From cohei...@apache.org
Subject [2/2] cxf git commit: Introducing new security constants to be shared between SOAP + REST code
Date Tue, 14 Apr 2015 13:42:44 GMT
Introducing new security constants to be shared between SOAP + REST code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5faf1822
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5faf1822
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5faf1822

Branch: refs/heads/master
Commit: 5faf182264c64bd3c0abc0addc9746b64492c864
Parents: 5f5db64
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Apr 14 14:41:59 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Apr 14 14:41:59 2015 +0100

----------------------------------------------------------------------
 .../grants/saml/Saml2BearerGrantHandler.java    |   2 +-
 .../saml/sso/AbstractServiceProviderFilter.java |   5 +-
 rt/rs/security/xml/pom.xml                      |   8 +-
 .../cxf/rs/security/common/CryptoLoader.java    |   5 +-
 .../cxf/rs/security/common/SecurityUtils.java   |  19 +-
 .../rs/security/saml/AbstractSamlInHandler.java |  30 ++-
 .../apache/cxf/rs/security/saml/SAMLUtils.java  |   2 +-
 .../security/xml/AbstractXmlEncInHandler.java   |   3 +-
 .../security/xml/AbstractXmlSigInHandler.java   |   2 +-
 .../rs/security/xml/XmlEncOutInterceptor.java   |   6 +-
 .../rs/security/xml/XmlSecInInterceptor.java    |   2 +-
 .../rs/security/xml/XmlSecOutInterceptor.java   |   5 +-
 .../rs/security/xml/XmlSigOutInterceptor.java   |   3 +-
 .../cxf/rt/security/SecurityConstants.java      | 211 +++++++++++++++++++
 .../cxf/rt/security/utils/SecurityUtils.java    |  12 ++
 .../cxf/ws/security/SecurityConstants.java      | 166 ++-------------
 .../cxf/ws/security/kerberos/KerberosUtils.java |   2 +-
 .../SpnegoContextTokenInInterceptor.java        |   2 +-
 .../SpnegoContextTokenOutInterceptor.java       |   2 +-
 .../ws/security/trust/AbstractSTSClient.java    |   3 +
 .../trust/AuthPolicyValidatingInterceptor.java  |   3 +-
 .../cxf/ws/security/trust/STSLoginModule.java   |   4 +-
 .../delegation/WSSUsernameCallbackHandler.java  |   4 +-
 .../wss4j/AbstractTokenInterceptor.java         |   2 +-
 .../wss4j/AbstractWSS4JInterceptor.java         |  16 +-
 .../wss4j/AbstractWSS4JStaxInterceptor.java     |   9 +-
 .../wss4j/BinarySecurityTokenInterceptor.java   |   2 +-
 .../wss4j/PolicyBasedWSS4JInInterceptor.java    |  26 +--
 .../PolicyBasedWSS4JStaxInInterceptor.java      |  25 +--
 .../PolicyBasedWSS4JStaxOutInterceptor.java     |  25 +--
 .../ws/security/wss4j/SamlTokenInterceptor.java |  14 +-
 .../wss4j/StaxSecurityContextInInterceptor.java |   5 +-
 .../wss4j/UsernameTokenInterceptor.java         |  10 +-
 .../ws/security/wss4j/WSS4JInInterceptor.java   |  44 ++--
 .../security/wss4j/WSS4JStaxInInterceptor.java  |  13 +-
 .../security/wss4j/WSS4JStaxOutInterceptor.java |   9 +-
 .../policyhandlers/AbstractBindingBuilder.java  |  47 +++--
 .../AbstractStaxBindingHandler.java             |  11 +-
 .../StaxAsymmetricBindingHandler.java           |   6 +-
 .../StaxSymmetricBindingHandler.java            |   6 +-
 .../policyhandlers/TransportBindingHandler.java |   4 +-
 .../crypto/provider/CryptoProviderUtils.java    |   2 +-
 .../security/saml/SamlCallbackHandler.java      |   2 +-
 43 files changed, 469 insertions(+), 310 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
index 6a29910..94d49aa 100644
--- a/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2-saml/src/main/java/org/apache/cxf/rs/security/oauth2/grants/saml/Saml2BearerGrantHandler.java
@@ -52,11 +52,11 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.saml.SAMLKeyInfo;
 import org.apache.wss4j.common.saml.SAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
index b4afac4..ac64188 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractServiceProviderFilter.java
@@ -54,11 +54,12 @@ import org.apache.cxf.rs.security.saml.SAMLUtils;
 import org.apache.cxf.rs.security.saml.assertion.Subject;
 import org.apache.cxf.rs.security.saml.sso.state.RequestState;
 import org.apache.cxf.rs.security.saml.sso.state.ResponseState;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.saml.OpenSAMLUtil;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.opensaml.saml.saml2.core.AuthnRequest;
@@ -188,7 +189,7 @@ public abstract class AbstractServiceProviderFilter extends AbstractSSOSpHandler
         
         if (name != null) {
             String roleAttributeName = 
-                (String)m.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, m);
             if (roleAttributeName == null || roleAttributeName.length() == 0) {
                 roleAttributeName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/pom.xml
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/pom.xml b/rt/rs/security/xml/pom.xml
index 6b7589c..9f23405 100644
--- a/rt/rs/security/xml/pom.xml
+++ b/rt/rs/security/xml/pom.xml
@@ -46,11 +46,15 @@
             <artifactId>cxf-rt-frontend-jaxrs</artifactId>
             <version>${project.version}</version>
         </dependency>
-        <!-- replace with wss4j, santario and opensaml deps -->
         <dependency>
             <groupId>org.apache.cxf</groupId>
-            <artifactId>cxf-rt-ws-security</artifactId>
+            <artifactId>cxf-rt-security-saml</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.wss4j</groupId>
+            <artifactId>wss4j-ws-security-dom</artifactId>
+            <version>${cxf.wss4j.version}</version>
+        </dependency>
     </dependencies>
 </project>
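Review bot: After this hunk the module declares only cxf-rt-security-saml and wss4j-ws-security-dom, yet files in the same module still import `org.apache.xml.security.*` (AbstractXmlSigInHandler, XmlSigOutInterceptor) and `org.opensaml.xmlsec.signature.support.SignatureConstants` (XmlSigOutInterceptor) directly, so those packages now arrive only transitively. That is exactly what the removed `<!-- replace with wss4j, santario and opensaml deps -->` comment asked to fix, and it is the shape `dependency:analyze` reports as used-undeclared; it also breaks silently if the intermediate artifact ever narrows or re-scopes its own dependencies. Declaring the Santuario and OpenSAML artifacts explicitly here, with the version properties the build already uses, would close that gap; I cannot see the parent POM, so it is possible the author intends cxf-rt-security-saml to be the module's sole API surface for them, in which case a short comment saying so would help the next reader.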

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java
index 62dae7b..005940f 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/CryptoLoader.java
@@ -52,12 +52,13 @@ public class CryptoLoader {
                             String cryptoKey, 
                             String propKey) 
         throws IOException, WSSecurityException {
-        Crypto crypto = (Crypto)message.getContextualProperty(cryptoKey);
+        Crypto crypto = 
+            (Crypto)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(cryptoKey, message);
         if (crypto != null) {
             return crypto;
         }
         
-        Object o = message.getContextualProperty(propKey);
+        Object o = org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(propKey, message);
         if (o == null) {
             return null;
         }
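Review bot: The fully-qualified `org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(...)` is spelled out on both L160 and L166, presumably because this package already has its own `SecurityUtils`, and the same long form recurs in SecurityUtils.java, AbstractSamlInHandler, XmlEncOutInterceptor and XmlSecOutInterceptor later in this commit. A single `import static org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue;` per file would let each call site read as `getSecurityPropertyValue(cryptoKey, message)` and remove the line continuation on L159-L160. The enclosing method's signature starts before this hunk and its body continues after it.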

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
index 06b3462..d8db9ed 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/common/SecurityUtils.java
@@ -33,7 +33,7 @@ import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.crypto.Merlin;
@@ -56,9 +56,16 @@ public final class SecurityUtils {
         
         Message requestMessage = outMessage != null && MessageUtils.isRequestor(outMessage) 
             ? outMessage : m;
+        
+        Object encryptionProperties = 
+            org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+            SecurityConstants.ENCRYPT_PROPERTIES, m);
+        Object signatureProperties = 
+            org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+            SecurityConstants.SIGNATURE_PROPERTIES, m);
+        
         return "POST".equals((String)requestMessage.get(Message.HTTP_REQUEST_METHOD))
-            && m.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES) != null 
-            && m.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES) != null;
+            && encryptionProperties != null && signatureProperties != null;
     }
     
     public static X509Certificate loadX509Certificate(Crypto crypto, Element certNode) 
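Review bot: The two lookups added on L191-L196 run unconditionally, whereas the removed expression on L199-L200 only consulted the properties after the `"POST"` check succeeded, so every non-POST request now pays for two `getSecurityPropertyValue` calls whose results are discarded. The short-circuit can be kept together with the named locals by guarding first: `if (!"POST".equals((String)requestMessage.get(Message.HTTP_REQUEST_METHOD))) {` / `    return false;` / `}` and then `return encryptionProperties != null && signatureProperties != null;` after the existing lookups. Note also that the properties are still read from `m` while the HTTP method comes from `requestMessage`; that is unchanged from the old code, but a one-line comment on why the two differ would save the next reader a question. The method's signature lies above this hunk.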
@@ -108,7 +115,8 @@ public final class SecurityUtils {
     }
     
     public static String getUserName(Message message, Crypto crypto, String userNameKey) {
-        String user = (String)message.getContextualProperty(userNameKey);
+        String user = 
+            (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(userNameKey, message);
         return getUserName(crypto, user);
     }
     
@@ -151,7 +159,8 @@ public final class SecurityUtils {
                                                      Class<?> callingClass,
                                                      String callbackProperty) throws WSSecurityException {
         //Then try to get the password from the given callback handler
-        Object o = message.getContextualProperty(callbackProperty);
+        Object o = 
+            org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(callbackProperty, message);
     
         try {
             return org.apache.cxf.rt.security.utils.SecurityUtils.getCallbackHandler(o);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
index 1e87629..9b672e0 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/AbstractSamlInHandler.java
@@ -41,17 +41,15 @@ import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProvider;
 import org.apache.cxf.rs.security.saml.authorization.SecurityContextProviderImpl;
 import org.apache.cxf.rs.security.xml.AbstractXmlSecInHandler;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.security.transport.TLSSessionInfo;
 import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
-import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.WSProviderConfig;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -142,8 +140,16 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
                 } catch (IOException ex) {
                     throwFault("Crypto can not be loaded", ex);
                 }
-                data.setEnableRevocation(MessageUtils.isTrue(
-                    message.getContextualProperty(ConfigurationConstants.ENABLE_REVOCATION)));
+                
+                boolean enableRevocation = false;
+                String enableRevocationStr = 
+                    (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+                        SecurityConstants.ENABLE_REVOCATION, message);
+                if (enableRevocationStr != null) {
+                    enableRevocation = Boolean.parseBoolean(enableRevocationStr);
+                }
+                data.setEnableRevocation(enableRevocation);
+                
                 Signature sig = assertion.getSignature();
                 WSDocInfo docInfo = new WSDocInfo(sig.getDOM().getOwnerDocument());
                 
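Review bot: The revocation flag on L259-L265 is now read with a `(String)` cast, whereas the removed `MessageUtils.isTrue` call accepted a `Boolean` as well, so a configuration that sets the property to `Boolean.TRUE` rather than the string "true" now fails with ClassCastException instead of enabling revocation checking; the same regression is in the next hunk, where `MessageUtils.getContextualBoolean` was replaced for the audience-restriction flag. Since `Boolean.parseBoolean(null)` already yields false, the null guard is also redundant, and both sites collapse to `Object enableRevocation = org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENABLE_REVOCATION, message);` followed by `data.setEnableRevocation(enableRevocation != null && Boolean.parseBoolean(enableRevocation.toString()));`. Separately, the lookup key changes from the WSS4J `ConfigurationConstants.ENABLE_REVOCATION` to `SecurityConstants.ENABLE_REVOCATION`, whose string value is not visible in this excerpt; if the two differ, a deployment that still sets the WSS4J key will silently run with revocation checking disabled, which deserves a migration note. The enclosing method starts before and ends after this hunk.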
@@ -184,12 +190,16 @@ public abstract class AbstractSamlInHandler implements ContainerRequestFilter {
     
     protected void configureAudienceRestriction(Message msg, RequestData reqData) {
         // Add Audience Restrictions for SAML
-        boolean enableAudienceRestriction = 
-            MessageUtils.getContextualBoolean(msg, 
-                                              SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, 
-                                              false);
+        boolean enableAudienceRestriction = false;
+        String audRestrStr = 
+            (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+                SecurityConstants.AUDIENCE_RESTRICTION_VALIDATION, msg);
+        if (audRestrStr != null) {
+            enableAudienceRestriction = Boolean.parseBoolean(audRestrStr);
+        }
+        
         if (enableAudienceRestriction) {
-            List<String> audiences = new ArrayList<String>();
+            List<String> audiences = new ArrayList<>();
             if (msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
                 audiences.add((String)msg.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL));
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
index 7660337..52fc057 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/saml/SAMLUtils.java
@@ -31,7 +31,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.saml.assertion.Subject;
-import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.saml.SAMLCallback;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
index 31e0431..70025d8 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlEncInHandler.java
@@ -32,16 +32,15 @@ import javax.xml.stream.XMLStreamReader;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.apache.cxf.common.util.Base64Exception;
 import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.cxf.staxutils.W3CDOMStreamReader;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.KeyUtils;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
index 9d52f58..88d7270 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/AbstractXmlSigInHandler.java
@@ -37,9 +37,9 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.staxutils.W3CDOMStreamReader;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.xml.security.exceptions.XMLSecurityException;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
index c2aa6ef..9753f43 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
@@ -41,7 +41,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.token.DOMX509Data;
@@ -111,7 +111,9 @@ public class XmlEncOutInterceptor extends AbstractXmlSecOutInterceptor {
         if (encryptSymmetricKey) {
             X509Certificate receiverCert = null;
             
-            String userName = (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
+            String userName = 
+                (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+                    SecurityConstants.ENCRYPT_USERNAME, message);
             if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
                 && !MessageUtils.isRequestor(message)) {
                 receiverCert = 

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 9576bb9..1e76b85 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -49,8 +49,8 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
 import org.apache.cxf.rs.security.common.TrustValidator;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.cxf.staxutils.StaxUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoType;
 import org.apache.wss4j.common.ext.WSPasswordCallback;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
index 41be15a..123f59f 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecOutInterceptor.java
@@ -46,7 +46,7 @@ import org.apache.cxf.phase.AbstractPhaseInterceptor;
 import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -159,7 +159,8 @@ public class XmlSecOutInterceptor extends AbstractPhaseInterceptor<Message> {
         if (encryptSymmetricKey) {
             X509Certificate sendingCert = null;
             String userName = 
-                (String)message.getContextualProperty(SecurityConstants.ENCRYPT_USERNAME);
+                (String)org.apache.cxf.rt.security.utils.SecurityUtils.getSecurityPropertyValue(
+                    SecurityConstants.ENCRYPT_USERNAME, message);
             if (SecurityUtils.USE_REQUEST_SIGNATURE_CERT.equals(userName)
                 && !MessageUtils.isRequestor(message)) {
                 sendingCert = 

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
index 05800c6..e7891db 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
@@ -36,14 +36,13 @@ import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.rs.security.common.CryptoLoader;
 import org.apache.cxf.rs.security.common.SecurityUtils;
-import org.apache.cxf.ws.security.SecurityConstants;
+import org.apache.cxf.rt.security.SecurityConstants;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.xml.security.signature.XMLSignature;
 import org.apache.xml.security.transforms.Transforms;
 import org.apache.xml.security.utils.Constants;
-
 import org.opensaml.xmlsec.signature.support.SignatureConstants;
 
 //TODO: Make sure that enveloped signatures can be applied to individual

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
new file mode 100644
index 0000000..4ad1e1b
--- /dev/null
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/SecurityConstants.java
@@ -0,0 +1,211 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.rt.security;
+
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * This class contains some configuration tags that can be used to configure various security properties. These
+ * tags are shared between the SOAP stack (WS-SecurityPolicy configuration), as well as the REST stack (JAX-RS
+ * XML Security). 
+ * 
+ * The configuration tags largely relate to properties for signing, encryption as well as SAML tokens. Most of
+ * the signing/encryption tags refer to Apache WSS4J "Crypto" objects, which are used by both stacks to control
+ * how certificates/keys are retrieved, etc.
+ * 
+ * More specific configuration tags for WS-SecurityPolicy are configured in the SecurityConstants 
+ * class in the cxf-rt-ws-security module, which extends this class.
+ */
+public class SecurityConstants {
+    
+    //
+    // User properties
+    //
+    
+    /**
+     * The user's name. It is used as follows:
+     * a) As the name in the UsernameToken for WS-Security.
+     * b) As the alias name in the keystore to get the user's cert and private key for signature
+     *    if {@link SIGNATURE_USERNAME} is not set.
+     * c) As the alias name in the keystore to get the user's public key for encryption if 
+     *    {@link ENCRYPT_USERNAME} is not set.
+     */
+    public static final String USERNAME = "security.username";
+    
+    /**
+     * The user's password when a {@link CALLBACK_HANDLER} is not defined.
+     */
+    public static final String PASSWORD = "security.password";
+    
+    /**
+     * The user's name for signature. It is used as the alias name in the keystore to get the user's cert 
+     * and private key for signature. If this is not defined, then {@link USERNAME} is used instead. If 
+     * that is also not specified, it uses the the default alias set in the properties file referenced by
+     * {@link SIGNATURE_PROPERTIES}. If that's also not set, and the keystore only contains a single key, 
+     * that key will be used. 
+     */
+    public static final String SIGNATURE_USERNAME = "security.signature.username";
+    
+    /**
+     * The user's name for encryption. It is used as the alias name in the keystore to get the user's public 
+     * key for encryption. If this is not defined, then {@link USERNAME} is used instead. If 
+     * that is also not specified, it uses the the default alias set in the properties file referenced by
+     * {@link ENCRYPT_PROPERTIES}. If that's also not set, and the keystore only contains a single key, 
+     * that key will be used.
+     * 
+     * For the WS-Security web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) 
+     * any client whose public key is in the service's truststore (defined in {@link ENCRYPT_PROPERTIES}).
+     */
+    public static final String ENCRYPT_USERNAME = "security.encryption.username";
+    
+    //
+    // Callback class and Crypto properties
+    //
+    
+    /**
+     * The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound 
+     * requests. The value of this tag must be either:
+     * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must
+     * be accessible via the classpath.
+     * b) A {@link javax.security.auth.callback.CallbackHandler} instance.
+     */
+    public static final String CALLBACK_HANDLER = "security.callback-handler";
+    
+    /**
+     * The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this 
+     * tag must be either:
+     * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must
+     * be accessible via the classpath.
+     * b) A {@link javax.security.auth.callback.CallbackHandler} instance.
+     */
+    public static final String SAML_CALLBACK_HANDLER = "security.saml-callback-handler";
+    
+    /**
+     * The Crypto property configuration to use for signature, if {@link SIGNATURE_CRYPTO} is not set instead.
+     * The value of this tag must be either:
+     * a) A Java Properties object that contains the Crypto configuration.
+     * b) The path of the Crypto property file that contains the Crypto configuration.
+     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
+     */
+    public static final String SIGNATURE_PROPERTIES = "security.signature.properties";
+    
+    /**
+     * The Crypto property configuration to use for encryption, if {@link ENCRYPT_CRYPTO} is not set instead.
+     * The value of this tag must be either:
+     * a) A Java Properties object that contains the Crypto configuration.
+     * b) The path of the Crypto property file that contains the Crypto configuration.
+     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
+     */
+    public static final String ENCRYPT_PROPERTIES = "security.encryption.properties";
+    
+    /**
+     * A Crypto object to be used for signature. If this is not defined then the 
+     * {@link SIGNATURE_PROPERTIES} is used instead.
+     */
+    public static final String SIGNATURE_CRYPTO = "security.signature.crypto";
+    
+    /**
+     * A Crypto object to be used for encryption. If this is not defined then the 
+     * {@link ENCRYPT_PROPERTIES} is used instead.
+     */
+    public static final String ENCRYPT_CRYPTO = "security.encryption.crypto";
+    
+    /**
+     * A message property for prepared X509 certificate to be used for encryption. 
+     * If this is not defined, then the certificate will be either loaded from the 
+     * keystore {@link ENCRYPT_PROPERTIES} or extracted from request (when WS-Security is used and
+     * if {@link ENCRYPT_USERNAME} has value "useReqSigCert").
+     */
+    public static final String ENCRYPT_CERT = "security.encryption.certificate";
+    
+    //
+    // Boolean Security configuration tags, e.g. the value should be "true" or "false".
+    //
+    
+    /**
+     * Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust 
+     * in a certificate. The default value is "false".
+     */
+    public static final String ENABLE_REVOCATION = "security.enableRevocation";
+    
+    /**
+     * Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false.
+     */
+    public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = 
+            "security.enable.unsigned-saml-assertion.principal";
+    
+    /**
+     * Whether to validate the SubjectConfirmation requirements of a received SAML Token
+     * (sender-vouches or holder-of-key). The default is true.
+     */
+    public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = 
+        "security.validate.saml.subject.conf";
+    
+    /**
+     * Set this to "false" if security context must not be created from JAAS Subject.
+     *
+     * The default value is "true".
+     */
+    public static final String SC_FROM_JAAS_SUBJECT = "security.sc.jaas-subject";
+    
+    /**
+     * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the
+     * SAML Token contains Audience Restriction URIs, one of them must match either the
+     * request URL or the Service QName. The default is "true".
+     */
+    public static final String AUDIENCE_RESTRICTION_VALIDATION = "security.validate.audience-restriction";
+    
+    //
+    // Non-boolean WS-Security Configuration parameters
+    //
+    
+    /**
+     * The attribute URI of the SAML AttributeStatement where the role information is stored.
+     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
+     */
+    public static final String SAML_ROLE_ATTRIBUTENAME = "security.saml-role-attributename";
+    
+    /**
+     * A comma separated String of regular expressions which will be applied to the subject DN of 
+     * the certificate used for signature validation, after trust verification of the certificate 
+     * chain associated with the  certificate.
+     */
+    public static final String SUBJECT_CERT_CONSTRAINTS = "security.subject.cert.constraints";
+    
+    public static final Set<String> COMMON_PROPERTIES;
+    
+    static {
+        Set<String> s = new HashSet<>(Arrays.asList(new String[] {
+            USERNAME, PASSWORD, SIGNATURE_USERNAME, ENCRYPT_USERNAME,
+            CALLBACK_HANDLER, SAML_CALLBACK_HANDLER, SIGNATURE_PROPERTIES, 
+            SIGNATURE_CRYPTO, ENCRYPT_PROPERTIES, ENCRYPT_CRYPTO,
+            ENABLE_REVOCATION, SUBJECT_CERT_CONSTRAINTS, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
+            AUDIENCE_RESTRICTION_VALIDATION
+        }));
+        COMMON_PROPERTIES = Collections.unmodifiableSet(s);
+    }
+    
+    protected SecurityConstants() {
+        // complete
+    }
+}
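Review bot: COMMON_PROPERTIES omits four constants this same class declares — ENCRYPT_CERT, VALIDATE_SAML_SUBJECT_CONFIRMATION, SC_FROM_JAAS_SUBJECT and SAML_ROLE_ATTRIBUTENAME — so the subclass loop that registers the legacy `"ws-" + name` aliases never sees them. If ALL_PROPERTIES is what gates which contextual properties are honoured (its consumers are not visible here), a deployment still setting `ws-security.validate.saml.subject.conf` or `ws-security.sc.jaas-subject` would silently lose those settings, and for the SAML subject-confirmation check that is a security-relevant regression. Adding them to the array in the static block, `ENCRYPT_CERT, VALIDATE_SAML_SUBJECT_CONFIRMATION, SC_FROM_JAAS_SUBJECT, SAML_ROLE_ATTRIBUTENAME`, keeps the set in step with the constants the class actually defines. Separately, the Javadoc cross-references are written as `{@link SIGNATURE_USERNAME}` rather than `{@link #SIGNATURE_USERNAME}`, so javadoc will try to resolve them as type names; the class comment should also say that the old `ws-security.*` spellings of these tags remain accepted, since that is the contract the rest of the commit relies on.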

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
----------------------------------------------------------------------
diff --git a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
index d86f115..2c040fc 100644
--- a/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
+++ b/rt/security/src/main/java/org/apache/cxf/rt/security/utils/SecurityUtils.java
@@ -161,4 +161,16 @@ public final class SecurityUtils {
         
         return null;
     }
+    
+    /**
+     * Get the security property value for the given property. It also checks for the older "ws-"* property
+     * values.
+     */
+    public static Object getSecurityPropertyValue(String property, Message message) {
+        Object value = message.getContextualProperty(property);
+        if (value != null) {
+            return value;
+        }
+        return message.getContextualProperty("ws-" + property);
+    }
 }
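Review bot: The Javadoc on getSecurityPropertyValue has a stray `"ws-"*` and does not state the two things a caller needs: the precedence when both names are set, and the naming assumption the fallback relies on. The method builds the legacy key by prefixing `"ws-"`, which only yields a real legacy name when `property` begins with `security.`, and the new name wins whenever it is non-null. I would reword it as: `Look up a security property on the message, preferring the new "security.*" name and falling back to the legacy "ws-security.*" spelling ("ws-" + property). If both are set the new name wins. Pass a constant from org.apache.cxf.rt.security.SecurityConstants; for any other property name the fallback key is meaningless.` A `@return` line noting that null means the property is set under neither name would complete it.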

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index 805d69e..4080167 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -28,116 +28,19 @@ import java.util.Set;
  * Configuration tags used to configure the WS-SecurityPolicy layer. Some of them are also 
  * used by the non WS-SecurityPolicy approach in the WSS4J(Out|In)Interceptors.
  */
-public final class SecurityConstants {
+public final class SecurityConstants extends org.apache.cxf.rt.security.SecurityConstants {
     
     //
     // User properties
     //
     
     /**
-     * The user's name. It is used differently by each of the WS-Security functions:
-     * a) It is used as the name in the UsernameToken
-     * b) It is used as the alias name in the keystore to get the user's cert and private key for signature
-     *    if {@link SIGNATURE_USERNAME} is not set.
-     * c) It is used as the alias name in the keystore to get the user's public key for encryption if 
-     *    {@link ENCRYPT_USERNAME} is not set.
-     */
-    public static final String USERNAME = "ws-security.username";
-    
-    /**
-     * The user's password when a {@link CALLBACK_HANDLER} is not defined. It is currently only used for 
-     * the case of adding a password to a UsernameToken.
-     */
-    public static final String PASSWORD = "ws-security.password";
-    
-    /**
-     * The user's name for signature. It is used as the alias name in the keystore to get the user's cert 
-     * and private key for signature. If this is not defined, then {@link USERNAME} is used instead. If 
-     * that is also not specified, it uses the the default alias set in the properties file referenced by
-     * {@link SIGNATURE_PROPERTIES}. If that's also not set, and the keystore only contains a single key, 
-     * that key will be used. 
-     */
-    public static final String SIGNATURE_USERNAME = "ws-security.signature.username";
-    
-    /**
-     * The user's name for encryption. It is used as the alias name in the keystore to get the user's public 
-     * key for encryption. If this is not defined, then {@link USERNAME} is used instead. If 
-     * that is also not specified, it uses the the default alias set in the properties file referenced by
-     * {@link ENCRYPT_PROPERTIES}. If that's also not set, and the keystore only contains a single key, 
-     * that key will be used.
-     * 
-     * For the web service provider, the "useReqSigCert" keyword can be used to accept (encrypt to) any 
-     * client whose public key is in the service's truststore (defined in {@link ENCRYPT_PROPERTIES}).
-     */
-    public static final String ENCRYPT_USERNAME = "ws-security.encryption.username";
-    
-    /**
      * The actor or role name of the wsse:Security header. If this parameter 
      * is omitted, the actor name is not set.
      */
     public static final String ACTOR = "ws-security.actor";
     
     //
-    // Callback class and Crypto properties
-    //
-    
-    /**
-     * The CallbackHandler implementation class used to obtain passwords, for both outbound and inbound 
-     * requests. The value of this tag must be either:
-     * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must
-     * be accessible via the classpath.
-     * b) A {@link javax.security.auth.callback.CallbackHandler} instance.
-     */
-    public static final String CALLBACK_HANDLER = "ws-security.callback-handler";
-    
-    /**
-     * The SAML CallbackHandler implementation class used to construct SAML Assertions. The value of this 
-     * tag must be either:
-     * a) The class name of a {@link javax.security.auth.callback.CallbackHandler} instance, which must
-     * be accessible via the classpath.
-     * b) A {@link javax.security.auth.callback.CallbackHandler} instance.
-     */
-    public static final String SAML_CALLBACK_HANDLER = "ws-security.saml-callback-handler";
-    
-    /**
-     * The Crypto property configuration to use for signature, if {@link SIGNATURE_CRYPTO} is not set instead.
-     * The value of this tag must be either:
-     * a) A Java Properties object that contains the Crypto configuration.
-     * b) The path of the Crypto property file that contains the Crypto configuration.
-     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
-     */
-    public static final String SIGNATURE_PROPERTIES = "ws-security.signature.properties";
-    
-    /**
-     * The Crypto property configuration to use for encryption, if {@link ENCRYPT_CRYPTO} is not set instead.
-     * The value of this tag must be either:
-     * a) A Java Properties object that contains the Crypto configuration.
-     * b) The path of the Crypto property file that contains the Crypto configuration.
-     * c) A URL that points to the Crypto property file that contains the Crypto configuration.
-     */
-    public static final String ENCRYPT_PROPERTIES = "ws-security.encryption.properties";
-    
-    /**
-     * A Crypto object to be used for signature. If this is not defined then the 
-     * {@link SIGNATURE_PROPERTIES} is used instead.
-     */
-    public static final String SIGNATURE_CRYPTO = "ws-security.signature.crypto";
-    
-    /**
-     * A Crypto object to be used for encryption. If this is not defined then the 
-     * {@link ENCRYPT_PROPERTIES} is used instead.
-     */
-    public static final String ENCRYPT_CRYPTO = "ws-security.encryption.crypto";
-    
-    /**
-     * A message property for prepared X509 certificate to be used for encryption. 
-     * If this is not defined, then the certificate will be either loaded from the 
-     * keystore {@link ENCRYPT_PROPERTIES} or extracted from request 
-     * (if {@link ENCRYPT_USERNAME} has value "useReqSigCert").
-     */
-    public static final String ENCRYPT_CERT = "ws-security.encryption.certificate";
-    
-    //
     // Boolean WS-Security configuration tags, e.g. the value should be "true" or "false".
     //
     
@@ -146,12 +49,6 @@ public final class SecurityConstants {
      */
     public static final String VALIDATE_TOKEN = "ws-security.validate.token";
     
-    /**
-     * Whether to enable Certificate Revocation List (CRL) checking or not when verifying trust 
-     * in a certificate. The default value is "false".
-     */
-    public static final String ENABLE_REVOCATION = "ws-security.enableRevocation";
-    
     // WebLogic and WCF always encrypt UsernameTokens whenever possible
     //See:  http://e-docs.bea.com/wls/docs103/webserv_intro/interop.html
     //Be default, we will encrypt as well for interop reasons.  However, this
@@ -170,12 +67,6 @@ public final class SecurityConstants {
     public static final String IS_BSP_COMPLIANT = "ws-security.is-bsp-compliant";
     
     /**
-     * Whether to allow unsigned saml assertions as SecurityContext Principals. The default is false.
-     */
-    public static final String ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL = 
-            "ws-security.enable.unsigned-saml-assertion.principal";
-    
-    /**
      * Whether to cache UsernameToken nonces. The default value is "true" for message recipients, and 
      * "false" for message initiators. Set it to true to cache for both cases. Set this to "false" to
      * not cache UsernameToken nonces. Note that caching only applies when either a UsernameToken
@@ -194,22 +85,6 @@ public final class SecurityConstants {
     public static final String ENABLE_TIMESTAMP_CACHE = "ws-security.enable.timestamp.cache";
     
     /**
-     * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
-     * The default value is "true" for message recipients, and "false" for message initiators.
-     * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers.
-     * Note that caching only applies when either a "SamlToken" policy is in effect, or
-     * else that a SAML action has been configured for the non-security-policy case.
-     */
-    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
-    
-    /**
-     * Whether to validate the SubjectConfirmation requirements of a received SAML Token
-     * (sender-vouches or holder-of-key). The default is true.
-     */
-    public static final String VALIDATE_SAML_SUBJECT_CONFIRMATION = 
-        "ws-security.validate.saml.subject.conf";
-    
-    /**
      * Whether to enable streaming WS-Security. If set to false (the default), the old DOM
      * implementation is used. If set to true, the new streaming (StAX) implementation is used.
      */
@@ -231,21 +106,16 @@ public final class SecurityConstants {
      * The default value is "true" which included the SOAP mustUnderstand header.
      */
     public static final String MUST_UNDERSTAND = "ws-security.must-understand";
-
-    /**
-     * Set this to "false" if security context must not be created from JAAS Subject.
-     *
-     * The default value is "true".
-     */
-    public static final String SC_FROM_JAAS_SUBJECT = "ws-security.sc.jaas-subject";
     
     /**
-     * Enable SAML AudienceRestriction validation. If this is set to "true", then IF the
-     * SAML Token contains Audience Restriction URIs, one of them must match either the
-     * request URL or the Service QName. The default is "true".
+     * Whether to cache SAML2 Token Identifiers, if the token contains a "OneTimeUse" Condition.
+     * The default value is "true" for message recipients, and "false" for message initiators.
+     * Set it to true to cache for both cases. Set this to "false" to not cache SAML2 Token Identifiers.
+     * Note that caching only applies when either a "SamlToken" policy is in effect, or
+     * else that a SAML action has been configured for the non-security-policy case.
      */
-    public static final String AUDIENCE_RESTRICTION_VALIDATION = "ws-security.validate.audience-restriction";
-    
+    public static final String ENABLE_SAML_ONE_TIME_USE_CACHE = "ws-security.enable.saml.cache";
+
     //
     // Non-boolean WS-Security Configuration parameters
     //
@@ -277,12 +147,6 @@ public final class SecurityConstants {
     public static final String USERNAMETOKEN_FUTURE_TTL = "ws-security.usernametoken.futureTimeToLive";
     
     /**
-     * The attribute URI of the SAML AttributeStatement where the role information is stored.
-     * The default is "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role".
-     */
-    public static final String SAML_ROLE_ATTRIBUTENAME = "ws-security.saml-role-attributename";
-    
-    /**
      * The SpnegoClientAction implementation to use for SPNEGO. This allows the user to plug in
      * a different implementation to obtain a service ticket.
      */
@@ -306,8 +170,7 @@ public final class SecurityConstants {
      * This holds a reference to a ReplayCache instance used to cache SAML2 Token Identifiers, when
      * the token has a "OneTimeUse" Condition. The default instance that is used is the EHCacheReplayCache.
      */
-    public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = 
-        "ws-security.saml.cache.instance";
+    public static final String SAML_ONE_TIME_USE_CACHE_INSTANCE = "ws-security.saml.cache.instance";
     
     /**
      * Set this property to point to a configuration file for the underlying caching implementation.
@@ -336,13 +199,6 @@ public final class SecurityConstants {
     public static final String CACHE_IDENTIFIER = "ws-security.cache.identifier";
 
     /**
-     * A comma separated String of regular expressions which will be applied to the subject DN of 
-     * the certificate used for signature validation, after trust verification of the certificate 
-     * chain associated with the  certificate.
-     */
-    public static final String SUBJECT_CERT_CONSTRAINTS = "ws-security.subject.cert.constraints";
-    
-    /**
      * The Subject Role Classifier to use. If one of the WSS4J Validators returns a JAAS Subject
      * from Validation, then the WSS4JInInterceptor will attempt to create a SecurityContext
      * based on this Subject. If this value is not specified, then it tries to get roles using
@@ -661,6 +517,10 @@ public final class SecurityConstants {
             KERBEROS_REQUEST_CREDENTIAL_DELEGATION, ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL,
             AUDIENCE_RESTRICTION_VALIDATION, POLICY_VALIDATOR_MAP
         }));
+        for (String commonProperty : COMMON_PROPERTIES) {
+            s.add(commonProperty);
+            s.add("ws-" + commonProperty);
+        }
         ALL_PROPERTIES = Collections.unmodifiableSet(s);
     }
     
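Review bot: The explicit array above the loop still lists ENABLE_UNSIGNED_SAML_ASSERTION_PRINCIPAL and AUDIENCE_RESTRICTION_VALIDATION, which the new loop adds again from COMMON_PROPERTIES together with their `ws-` aliases, so those two entries are now redundant and can be dropped. The loop only aliases names that are in COMMON_PROPERTIES; any constant this class now inherits that is not in that set keeps only its new `security.*` spelling in ALL_PROPERTIES unless it is listed in the array under both names, so the array should be reconciled against the inherited constants that are absent from COMMON_PROPERTIES before anything relies on ALL_PROPERTIES to recognise legacy configuration. A one-line comment on the loop, `// legacy ws-security.* spellings of the shared tags are still accepted`, would explain why both forms are registered. The static initializer containing this array begins outside the hunk.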

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
index f5e9c28..6cb4955 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/kerberos/KerberosUtils.java
@@ -49,7 +49,7 @@ public final class KerberosUtils {
             try {
                 CallbackHandler callbackHandler = 
                     SecurityUtils.getCallbackHandler(
-                        message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER)
+                        SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message)
                     );
                 client.setCallbackHandler(callbackHandler);
             } catch (Exception ex) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index d7346a6..ff630d7 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -296,7 +296,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
                 (String)message.getContextualProperty(SecurityConstants.KERBEROS_SPN);
             CallbackHandler callbackHandler = 
                 SecurityUtils.getCallbackHandler(
-                    message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER)
+                    SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message)
                 );
 
             SpnegoTokenContext spnegoToken = new SpnegoTokenContext();

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
index a2608b1..57d9b90 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenOutInterceptor.java
@@ -112,7 +112,7 @@ class SpnegoContextTokenOutInterceptor extends AbstractPhaseInterceptor<SoapMess
         try {
             CallbackHandler callbackHandler = 
                 SecurityUtils.getCallbackHandler(
-                    message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER)
+                    SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message)
                 );
             
             spnegoToken.retrieveServiceTicket(jaasContext, callbackHandler, kerberosSpn);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 3603a46..a9678a1 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -1554,6 +1554,9 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
 
     protected CallbackHandler createHandler() {
         Object o = getProperty(SecurityConstants.CALLBACK_HANDLER);
+        if (o == null) {
+            o = getProperty("ws-" + SecurityConstants.CALLBACK_HANDLER);
+        }
         try {
             return SecurityUtils.getCallbackHandler(o);
         } catch (Exception e) {
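Review bot: createHandler hand-rolls the `"ws-" + name` fallback that SecurityUtils.getSecurityPropertyValue now provides for Message lookups; that is understandable if getProperty reads the STS client's own property map rather than a Message, but a comment should say so, e.g. `// STS client properties are not Message-scoped, so apply the legacy ws-security.* fallback by hand`. If the STS client reads other constants that moved to the base class (the signature/encryption properties and username) through getProperty elsewhere — not visible in this hunk — they need the same fallback, or a client still configured with the old `ws-security.signature.properties` key could silently lose its signature or encryption configuration when talking to the STS. A small private helper `getSecurityProperty(String)` that performs both lookups would keep that rule in one place.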

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
index 061febd..c1613c4 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AuthPolicyValidatingInterceptor.java
@@ -35,6 +35,7 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
@@ -133,7 +134,7 @@ public class AuthPolicyValidatingInterceptor extends AbstractPhaseInterceptor<Me
         }
         if (samlAssertion != null) {
             String roleAttributeName = 
-                (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
             if (roleAttributeName == null || roleAttributeName.length() == 0) {
                 roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
index 0410e49..3793f18 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSLoginModule.java
@@ -54,6 +54,7 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.phase.PhaseInterceptorChain;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.tokenstore.EHCacheTokenStore;
 import org.apache.cxf.ws.security.tokenstore.TokenStore;
@@ -365,7 +366,8 @@ public class STSLoginModule implements LoginModule {
             String roleAttributeName = null;
             if (msg != null) {
                 roleAttributeName = 
-                    (String)msg.getContextualProperty(SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                    (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_ROLE_ATTRIBUTENAME, 
+                                                                   msg);
             }
             if (roleAttributeName == null || roleAttributeName.length() == 0) {
                 roleAttributeName = WSS4JInInterceptor.SAML_ROLE_ATTRIBUTENAME_DEFAULT;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
index a954ee2..a7c0559 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java
@@ -27,9 +27,9 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
-
 import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 
@@ -48,7 +48,7 @@ public class WSSUsernameCallbackHandler implements CallbackHandler {
                 Message message = callback.getCurrentMessage();
                 
                 String username = 
-                    (String)message.getContextualProperty(SecurityConstants.USERNAME);
+                    (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
                 if (username != null) {
                     Node contentNode = message.getContent(Node.class);
                     Document doc = null;

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
index 5bd393a..489e0c2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractTokenInterceptor.java
@@ -177,7 +177,7 @@ public abstract class AbstractTokenInterceptor extends AbstractSoapInterceptor {
         //Then try to get the password from the given callback handler
         CallbackHandler handler = null;
         try {
-            Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+            Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
             handler = SecurityUtils.getCallbackHandler(o);
             if (handler == null) {
                 policyNotAsserted(info, "No callback handler and no password available", message);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
index 5d96f2d..58a38b1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JInterceptor.java
@@ -33,6 +33,7 @@ import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 import org.apache.cxf.phase.PhaseInterceptor;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.crypto.Crypto;
@@ -98,7 +99,7 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap
     }
 
     public Object getProperty(Object msgContext, String key) {
-        Object obj = ((Message)msgContext).getContextualProperty(key);
+        Object obj = SecurityUtils.getSecurityPropertyValue(key, (Message)msgContext);
         if (obj == null) {
             obj = getOption(key);
         }
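Review bot: getProperty is the hook WSHandler uses for every configuration key it reads, so after this change all of those keys, not only the SecurityConstants ones, go through SecurityUtils.getSecurityPropertyValue. The helper is new in this commit but its body is not in this hunk; if it falls back to a second property name, the precedence between a value set under the old name and one set under the new name decides which configuration source wins for signature/encryption settings, and that should be stated on the helper's Javadoc and referenced here, e.g. `// Shared lookup: see SecurityUtils.getSecurityPropertyValue for which key name takes precedence`. The same applies to the getProperty hunk in AbstractWSS4JStaxInterceptor. The enclosing method continues past the hunk.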
@@ -173,16 +174,19 @@ public abstract class AbstractWSS4JInterceptor extends WSHandler implements Soap
         }
         
         String certConstraints = 
-            (String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS);
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg);
         if (certConstraints != null) {
             msg.put(WSHandlerConstants.SIG_SUBJECT_CERT_CONSTRAINTS, certConstraints);
         }
         
         // Now set SAML SenderVouches + Holder Of Key requirements
-        boolean validateSAMLSubjectConf = 
-            MessageUtils.getContextualBoolean(
-                msg, SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, true
-            );
+        String valSAMLSubjectConf = 
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
+                                                           msg);
+        boolean validateSAMLSubjectConf = true;
+        if (valSAMLSubjectConf != null) {
+            validateSAMLSubjectConf = Boolean.parseBoolean(valSAMLSubjectConf);
+        }
         msg.put(
             WSHandlerConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, 
             Boolean.toString(validateSAMLSubjectConf)
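Review bot: The `(String)` cast at L1136 is a regression for configurations that set VALIDATE_SAML_SUBJECT_CONFIRMATION as a Boolean object rather than a String: the replaced MessageUtils.getContextualBoolean accepted both, as far as I recall, whereas the new code throws ClassCastException before reaching the default. Reading the value as Object avoids that while keeping the fail-closed default of true: `Object valSAMLSubjectConf = SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION, msg);` then `boolean validateSAMLSubjectConf = valSAMLSubjectConf == null || Boolean.parseBoolean(valSAMLSubjectConf.toString());`. Once MessageUtils is no longer used in this file its import at the top becomes dead, which is worth checking. The enclosing method starts and ends outside the hunk.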

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index bed078f..46de15d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -146,14 +146,15 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         }
         
         String certConstraints = 
-            (String)msg.getContextualProperty(SecurityConstants.SUBJECT_CERT_CONSTRAINTS);
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.SUBJECT_CERT_CONSTRAINTS, msg);
         if (certConstraints != null && !"".equals(certConstraints)) {
             securityProperties.setSubjectCertConstraints(convertCertConstraints(certConstraints));
         }
         
         // Now set SAML SenderVouches + Holder Of Key requirements
         String validateSAMLSubjectConf = 
-            (String)msg.getContextualProperty(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION);
+            (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.VALIDATE_SAML_SUBJECT_CONFIRMATION,
+                                                           msg);
         if (validateSAMLSubjectConf != null) {
             securityProperties.setValidateSamlSubjectConfirmation(Boolean.valueOf(validateSAMLSubjectConf));
         }
@@ -192,7 +193,7 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
     protected void configureCallbackHandler(
         SoapMessage soapMessage, WSSSecurityProperties securityProperties
     ) throws WSSecurityException {
-        Object o = soapMessage.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+        Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, soapMessage);
         CallbackHandler callbackHandler = null;
         try {
             callbackHandler = SecurityUtils.getCallbackHandler(o);
@@ -266,7 +267,7 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
     }
 
     public Object getProperty(Object msgContext, String key) {
-        Object obj = ((Message)msgContext).getContextualProperty(key);
+        Object obj = SecurityUtils.getSecurityPropertyValue(key, (Message)msgContext);
         if (obj == null) {
             obj = getOption(key);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java
index e57780a..d086673 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java
@@ -104,7 +104,7 @@ public class BinarySecurityTokenInterceptor extends AbstractTokenInterceptor {
         throws WSSecurityException {
         WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument());
         RequestData data = new CXFRequestData();
-        Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+        Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
         try {
             data.setCallbackHandler(SecurityUtils.getCallbackHandler(o));
         } catch (Exception ex) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 6b09107..f271d28 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -30,11 +30,11 @@ import javax.xml.soap.SOAPException;
 import javax.xml.stream.XMLStreamException;
 
 import org.w3c.dom.Element;
-
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -119,13 +119,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         
         action = addToAction(action, "Signature", true);
         action = addToAction(action, "Encrypt", true);
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, data);
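Review bot: The eight-line block that resolves `s` from SIGNATURE_CRYPTO with a SIGNATURE_PROPERTIES fallback and `e` from ENCRYPT_CRYPTO with an ENCRYPT_PROPERTIES fallback is now repeated verbatim three times in this file and again in every hunk of PolicyBasedWSS4JStaxInInterceptor and PolicyBasedWSS4JStaxOutInterceptor, each time only changing the helper call. Since the commit already introduces a shared SecurityUtils, a single helper such as `static Object getSignatureCryptoOrProperties(Message message)` (and its encryption twin) would keep the fallback order in one place, which matters because a mismatch between copies would silently change which keystore is used. The enclosing methods start outside their hunks.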
@@ -157,13 +157,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
     ) throws WSSecurityException {
         action = addToAction(action, "Signature", true);
         action = addToAction(action, "Encrypt", true);
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, data);
@@ -264,13 +264,13 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
         
         action = addToAction(action, "Signature", true);
         action = addToAction(action, "Encrypt", true);
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, data);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
index 2a133ce..f75f3c0 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
@@ -36,6 +36,7 @@ import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.service.model.BindingInfo;
 import org.apache.cxf.service.model.BindingOperationInfo;
 import org.apache.cxf.service.model.EndpointInfo;
@@ -92,13 +93,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
             return;
         }
         
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -149,13 +150,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
             securityEvents.add(httpsTokenSecurityEvent);
         }
         
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
 
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -197,13 +198,13 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
             return;
         }
         
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
index 9ec4040..640bcb2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxOutInterceptor.java
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.security.wss4j;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.cxf.ws.security.SecurityConstants;
@@ -62,13 +63,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
     private void checkAsymmetricBinding(
         SoapMessage message, WSSSecurityProperties securityProperties
     ) throws WSSecurityException {
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -93,13 +94,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
     private void checkTransportBinding(
         SoapMessage message, WSSSecurityProperties securityProperties
     ) throws WSSecurityException {
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);
@@ -124,13 +125,13 @@ public class PolicyBasedWSS4JStaxOutInterceptor extends WSS4JStaxOutInterceptor
     private void checkSymmetricBinding(
         SoapMessage message, WSSSecurityProperties securityProperties
     ) throws WSSecurityException {
-        Object s = message.getContextualProperty(SecurityConstants.SIGNATURE_CRYPTO);
+        Object s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_CRYPTO, message);
         if (s == null) {
-            s = message.getContextualProperty(SecurityConstants.SIGNATURE_PROPERTIES);
+            s = SecurityUtils.getSecurityPropertyValue(SecurityConstants.SIGNATURE_PROPERTIES, message);
         }
-        Object e = message.getContextualProperty(SecurityConstants.ENCRYPT_CRYPTO);
+        Object e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_CRYPTO, message);
         if (e == null) {
-            e = message.getContextualProperty(SecurityConstants.ENCRYPT_PROPERTIES);
+            e = SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_PROPERTIES, message);
         }
         
         Crypto encrCrypto = getEncryptionCrypto(e, message, securityProperties);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
index 526e96d..409ef76 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/SamlTokenInterceptor.java
@@ -172,7 +172,7 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
         WSDocInfo wsDocInfo = new WSDocInfo(tokenElement.getOwnerDocument());
         
         RequestData data = new CXFRequestData();
-        Object o = message.getContextualProperty(SecurityConstants.CALLBACK_HANDLER);
+        Object o = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
         try {
             data.setCallbackHandler(SecurityUtils.getCallbackHandler(o));
         } catch (Exception ex) {
@@ -228,7 +228,8 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
         //
         // Get the SAML CallbackHandler
         //
-        Object o = message.getContextualProperty(SecurityConstants.SAML_CALLBACK_HANDLER);
+        Object o = 
+            SecurityUtils.getSecurityPropertyValue(SecurityConstants.SAML_CALLBACK_HANDLER, message);
 
         CallbackHandler handler = null;
         if (o instanceof CallbackHandler) {
@@ -265,11 +266,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
             String issuerName = samlCallback.getIssuerKeyName();
             if (issuerName == null) {
                 String userNameKey = SecurityConstants.SIGNATURE_USERNAME;
-                issuerName = (String)message.getContextualProperty(userNameKey);
+                issuerName = (String)SecurityUtils.getSecurityPropertyValue(userNameKey, message);
             }
             String password = samlCallback.getIssuerKeyPassword();
             if (password == null) {
-                password = (String)message.getContextualProperty(SecurityConstants.PASSWORD);
+                password = 
+                    (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.PASSWORD, message);
                 if (StringUtils.isEmpty(password)) {
                     password = 
                         getPassword(issuerName, token, WSPasswordCallback.SIGNATURE, message);
@@ -301,12 +303,12 @@ public class SamlTokenInterceptor extends AbstractTokenInterceptor {
         String propKey,
         SoapMessage message
     ) throws WSSecurityException {
-        Crypto crypto = (Crypto)message.getContextualProperty(cryptoKey);
+        Crypto crypto = (Crypto)SecurityUtils.getSecurityPropertyValue(cryptoKey, message);
         if (crypto != null) {
             return crypto;
         }
 
-        Object o = message.getContextualProperty(propKey);
+        Object o = SecurityUtils.getSecurityPropertyValue(propKey, message);
         if (o == null) {
             return null;
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/5faf1822/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
index 9f7d7b1..2249335 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/StaxSecurityContextInInterceptor.java
@@ -35,6 +35,7 @@ import org.apache.cxf.phase.Phase;
 import org.apache.cxf.rt.security.claims.ClaimCollection;
 import org.apache.cxf.rt.security.saml.claims.SAMLSecurityContext;
 import org.apache.cxf.rt.security.saml.utils.SAMLUtils;
+import org.apache.cxf.rt.security.utils.SecurityUtils;
 import org.apache.cxf.security.SecurityContext;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -118,8 +119,8 @@ public class StaxSecurityContextInInterceptor extends AbstractPhaseInterceptor<S
                     Object receivedAssertion = null;
                     
                     if (event.getSecurityEventType() == WSSecurityEventConstants.SamlToken) {
-                        String roleAttributeName = (String)msg.getContextualProperty(
-                                SecurityConstants.SAML_ROLE_ATTRIBUTENAME);
+                        String roleAttributeName = (String)SecurityUtils.getSecurityPropertyValue(
+                                SecurityConstants.SAML_ROLE_ATTRIBUTENAME, msg);
                         if (roleAttributeName == null || roleAttributeName.length() == 0) {
                             roleAttributeName = SAML_ROLE_ATTRIBUTENAME_DEFAULT;
                         }

