cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/4] cxf git commit: Adding a new cxf-rt-security-saml module to remove OpenSAML dependencies from cxf-rt-security
Date Mon, 13 Apr 2015 12:04:51 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
deleted file mode 100644
index 22d61cf..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptor.java
+++ /dev/null
@@ -1,242 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.ClassHelper;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.cxf.service.Service;
-import org.apache.cxf.service.invoker.MethodDispatcher;
-import org.apache.cxf.service.model.BindingOperationInfo;
-
-
-public class ClaimsAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-
-    private static final Logger LOG = LogUtils.getL7dLogger(ClaimsAuthorizingInterceptor.class);
-    
-    private static final Set<String> SKIP_METHODS;
-    static {
-        SKIP_METHODS = new HashSet<>();
-        SKIP_METHODS.addAll(Arrays.asList(
-            new String[] {"wait", "notify", "notifyAll", 
-                          "equals", "toString", "hashCode"}));
-    }
-    
-    private Map<String, List<ClaimBean>> claims = new HashMap<>();
-    private Map<String, String> nameAliases = Collections.emptyMap();
-    private Map<String, String> formatAliases = Collections.emptyMap();
-    
-    public ClaimsAuthorizingInterceptor() {
-        super(Phase.PRE_INVOKE);
-    }
-    
-    public void handleMessage(Message message) throws Fault {
-        SecurityContext sc = message.get(SecurityContext.class);
-        if (!(sc instanceof SAMLSecurityContext)) {
-            throw new AccessDeniedException("Security Context is unavailable or unrecognized");
-        }
-        
-        Method method = getTargetMethod(message);
-        
-        if (authorize((SAMLSecurityContext)sc, method)) {
-            return;
-        }
-        
-        throw new AccessDeniedException("Unauthorized");
-    }
-    
-    public void setClaims(Map<String, List<ClaimBean>> claimsMap) {
-        claims.putAll(claimsMap);
-    }
-    
-    protected Method getTargetMethod(Message m) {
-        BindingOperationInfo bop = m.getExchange().get(BindingOperationInfo.class);
-        if (bop != null) {
-            MethodDispatcher md = (MethodDispatcher) 
-                m.getExchange().get(Service.class).get(MethodDispatcher.class.getName());
-            return md.getMethod(bop);
-        } 
-        Method method = (Method)m.get("org.apache.cxf.resource.method");
-        if (method != null) {
-            return method;
-        }
-        throw new AccessDeniedException("Method is not available : Unauthorized");
-    }
-
-    protected boolean authorize(SAMLSecurityContext sc, Method method) {
-        List<ClaimBean> list = claims.get(method.getName());
-        org.apache.cxf.rt.security.claims.ClaimCollection actualClaims = sc.getClaims();
-        
-        for (ClaimBean claimBean : list) {
-            org.apache.cxf.rt.security.claims.Claim claim = claimBean.getClaim();
-            org.apache.cxf.rt.security.claims.Claim matchingClaim = null;
-            for (org.apache.cxf.rt.security.claims.Claim cl : actualClaims) {
-                if (cl instanceof SAMLClaim
-                    && ((SAMLClaim)cl).getName().equals(((SAMLClaim)claim).getName())
-                    && ((SAMLClaim)cl).getNameFormat().equals(((SAMLClaim)claim).getNameFormat())) {
-                    matchingClaim = cl;
-                    break;
-                }
-            }
-            if (matchingClaim == null) {
-                if (claimBean.getClaimMode() == ClaimMode.STRICT) {
-                    return false;
-                } else {
-                    continue;
-                }
-            }
-            List<Object> claimValues = claim.getValues();
-            List<Object> matchingClaimValues = matchingClaim.getValues();
-            if (claimBean.isMatchAll() 
-                && !matchingClaimValues.containsAll(claimValues)) {    
-                return false;
-            } else {
-                boolean matched = false;
-                for (Object value : matchingClaimValues) {
-                    if (claimValues.contains(value)) {
-                        matched = true;    
-                        break;
-                    }
-                }
-                if (!matched) {
-                    return false;
-                }
-            }
-        }
-        return true;
-    }
-    
-    public void setSecuredObject(Object object) {
-        Class<?> cls = ClassHelper.getRealClass(object);
-        findClaims(cls);
-        if (claims.isEmpty()) {
-            LOG.warning("The claims list is empty, the service object is not protected");
-        }
-    }
-
-    protected void findClaims(Class<?> cls) {
-        if (cls == null || cls == Object.class) {
-            return;
-        }
-        List<ClaimBean> clsClaims = 
-            getClaims(cls.getAnnotation(Claims.class), cls.getAnnotation(Claim.class));
-        for (Method m : cls.getMethods()) {
-            if (SKIP_METHODS.contains(m.getName())) {
-                continue;
-            }
-            List<ClaimBean> methodClaims = 
-                getClaims(m.getAnnotation(Claims.class), m.getAnnotation(Claim.class));
-            
-            List<ClaimBean> allClaims = new ArrayList<>(methodClaims);
-            for (ClaimBean bean : clsClaims) {
-                if (isClaimOverridden(bean, methodClaims)) {
-                    continue;
-                }
-                allClaims.add(bean);
-            }
-            
-            claims.put(m.getName(), allClaims);
-        }
-        if (!claims.isEmpty()) {
-            return;
-        }
-        
-        findClaims(cls.getSuperclass());
-        
-        if (!claims.isEmpty()) {
-            return;
-        }
-        
-        for (Class<?> interfaceCls : cls.getInterfaces()) {
-            findClaims(interfaceCls);
-        }
-    }
-    
-    private static boolean isClaimOverridden(ClaimBean bean, List<ClaimBean> mClaims) {
-        for (ClaimBean methodBean : mClaims) {    
-            if (bean.getClaim().getName().equals(methodBean.getClaim().getName())
-                && bean.getClaim().getNameFormat().equals(methodBean.getClaim().getNameFormat())) {
-                return true;
-            }
-        }
-        return false;
-    }
-    
-    private List<ClaimBean> getClaims(
-            Claims claimsAnn, Claim claimAnn) {
-        List<ClaimBean> claimsList = new ArrayList<>();
-        
-        List<Claim> annClaims = new ArrayList<>();
-        if (claimsAnn != null) {
-            annClaims.addAll(Arrays.asList(claimsAnn.value()));
-        } else if (claimAnn != null) {
-            annClaims.add(claimAnn);
-        }
-        for (Claim ann : annClaims) {
-            SAMLClaim claim = new SAMLClaim();
-            
-            String claimName = ann.name();
-            if (nameAliases.containsKey(claimName)) {
-                claimName = nameAliases.get(claimName);
-            }
-            String claimFormat = ann.format();
-            if (formatAliases.containsKey(claimFormat)) {
-                claimFormat = formatAliases.get(claimFormat);
-            }
-            
-            claim.setName(claimName);
-            claim.setNameFormat(claimFormat);
-            for (String value : ann.value()) {
-                claim.addValue(value);
-            }
-            
-            claimsList.add(new ClaimBean(claim, ann.mode(), ann.matchAll()));
-        }
-        return claimsList;
-    }
-
-    public void setNameAliases(Map<String, String> nameAliases) {
-        this.nameAliases = nameAliases;
-    }
-
-    public void setFormatAliases(Map<String, String> formatAliases) {
-        this.formatAliases = formatAliases;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java b/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
deleted file mode 100644
index a76747c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/claims/SAMLClaim.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.claims;
-
-
-/**
- * This represents a Claim that is coupled to a SAML Assertion
- */
-public class SAMLClaim extends Claim {
-    
-    /**
-     * This configuration tag specifies the default attribute name where the roles are present
-     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
-     */
-    public static final String SAML_ROLE_ATTRIBUTENAME_DEFAULT =
-        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
-    
-    private static final long serialVersionUID = 5530712294179589442L;
-
-    private String nameFormat;
-    private String name;
-    private String friendlyName;
-    
-    public String getNameFormat() {
-        return nameFormat;
-    }
-    
-    public void setNameFormat(String nameFormat) {
-        this.nameFormat = nameFormat;
-    }
-    
-    public String getName() {
-        return name;
-    }
-    
-    public void setName(String name) {
-        this.name = name;
-    }
-
-    public String getFriendlyName() {
-        return friendlyName;
-    }
-
-    public void setFriendlyName(String friendlyName) {
-        this.friendlyName = friendlyName;
-    }
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
deleted file mode 100644
index 4287eb2..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLSecurityContext.java
+++ /dev/null
@@ -1,104 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.security.Principal;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.ClaimsSecurityContext;
-
-public class SAMLSecurityContext implements ClaimsSecurityContext {
-    
-    private final Principal principal;
-    private Set<Principal> roles;
-    private Element assertionElement;
-    private String issuer;
-    private ClaimCollection claims;
-    
-    public SAMLSecurityContext(Principal principal) {
-        this(principal, null);
-    }
-    
-    public SAMLSecurityContext(
-        Principal principal, 
-        Set<Principal> roles
-    ) {
-        this(principal, roles, null);
-    }
-    
-    public SAMLSecurityContext(
-        Principal principal, 
-        Set<Principal> roles,
-        ClaimCollection claims
-    ) {
-        this.principal = principal;
-        this.roles = roles;
-        this.claims = claims;
-    }
-    
-    public ClaimCollection getClaims() {
-        return claims;
-    }
-    
-    public Principal getUserPrincipal() {
-        return principal;
-    }
-
-    public boolean isUserInRole(String role) {
-        if (roles == null) {
-            return false;
-        }
-        for (Principal principalRole : roles) {
-            if (principalRole.getName().equals(role)) {
-                return true;
-            }
-        }
-        return false;
-    }
-    
-    public javax.security.auth.Subject getSubject() {
-        return null;
-    }
-
-    public void setUserRoles(Set<Principal> userRoles) {
-        this.roles = userRoles;
-    }
-    
-    public Set<Principal> getUserRoles() {
-        return roles;
-    }
-    
-    public void setAssertionElement(Element assertionElement) {
-        this.assertionElement = assertionElement;
-    }
-    
-    public Element getAssertionElement() {
-        return assertionElement;
-    }
-    
-    public void setIssuer(String issuer) {
-        this.issuer = issuer;
-    }
-    
-    public String getIssuer() {
-        return issuer;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
deleted file mode 100644
index 8229a07..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/saml/SAMLUtils.java
+++ /dev/null
@@ -1,141 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.saml;
-
-import java.net.URI;
-import java.security.Principal;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.common.security.SimpleGroup;
-import org.apache.cxf.rt.security.claims.Claim;
-import org.apache.cxf.rt.security.claims.ClaimCollection;
-import org.apache.cxf.rt.security.claims.SAMLClaim;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-import org.opensaml.core.xml.XMLObject;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Attribute;
-import org.opensaml.saml.saml2.core.AttributeStatement;
-
-public final class SAMLUtils {
-    
-    private SAMLUtils() {
-        
-    }
-    
-    /**
-     * Extract Claims from a SAML Assertion
-     */
-    public static ClaimCollection getClaims(SamlAssertionWrapper assertion) {
-        ClaimCollection claims = new ClaimCollection();
-        
-        if (assertion.getSamlVersion().equals(SAMLVersion.VERSION_20)) {
-            List<AttributeStatement> statements = assertion.getSaml2().getAttributeStatements();
-            for (AttributeStatement as : statements) {
-                for (Attribute atr : as.getAttributes()) {
-                    SAMLClaim claim = new SAMLClaim();
-                    claim.setClaimType(URI.create(atr.getName()));
-                    
-                    claim.setName(atr.getName());
-                    claim.setNameFormat(atr.getNameFormat());
-                    claim.setFriendlyName(atr.getFriendlyName());
-                    
-                    for (XMLObject o : atr.getAttributeValues()) {
-                        String attrValue = o.getDOM().getTextContent();
-                        claim.getValues().add(attrValue);
-                    }
-                    
-                    claims.add(claim);
-                }
-            }
-        } else {
-            List<org.opensaml.saml.saml1.core.AttributeStatement> attributeStatements = 
-                assertion.getSaml1().getAttributeStatements();
-            
-            for (org.opensaml.saml.saml1.core.AttributeStatement statement : attributeStatements) {
-                for (org.opensaml.saml.saml1.core.Attribute atr : statement.getAttributes()) {
-                    SAMLClaim claim = new SAMLClaim();
-                    
-                    String claimType = atr.getAttributeName();
-                    if (atr.getAttributeNamespace() != null) {
-                        claimType = atr.getAttributeNamespace() + "/" + claimType;
-                    }
-                    claim.setClaimType(URI.create(claimType));
-
-                    claim.setName(atr.getAttributeName());
-                    claim.setNameFormat(atr.getAttributeNamespace());
-
-                    for (XMLObject o : atr.getAttributeValues()) {
-                        String attrValue = o.getDOM().getTextContent();
-                        claim.getValues().add(attrValue);
-                    }
-
-                    claims.add(claim);
-                }
-            } 
-        }
-        
-        return claims;
-    }
-    
-    /**
-     * Extract roles from the given Claims
-     */
-    public static Set<Principal> parseRolesFromClaims(
-        ClaimCollection claims,
-        String name,
-        String nameFormat
-    ) {
-        String roleAttributeName = name;
-        if (roleAttributeName == null) {
-            roleAttributeName = SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
-        }
-        
-        Set<Principal> roles = new HashSet<>();
-        
-        for (Claim claim : claims) {
-            if (claim instanceof SAMLClaim && ((SAMLClaim)claim).getName().equals(name)
-                && (nameFormat == null 
-                    || claim instanceof SAMLClaim && nameFormat.equals(((SAMLClaim)claim).getNameFormat()))) {
-                for (Object claimValue : claim.getValues()) {
-                    if (claimValue instanceof String) {
-                        roles.add(new SimpleGroup((String)claimValue));
-                    }
-                }
-                if (claim.getValues().size() > 1) {
-                    // Don't search for other attributes with the same name if > 1 claim value
-                    break;
-                }
-            }
-        }
-        
-        return roles;
-    }
-    
-    public static String getIssuer(Object assertion) {
-        return ((SamlAssertionWrapper)assertion).getIssuerString();
-    }
-
-    public static Element getAssertionElement(Object assertion) {
-        return ((SamlAssertionWrapper)assertion).getElement();
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
deleted file mode 100644
index fe109e5..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/AbstractXACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,170 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.interceptor.Fault;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.phase.AbstractPhaseInterceptor;
-import org.apache.cxf.phase.Phase;
-import org.apache.cxf.security.LoginSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.apache.wss4j.common.util.DOM2Writer;
-import org.opensaml.xacml.ctx.DecisionType.DECISION;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-import org.opensaml.xacml.ctx.ResultType;
-import org.opensaml.xacml.ctx.StatusType;
-
-
-/**
- * An abstract interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement. 
- * 
- * This class must be subclassed to actually perform the request to the PDP.
- * 
- * @deprecated: Use XACMLAuthorizingInterceptor instead
- */
-@Deprecated
-public abstract class AbstractXACMLAuthorizingInterceptor extends AbstractPhaseInterceptor<Message> {
-    
-    private static final Logger LOG = LogUtils.getL7dLogger(AbstractXACMLAuthorizingInterceptor.class);
-    
-    private XACMLRequestBuilder requestBuilder = new DefaultXACMLRequestBuilder();
-    
-    public AbstractXACMLAuthorizingInterceptor() {
-        super(Phase.PRE_INVOKE);
-        org.apache.wss4j.common.saml.OpenSAMLUtil.initSamlEngine();
-    }
-    
-    public void handleMessage(Message message) throws Fault {
-        SecurityContext sc = message.get(SecurityContext.class);
-        
-        if (sc instanceof LoginSecurityContext) {
-            Principal principal = sc.getUserPrincipal();
-            
-            LoginSecurityContext loginSecurityContext = (LoginSecurityContext)sc;
-            Set<Principal> principalRoles = loginSecurityContext.getUserRoles();
-            List<String> roles = new ArrayList<>();
-            if (principalRoles != null) {
-                for (Principal p : principalRoles) {
-                    if (p != principal) {
-                        roles.add(p.getName());
-                    }
-                }
-            }
-            
-            try {
-                if (authorize(principal, roles, message)) {
-                    return;
-                }
-            } catch (Exception e) {
-                LOG.log(Level.FINE, "Unauthorized: " + e.getMessage(), e);
-                throw new AccessDeniedException("Unauthorized");
-            }
-        } else {
-            LOG.log(
-                Level.FINE,
-                "The SecurityContext was not an instance of LoginSecurityContext. No authorization "
-                + "is possible as a result"
-            );
-        }
-        
-        throw new AccessDeniedException("Unauthorized");
-    }
-    
-    public XACMLRequestBuilder getRequestBuilder() {
-        return requestBuilder;
-    }
-
-    public void setRequestBuilder(XACMLRequestBuilder requestBuilder) {
-        this.requestBuilder = requestBuilder;
-    }
-
-    /**
-     * Perform a (remote) authorization decision and return a boolean depending on the result
-     */
-    protected boolean authorize(
-        Principal principal, List<String> roles, Message message
-    ) throws Exception {
-        RequestType request = requestBuilder.createRequest(principal, roles, message);
-        if (LOG.isLoggable(Level.FINE)) {
-            Document doc = DOMUtils.createDocument();
-            Element requestElement = OpenSAMLUtil.toDom(request, doc);
-            LOG.log(Level.FINE, DOM2Writer.nodeToString(requestElement));
-        }
-        
-        ResponseType response = performRequest(request, message);
-        
-        List<ResultType> results = response.getResults();
-        
-        if (results == null) {
-            return false;
-        }
-        
-        for (ResultType result : results) {
-            // Handle any Obligations returned by the PDP
-            handleObligations(request, principal, message, result);
-            
-            DECISION decision = result.getDecision() != null ? result.getDecision().getDecision() : DECISION.Deny; 
-            String code = "";
-            String statusMessage = "";
-            if (result.getStatus() != null) {
-                StatusType status = result.getStatus();
-                code = status.getStatusCode() != null ? status.getStatusCode().getValue() : "";
-                statusMessage = status.getStatusMessage() != null ? status.getStatusMessage().getValue() : "";
-            }
-            LOG.fine("XACML authorization result: " + decision + ", code: " + code + ", message: " + statusMessage);
-            return decision == DECISION.Permit;
-        }
-        
-        return false;
-    }
-    
-    public abstract ResponseType performRequest(RequestType request, Message message) throws Exception;
-    
-    /**
-     * Handle any Obligations returned by the PDP
-     */
-    protected void handleObligations(
-        RequestType request,
-        Principal principal,
-        Message message,
-        ResultType result
-    ) throws Exception {
-        // Do nothing by default
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
deleted file mode 100644
index 5da3359..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/CXFMessageParser.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.namespace.QName;
-
-import org.w3c.dom.Element;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.SamlAssertionWrapper;
-
-public class CXFMessageParser {
-    private Message message;
-
-    /**
-     * @param message
-     */
-    public CXFMessageParser(Message message) {
-        this.message = message;
-    }
-    
-    public boolean isSOAPService() {
-        return getWSDLOperation() != null;
-    }
-
-    public QName getWSDLOperation() {
-        if (message != null && message.get(Message.WSDL_OPERATION) != null) {
-            return (QName)message.get(Message.WSDL_OPERATION);
-        }
-        return null;
-    }
-    
-    public QName getWSDLService() {
-        if (message != null && message.get(Message.WSDL_SERVICE) != null) {
-            return (QName)message.get(Message.WSDL_SERVICE);
-        }
-        return null;
-    }
-    
-    /**
-     * @param fullRequestURL Whether to send the full Request URL as the resource or not. If set to true, the
-     *        full Request URL will be sent for both a JAX-WS and JAX-RS service. If set to false (the
-     *        default), a JAX-WS service will send the "{namespace}operation" QName, and a JAX-RS service
-     *        will send the RequestURI (i.e. minus the initial https:<ip> prefix)
-     */
-    public String getResourceURI(boolean fullRequestURL) {
-        String property = fullRequestURL ? Message.REQUEST_URL : Message.REQUEST_URI;
-        if (message != null && message.get(property) != null) {
-            return (String)message.get(property);
-        }
-        return null;
-    }
-
-    public String getAction(String defaultSOAPAction) {
-        String actionToUse = defaultSOAPAction;
-        // For REST use the HTTP Verb
-        if (message.get(Message.WSDL_OPERATION) == null && message.get(Message.HTTP_REQUEST_METHOD) != null) {
-            actionToUse = (String)message.get(Message.HTTP_REQUEST_METHOD);
-        }
-        return actionToUse;
-    }
-
-    /**
-     * Get the Issuer of the SAML Assertion
-     */
-    public String getIssuer() throws WSSecurityException {
-        SecurityContext sc = message.get(SecurityContext.class);
-
-        if (sc instanceof SAMLSecurityContext) {
-            Element assertionElement = ((SAMLSecurityContext)sc).getAssertionElement();
-            if (assertionElement != null) {
-                SamlAssertionWrapper wrapper = new SamlAssertionWrapper(assertionElement);
-                return wrapper.getIssuerString();
-            }
-        }
-
-        return null;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
deleted file mode 100644
index c2bb40b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/DefaultXACMLRequestBuilder.java
+++ /dev/null
@@ -1,217 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
-import org.apache.cxf.message.Message;
-import org.joda.time.DateTime;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * This class constructs an XACML Request given a Principal, list of roles and MessageContext, 
- * following the SAML 2.0 profile of XACML 2.0. The principal name is inserted as the Subject ID,
- * and the list of roles associated with that principal are inserted as Subject roles. The action
- * to send defaults to "execute". 
- * 
- * For a SOAP Service, the resource-id Attribute refers to the 
- * "{serviceNamespace}serviceName#{operationNamespace}operationName" String (shortened to
- * "{serviceNamespace}serviceName#operationName" if the namespaces are identical). The 
- * "{serviceNamespace}serviceName", "{operationNamespace}operationName" and resource URI are also
- * sent to simplify processing at the PDP side.
- * 
- * For a REST service the request URL is the resource. You can also configure the ability to 
- * send the truncated request URI instead for a SOAP or REST service. The current DateTime is 
- * also sent in an Environment, however this can be disabled via configuration.
- */
-public class DefaultXACMLRequestBuilder implements XACMLRequestBuilder {
-
-    private boolean sendDateTime = true;
-    private String action = "execute";
-    private boolean sendFullRequestURL = true;
-
-    /**
-     * Create an XACML Request given a Principal, list of roles and Message.
-     */
-    public RequestType createRequest(Principal principal, List<String> roles, Message message)
-        throws Exception {
-        CXFMessageParser messageParser = new CXFMessageParser(message);
-        String issuer = messageParser.getIssuer();
-        
-        String actionToUse = messageParser.getAction(action);
-
-        SubjectType subjectType = createSubjectType(principal, roles, issuer);
-        ResourceType resourceType = createResourceType(messageParser);
-        AttributeType actionAttribute = createAttribute(XACMLConstants.ACTION_ID, XACMLConstants.XS_STRING,
-                                                        null, actionToUse);
-        ActionType actionType = RequestComponentBuilder.createActionType(Collections.singletonList(actionAttribute));
-
-        return RequestComponentBuilder.createRequestType(Collections.singletonList(subjectType),
-                                                         Collections.singletonList(resourceType), 
-                                                         actionType,
-                                                         createEnvironmentType());
-    }
-
-    private ResourceType createResourceType(CXFMessageParser messageParser) {
-        List<AttributeType> attributes = new ArrayList<>();
-        
-        // Resource-id
-        String resourceId = null;
-        boolean isSoapService = messageParser.isSOAPService();
-        if (isSoapService) {
-            QName serviceName = messageParser.getWSDLService();
-            QName operationName = messageParser.getWSDLOperation();
-            
-            if (serviceName != null) {
-                resourceId = serviceName.toString() + "#";
-                if (serviceName.getNamespaceURI() != null 
-                    && serviceName.getNamespaceURI().equals(operationName.getNamespaceURI())) {
-                    resourceId += operationName.getLocalPart();
-                } else {
-                    resourceId += operationName.toString();
-                }
-            } else {
-                resourceId = operationName.toString();
-            }
-        } else {
-            resourceId = messageParser.getResourceURI(sendFullRequestURL);
-        }
-        
-        attributes.add(createAttribute(XACMLConstants.RESOURCE_ID, XACMLConstants.XS_STRING, null,
-                                           resourceId));
-        
-        if (isSoapService) {
-            // WSDL Service
-            QName wsdlService = messageParser.getWSDLService();
-            if (wsdlService != null) {
-                attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_SERVICE_ID, XACMLConstants.XS_STRING, null,
-                                           wsdlService.toString()));
-            }
-            
-            // WSDL Operation
-            QName wsdlOperation = messageParser.getWSDLOperation();
-            attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_OPERATION_ID, XACMLConstants.XS_STRING, null,
-                                           wsdlOperation.toString()));
-            
-            // WSDL Endpoint
-            String endpointURI = messageParser.getResourceURI(sendFullRequestURL);
-            attributes.add(createAttribute(XACMLConstants.RESOURCE_WSDL_ENDPOINT, XACMLConstants.XS_STRING, null,
-                                           endpointURI));
-        }
-        
-        return RequestComponentBuilder.createResourceType(attributes, null);
-    }
-
-    private EnvironmentType createEnvironmentType() {
-        if (sendDateTime) {
-            List<AttributeType> attributes = new ArrayList<>();
-            AttributeType environmentAttribute = createAttribute(XACMLConstants.CURRENT_DATETIME,
-                                                                 XACMLConstants.XS_DATETIME, null,
-                                                                 new DateTime().toString());
-            attributes.add(environmentAttribute);
-            return RequestComponentBuilder.createEnvironmentType(attributes);
-        }
-        
-        List<AttributeType> attributes = Collections.emptyList();
-        return RequestComponentBuilder.createEnvironmentType(attributes);
-    }
-
-    private SubjectType createSubjectType(Principal principal, List<String> roles, String issuer) {
-        List<AttributeType> attributes = new ArrayList<>();
-        attributes.add(createAttribute(XACMLConstants.SUBJECT_ID, XACMLConstants.XS_STRING, issuer,
-                                       principal.getName()));
-
-        if (roles != null) {
-            List<AttributeValueType> roleAttributes = new ArrayList<>();
-            for (String role : roles) {
-                if (role != null) {
-                    AttributeValueType subjectRoleAttributeValue = 
-                        RequestComponentBuilder.createAttributeValueType(role);
-                    roleAttributes.add(subjectRoleAttributeValue);
-                }
-            }
-
-            if (!roleAttributes.isEmpty()) {
-                AttributeType subjectRoleAttribute = 
-                    createAttribute(
-                        XACMLConstants.SUBJECT_ROLE,
-                        XACMLConstants.XS_ANY_URI,
-                        issuer,
-                        roleAttributes
-                    );
-                attributes.add(subjectRoleAttribute);
-            }
-        }
-
-        return RequestComponentBuilder.createSubjectType(attributes, null);
-    }
-
-    private AttributeType createAttribute(String id, String type, String issuer, List<AttributeValueType> values) {
-        return RequestComponentBuilder.createAttributeType(id, type, issuer, values);
-    }
-    
-    private AttributeType createAttribute(String id, String type, String issuer, String value) {
-        return createAttribute(id, type, issuer, 
-                               Collections.singletonList(RequestComponentBuilder.createAttributeValueType(value)));
-    }
-
-    /**
-     * Set a new Action String to use
-     */
-    public void setAction(String action) {
-        this.action = action;
-    }
-
-    public void setSendDateTime(boolean sendDateTime) {
-        this.sendDateTime = sendDateTime;
-    }
-
-    /**
-     * Whether to send the full Request URL as the resource or not. If set to true,
-     * the full Request URL will be sent for both a JAX-WS and JAX-RS service. If set
-     * to false (the default), a JAX-WS service will send the "{namespace}operation" QName,
-     * and a JAX-RS service will send the RequestURI (i.e. minus the initial https:<ip> prefix).
-     */
-    public void setSendFullRequestURL(boolean sendFullRequestURL) {
-        this.sendFullRequestURL = sendFullRequestURL;
-    }
-
-    @Override
-    public List<String> getResources(Message message) {
-        throw new IllegalAccessError("Deprecated");
-    }
-
-    @Override
-    public String getResource(Message message) {
-        throw new IllegalAccessError("Deprecated");
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
deleted file mode 100644
index 1086364..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/RequestComponentBuilder.java
+++ /dev/null
@@ -1,183 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.List;
-
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.ActionType;
-import org.opensaml.xacml.ctx.AttributeType;
-import org.opensaml.xacml.ctx.AttributeValueType;
-import org.opensaml.xacml.ctx.EnvironmentType;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResourceContentType;
-import org.opensaml.xacml.ctx.ResourceType;
-import org.opensaml.xacml.ctx.SubjectType;
-
-/**
- * A set of utility methods to construct XACML 2.0 Request statements
- */
-public final class RequestComponentBuilder {
-    private static volatile XACMLObjectBuilder<AttributeValueType> attributeValueTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<AttributeType> attributeTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<SubjectType> subjectTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<ResourceType> resourceTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<ActionType> actionTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<EnvironmentType> environmentTypeBuilder;
-    
-    private static volatile XACMLObjectBuilder<RequestType> requestTypeBuilder;
-    
-    private static volatile XMLObjectBuilderFactory builderFactory = 
-        XMLObjectProviderRegistrySupport.getBuilderFactory();
-    
-    private RequestComponentBuilder() {
-        // complete
-    }
-
-    @SuppressWarnings("unchecked")
-    public static AttributeValueType createAttributeValueType(
-        String value
-    ) {
-        if (attributeValueTypeBuilder == null) {
-            attributeValueTypeBuilder = (XACMLObjectBuilder<AttributeValueType>)
-                builderFactory.getBuilder(AttributeValueType.DEFAULT_ELEMENT_NAME);
-        }
-        AttributeValueType attributeValue = attributeValueTypeBuilder.buildObject();
-        attributeValue.setValue(value);
-        
-        return attributeValue;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static AttributeType createAttributeType(
-        String attributeId,
-        String dataType,
-        String issuer,
-        List<AttributeValueType> attributeValues
-    ) {
-        if (attributeTypeBuilder == null) {
-            attributeTypeBuilder = (XACMLObjectBuilder<AttributeType>)
-                builderFactory.getBuilder(AttributeType.DEFAULT_ELEMENT_NAME);
-        }
-        AttributeType attributeType = attributeTypeBuilder.buildObject();
-        attributeType.setAttributeID(attributeId);
-        attributeType.setDataType(dataType);
-        attributeType.setIssuer(issuer);
-        attributeType.getAttributeValues().addAll(attributeValues);
-        
-        return attributeType;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static SubjectType createSubjectType(
-        List<AttributeType> attributes,
-        String subjectCategory
-    ) {
-        if (subjectTypeBuilder == null) {
-            subjectTypeBuilder = (XACMLObjectBuilder<SubjectType>)
-                builderFactory.getBuilder(SubjectType.DEFAULT_ELEMENT_NAME);
-        }
-        SubjectType subject = subjectTypeBuilder.buildObject();
-        if (attributes != null) {
-            subject.getAttributes().addAll(attributes);
-        }
-        subject.setSubjectCategory(subjectCategory);
-        
-        return subject;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static ResourceType createResourceType(
-        List<AttributeType> attributes,
-        ResourceContentType resourceContent
-    ) {
-        if (resourceTypeBuilder == null) {
-            resourceTypeBuilder = (XACMLObjectBuilder<ResourceType>)
-                builderFactory.getBuilder(ResourceType.DEFAULT_ELEMENT_NAME);
-        }
-        ResourceType resource = resourceTypeBuilder.buildObject();
-        if (attributes != null) {
-            resource.getAttributes().addAll(attributes);
-        }
-        resource.setResourceContent(resourceContent);
-        
-        return resource;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static ActionType createActionType(
-        List<AttributeType> attributes
-    ) {
-        if (actionTypeBuilder == null) {
-            actionTypeBuilder = (XACMLObjectBuilder<ActionType>)
-                builderFactory.getBuilder(ActionType.DEFAULT_ELEMENT_NAME);
-        }
-        ActionType action = actionTypeBuilder.buildObject();
-        if (attributes != null) {
-            action.getAttributes().addAll(attributes);
-        }
-        
-        return action;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static EnvironmentType createEnvironmentType(
-        List<AttributeType> attributes
-    ) {
-        if (environmentTypeBuilder == null) {
-            environmentTypeBuilder = (XACMLObjectBuilder<EnvironmentType>)
-                builderFactory.getBuilder(EnvironmentType.DEFAULT_ELEMENT_NAME);
-        }
-        EnvironmentType enviroment = environmentTypeBuilder.buildObject();
-        if (attributes != null) {
-            enviroment.getAttributes().addAll(attributes);
-        }
-        
-        return enviroment;
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static RequestType createRequestType(
-        List<SubjectType> subjects,
-        List<ResourceType> resources,
-        ActionType action,
-        EnvironmentType environment
-    ) {
-        if (requestTypeBuilder == null) {
-            requestTypeBuilder = (XACMLObjectBuilder<RequestType>)
-                builderFactory.getBuilder(RequestType.DEFAULT_ELEMENT_NAME);
-        }
-        RequestType request = requestTypeBuilder.buildObject();
-        request.getSubjects().addAll(subjects);
-        request.getResources().addAll(resources);
-        request.setAction(action);
-        request.setEnvironment(environment);
-        
-        return request;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
deleted file mode 100644
index 353815c..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/SamlRequestComponentBuilder.java
+++ /dev/null
@@ -1,118 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.util.UUID;
-
-import org.joda.time.DateTime;
-import org.opensaml.core.xml.XMLObjectBuilderFactory;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
-import org.opensaml.saml.common.SAMLObjectBuilder;
-import org.opensaml.saml.common.SAMLVersion;
-import org.opensaml.saml.saml2.core.Issuer;
-import org.opensaml.xacml.XACMLObjectBuilder;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.profile.saml.SAMLProfileConstants;
-import org.opensaml.xacml.profile.saml.XACMLAuthzDecisionQueryType;
-
-/**
- * A set of utility methods to construct XACML SAML Request statements, based on the
- * SAML 2.0 profile of XACML v2.0 specification.
- */
-public final class SamlRequestComponentBuilder {
-    private static volatile XACMLObjectBuilder<XACMLAuthzDecisionQueryType> xacmlAuthzDecisionQueryTypeBuilder;
-    
-    private static volatile SAMLObjectBuilder<Issuer> issuerBuilder;
-    
-    private static volatile XMLObjectBuilderFactory builderFactory = 
-        XMLObjectProviderRegistrySupport.getBuilderFactory();
-    
-    private SamlRequestComponentBuilder() {
-        // complete
-    }
-    
-    /**
-     * Create an AuthzDecisionQuery using the defaults
-     */
-    public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
-        String issuerValue,
-        RequestType request,
-        String namespace
-    ) {
-        return createAuthzDecisionQuery(false, false, issuerValue, request, namespace);
-    }
-    
-    @SuppressWarnings("unchecked")
-    public static XACMLAuthzDecisionQueryType createAuthzDecisionQuery(
-        boolean inputContextOnly,
-        boolean returnContext,
-        String issuerValue,
-        RequestType request,
-        String namespace
-    ) {
-        if (xacmlAuthzDecisionQueryTypeBuilder == null) {
-            xacmlAuthzDecisionQueryTypeBuilder = (XACMLObjectBuilder<XACMLAuthzDecisionQueryType>)
-                builderFactory.getBuilder(XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_NAME_XACML20);
-        }
-        XACMLAuthzDecisionQueryType authzQuery = 
-            xacmlAuthzDecisionQueryTypeBuilder.buildObject(
-                namespace,
-                XACMLAuthzDecisionQueryType.DEFAULT_ELEMENT_LOCAL_NAME,
-                SAMLProfileConstants.SAML20XACMLPROTOCOL_PREFIX
-            );
-        authzQuery.setID("_" + UUID.randomUUID().toString());
-        authzQuery.setVersion(SAMLVersion.VERSION_20);
-        authzQuery.setIssueInstant(new DateTime());
-        authzQuery.setInputContextOnly(Boolean.valueOf(inputContextOnly));
-        authzQuery.setReturnContext(Boolean.valueOf(returnContext));
-        
-        if (issuerValue != null) {
-            Issuer issuer = createIssuer(issuerValue);
-            authzQuery.setIssuer(issuer);
-        }
-        
-        authzQuery.setRequest(request);
-        
-        return authzQuery;
-    }
-    
-    
-    /**
-     * Create an Issuer object
-     *
-     * @param issuerValue of type String
-     * @return an Issuer object
-     */
-    @SuppressWarnings("unchecked")
-    public static Issuer createIssuer(String issuerValue) {
-        if (issuerBuilder == null) {
-            issuerBuilder = (SAMLObjectBuilder<Issuer>) 
-                builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
-            
-        }
-        Issuer issuer = issuerBuilder.buildObject();
-        //
-        // The SAML authority that is making the claim(s) in the assertion. The issuer SHOULD 
-        // be unambiguous to the intended relying parties.
-        issuer.setValue(issuerValue);
-        return issuer;
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
deleted file mode 100644
index 2194908..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLAuthorizingInterceptor.java
+++ /dev/null
@@ -1,87 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import javax.xml.transform.Source;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMResult;
-import javax.xml.transform.dom.DOMSource;
-
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
-import org.w3c.dom.Node;
-
-import org.apache.cxf.helpers.DOMUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rt.security.xacml.pdp.api.PolicyDecisionPoint;
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.saml.OpenSAMLUtil;
-import org.opensaml.xacml.ctx.RequestType;
-import org.opensaml.xacml.ctx.ResponseType;
-
-/**
- * An interceptor to perform an XACML authorization request to a remote PDP,
- * and make an authorization decision based on the response. It takes the principal and roles
- * from the SecurityContext, and uses the XACMLRequestBuilder to construct an XACML Request
- * statement. 
- */
-@SuppressWarnings("deprecation")
-public class XACMLAuthorizingInterceptor extends AbstractXACMLAuthorizingInterceptor {
-    private PolicyDecisionPoint pdp;
-    
-    public XACMLAuthorizingInterceptor(PolicyDecisionPoint pdp) {
-        super();
-        this.pdp = pdp;
-    }
-
-    @Override
-    public ResponseType performRequest(RequestType request, Message message) throws Exception {
-        Source requestSource = requestType2Source(request);
-        Source responseSource = this.pdp.evaluate(requestSource);
-        return responseSourceToResponseType(responseSource);
-    }
-    
-    private Source requestType2Source(RequestType request) {
-        Document doc = DOMUtils.createDocument();
-        Element requestElement;
-        try {
-            requestElement = OpenSAMLUtil.toDom(request, doc);
-        } catch (WSSecurityException e) {
-            throw new RuntimeException("Error converting PDP RequestType to Dom", e);
-        }
-        return new DOMSource(requestElement);
-    }
-
-    private ResponseType responseSourceToResponseType(Source responseSource) {
-        try {
-            Transformer trans = TransformerFactory.newInstance().newTransformer();
-            DOMResult res = new DOMResult();
-            trans.transform(responseSource, res);
-            Node nd = res.getNode();
-            if (nd instanceof Document) {
-                nd = ((Document)nd).getDocumentElement();
-            }
-            return (ResponseType)OpenSAMLUtil.fromDom((Element)nd);
-        } catch (Exception e) {
-            throw new RuntimeException("Error converting pdp response to ResponseType", e);
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
deleted file mode 100644
index 3480d8b..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLConstants.java
+++ /dev/null
@@ -1,206 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-
-
-/**
- * XACML 1.x and 2.0 Constants.
- */
-public final class XACMLConstants {
-    
-    //
-    // Attributes
-    //
-    
-    public static final String CURRENT_TIME = 
-        "urn:oasis:names:tc:xacml:1.0:environment:current-time";
-    public static final String CURRENT_DATE = 
-        "urn:oasis:names:tc:xacml:1.0:environment:current-date";
-    public static final String CURRENT_DATETIME = 
-        "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime";
-
-    //
-    // Identifiers
-    //
-    
-    public static final String SUBJECT_DNS_NAME = 
-        "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name";
-    public static final String SUBJECT_IP_ADDR = 
-        "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address";
-    public static final String SUBJECT_AUTHN_METHOD = 
-        "urn:oasis:names:tc:xacml:1.0:subject:authentication-method";
-    public static final String SUBJECT_AUTHN_TIME = 
-        "urn:oasis:names:tc:xacml:1.0:subject:authentication-time";
-    public static final String SUBJECT_KEY_INFO = 
-        "urn:oasis:names:tc:xacml:1.0:subject:key-info";
-    public static final String SUBJECT_REQ_TIME = 
-        "urn:oasis:names:tc:xacml:1.0:subject:request-time";
-    public static final String SUBJECT_START_TIME = 
-        "urn:oasis:names:tc:xacml:1.0:subject:session-start-time";
-    public static final String SUBJECT_ID = 
-        "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
-    public static final String SUBJECT_ID_QUALIFIER = 
-        "urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier";
-    public static final String SUBJECT_CAT_ACCESS_SUBJECT = 
-        "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
-    public static final String SUBJECT_CAT_CODEBASE = 
-        "urn:oasis:names:tc:xacml:1.0:subject-category:codebase";
-    public static final String SUBJECT_CAT_INTERMED_SUBJECT = 
-        "urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject";
-    public static final String SUBJECT_CAT_REC_SUBJECT = 
-        "urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject";
-    public static final String SUBJECT_CAT_REQ_MACHINE = 
-        "urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine";
-    public static final String RESOURCE_LOC = 
-        "urn:oasis:names:tc:xacml:1.0:resource:resource-location";
-    public static final String RESOURCE_ID = 
-        "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
-    
-    // Non-standard (CXF-specific) tags for sending information about SOAP services to the PDP
-    public static final String RESOURCE_WSDL_OPERATION_ID = 
-        "urn:cxf:apache:org:wsdl:operation-id";
-    public static final String RESOURCE_WSDL_SERVICE_ID = 
-        "urn:cxf:apache:org:wsdl:service-id";
-    public static final String RESOURCE_WSDL_ENDPOINT = 
-        "urn:cxf:apache:org:wsdl:endpoint";
-
-    public static final String RESOURCE_FILE_NAME = 
-        "urn:oasis:names:tc:xacml:1.0:resource:simple-file-name";
-    public static final String ACTION_ID = 
-        "urn:oasis:names:tc:xacml:1.0:action:action-id";
-    public static final String ACTION_IMPLIED = 
-        "urn:oasis:names:tc:xacml:1.0:action:implied-action";
-    public static final String SUBJECT_ROLE = 
-        "urn:oasis:names:tc:xacml:2.0:subject:role";
-
-
-    //
-    // Datatypes
-    //
-    
-    public static final String XS_STRING = 
-        "http://www.w3.org/2001/XMLSchema#string";
-    public static final String XS_BOOLEAN = 
-        "http://www.w3.org/2001/XMLSchema#boolean";
-    public static final String XS_INT = 
-        "http://www.w3.org/2001/XMLSchema#integer";
-    public static final String XS_DOUBLE = 
-        "http://www.w3.org/2001/XMLSchema#double";
-    public static final String XS_TIME = 
-        "http://www.w3.org/2001/XMLSchema#time";
-    public static final String XS_DATE = 
-        "http://www.w3.org/2001/XMLSchema#date";
-    public static final String XS_DATETIME = 
-        "http://www.w3.org/2001/XMLSchema#dateTime";
-    public static final String XS_ANY_URI = 
-        "http://www.w3.org/2001/XMLSchema#anyURI";
-    public static final String XS_HEX =
-        "http://www.w3.org/2001/XMLSchema#hexBinary";
-    public static final String XS_BASE64 =
-        "http://www.w3.org/2001/XMLSchema#base64Binary";
-    public static final String RFC_822_NAME = 
-        "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name";
-    public static final String X500_NAME = 
-        "urn:oasis:names:tc:xacml:1.0:data-type:x500Name";
-
-    //
-    // Functions
-    //
-    public static final String FUNC_STRING_EQUAL =  
-        "urn:oasis:names:tc:xacml:1.0:function:string-equal";
-    public static final String FUNC_BOOL_EQUAL = 
-        "urn:oasis:names:tc:xacml:1.0:function:boolean-equal";
-    public static final String FUNC_INT_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:integer-equal";
-    public static final String FUNC_DOUBLE_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:double-equal";
-    public static final String FUNC_DATE_EQUAL = 
-        "urn:oasis:names:tc:xacml:1.0:function:date-equal";
-    public static final String FUNC_TIME_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:time-equal";
-    public static final String FUNC_DATETIME_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:dateTime-equal";
-    public static final String FUNC_ANY_URI_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal";
-    public static final String FUNC_X500_NAME_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:x500Name-equal";
-    public static final String FUNC_RFC_822_NAME_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal";
-    public static final String FUNC_HEX_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal";
-    public static final String FUNC_BASE64_EQUAL =
-        "urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal";
- 
-    public static final String FUNC_INT_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than";
-    public static final String FUNC_INT_GTE =
-        "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal";
-    public static final String FUNC_INT_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:integer-less-than";
-    public static final String FUNC_INT_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal";
-    public static final String FUNC_DOUBLE_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:double-greater-than";
-    public static final String FUNC_DOUBLE_GTE =
-        "urn:oasis:names:tc:xacml:1.0:function:double-greater-than-or-equal";
-    public static final String FUNC_DOUBLE_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:double-less-than";
-    public static final String FUNC_DOUBLE_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:double-less-than-or-equal";
-
-    public static final String FUNC_STRING_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:string-greater-than";
-    public static final String FUNC_STRING_GTE =
-        "urn:oasis:names:tc:xacml:1.0:function:string-greater-than-or-equal";
-    public static final String FUNC_STRING_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:string-less-than";
-    public static final String FUNC_STRING_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:string-less-than-or-equal";
-    public static final String FUNC_TIME_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:time-greater-than";
-    public static final String FUNC_TIME_GTE =
-        "urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal";
-    public static final String FUNC_TIME_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:time-less-than";
-    public static final String FUNC_TIME_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal";
-    public static final String FUNC_DATETIME_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than";
-    public static final String FUNC_DATETIME_GTE = 
-        "urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal";
-    public static final String FUNC_DATETIME_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than";
-    public static final String FUNC_DATETIME_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than-or-equal";
-    public static final String FUNC_DATE_GT =
-        "urn:oasis:names:tc:xacml:1.0:function:date-greater-than";
-    public static final String FUNC_DATE_GTE =
-        "urn:oasis:names:tc:xacml:1.0:function:date-greater-than-or-equal";
-    public static final String FUNC_DATE_LT =
-        "urn:oasis:names:tc:xacml:1.0:function:date-less-than";
-    public static final String FUNC_DATE_LTE =
-        "urn:oasis:names:tc:xacml:1.0:function:date-less-than-or-equal";
-
-    
-    private XACMLConstants() {
-        // complete
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
deleted file mode 100644
index f3a1e6e..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/XACMLRequestBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rt.security.xacml;
-
-import java.security.Principal;
-import java.util.List;
-
-import org.apache.cxf.message.Message;
-import org.opensaml.xacml.ctx.RequestType;
-
-
-/**
- * This interface defines a way to create an XACML Request.
- */
-public interface XACMLRequestBuilder {
-    
-    /**
-     * Create an XACML Request given a Principal, list of roles and Message.
-     * 
-     * @param principal The principal to insert into the Subject of the Request
-     * @param roles The list of roles associated with the principal
-     * @param message The Message from which to retrieve the resource
-     * @return An OpenSAML RequestType object
-     * @throws Exception
-     */
-    RequestType createRequest(Principal principal, List<String> roles, Message message) throws Exception;
-    
-    /**
-     * Return the list of Resources that have been inserted into the Request.
-     * 
-     * @param message The Message from which to retrieve the resource
-     * @return the list of Resources that have been inserted into the Request
-     */
-    @Deprecated
-    List<String> getResources(Message message);
-    
-    /**
-     * Return the Resource that has been inserted into the Request.
-     * 
-     * @param message The Message from which to retrieve the resource
-     * @return the Resource that has been inserted into the Request
-     */
-    @Deprecated
-    String getResource(Message message);
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java b/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
deleted file mode 100644
index c23272f..0000000
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/xacml/pdp/api/PolicyDecisionPoint.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.xacml.pdp.api;
-
-import javax.xml.transform.Source;
-
-/**
- * An interface that describes a PolicyDecisionPoint (PDP).
- */
-public interface PolicyDecisionPoint {
-    
-    /**
-     * Evaluate an XACML Request and return a Response
-     * @param request an XACML Request as a Source
-     * @return the XACML Response as a Source
-     */
-    Source evaluate(Source request);
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/c04c2720/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java b/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
deleted file mode 100644
index 4d9e11d..0000000
--- a/rt/security/src/test/java/org/apache/cxf/rt/security/claims/ClaimsAuthorizingInterceptorTest.java
+++ /dev/null
@@ -1,295 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rt.security.claims;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-import java.security.Principal;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.Set;
-
-import org.apache.cxf.common.security.SimplePrincipal;
-import org.apache.cxf.interceptor.security.AccessDeniedException;
-import org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor;
-import org.apache.cxf.message.ExchangeImpl;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageImpl;
-import org.apache.cxf.rt.security.saml.SAMLSecurityContext;
-import org.apache.cxf.rt.security.saml.SAMLUtils;
-import org.apache.cxf.security.SecurityContext;
-import org.apache.cxf.security.claims.authorization.Claim;
-import org.apache.cxf.security.claims.authorization.ClaimMode;
-import org.apache.cxf.security.claims.authorization.Claims;
-import org.apache.wss4j.common.saml.builder.SAML2Constants;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.Test;
-
-
-public class ClaimsAuthorizingInterceptorTest extends Assert {
-
-    private ClaimsAuthorizingInterceptor interceptor;
-    
-    @Before
-    public void setUp() {
-        interceptor = new ClaimsAuthorizingInterceptor();
-        interceptor.setNameAliases(
-            Collections.singletonMap("authentication", "http://authentication"));
-        interceptor.setFormatAliases(
-                Collections.singletonMap("claims", "http://claims"));
-        interceptor.setSecuredObject(new TestService());
-        
-    }
-    
-    @Test
-    public void testClaimDefaultNameAndFormat() throws Exception {
-        doTestClaims("claimWithDefaultNameAndFormat",
-                createDefaultClaim("admin", "user"), 
-                createClaim("http://authentication", "http://claims", "password"));
-        try {
-            doTestClaims("claimWithDefaultNameAndFormat",
-                    createDefaultClaim("user"), 
-                    createClaim("http://authentication", "http://claims", "password"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testClaimMatchAll() throws Exception {
-        doTestClaims("claimMatchAll",
-                createDefaultClaim("admin", "manager"), 
-                createClaim("http://authentication", "http://claims", "password"));
-        try {
-            doTestClaims("claimMatchAll",
-                    createDefaultClaim("admin"), 
-                    createClaim("http://authentication", "http://claims", "password"));
-            doTestClaims("claimMatchAll",
-                    createDefaultClaim("manager"), 
-                    createClaim("http://authentication", "http://claims", "password"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testMissingExpectedClaim() throws Exception {
-        doTestClaims("claimWithDefaultNameAndFormat",
-                createDefaultClaim("admin"), 
-                createClaim("http://authentication", "http://claims", "password"));
-        try {
-            doTestClaims("claimWithDefaultNameAndFormat",
-                    createDefaultClaim("admin"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testExtraNonExpectedClaim() throws Exception {
-        doTestClaims("claimWithDefaultNameAndFormat",
-                     createDefaultClaim("admin", "user"), 
-                     createClaim("http://authentication", "http://claims", "password"),
-                     createClaim("http://extra/claims", "http://claims", "claim"));
-    }
-    
-    @Test
-    public void testClaimSpecificNameAndFormat() throws Exception {
-        doTestClaims("claimWithSpecificNameAndFormat",
-                createClaim("http://cxf/roles", "http://claims", "admin", "user"), 
-                createClaim("http://authentication", "http://claims", "password"));
-        try {
-            doTestClaims("claimWithSpecificNameAndFormat",
-                    createDefaultClaim("admin", "user"), 
-                    createClaim("http://authentication", "http://claims", "password"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testClaimLaxMode() throws Exception {
-        doTestClaims("claimLaxMode",
-                createClaim("http://authentication", "http://claims", "password"));
-        doTestClaims("claimLaxMode");
-        try {
-            doTestClaims("claimLaxMode",
-                         createClaim("http://authentication", "http://claims", "smartcard"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testMultipleClaims() throws Exception {
-        doTestClaims("multipleClaims", 
-                     createDefaultClaim("admin"),
-                     createClaim("http://authentication", "http://claims", "smartcard"),
-                     createClaim("http://location", "http://claims", "UK"));
-        doTestClaims("multipleClaims", 
-                createDefaultClaim("admin"),
-                createClaim("http://authentication", "http://claims", "password"),
-                createClaim("http://location", "http://claims", "USA"));
-        try {
-            doTestClaims("multipleClaims", 
-                    createDefaultClaim("admin"),
-                    createClaim("http://authentication", "http://claims", "unsecuretransport"),
-                    createClaim("http://location", "http://claims", "UK"));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    @Test
-    public void testUserInRoleAndClaims() throws Exception {
-        SecureAnnotationsInterceptor in = new SecureAnnotationsInterceptor();
-        in.setAnnotationClassName(SecureRole.class.getName());
-        in.setSecuredObject(new TestService2());
-        
-        Message m = prepareMessage(TestService2.class, "test", 
-                createDefaultClaim("admin"),
-                createClaim("a", "b", "c"));
-        
-        in.handleMessage(m);
-        
-        ClaimsAuthorizingInterceptor in2 = new ClaimsAuthorizingInterceptor();
-        org.apache.cxf.rt.security.claims.SAMLClaim claim =
-            new org.apache.cxf.rt.security.claims.SAMLClaim();
-        claim.setNameFormat("a");
-        claim.setName("b");
-        claim.addValue("c");
-        in2.setClaims(Collections.singletonMap("test", 
-                Collections.singletonList(
-                   new ClaimBean(claim))));
-        in2.handleMessage(m);
-        
-        try {
-            in.handleMessage(prepareMessage(TestService2.class, "test", 
-                    createDefaultClaim("user")));
-            fail("AccessDeniedException expected");
-        } catch (AccessDeniedException ex) {
-            // expected
-        }
-    }
-    
-    
-    private void doTestClaims(String methodName,
-            org.apache.cxf.rt.security.claims.Claim... claim) 
-        throws Exception {
-        Message m = prepareMessage(TestService.class, methodName, claim);
-        interceptor.handleMessage(m);
-    }
-    
-    private Message prepareMessage(Class<?> cls,
-            String methodName,
-            org.apache.cxf.rt.security.claims.Claim... claim) 
-        throws Exception {
-        ClaimCollection claims = new ClaimCollection();
-        claims.addAll(Arrays.asList(claim));
-        
-        Set<Principal> roles = 
-            SAMLUtils.parseRolesFromClaims(claims, SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT, 
-                                           SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED);
-        
-        SecurityContext sc = new SAMLSecurityContext(new SimplePrincipal("user"), roles, claims);
-        Message m = new MessageImpl();
-        m.setExchange(new ExchangeImpl());
-        m.put(SecurityContext.class, sc);
-        m.put("org.apache.cxf.resource.method", 
-               cls.getMethod(methodName, new Class[]{}));
-        return m;
-    }
-    
-    private org.apache.cxf.rt.security.claims.Claim createDefaultClaim(
-            Object... values) {
-        return createClaim(SAMLClaim.SAML_ROLE_ATTRIBUTENAME_DEFAULT,
-                           SAML2Constants.ATTRNAME_FORMAT_UNSPECIFIED,
-                           values);
-    }
-    
-    private org.apache.cxf.rt.security.claims.Claim createClaim(
-            String name, String format, Object... values) {
-        SAMLClaim claim = new SAMLClaim();
-        claim.setName(name);
-        claim.setNameFormat(format);
-        claim.setValues(Arrays.asList(values));
-        return claim;
-    }
-    
-    @Claim(name = "authentication", format = "claims", 
-           value = "password")
-    public static class TestService {
-        // default name and format are used
-        @Claim({"admin", "manager" })
-        public void claimWithDefaultNameAndFormat() {
-            
-        }
-        
-        // explicit name and format
-        @Claim(name = "http://cxf/roles", format = "http://claims", 
-               value = {"admin", "manager" })
-        public void claimWithSpecificNameAndFormat() {
-            
-        }
-        
-        @Claim(name = "http://authentication", format = "http://claims", 
-               value = "password", mode = ClaimMode.LAX)
-        public void claimLaxMode() {
-             
-        }
-        
-        @Claims({
-            @Claim(name = "http://location", format = "http://claims", 
-                    value = {"UK", "USA" }),
-            @Claim(value = {"admin", "manager" }),
-            @Claim(name = "authentication", format = "claims", 
-                           value = {"password", "smartcard" })
-        })
-        public void multipleClaims() {
-             
-        }
-        
-        // user must have both admin and manager roles, default is 'or'
-        @Claim(value = {"admin", "manager" },
-               matchAll = true)
-        public void claimMatchAll() {
-            
-        }
-    }
-    public static class TestService2 {
-        @SecureRole("admin")
-        public void test() {
-            
-        }
-    }
-    @Target(ElementType.METHOD)
-    @Retention(RetentionPolicy.RUNTIME)
-    public @interface SecureRole {
-        String[] value();
-    }
-}


Mime
View raw message