataRef> sl = 
-                        CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                        CastUtils.cast((List<?>)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                     if (sl != null) {
                         if (sl.size() == 1
                             && sl.get(0).getName().equals(new QName(WSConstants.SIG_NS,
WSConstants.SIG_LN))) {
@@ -153,9 +153,14 @@ public class CryptoCoverageChecker extends AbstractSoapInterceptor {
                         
                         signed.addAll(sl);
                     }
-                } else if (actInt == WSConstants.ENCR) {
+                }
+            }
+            
+            List<WSSecurityEngineResult> encryptedResults = wshr.getActionResults().get(WSConstants.ENCR);
+            if (encryptedResults != null) {
+                for (WSSecurityEngineResult encryptedResult : encryptedResults) {
                     List<WSDataRef> el = 
-                        CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                        CastUtils.cast((List<?>)encryptedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
                     if (el != null) {
                         encrypted.addAll(el);
                     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 59c73f0..c4c8b37 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -429,7 +429,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
     
     private boolean assertTokens(AssertionInfoMap aim, 
                               String name, 
-                              Collection<WSDataRef> signed,
+                              Collection<WSDataRef> dataRefs,
                               SoapMessage msg,
                               Element soapHeader,
                               Element soapBody,
@@ -444,11 +444,11 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
                     try {
                         if (CoverageType.SIGNED.equals(type)) {
                             CryptoCoverageUtil.checkBodyCoverage(
-                                soapBody, signed, type, CoverageScope.ELEMENT
+                                soapBody, dataRefs, type, CoverageScope.ELEMENT
                             );
                         } else {
                             CryptoCoverageUtil.checkBodyCoverage(
-                                soapBody, signed, type, CoverageScope.CONTENT
+                                soapBody, dataRefs, type, CoverageScope.CONTENT
                             );
                         }
                     } catch (WSSecurityException e) {
@@ -459,7 +459,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
                 
                 for (Header h : p.getHeaders()) {
                     try {
-                        CryptoCoverageUtil.checkHeaderCoverage(soapHeader, signed, h
+                        CryptoCoverageUtil.checkHeaderCoverage(soapHeader, dataRefs, h
                                 .getNamespace(), h.getName(), type,
                                 CoverageScope.ELEMENT);
                     } catch (WSSecurityException e) {
@@ -474,7 +474,7 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor
{
                         if (attachments.isContentSignatureTransform()) {
                             scope = CoverageScope.CONTENT;
                         }
-                        CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(),
signed, 
+                        CryptoCoverageUtil.checkAttachmentsCoverage(msg.getAttachments(),
dataRefs, 
                                                                 type, scope);
                     } catch (WSSecurityException e) {
                         ai.setNotAsserted("An attachment was not signed/encrypted");

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index a866496..306dafd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -1581,16 +1581,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         * receiving Actor and the sending Actor match.
         */
         for (WSHandlerResult rResult : results) {
-            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
-            /*
-            * Scan the results for the first Signature action. Use the
-            * certificate of this Signature to set the certificate for the
-            * encryption action :-).
-            */
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                if (actInt.intValue() == WSConstants.SIGN) {
-                    return (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+            List<WSSecurityEngineResult> signedResults = 
+                rResult.getActionResults().get(WSConstants.SIGN);
+            if (signedResults != null) {
+                /*
+                 * Scan the results for the first Signature action. Use the
+                 * certificate of this Signature to set the certificate for the
+                 * encryption action :-).
+                 */
+                for (WSSecurityEngineResult signedResult : signedResults) {
+                    if (signedResult.containsKey(WSSecurityEngineResult.TAG_X509_CERTIFICATE))
{
+                        return (X509Certificate)signedResult.get(
+                            WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+                    }
                 }
             }
         }
@@ -1634,15 +1637,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             .get(WSHandlerConstants.RECV_RESULTS));
         
         for (WSHandlerResult rResult : results) {
-            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
-            
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
-                if (actInt.intValue() == WSConstants.ENCR
-                    && encryptedKeyID != null
-                    && encryptedKeyID.length() != 0) {
-                    return wser;
+            List<WSSecurityEngineResult> encryptedResults = rResult.getResults();
+            if (encryptedResults != null) {
+                for (WSSecurityEngineResult wser : encryptedResults) {
+                    String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
+                    if (encryptedKeyID != null && encryptedKeyID.length() != 0) {
+                        return wser;
+                    }
                 }
             }
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 65d4a2f..bfc67e0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -950,12 +950,12 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder
{
             .get(WSHandlerConstants.RECV_RESULTS));
         
         for (WSHandlerResult rResult : results) {
-            List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
+            List<WSSecurityEngineResult> wsSecEngineResults = 
+                rResult.getActionResults().get(WSConstants.UT_NOPASSWORD);
             
-            for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-                String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
-                if (actInt.intValue() == WSConstants.UT_NOPASSWORD) {
+            if (wsSecEngineResults != null) {
+                for (WSSecurityEngineResult wser : wsSecEngineResults) {
+                    String utID = (String)wser.get(WSSecurityEngineResult.TAG_ID);
                     if (utID == null || utID.length() == 0) {
                         utID = wssConfig.getIdAllocator().createId("UsernameToken-", null);
                     }
@@ -963,7 +963,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     Date expires = new Date();
                     expires.setTime(created.getTime() + 300000);
                     SecurityToken tempTok = new SecurityToken(utID, created, expires);
-                    
+
                     byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                     tempTok.setSecret(secret);
                     tokenStore.add(tempTok);

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index d79470f..55a00b5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -310,12 +310,10 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
         List<WSSecurityEngineResult> results,
         List<WSSecurityEngineResult> signedResults
     ) {
-        for (int i = 0; i < signedResults.size(); i++) {
-            WSSecurityEngineResult result = signedResults.get(i);
+        for (WSSecurityEngineResult result : signedResults) {
             
             // Get the Token result that was used for the signature
-            WSSecurityEngineResult tokenResult = 
-                findCorrespondingToken(result, results);
+            WSSecurityEngineResult tokenResult = findCorrespondingToken(result, results);
             if (tokenResult == null) {
                 return false;
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 74cf2c0..ad0c835 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -39,7 +39,6 @@ import javax.xml.xpath.XPathFactory;
 
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
-
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.helpers.DOMUtils;
@@ -57,6 +56,7 @@ import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngine;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
@@ -109,12 +109,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
             return false;
         }
         
-        if (derived) {
+        if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT))
{
             for (WSSecurityEngineResult wser : parameters.getUsernameTokenResults()) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 if (secret != null) {
                     WSSecurityEngineResult dktResult = 
-                        getMatchingDerivedKey(secret, parameters.getResults().getResults());
+                        getMatchingDerivedKey(secret, parameters.getResults());
                     if (dktResult != null) {
                         tokenResults.add(dktResult);
                     }
@@ -173,10 +173,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * Process Kerberos Tokens.
      */
     protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean
derived) {
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.BST) {
+        List<WSSecurityEngineResult> tokenResults = null;
+        if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+            tokenResults = new ArrayList<>();
+            for (WSSecurityEngineResult wser
+                : parameters.getResults().getActionResults().get(WSConstants.BST)) {
                 BinarySecurity binarySecurity = 
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof KerberosSecurity) {
@@ -185,7 +186,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
             }
         }
         
-        if (tokenResults.isEmpty()) {
+        if (tokenResults == null || tokenResults.isEmpty()) {
             return false;
         }
         
@@ -199,12 +200,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
             return false;
         }
         
-        if (derived) {
+        if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT))
{
             List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
             for (WSSecurityEngineResult wser : tokenResults) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 WSSecurityEngineResult dktResult = 
-                    getMatchingDerivedKey(secret, parameters.getResults().getResults());
+                    getMatchingDerivedKey(secret, parameters.getResults());
                 if (dktResult != null) {
                     dktResults.add(dktResult);
                 }
@@ -231,10 +232,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * Process X509 Tokens.
      */
     protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived)
{
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.BST) {
+        List<WSSecurityEngineResult> tokenResults = null;
+        if (parameters.getResults().getActionResults().containsKey(WSConstants.BST)) {
+            tokenResults = new ArrayList<>();
+            for (WSSecurityEngineResult wser 
+                : parameters.getResults().getActionResults().get(WSConstants.BST)) {
                 BinarySecurity binarySecurity = 
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof X509Security
@@ -244,7 +246,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
             }
         }
         
-        if (tokenResults.isEmpty()) {
+        if (tokenResults == null || tokenResults.isEmpty()) {
             return false;
         }
         
@@ -258,11 +260,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
             return false;
         }
         
-        if (derived) {
+        if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT))
{
             List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
             for (WSSecurityEngineResult wser : tokenResults) {
                 WSSecurityEngineResult resultToStore = 
-                    processX509DerivedTokenResult(wser, parameters.getResults().getResults());
+                    processX509DerivedTokenResult(wser, parameters.getResults());
                 if (resultToStore != null) {
                     dktResults.add(resultToStore);
                 }
@@ -289,16 +291,19 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * Process KeyValue Tokens.
      */
     protected boolean processKeyValueTokens(PolicyValidatorParameters parameters) {
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
-            PublicKey publicKey = 
-                (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
-            if (publicKey != null) {
-                tokenResults.add(wser);
+        List<WSSecurityEngineResult> tokenResults = null;
+        if (parameters.getSignedResults() != null && !parameters.getSignedResults().isEmpty())
{
+            tokenResults = new ArrayList<>();
+            for (WSSecurityEngineResult wser : parameters.getSignedResults()) {
+                PublicKey publicKey = 
+                    (PublicKey)wser.get(WSSecurityEngineResult.TAG_PUBLIC_KEY);
+                if (publicKey != null) {
+                    tokenResults.add(wser);
+                }
             }
         }
         
-        if (tokenResults.isEmpty()) {
+        if (tokenResults == null || tokenResults.isEmpty()) {
             return false;
         }
         
@@ -359,17 +364,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * Process Security Context Tokens.
      */
     protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived)
{
-        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.SCT) {
-                tokenResults.add(wser);
-            }
-        }
-        
-        if (tokenResults.isEmpty()) {
+        if (!parameters.getResults().getActionResults().containsKey(WSConstants.SCT)) {
             return false;
         }
+        List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
+        tokenResults.addAll(parameters.getResults().getActionResults().get(WSConstants.SCT));
         
         if (isSigned() && !areTokensSigned(tokenResults, parameters.getSignedResults(),
                                            parameters.getEncryptedResults(),
@@ -381,12 +380,12 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
             return false;
         }
         
-        if (derived) {
+        if (derived && parameters.getResults().getActionResults().containsKey(WSConstants.DKT))
{
             List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
             for (WSSecurityEngineResult wser : tokenResults) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 WSSecurityEngineResult dktResult = 
-                    getMatchingDerivedKey(secret, parameters.getResults().getResults());
+                    getMatchingDerivedKey(secret, parameters.getResults());
                 if (dktResult != null) {
                     dktResults.add(dktResult);
                 }
@@ -414,7 +413,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
      * find a DerivedKey element that matches that EncryptedKey element.
      */
     private WSSecurityEngineResult processX509DerivedTokenResult(WSSecurityEngineResult result,
-                                                                 List<WSSecurityEngineResult>
results) {
+                                                                 WSHandlerResult results)
{
         X509Certificate cert = 
             (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
         WSSecurityEngineResult encrResult = getMatchingEncryptedKey(cert, results);
@@ -433,14 +432,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * matches the parameter.
      */
     private WSSecurityEngineResult getMatchingDerivedKey(byte[] secret,
-                                                         List<WSSecurityEngineResult>
results) {
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.DKT) {
-                byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                if (Arrays.equals(secret, dktSecret)) {
-                    return wser;
-                }
+                                                         WSHandlerResult results) {
+        for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.DKT))
{
+            byte[] dktSecret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
+            if (Arrays.equals(secret, dktSecret)) {
+                return wser;
             }
         }
         return null;
@@ -450,10 +446,9 @@ public abstract class AbstractSupportingTokenPolicyValidator extends
AbstractSec
      * Get a security result representing an EncryptedKey that matches the parameter.
      */
     private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert,
-                                                           List<WSSecurityEngineResult>
results) {
-        for (WSSecurityEngineResult wser : results) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.ENCR) {
+                                                           WSHandlerResult results) {
+        if (results.getActionResults().containsKey(WSConstants.ENCR)) {
+            for (WSSecurityEngineResult wser : results.getActionResults().get(WSConstants.ENCR))
{
                 X509Certificate encrCert = 
                     (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                 if (cert.equals(encrCert)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 706e0a5..3add3ed 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -35,7 +35,6 @@ import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.transform.STRTransform;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -70,7 +69,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
             AlgorithmSuite algorithmSuite = (AlgorithmSuite)ai.getAssertion();
             ai.setAsserted(true);
             
-            boolean valid = validatePolicy(ai, algorithmSuite, parameters.getResults());
+            boolean valid = validatePolicy(ai, algorithmSuite, parameters.getSignedResults(),
+                                           parameters.getEncryptedResults());
             if (valid) {
                 String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
                 String name = algorithmSuite.getAlgorithmSuiteType().getName();
@@ -88,20 +88,23 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
     }
     
     private boolean validatePolicy(
-        AssertionInfo ai, AlgorithmSuite algorithmPolicy, WSHandlerResult results
+        AssertionInfo ai, AlgorithmSuite algorithmPolicy, 
+        List<WSSecurityEngineResult> signedResults, List<WSSecurityEngineResult>
encryptedResults
     ) {
-        boolean success = true;
-        for (WSSecurityEngineResult result : results.getResults()) {
-            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            if (WSConstants.SIGN == actInt 
-                && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {
-                success = false;
-            } else if (WSConstants.ENCR == actInt
-                && !checkEncryptionAlgorithms(result, algorithmPolicy, ai)) {
-                success = false;
+        for (WSSecurityEngineResult signedResult : signedResults) {
+            if (!checkSignatureAlgorithms(signedResult, algorithmPolicy, ai)) {
+                return false;
             }
         }
-        return success;
+        if (encryptedResults != null) {
+            for (WSSecurityEngineResult encryptedResult : encryptedResults) {
+                if (!checkEncryptionAlgorithms(encryptedResult, algorithmPolicy, ai)) {
+                    return false;
+                }
+            }
+        }
+        
+        return true;
     }
     
     /**

http://git-wip-us.apache.org/repos/asf/cxf/blob/2f164ec2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index 6c05801..e8cb852 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -69,7 +69,7 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo>
ais) {
         List<WSSecurityEngineResult> kerberosResults = 
-            findKerberosResults(parameters.getResults().getResults());
+            findKerberosResults(parameters.getResults().getActionResults().get(WSConstants.BST));
         
         for (WSSecurityEngineResult kerberosResult : kerberosResults) {
             KerberosSecurity kerberosToken = 
@@ -146,11 +146,10 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
         return false;
     }
     
-    private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult>
wsSecEngineResults) {
+    private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult>
bstResults) {
         List<WSSecurityEngineResult> results = new ArrayList<>();
-        for (WSSecurityEngineResult wser : wsSecEngineResults) {
-            Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.BST) {
+        if (bstResults != null) {
+            for (WSSecurityEngineResult wser : bstResults) {
                 BinarySecurity binarySecurity = 
                     (BinarySecurity)wser.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
                 if (binarySecurity instanceof KerberosSecurity) {


Mime
View raw message