cxf-commits mailing list archives

From cohei...@apache.org
Subject [4/4] cxf git commit: Picking up latest WSS4J changes
Date Fri, 03 Apr 2015 11:35:35 GMT
Picking up latest WSS4J changes


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f7a64ca9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f7a64ca9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f7a64ca9

Branch: refs/heads/master
Commit: f7a64ca9f12fa2523c35bc5add4be3e979a7604f
Parents: 102df12
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Apr 2 21:48:49 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Apr 3 12:33:57 2015 +0100

----------------------------------------------------------------------
 .../IssuedTokenInterceptorProvider.java         | 19 +++---
 .../KerberosTokenInterceptorProvider.java       |  2 +-
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    | 66 +++++++++++---------
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  2 +-
 .../policyhandlers/AbstractBindingBuilder.java  | 12 ++--
 .../AbstractBindingPolicyValidator.java         | 15 +++--
 .../AbstractSupportingTokenPolicyValidator.java | 26 ++++----
 .../AlgorithmSuitePolicyValidator.java          |  5 +-
 .../AsymmetricBindingPolicyValidator.java       | 13 ++--
 .../IssuedTokenPolicyValidator.java             |  5 +-
 .../KerberosTokenPolicyValidator.java           |  3 +-
 .../policyvalidators/LayoutPolicyValidator.java | 55 ++++++++++------
 .../PolicyValidatorParameters.java              |  8 +--
 .../SecurityContextTokenPolicyValidator.java    |  5 +-
 .../SymmetricBindingPolicyValidator.java        | 13 ++--
 .../policyvalidators/WSS11PolicyValidator.java  |  7 +--
 .../X509TokenPolicyValidator.java               | 20 +++---
 .../wss4j/AbstractPolicySecurityTest.java       | 21 ++++---
 .../cxf/ws/security/wss4j/CustomProcessor.java  |  1 +
 .../security/wss4j/SecurityActionTokenTest.java |  7 +--
 .../cxf/ws/security/wss4j/WSS4JInOutTest.java   | 13 ++--
 .../ws/security/wss4j/saml/SamlTokenTest.java   | 25 ++++----
 .../cxf/sts/operation/AbstractOperation.java    |  9 ++-
 .../cxf/sts/token/canceller/SCTCanceller.java   | 14 ++---
 .../cxf/sts/token/renewer/SAMLTokenRenewer.java | 12 ++--
 .../transformation/DoubleItPortTypeImpl.java    |  3 +-
 26 files changed, 194 insertions(+), 187 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
index 7014a77..c6f12b0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java
@@ -49,7 +49,6 @@ import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -178,19 +177,19 @@ public class IssuedTokenInterceptorProvider extends AbstractPolicyInterceptorPro
             PolicyValidatorParameters parameters = new PolicyValidatorParameters();
             parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
             parameters.setMessage(message);
-            parameters.setResults(rResult.getResults());
+            parameters.setResults(rResult);
             
-            final List<Integer> actions = new ArrayList<>(1);
-            actions.add(WSConstants.SIGN);
             List<WSSecurityEngineResult> signedResults = 
-                WSSecurityUtil.fetchAllActionResults(rResult.getResults(), actions);
+                rResult.getActionResults().get(WSConstants.SIGN);
             parameters.setSignedResults(signedResults);
             
-            final List<Integer> samlActions = new ArrayList<>(2);
-            samlActions.add(WSConstants.ST_SIGNED);
-            samlActions.add(WSConstants.ST_UNSIGNED);
-            List<WSSecurityEngineResult> samlResults = 
-                WSSecurityUtil.fetchAllActionResults(rResult.getResults(), samlActions);
+            List<WSSecurityEngineResult> samlResults = new ArrayList<>();
+            if (rResult.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+                samlResults.addAll(rResult.getActionResults().get(WSConstants.ST_SIGNED));
+            }
+            if (rResult.getActionResults().containsKey(WSConstants.ST_UNSIGNED)) {
+                samlResults.addAll(rResult.getActionResults().get(WSConstants.ST_UNSIGNED));
+            }
             parameters.setSamlResults(samlResults);
             
             SecurityPolicyValidator issuedValidator = new IssuedTokenPolicyValidator();
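Review bot: `signedResults` is now taken straight from `rResult.getActionResults().get(WSConstants.SIGN)`, which is null when no signature result was recorded, and that null is handed to `parameters.setSignedResults(signedResults)`; the removed `fetchAllActionResults` call evidently never returned null, since callers elsewhere in this commit used its result without a null check. The SAML lookups just below are guarded with `containsKey`, so the signed lookup should get the same treatment, e.g. `if (signedResults == null) { signedResults = new ArrayList<>(); }` before the setter. The same applies to `encryptResults` in the PolicyBasedWSS4JInInterceptor hunks, where the possibly-null list is passed to `parameters.setEncryptedResults(encryptResults)`. The enclosing method starts and ends outside this hunk, so whether the downstream validators tolerate a null list is not visible here.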

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
index 03fe704..7d3bc51 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java
@@ -196,7 +196,7 @@ public class KerberosTokenInterceptorProvider extends AbstractPolicyInterceptorP
             PolicyValidatorParameters parameters = new PolicyValidatorParameters();
             parameters.setAssertionInfoMap(message.get(AssertionInfoMap.class));
             parameters.setMessage(message);
-            parameters.setResults(rResult.getResults());
+            parameters.setResults(rResult);
             
             SecurityPolicyValidator kerberosValidator = new KerberosTokenPolicyValidator();
             kerberosValidator.validatePolicies(parameters, ais);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 683ea34..59c73f0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -82,7 +82,6 @@ import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.Timestamp;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SP13Constants;
@@ -603,12 +602,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         //
         // Pre-fetch various results
         //
-        final List<Integer> actions = new ArrayList<>(3);
-        actions.add(WSConstants.SIGN);
-        actions.add(WSConstants.UT_SIGN);
-        actions.add(WSConstants.ST_SIGNED);
-        List<WSSecurityEngineResult> signedResults = 
-            WSSecurityUtil.fetchAllActionResults(results.getResults(), actions);
+        List<WSSecurityEngineResult> signedResults = new ArrayList<>();
+        if (results.getActionResults().containsKey(WSConstants.SIGN)) {
+            signedResults.addAll(results.getActionResults().get(WSConstants.SIGN));
+        }
+        if (results.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+            signedResults.addAll(results.getActionResults().get(WSConstants.UT_SIGN));
+        }
+        if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+            signedResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
+        }
         Collection<WSDataRef> signed = new HashSet<>();
         for (WSSecurityEngineResult result : signedResults) {
             List<WSDataRef> sl = 
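Review bot: The three `containsKey`/`get` blocks that build `signedResults` concatenate the results grouped by action, whereas the removed `fetchAllActionResults` call presumably returned them in the order they occur in the results list; if any validator fed from `parameters.setSignedResults` depends on processing order, this is a silent behaviour change that deserves a comment or a test. The same lookup pattern is repeated for `utResults` and `samlResults` in the later hunk of this file, and in IssuedTokenInterceptorProvider and AbstractBindingBuilder, so a small private helper (the name below is only a suggestion) would keep the null handling in one place and avoid the double map lookup. The enclosing method starts and ends outside the hunk.

```java
// proposed helper; collects the results for each action, skipping actions with no entry
private static List<WSSecurityEngineResult> collectActionResults(
    WSHandlerResult handlerResult, int... actions
) {
    List<WSSecurityEngineResult> collected = new ArrayList<>();
    for (int action : actions) {
        List<WSSecurityEngineResult> forAction = handlerResult.getActionResults().get(action);
        if (forAction != null) {
            collected.addAll(forAction);
        }
    }
    return collected;
}

// ... unchanged: "Pre-fetch various results" comment ...
List<WSSecurityEngineResult> signedResults =
    collectActionResults(results, WSConstants.SIGN, WSConstants.UT_SIGN, WSConstants.ST_SIGNED);
// ... unchanged: loop collecting signed WSDataRef entries ...
```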
@@ -620,15 +623,16 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
             }
         }
         
-        List<WSSecurityEngineResult> encryptResults = 
-            WSSecurityUtil.fetchAllActionResults(results.getResults(), WSConstants.ENCR);
+        List<WSSecurityEngineResult> encryptResults = results.getActionResults().get(WSConstants.ENCR);
         Collection<WSDataRef> encrypted = new HashSet<>();
-        for (WSSecurityEngineResult result : encryptResults) {
-            List<WSDataRef> sl = 
-                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-            if (sl != null) {
-                for (WSDataRef r : sl) {
-                    encrypted.add(r);
+        if (encryptResults != null) {
+            for (WSSecurityEngineResult result : encryptResults) {
+                List<WSDataRef> sl = 
+                    CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+                if (sl != null) {
+                    for (WSDataRef r : sl) {
+                        encrypted.add(r);
+                    }
                 }
             }
         }
@@ -645,28 +649,34 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         parameters.setAssertionInfoMap(aim);
         parameters.setMessage(msg);
         parameters.setSoapBody(soapBody);
-        parameters.setResults(results.getResults());
+        parameters.setResults(results);
         parameters.setSignedResults(signedResults);
         parameters.setEncryptedResults(encryptResults);
         parameters.setUtWithCallbacks(utWithCallbacks);
         
-        final List<Integer> utActions = new ArrayList<>(2);
-        utActions.add(WSConstants.UT);
-        utActions.add(WSConstants.UT_NOPASSWORD);
-        List<WSSecurityEngineResult> utResults = 
-            WSSecurityUtil.fetchAllActionResults(results.getResults(), utActions);
+        List<WSSecurityEngineResult> utResults = new ArrayList<>();
+        if (results.getActionResults().containsKey(WSConstants.UT)) {
+            utResults.addAll(results.getActionResults().get(WSConstants.UT));
+        }
+        if (results.getActionResults().containsKey(WSConstants.UT_NOPASSWORD)) {
+            utResults.addAll(results.getActionResults().get(WSConstants.UT_NOPASSWORD));
+        }
         parameters.setUsernameTokenResults(utResults);
         
-        final List<Integer> samlActions = new ArrayList<>(2);
-        samlActions.add(WSConstants.ST_SIGNED);
-        samlActions.add(WSConstants.ST_UNSIGNED);
-        List<WSSecurityEngineResult> samlResults = 
-            WSSecurityUtil.fetchAllActionResults(results.getResults(), samlActions);
+        List<WSSecurityEngineResult> samlResults = new ArrayList<>();
+        if (results.getActionResults().containsKey(WSConstants.ST_SIGNED)) {
+            samlResults.addAll(results.getActionResults().get(WSConstants.ST_SIGNED));
+        }
+        if (results.getActionResults().containsKey(WSConstants.ST_UNSIGNED)) {
+            samlResults.addAll(results.getActionResults().get(WSConstants.ST_UNSIGNED));
+        }
         parameters.setSamlResults(samlResults);
         
         // Store the timestamp element
-        WSSecurityEngineResult tsResult = 
-            WSSecurityUtil.fetchActionResult(results.getResults(), WSConstants.TS);
+        WSSecurityEngineResult tsResult = null;
+        if (results.getActionResults().containsKey(WSConstants.TS)) {
+            tsResult = results.getActionResults().get(WSConstants.TS).get(0);
+        }
         Element timestamp = null;
         if (tsResult != null) {
             Timestamp ts = (Timestamp)tsResult.get(WSSecurityEngineResult.TAG_TIMESTAMP);
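Review bot: `results.getActionResults().get(WSConstants.TS).get(0)` relies on the map never holding an empty list for a key, which nothing in this hunk guarantees; an empty list would throw IndexOutOfBoundsException in the middle of policy validation. Fetching the list once and checking it removes both the assumption and the double lookup: `List<WSSecurityEngineResult> tsResults = results.getActionResults().get(WSConstants.TS);` followed by `if (tsResults != null && !tsResults.isEmpty()) { tsResult = tsResults.get(0); }`. The enclosing method extends beyond the hunk on both sides.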

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
index aa4794b..78a7647 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
@@ -282,7 +282,7 @@ public class WSS4JInInterceptor extends AbstractWSS4JInterceptor {
             if (!(wsResult.getResults() == null || wsResult.getResults().isEmpty())) { 
                 // security header found
                 if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
-                    checkSignatureConfirmation(reqData, wsResult.getResults());
+                    checkSignatureConfirmation(reqData, wsResult);
                 }
 
                 checkActions(msg, reqData, wsResult.getResults(), actions, SAAJUtils.getBody(doc));

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 8b902a0..a866496 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -2093,13 +2093,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
          * signature results in the signatureActions list
          */
         List<WSSecurityEngineResult> signatureActions = new ArrayList<>();
-        final List<Integer> signedActions = new ArrayList<>(2);
-        signedActions.add(WSConstants.SIGN);
-        signedActions.add(WSConstants.UT_SIGN);
         for (WSHandlerResult wshResult : results) {
-            signatureActions.addAll(
-                WSSecurityUtil.fetchAllActionResults(wshResult.getResults(), signedActions)
-            );
+            if (wshResult.getActionResults().containsKey(WSConstants.SIGN)) {
+                signatureActions.addAll(wshResult.getActionResults().get(WSConstants.SIGN));
+            }
+            if (wshResult.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+                signatureActions.addAll(wshResult.getActionResults().get(WSConstants.UT_SIGN));
+            }
         }
         
         sigConfList = new ArrayList<>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
index 5dda038..d79470f 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractBindingPolicyValidator.java
@@ -26,7 +26,6 @@ import java.util.List;
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.message.Message;
@@ -41,8 +40,8 @@ import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.token.Timestamp;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding.ProtectionOrder;
@@ -72,18 +71,18 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
     protected boolean validateTimestamp(
         boolean includeTimestamp,
         boolean transportBinding,
-        List<WSSecurityEngineResult> results,
+        WSHandlerResult results,
         List<WSSecurityEngineResult> signedResults,
         Message message
     ) {
         List<WSSecurityEngineResult> timestampResults = 
-            WSSecurityUtil.fetchAllActionResults(results, WSConstants.TS);
+            results.getActionResults().get(WSConstants.TS);
         
         // Check whether we received a timestamp and compare it to the policy
-        if (includeTimestamp && timestampResults.size() != 1) {
+        if (includeTimestamp && (timestampResults == null || timestampResults.size() != 1)) {
             return false;
         } else if (!includeTimestamp) {
-            if (timestampResults.isEmpty()) {
+            if (timestampResults == null || timestampResults.isEmpty()) {
                 return true;
             }
             return false;
@@ -154,7 +153,7 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
         AbstractSymmetricAsymmetricBinding binding, 
         AssertionInfo ai,
         AssertionInfoMap aim,
-        List<WSSecurityEngineResult> results,
+        WSHandlerResult results,
         List<WSSecurityEngineResult> signedResults,
         Message message
     ) {
@@ -177,7 +176,7 @@ public abstract class AbstractBindingPolicyValidator implements SecurityPolicyVa
         PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
         
         // Check whether the signatures were encrypted or not
-        if (binding.isEncryptSignature() && !isSignatureEncrypted(results)) {
+        if (binding.isEncryptSignature() && !isSignatureEncrypted(results.getResults())) {
             ai.setNotAsserted("The signature is not protected");
             return false;
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index f74b2db..74cf2c0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -114,7 +114,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 if (secret != null) {
                     WSSecurityEngineResult dktResult = 
-                        getMatchingDerivedKey(secret, parameters.getResults());
+                        getMatchingDerivedKey(secret, parameters.getResults().getResults());
                     if (dktResult != null) {
                         tokenResults.add(dktResult);
                     }
@@ -174,7 +174,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
      */
     protected boolean processKerberosTokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults()) {
+        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
                 BinarySecurity binarySecurity = 
@@ -204,7 +204,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
             for (WSSecurityEngineResult wser : tokenResults) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
                 WSSecurityEngineResult dktResult = 
-                    getMatchingDerivedKey(secret, parameters.getResults());
+                    getMatchingDerivedKey(secret, parameters.getResults().getResults());
                 if (dktResult != null) {
                     dktResults.add(dktResult);
                 }
@@ -232,7 +232,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
      */
     protected boolean processX509Tokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults()) {
+        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.BST) {
                 BinarySecurity binarySecurity = 
@@ -262,7 +262,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
             List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
             for (WSSecurityEngineResult wser : tokenResults) {
                 WSSecurityEngineResult resultToStore = 
-                    processX509DerivedTokenResult(wser, parameters.getResults());
+                    processX509DerivedTokenResult(wser, parameters.getResults().getResults());
                 if (resultToStore != null) {
                     dktResults.add(resultToStore);
                 }
@@ -360,7 +360,7 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
      */
     protected boolean processSCTokens(PolicyValidatorParameters parameters, boolean derived) {
         List<WSSecurityEngineResult> tokenResults = new ArrayList<>();
-        for (WSSecurityEngineResult wser : parameters.getResults()) {
+        for (WSSecurityEngineResult wser : parameters.getResults().getResults()) {
             Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
             if (actInt.intValue() == WSConstants.SCT) {
                 tokenResults.add(wser);
@@ -385,7 +385,8 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
             List<WSSecurityEngineResult> dktResults = new ArrayList<>(tokenResults.size());
             for (WSSecurityEngineResult wser : tokenResults) {
                 byte[] secret = (byte[])wser.get(WSSecurityEngineResult.TAG_SECRET);
-                WSSecurityEngineResult dktResult = getMatchingDerivedKey(secret, parameters.getResults());
+                WSSecurityEngineResult dktResult = 
+                    getMatchingDerivedKey(secret, parameters.getResults().getResults());
                 if (dktResult != null) {
                     dktResults.add(dktResult);
                 }
@@ -859,12 +860,11 @@ public abstract class AbstractSupportingTokenPolicyValidator extends AbstractSec
         for (WSSecurityEngineResult result : encryptedResults) {
             List<WSDataRef> dataRefs = 
                 CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-            if (dataRefs == null) {
-                return false;
-            }
-            for (WSDataRef dataRef : dataRefs) {
-                if (token == dataRef.getProtectedElement()) {
-                    return true;
+            if (dataRefs != null) {
+                for (WSDataRef dataRef : dataRefs) {
+                    if (token == dataRef.getProtectedElement()) {
+                        return true;
+                    }
                 }
             }
         }
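Review bot: The loop over `encryptedResults` at the top of this hunk has no null guard, while elsewhere in this commit PolicyBasedWSS4JInInterceptor passes the possibly-null `getActionResults().get(WSConstants.ENCR)` to `parameters.setEncryptedResults`; if this list comes from those parameters (the method signature is outside the hunk), a message with no encryption results would throw here instead of returning false. Separately, replacing `return false` on a null `dataRefs` with skipping that result changes the outcome of this check, and the commit message does not mention it. A one-line comment such as `// a result without data references cannot cover the token; keep checking the others` would record the intent, and a test with a reference-less encryption result ahead of the matching one would pin it.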

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index b8ca765..706e0a5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -35,6 +35,7 @@ import org.apache.wss4j.common.principal.WSDerivedKeyTokenPrincipal;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.transform.STRTransform;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
@@ -87,10 +88,10 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
     }
     
     private boolean validatePolicy(
-        AssertionInfo ai, AlgorithmSuite algorithmPolicy, List<WSSecurityEngineResult> results
+        AssertionInfo ai, AlgorithmSuite algorithmPolicy, WSHandlerResult results
     ) {
         boolean success = true;
-        for (WSSecurityEngineResult result : results) {
+        for (WSSecurityEngineResult result : results.getResults()) {
             Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
             if (WSConstants.SIGN == actInt 
                 && !checkSignatureAlgorithms(result, algorithmPolicy, ai)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
index 3bd9eac..2c12a30 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AsymmetricBindingPolicyValidator.java
@@ -61,21 +61,16 @@ public class AsymmetricBindingPolicyValidator extends AbstractBindingPolicyValid
      * Validate policies.
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
-        boolean hasDerivedKeys = false;
-        for (WSSecurityEngineResult result : parameters.getResults()) {
-            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.DKT) {
-                hasDerivedKeys = true;
-                break;
-            }
-        }
+        boolean hasDerivedKeys = 
+            parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
         
         for (AssertionInfo ai : ais) {
             AsymmetricBinding binding = (AsymmetricBinding)ai.getAssertion();
             ai.setAsserted(true);
 
             // Check the protection order
-            if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
+            if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, 
+                                      parameters.getResults().getResults())) {
                 continue;
             }
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
index 3335d88..dcac606 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/IssuedTokenPolicyValidator.java
@@ -22,7 +22,6 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.List;
 
 import javax.xml.namespace.QName;
@@ -41,7 +40,6 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -90,8 +88,7 @@ public class IssuedTokenPolicyValidator extends AbstractSamlPolicyValidator {
         }
         
         List<WSSecurityEngineResult> bstResults = 
-            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), 
-                                                 Collections.singletonList(WSConstants.BST));
+            parameters.getResults().getActionResults().get(WSConstants.BST);
             
         if (bstResults != null) {
             for (WSSecurityEngineResult bstResult : bstResults) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
index f7710fb..6c05801 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/KerberosTokenPolicyValidator.java
@@ -68,7 +68,8 @@ public class KerberosTokenPolicyValidator extends AbstractSecurityPolicyValidato
      * Validate policies.
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
-        List<WSSecurityEngineResult> kerberosResults = findKerberosResults(parameters.getResults());
+        List<WSSecurityEngineResult> kerberosResults = 
+            findKerberosResults(parameters.getResults().getResults());
         
         for (WSSecurityEngineResult kerberosResult : kerberosResults) {
             KerberosSecurity kerberosToken = 

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
index a0b1b4b..b74025a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/LayoutPolicyValidator.java
@@ -75,7 +75,8 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
             ai.setAsserted(true);
             assertToken(layout, parameters.getAssertionInfoMap());
             
-            if (!validatePolicy(layout, parameters.getResults(), parameters.getSignedResults())) {
+            if (!validatePolicy(layout, parameters.getResults().getResults(), 
+                                parameters.getSignedResults())) {
                 String error = "Layout does not match the requirements";
                 ai.setNotAsserted(error);
             }
@@ -119,7 +120,7 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
             }
         } else if (strict && (!validateStrictSignaturePlacement(results, signedResults) 
             || !validateStrictSignatureTokenPlacement(results)
-            || !checkSignatureIsSignedPlacement(signedResults))) {
+            || !checkSignatureIsSignedPlacement(results, signedResults))) {
             return false;
         }
         
@@ -184,9 +185,11 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
         return true;
     }
     
-    private boolean checkSignatureIsSignedPlacement(List<WSSecurityEngineResult> signedResults) {
-        for (int i = 0; i < signedResults.size(); i++) {
-            WSSecurityEngineResult signedResult = signedResults.get(i);
+    private boolean checkSignatureIsSignedPlacement(
+        List<WSSecurityEngineResult> results,
+        List<WSSecurityEngineResult> signedResults
+    ) {
+        for (WSSecurityEngineResult signedResult : signedResults) {
             List<WSDataRef> sl =
                 CastUtils.cast((List<?>)signedResult.get(
                     WSSecurityEngineResult.TAG_DATA_REF_URIS
@@ -196,21 +199,9 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
                     QName signedQName = dataRef.getName();
                     if (WSSecurityEngine.SIGNATURE.equals(signedQName)) {
                         Element protectedElement = dataRef.getProtectedElement();
-                        boolean endorsingSigFound = false;
-                        // Results are stored in reverse order
-                        for (WSSecurityEngineResult result : signedResults) {
-                            if (result == signedResult) {
-                                endorsingSigFound = true;
-                            }
-                            Element resultElement = 
-                                (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
-                            if (resultElement == protectedElement) {
-                                if (endorsingSigFound) {
-                                    break;
-                                } else {
-                                    return false;
-                                }
-                            }
+                        if (!isEndorsingSignatureInCorrectPlace(results, signedResult,
+                                                                protectedElement)) {
+                            return false;
                         }
                     }
                 }
@@ -219,6 +210,30 @@ public class LayoutPolicyValidator extends AbstractSecurityPolicyValidator {
         return true;
     }
     
+    private boolean isEndorsingSignatureInCorrectPlace(List<WSSecurityEngineResult> results,
+                                              WSSecurityEngineResult signedResult,
+                                              Element protectedElement) {
+        boolean endorsingSigFound = false;
+        // Results are stored in reverse order
+        for (WSSecurityEngineResult result : results) {
+            Integer action = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (WSConstants.SIGN == action || WSConstants.ST_SIGNED == action
+                || WSConstants.UT_SIGN == action) {
+                if (result == signedResult) {
+                    endorsingSigFound = true;
+                }
+                Element resultElement = 
+                    (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                if (endorsingSigFound && resultElement == protectedElement) {
+                    return true;
+                } else if (resultElement == protectedElement) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+    
     /**
      * Find the index of the token corresponding to either the X509Certificate or PublicKey used 
      * to sign the "signatureResult" argument.
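Review bot: `WSConstants.SIGN == action` in the new isEndorsingSignatureInCorrectPlace unboxes the `Integer` read from TAG_ACTION, so a result without that tag would throw a NullPointerException in the middle of layout validation. This assumes the WSConstants action values are primitive ints, as the removed `actInt.intValue() == WSConstants.DKT` in SymmetricBindingPolicyValidator suggests. A guard such as `if (action == null) { continue; }` before the comparison avoids it. The helper also has no Javadoc: it should say that `results` is expected in reverse processing order, and that the final `return true` deliberately accepts a protected signature element that matches no signature result, because that is the default a strict-layout check falls back to.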

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
index 24f3d13..5c032e5 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/PolicyValidatorParameters.java
@@ -22,10 +22,10 @@ package org.apache.cxf.ws.security.wss4j.policyvalidators;
 import java.util.List;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
 
 /**
  * Holds various parameters to the policy validators
@@ -34,7 +34,7 @@ public class PolicyValidatorParameters {
     private AssertionInfoMap assertionInfoMap;
     private Message message;
     private Element soapBody;
-    private List<WSSecurityEngineResult> results;
+    private WSHandlerResult results;
     private List<WSSecurityEngineResult> signedResults;
     private List<WSSecurityEngineResult> encryptedResults;
     private List<WSSecurityEngineResult> usernameTokenResults;
@@ -58,11 +58,11 @@ public class PolicyValidatorParameters {
         this.soapBody = soapBody;
     }
     
-    public List<WSSecurityEngineResult> getResults() {
+    public WSHandlerResult getResults() {
         return results;
     }
     
-    public void setResults(List<WSSecurityEngineResult> results) {
+    public void setResults(WSHandlerResult results) {
         this.results = results;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
index 2b58882..9c6444e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SecurityContextTokenPolicyValidator.java
@@ -27,7 +27,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.SecurityContextToken;
@@ -56,7 +55,7 @@ public class SecurityContextTokenPolicyValidator extends AbstractSecurityPolicyV
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         List<WSSecurityEngineResult> sctResults = 
-            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.SCT);
+            parameters.getResults().getActionResults().get(WSConstants.SCT);
 
         for (AssertionInfo ai : ais) {
             SecurityContextToken sctPolicy = (SecurityContextToken)ai.getAssertion();
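Review bot: `getActionResults().get(WSConstants.SCT)` evidently returns null when no result of that action was recorded, so every later use of `sctResults` now depends on a null guard, where the removed `fetchAllActionResults` call was followed by a bare `isEmpty()`. Normalising once at the lookup keeps the rest of the method as it was: `if (sctResults == null) { sctResults = Collections.emptyList(); }` (this needs `java.util.Collections`, whose import is not visible in this hunk). The same applies to `scResults` in WSS11PolicyValidator and to `bstResults` in X509TokenPolicyValidator, where the guard is repeated across the @@ -88, @@ -134 and @@ -148 hunks. A guard missed in one of these validators would surface as a NullPointerException during policy validation rather than as a failed assertion. validatePolicies continues outside the hunk.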
@@ -67,7 +66,7 @@ public class SecurityContextTokenPolicyValidator extends AbstractSecurityPolicyV
                 continue;
             }
 
-            if (sctResults.isEmpty()) {
+            if (sctResults == null || sctResults.isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
index 2c6d355..08b1699 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/SymmetricBindingPolicyValidator.java
@@ -59,21 +59,16 @@ public class SymmetricBindingPolicyValidator extends AbstractBindingPolicyValida
      * Validate policies.
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
-        boolean hasDerivedKeys = false;
-        for (WSSecurityEngineResult result : parameters.getResults()) {
-            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
-            if (actInt.intValue() == WSConstants.DKT) {
-                hasDerivedKeys = true;
-                break;
-            }
-        }
+        boolean hasDerivedKeys = 
+            parameters.getResults().getActionResults().containsKey(WSConstants.DKT);
         
         for (AssertionInfo ai : ais) {
             SymmetricBinding binding = (SymmetricBinding)ai.getAssertion();
             ai.setAsserted(true);
 
             // Check the protection order
-            if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, parameters.getResults())) {
+            if (!checkProtectionOrder(binding, parameters.getAssertionInfoMap(), ai, 
+                                      parameters.getResults().getResults())) {
                 continue;
             }
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
index 68c54c5..14e4180 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/WSS11PolicyValidator.java
@@ -30,7 +30,6 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.policy.PolicyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -60,7 +59,7 @@ public class WSS11PolicyValidator extends AbstractSecurityPolicyValidator {
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         List<WSSecurityEngineResult> scResults =
-            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.SC);
+            parameters.getResults().getActionResults().get(WSConstants.SC);
         
         for (AssertionInfo ai : ais) {
             Wss11 wss11 = (Wss11)ai.getAssertion();
@@ -71,8 +70,8 @@ public class WSS11PolicyValidator extends AbstractSecurityPolicyValidator {
                 continue;
             }
             
-            if ((wss11.isRequireSignatureConfirmation() && scResults.isEmpty())
-                || (!wss11.isRequireSignatureConfirmation() && !scResults.isEmpty())) {
+            if ((wss11.isRequireSignatureConfirmation() && (scResults == null || scResults.isEmpty()))
+                || (!wss11.isRequireSignatureConfirmation() && !(scResults == null || scResults.isEmpty()))) {
                 ai.setNotAsserted(
                     "Signature Confirmation policy validation failed"
                 );
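Review bot: The two-arm condition now spells out `scResults == null || scResults.isEmpty()` twice and is hard to check by eye at this line length. Both arms reduce to comparing the policy flag with whether a confirmation is absent, so I would write `boolean noConfirmation = scResults == null || scResults.isEmpty();` followed by `if (wss11.isRequireSignatureConfirmation() == noConfirmation) {`. That is the same truth table, and it makes the intent visible: a required confirmation must be present and a non-required one must be absent. The enclosing loop in validatePolicies starts and ends outside the hunk.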

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index f3d9195..20ffd2a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -41,7 +41,6 @@ import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.str.STRParser;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP11Constants;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.SPConstants;
@@ -77,7 +76,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
      */
     public void validatePolicies(PolicyValidatorParameters parameters, Collection<AssertionInfo> ais) {
         List<WSSecurityEngineResult> bstResults = 
-            WSSecurityUtil.fetchAllActionResults(parameters.getResults(), WSConstants.BST);
+            parameters.getResults().getActionResults().get(WSConstants.BST);
         
         for (AssertionInfo ai : ais) {
             X509Token x509TokenPolicy = (X509Token)ai.getAssertion();
@@ -88,7 +87,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
                 continue;
             }
 
-            if (bstResults.isEmpty() && parameters.getSignedResults().isEmpty()) {
+            if ((bstResults == null || bstResults.isEmpty()) && parameters.getSignedResults().isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
@@ -134,7 +133,7 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
         List<WSSecurityEngineResult> bstResults,
         List<WSSecurityEngineResult> signedResults
     ) {
-        if (bstResults.isEmpty() && signedResults.isEmpty()) {
+        if ((bstResults == null || bstResults.isEmpty()) && signedResults.isEmpty()) {
             return false;
         }
 
@@ -148,16 +147,15 @@ public class X509TokenPolicyValidator extends AbstractSecurityPolicyValidator {
             v3certRequired = true;
         }
 
-        for (WSSecurityEngineResult result : bstResults) {
-            BinarySecurity binarySecurityToken = 
-                (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
-            if (binarySecurityToken != null) {
-                String type = binarySecurityToken.getValueType();
-                if (requiredType.equals(type)) {
+        if (bstResults != null) {
+            for (WSSecurityEngineResult result : bstResults) {
+                BinarySecurity binarySecurityToken = 
+                    (BinarySecurity)result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
+                if (binarySecurityToken != null && requiredType.equals(binarySecurityToken.getValueType())) {
                     if (v3certRequired && binarySecurityToken instanceof X509Security) {
                         try {
                             X509Certificate cert = 
-                                 ((X509Security)binarySecurityToken).getX509Certificate(null);
+                                ((X509Security)binarySecurityToken).getX509Certificate(null);
                             if (cert != null && cert.getVersion() == 3) {
                                 return true;
                             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index 2a36ab9..45d7277 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -73,7 +73,6 @@ import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SP12Constants;
 import org.apache.wss4j.policy.model.AsymmetricBinding;
 
@@ -437,8 +436,8 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
         assertTrue(results != null && results.size() == 1);
         
         List<WSSecurityEngineResult> signatureResults = 
-            WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
-        assertTrue(!signatureResults.isEmpty());
+            results.get(0).getActionResults().get(WSConstants.SIGN);
+        assertTrue(!(signatureResults == null || signatureResults.isEmpty()));
     }
     
     protected void verifyWss4jEncResults(SoapMessage inmsg) {
@@ -451,16 +450,22 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
         assertSame(handlerResults.size(), 1);
 
         final List<WSSecurityEngineResult> protectionResults = 
-            WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(), WSConstants.ENCR);
+            handlerResults.get(0).getActionResults().get(WSConstants.ENCR);
         assertNotNull(protectionResults);
         
         //
         // This result should contain a reference to the decrypted element
         //
-        final Map<String, Object> result = protectionResults.get(0);
-        final List<WSDataRef> protectedElements = 
-            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
-        assertNotNull(protectedElements);
+        boolean foundReferenceList = false;
+        for (Map<String, Object> result : protectionResults) {
+            final List<WSDataRef> protectedElements = 
+                CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+            if (protectedElements != null) {
+                foundReferenceList = true;
+                break;
+            }
+        }
+        assertTrue(foundReferenceList);
     }
     
     // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
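Review bot: The kept comment "This result should contain a reference to the decrypted element" no longer matches the code below it, because the new loop accepts a reference list on any ENCR result rather than requiring it on the first one. Update it to something like `// At least one ENCR result should contain a reference to the decrypted element`, so the relaxed expectation is stated. If the first-result requirement was dropped because result ordering changed in WSS4J, saying so in the comment would help the next reader judge whether the weaker assertion is intended.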

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
index b820be0..7dfc971 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
@@ -39,6 +39,7 @@ public class CustomProcessor implements Processor {
         final WSSecurityEngineResult result = 
             new WSSecurityEngineResult(WSConstants.SIGN);
         result.put("foo", this);
+        wsDocInfo.addResult(result);
         return java.util.Collections.singletonList(result);
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
index 43d9dd3..6540449 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/SecurityActionTokenTest.java
@@ -53,7 +53,6 @@ import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.HandlerAction;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.junit.Test;
 
 
@@ -70,11 +69,11 @@ public class SecurityActionTokenTest extends AbstractSecurityTest {
         List<HandlerAction> actions = 
             Collections.singletonList(new HandlerAction(WSConstants.SIGN, actionToken));
         
-        Map<String, Object> outProperties = new HashMap<String, Object>();
+        Map<String, Object> outProperties = new HashMap<>();
         outProperties.put(WSHandlerConstants.HANDLER_ACTIONS, actions);
         outProperties.put(WSHandlerConstants.PW_CALLBACK_REF, new TestPwdCallback());
         
-        Map<String, String> inProperties = new HashMap<String, String>();
+        Map<String, String> inProperties = new HashMap<>();
         inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
         inProperties.put(WSHandlerConstants.SIG_VER_PROP_FILE, "insecurity.properties");
         
@@ -85,7 +84,7 @@ public class SecurityActionTokenTest extends AbstractSecurityTest {
         List<WSHandlerResult> handlerResults = 
             getResults(makeInvocation(outProperties, xpaths, inProperties));
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+            handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
          
         X509Certificate certificate = 
             (X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
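Review bot: `getActionResults().get(WSConstants.SIGN).get(0)` fails with a NullPointerException or IndexOutOfBoundsException when no signature result is present, instead of failing on an assertion that names the missing result. Fetch the list first and assert on it, e.g. `List<WSSecurityEngineResult> signResults = handlerResults.get(0).getActionResults().get(WSConstants.SIGN);` then `assertTrue(signResults != null && !signResults.isEmpty());`. The same chain appears in WSS4JInOutTest (@@ -109, @@ -137, @@ -447) and throughout SamlTokenTest, where the following `assertTrue(actionResult != null)` can no longer fail for a missing signature because the chain throws first. In WSS4JInOutTest @@ -416, `assertTrue(signatureResults.size() == 1)` lacks the null guard that the @@ -342 hunk adds. The test method continues outside the hunk.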

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
index c07ab6c..d298905 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
@@ -61,7 +61,6 @@ import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.junit.Test;
 
 
@@ -109,7 +108,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
         List<WSHandlerResult> handlerResults = 
             getResults(makeInvocation(outProperties, xpaths, inProperties));
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+            handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
          
         X509Certificate certificate = 
             (X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
@@ -137,7 +136,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
         List<WSHandlerResult> handlerResults = 
             getResults(makeInvocation(outProperties, xpaths, inProperties));
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+            handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
          
         X509Certificate certificate = 
             (X509Certificate) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
@@ -342,8 +341,8 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
         List<WSHandlerResult> results = getResults(inmsg);
         assertTrue(results != null && results.size() == 1);
         List<WSSecurityEngineResult> signatureResults = 
-            WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
-        assertTrue(signatureResults.size() == 0);
+            results.get(0).getActionResults().get(WSConstants.SIGN);
+        assertTrue(signatureResults == null || signatureResults.size() == 0);
     }
     
     @Test
@@ -416,7 +415,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
         List<WSHandlerResult> results = getResults(inmsg);
         assertTrue(results != null && results.size() == 1);
         List<WSSecurityEngineResult> signatureResults = 
-            WSSecurityUtil.fetchAllActionResults(results.get(0).getResults(), WSConstants.SIGN);
+            results.get(0).getActionResults().get(WSConstants.SIGN);
         assertTrue(signatureResults.size() == 1);
         
         Object obj = signatureResults.get(0).get("foo");
@@ -447,7 +446,7 @@ public class WSS4JInOutTest extends AbstractSecurityTest {
         List<WSHandlerResult> handlerResults = 
             getResults(makeInvocation(outProperties, xpaths, inProperties));
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+            handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
          
         X509Certificate[] certificates = 
             (X509Certificate[]) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
index 1e021ea..6103b6e 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/SamlTokenTest.java
@@ -62,7 +62,6 @@ import org.apache.wss4j.dom.WSSecurityEngine;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.junit.Test;
 
 /**
@@ -119,7 +118,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
@@ -164,7 +163,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
@@ -204,7 +203,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -249,7 +248,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_UNSIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_UNSIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -305,14 +304,13 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);
         assert receivedAssertion.isSigned();
         
-        actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+        actionResult = handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
         assertTrue(actionResult != null);
     }
     
@@ -372,14 +370,13 @@ public class SamlTokenTest extends AbstractSecurityTest {
             CastUtils.cast((List<?>)message.get(WSHandlerConstants.RECV_RESULTS));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
         assert receivedAssertion.isSigned();
         
-        actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
+        actionResult = handlerResults.get(0).getActionResults().get(WSConstants.SIGN).get(0);
         assertTrue(actionResult != null);
     }
     
@@ -436,7 +433,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -496,7 +493,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml2() != null);
@@ -555,7 +552,7 @@ public class SamlTokenTest extends AbstractSecurityTest {
         assertTrue(sc.isUserInRole("admin"));
         
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.ST_SIGNED);
+            handlerResults.get(0).getActionResults().get(WSConstants.ST_SIGNED).get(0);
         SamlAssertionWrapper receivedAssertion = 
             (SamlAssertionWrapper) actionResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
         assertTrue(receivedAssertion != null && receivedAssertion.getSaml1() != null);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index 0ee5a6c..5837b71 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -543,11 +543,10 @@ public abstract class AbstractOperation {
         // DOM
         if (results != null) {
             for (WSHandlerResult rResult : results) {
-                List<WSSecurityEngineResult> wsSecEngineResults = rResult.getResults();
-                for (WSSecurityEngineResult wser : wsSecEngineResults) {
-                    int wserAction = 
-                        ((java.lang.Integer)wser.get(WSSecurityEngineResult.TAG_ACTION)).intValue();
-                    if (wserAction == WSConstants.SIGN) {
+                List<WSSecurityEngineResult> signedResults = 
+                    rResult.getActionResults().get(WSConstants.SIGN);
+                if (signedResults != null) {
+                    for (WSSecurityEngineResult wser : signedResults) {
                         X509Certificate cert = 
                             (X509Certificate)wser.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                         if (cert != null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
index 7d146f7..e8685db 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
@@ -156,17 +156,17 @@ public class SCTCanceller implements TokenCanceller {
 
         if (handlerResults != null && handlerResults.size() > 0) {
             WSHandlerResult handlerResult = handlerResults.get(0);
-            List<WSSecurityEngineResult> engineResults = handlerResult.getResults();
+            List<WSSecurityEngineResult> signedResults = 
+                handlerResult.getActionResults().get(WSConstants.SIGN);
 
-            for (WSSecurityEngineResult engineResult : engineResults) {
-                Integer action = (Integer)engineResult.get(WSSecurityEngineResult.TAG_ACTION);
-                if (action.equals(WSConstants.SIGN)) {
+            if (signedResults != null) {
+                for (WSSecurityEngineResult engineResult : signedResults) {
                     byte[] receivedKey = (byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
                     if (Arrays.equals(secretToMatch, receivedKey)) {
                         LOG.log(
-                            Level.FINE, 
-                            "Verification of the proof of possession of the key associated with "
-                            + "the security context successful."
+                                Level.FINE, 
+                                "Verification of the proof of possession of the key associated with "
+                                + "the security context successful."
                         );
                         return true;
                     }
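Review bot: `Arrays.equals(secretToMatch, receivedKey)` returns true when both arguments are null, and a SIGN result that carries no `TAG_SECRET` entry would presumably yield a null `receivedKey`. `secretToMatch` is assigned outside this hunk, so it is not visible whether it can be null here. If it can, the proof-of-possession check would succeed without any key material being compared. A guard such as `if (secretToMatch != null && receivedKey != null && MessageDigest.isEqual(secretToMatch, receivedKey))` closes that case and makes the key comparison constant-time; it needs an import of `java.security.MessageDigest`. The re-indentation of the `LOG.log` arguments is whitespace-only and could be left out of the change.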

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
index ea6b016..7325520 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/renewer/SAMLTokenRenewer.java
@@ -67,7 +67,6 @@ import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.joda.time.DateTime;
 import org.opensaml.saml.common.SAMLVersion;
@@ -555,12 +554,13 @@ public class SAMLTokenRenewer extends AbstractSAMLTokenProvider implements Token
             List<WSSecurityEngineResult> signedResults = new ArrayList<>();
             if (handlerResults != null && handlerResults.size() > 0) {
                 WSHandlerResult handlerResult = handlerResults.get(0);
-                List<WSSecurityEngineResult> results = handlerResult.getResults();
-                final List<Integer> signedActions = new ArrayList<>(2);
-                signedActions.add(WSConstants.SIGN);
-                signedActions.add(WSConstants.UT_SIGN);
                 
-                signedResults.addAll(WSSecurityUtil.fetchAllActionResults(results, signedActions));
+                if (handlerResult.getActionResults().containsKey(WSConstants.SIGN)) {
+                    signedResults.addAll(handlerResult.getActionResults().get(WSConstants.SIGN));
+                }
+                if (handlerResult.getActionResults().containsKey(WSConstants.UT_SIGN)) {
+                    signedResults.addAll(handlerResult.getActionResults().get(WSConstants.UT_SIGN));
+                }
             }
             
             TLSSessionInfo tlsInfo = (TLSSessionInfo)messageContext.get(TLSSessionInfo.class.getName());
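Review bot: The two `containsKey(...)` / `get(...)` pairs look each action up twice and differ from the fetch-then-null-check form this commit uses in AbstractOperation and SCTCanceller. `containsKey` also returns true for a key mapped to null, in which case `signedResults.addAll(null)` would throw. Fetching once reads more simply and covers both cases: `List<WSSecurityEngineResult> sig = handlerResult.getActionResults().get(WSConstants.SIGN);` followed by `if (sig != null) { signedResults.addAll(sig); }`, and the same for `WSConstants.UT_SIGN`. The enclosing method starts and ends outside the hunk.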

http://git-wip-us.apache.org/repos/asf/cxf/blob/f7a64ca9/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
----------------------------------------------------------------------
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
index 270a8f7..9b995b7 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/DoubleItPortTypeImpl.java
@@ -32,7 +32,6 @@ import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.example.contract.doubleit.DoubleItPortType;
 import org.junit.Assert;
 
@@ -53,7 +52,7 @@ public class DoubleItPortTypeImpl implements DoubleItPortType {
         final List<WSHandlerResult> handlerResults = 
             CastUtils.cast((List<?>)context.get(WSHandlerConstants.RECV_RESULTS));
         WSSecurityEngineResult actionResult =
-            WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.UT);
+            handlerResults.get(0).getActionResults().get(WSConstants.UT).get(0);
         SamlAssertionWrapper assertion = 
             (SamlAssertionWrapper)actionResult.get(WSSecurityEngineResult.TAG_TRANSFORMED_TOKEN);
         Assert.assertTrue(assertion != null && "DoubleItSTSIssuer".equals(assertion.getIssuerString()));

