ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1607692 [1/2] - in /webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax: ./ assertionStates/
Date Thu, 03 Jul 2014 16:34:45 GMT
Author: coheigea
Date: Thu Jul  3 16:34:44 2014
New Revision: 1607692

URL: http://svn.apache.org/r1607692
Log:
Introducing a new PolicyAsserter interface to allow third-party SOAP stacks to assert policies directly

Added:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java
Modified:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java

Added: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java?rev=1607692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java (added)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/DummyPolicyAsserter.java Thu Jul  3 16:34:44 2014
@@ -0,0 +1,46 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.policy.stax;
+
+import javax.xml.namespace.QName;
+
+import org.apache.neethi.Assertion;
+
+/**
+ * A dummy policy asserter
+ */
+public class DummyPolicyAsserter implements PolicyAsserter {
+
+    public void assertPolicy(Assertion assertion) {
+        // Do nothing
+    }
+    
+    public void unassertPolicy(Assertion assertion, String reason) {
+        // Do nothing
+    }
+    
+    public void assertPolicy(QName qName) {
+        // Do nothing
+    }
+    
+    public void unassertPolicy(QName qName, String reason) {
+        // Do nothing
+    }
+    
+}

Added: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java?rev=1607692&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java (added)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyAsserter.java Thu Jul  3 16:34:44 2014
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.policy.stax;
+
+import javax.xml.namespace.QName;
+
+import org.apache.neethi.Assertion;
+
+/**
+ * A interface that can be used to tell a third-part SOAP stack (e.g. Apache CXF) that WSS4J will
+ * take care of asserting a certain policy, and thus can be marked as "asserted".
+ */
+public interface PolicyAsserter {
+
+    void assertPolicy(Assertion assertion);
+    
+    void unassertPolicy(Assertion assertion, String reason);
+    
+    void assertPolicy(QName qName);
+    
+    void unassertPolicy(QName qName, String reason);
+}

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java Thu Jul  3 16:34:44 2014
@@ -51,6 +51,7 @@ import org.apache.wss4j.policy.model.Htt
 import org.apache.wss4j.policy.model.IssuedToken;
 import org.apache.wss4j.policy.model.KerberosToken;
 import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.model.Layout;
 import org.apache.wss4j.policy.model.RelToken;
 import org.apache.wss4j.policy.model.RequiredElements;
 import org.apache.wss4j.policy.model.RequiredParts;
@@ -62,6 +63,7 @@ import org.apache.wss4j.policy.model.Sig
 import org.apache.wss4j.policy.model.SpnegoContextToken;
 import org.apache.wss4j.policy.model.SupportingTokens;
 import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.model.Wss10;
 import org.apache.wss4j.policy.model.X509Token;
 import org.apache.wss4j.policy.model.Wss11;
 import org.apache.wss4j.policy.stax.assertionStates.AlgorithmSuiteAssertionState;
@@ -133,15 +135,27 @@ public class PolicyEnforcer implements S
     private int attachmentCount;
     private boolean noSecurityHeader;
     private boolean faultOccurred;
-
+    private final PolicyAsserter policyAsserter;
+    
     public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
                           String actorOrRole, int attachmentCount) throws WSSPolicyException {
+        this(operationPolicies, soapAction, initiator, actorOrRole, attachmentCount, null);
+    }
+
+    public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction, boolean initiator,
+                          String actorOrRole, int attachmentCount, PolicyAsserter policyAsserter) throws WSSPolicyException {
         this.operationPolicies = operationPolicies;
         this.initiator = initiator;
         this.actorOrRole = actorOrRole;
         this.attachmentCount = attachmentCount;
         assertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
         failedAssertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion, List<Assertable>>>>();
+        
+        if (policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        } else {
+            this.policyAsserter = policyAsserter;
+        }
 
         if (soapAction != null && !soapAction.isEmpty()) {
             effectivePolicy = findPolicyBySOAPAction(operationPolicies, soapAction);
@@ -256,120 +270,157 @@ public class PolicyEnforcer implements S
 
     protected List<Assertable> getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion) throws WSSPolicyException {
         List<Assertable> assertableList = new LinkedList<Assertable>();
+        boolean tokenRequired = true;
         if (abstractSecurityAssertion instanceof AbstractToken) {
             // Don't return a Token that is not required
             SPConstants.IncludeTokenType includeTokenType = 
                 ((AbstractToken)abstractSecurityAssertion).getIncludeTokenType();
             if (includeTokenType == IncludeTokenType.INCLUDE_TOKEN_NEVER) {
-                return assertableList;
+                tokenRequired = false;
             } else if (initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT) {
-                return assertableList;
+                tokenRequired = false;
             } else if (initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ONCE) {
-                return assertableList;
+                tokenRequired = false;
             } else if (!initiator && includeTokenType == IncludeTokenType.INCLUDE_TOKEN_ALWAYS_TO_INITIATOR) {
-                return assertableList;
+                tokenRequired = false;
             }
         }
         
         if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
             //initialized with asserted=true because it could be that parent elements are encrypted and therefore these element are also encrypted
             //the test if it is really encrypted is done via the PolicyInputProcessor which emits EncryptedElementEvents for unencrypted elements with the unencrypted flag
-            assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, true));
+            assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
         } else if (abstractSecurityAssertion instanceof EncryptedParts) {
             //initialized with asserted=true with the same reason as by the EncryptedParts above
-            assertableList.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, true, attachmentCount));
+            assertableList.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount));
         } else if (abstractSecurityAssertion instanceof EncryptedElements) {
             //initialized with asserted=true with the same reason as by the EncryptedParts above
-            assertableList.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, true));
+            assertableList.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
         } else if (abstractSecurityAssertion instanceof SignedParts) {
             //initialized with asserted=true because it could be that parent elements are signed and therefore these element are also signed
             //the test if it is really signed is done via the PolicyInputProcessor which emits SignedElementEvents for unsigned elements with the unsigned flag
-            assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, true, attachmentCount));
+            assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount));
         } else if (abstractSecurityAssertion instanceof SignedElements) {
             //initialized with asserted=true with the same reason as by the SignedParts above
-            assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, true));
+            assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
         } else if (abstractSecurityAssertion instanceof RequiredElements) {
-            assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, false));
+            assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, policyAsserter, false));
         } else if (abstractSecurityAssertion instanceof RequiredParts) {
-            assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, false));
+            assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, policyAsserter, false));
         } else if (abstractSecurityAssertion instanceof UsernameToken) {
-            assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof IssuedToken) {
-            assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof X509Token) {
-            assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof KerberosToken) {
-            assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof SpnegoContextToken) {
-            assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof SecureConversationToken) {
-            assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof SecurityContextToken) {
-            assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof SamlToken) {
-            assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof RelToken) {
-            assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof HttpsToken && !initiator) {
-            assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof KeyValueToken) {
-            assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, false, initiator));
+            assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
         } else if (abstractSecurityAssertion instanceof AlgorithmSuite) {
             //initialized with asserted=true because we do negative matching
-            assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, true));
+            assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, policyAsserter, true));
         } /*else if (abstractSecurityAssertion instanceof AsymmetricBinding) {
         } else if (abstractSecurityAssertion instanceof SymmetricBinding) {
         } else if (abstractSecurityAssertion instanceof TransportBinding) {
-        } else if (abstractSecurityAssertion instanceof Layout) {
-            assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
-        }*/
-
+        } */ else if (abstractSecurityAssertion instanceof Layout) {
+            //assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
+            String namespace = abstractSecurityAssertion.getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX));
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_STRICT));
+            policyAsserter.assertPolicy(abstractSecurityAssertion);
+        }
         else if (abstractSecurityAssertion instanceof AbstractBinding) {
+            policyAsserter.assertPolicy(abstractSecurityAssertion);
             AbstractBinding abstractBinding = (AbstractBinding) abstractSecurityAssertion;
             if (abstractBinding instanceof AbstractSymmetricAsymmetricBinding) {
                 AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) abstractSecurityAssertion;
-                assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, true));
-                assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, true));
+                assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
+                assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
                 if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
                     //initialized with asserted=true because we do negative matching
-                    assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, true, actorOrRole));
+                    assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, policyAsserter, true, actorOrRole));
                 }
-                assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, true));
+                assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, policyAsserter, true));
             }
 
             //WSP1.3, 6.2 Timestamp Property
-            assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, true));
+            assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, policyAsserter, true));
             if (abstractBinding.isIncludeTimestamp()) {
                 List<QName> timestampElementPath = new LinkedList<QName>();
                 timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
                 timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
-                RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(abstractBinding, false);
+                RequiredElementsAssertionState requiredElementsAssertionState = 
+                    new RequiredElementsAssertionState(abstractBinding, policyAsserter, false);
                 requiredElementsAssertionState.addElement(timestampElementPath);
                 assertableList.add(requiredElementsAssertionState);
 
-                SignedElementsAssertionState signedElementsAssertionState = new SignedElementsAssertionState(abstractSecurityAssertion, true);
+                SignedElementsAssertionState signedElementsAssertionState = 
+                    new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true);
                 signedElementsAssertionState.addElement(timestampElementPath);
                 assertableList.add(signedElementsAssertionState);
             }
-        } else if (abstractSecurityAssertion instanceof Wss11) {
-            Wss11 wss11 = (Wss11)abstractSecurityAssertion;
-
-            if (initiator) {
-                //9 WSS: SOAP Message Security Options [Signature Confirmation]
-                assertableList.add(new SignatureConfirmationAssertionState(wss11, true));
+        } else if (abstractSecurityAssertion instanceof Wss10) {
+            Wss10 wss10 = (Wss10)abstractSecurityAssertion;
+            String namespace = wss10.getName().getNamespaceURI();
+            policyAsserter.assertPolicy(abstractSecurityAssertion);
+            
+            if (wss10.isMustSupportRefEmbeddedToken()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
+            }
+            if (wss10.isMustSupportRefExternalURI()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
+            }
+            if (wss10.isMustSupportRefIssuerSerial()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
+            }
+            if (wss10.isMustSupportRefKeyIdentifier()) {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
+            }
+            
+            if (abstractSecurityAssertion instanceof Wss11) {
+                Wss11 wss11 = (Wss11)abstractSecurityAssertion;
+                if (wss11.isMustSupportRefEncryptedKey()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
+                }
+                if (wss11.isMustSupportRefThumbprint()) {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
+                }
                 if (wss11.isRequireSignatureConfirmation()) {
-                    List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
-                    signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
-                    signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
-                    RequiredElementsAssertionState requiredElementsAssertionState = new RequiredElementsAssertionState(wss11, false);
-                    requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
-                    assertableList.add(requiredElementsAssertionState);
-
-                    SignedElementsAssertionState signedElementsAssertionState = new SignedElementsAssertionState(wss11, true);
-                    signedElementsAssertionState.addElement(signatureConfirmationElementPath);
-                    assertableList.add(signedElementsAssertionState);
+                    assertableList.add(new SignatureConfirmationAssertionState(wss11, policyAsserter, true));
+                    if (initiator) {
+                        //9 WSS: SOAP Message Security Options [Signature Confirmation]
+                        List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
+                        signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+                        signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+                        RequiredElementsAssertionState requiredElementsAssertionState = 
+                            new RequiredElementsAssertionState(wss11, policyAsserter, false);
+                        requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
+                        assertableList.add(requiredElementsAssertionState);
+
+                        SignedElementsAssertionState signedElementsAssertionState = 
+                            new SignedElementsAssertionState(wss11, policyAsserter, true);
+                        signedElementsAssertionState.addElement(signatureConfirmationElementPath);
+                        assertableList.add(signedElementsAssertionState);
+                    }
                 }
             }
+        } else {
+            policyAsserter.assertPolicy(abstractSecurityAssertion);
         }
 
         return assertableList;

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/AlgorithmSuiteAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,11 +18,15 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.policy.AssertionState;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
@@ -34,8 +38,25 @@ import org.apache.xml.security.stax.secu
  */
 public class AlgorithmSuiteAssertionState extends AssertionState implements Assertable {
 
-    public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    private PolicyAsserter policyAsserter;
+    
+    public AlgorithmSuiteAssertionState(AbstractSecurityAssertion assertion, 
+                                        PolicyAsserter policyAsserter,
+                                        boolean asserted) {
         super(assertion, asserted);
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            AlgorithmSuite algorithmSuite = (AlgorithmSuite) getAssertion();
+            policyAsserter.assertPolicy(getAssertion());
+            String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
+            String name = algorithmSuite.getAlgorithmSuiteType().getName();
+            policyAsserter.assertPolicy(new QName(namespace, name));
+        }
     }
 
     @Override
@@ -56,6 +77,7 @@ public class AlgorithmSuiteAssertionStat
                     && !algorithmSuite.getSymmetricSignature().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Symmetric signature algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
             if (algorithmSuite.getAlgorithmSuiteType() != null) {
                 if (!algorithmSuiteSecurityEvent.isDerivedKey()
@@ -63,10 +85,12 @@ public class AlgorithmSuiteAssertionStat
                     || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
                     setAsserted(false);
                     setErrorMessage("Symmetric signature algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 } else if (algorithmSuiteSecurityEvent.isDerivedKey()
                         && algorithmSuite.getAlgorithmSuiteType().getSignatureDerivedKeyLength() != algorithmSuiteSecurityEvent.getKeyLength()) {
                     setAsserted(false);
                     setErrorMessage("Symmetric signature algorithm derived key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 }
             }
         } else if (WSSConstants.Asym_Sig.equals(keyUsage)) {
@@ -74,24 +98,28 @@ public class AlgorithmSuiteAssertionStat
                     && !algorithmSuite.getAsymmetricSignature().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Asymmetric algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
                     || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
                 setAsserted(false);
                 setErrorMessage("Asymmetric signature algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.SigDig.equals(keyUsage)) {
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && !algorithmSuite.getAlgorithmSuiteType().getDigest().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Digest algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Enc.equals(keyUsage)) {
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && !algorithmSuite.getAlgorithmSuiteType().getEncryption().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Encryption algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
             if (algorithmSuite.getAlgorithmSuiteType() != null) {
                 if (!algorithmSuiteSecurityEvent.isDerivedKey()
@@ -99,10 +127,12 @@ public class AlgorithmSuiteAssertionStat
                     || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
                     setAsserted(false);
                     setErrorMessage("Symmetric encryption algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 } else if (algorithmSuiteSecurityEvent.isDerivedKey()
                         && algorithmSuite.getAlgorithmSuiteType().getEncryptionDerivedKeyLength() != algorithmSuiteSecurityEvent.getKeyLength()) {
                     setAsserted(false);
                     setErrorMessage("Symmetric encryption algorithm derived key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 }
             }
         } else if (WSSConstants.Sym_Key_Wrap.equals(keyUsage)) {
@@ -110,48 +140,56 @@ public class AlgorithmSuiteAssertionStat
                     && !algorithmSuite.getAlgorithmSuiteType().getSymmetricKeyWrap().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Symmetric key wrap algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && (algorithmSuite.getAlgorithmSuiteType().getMinimumSymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
                     || algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
                 setAsserted(false);
                 setErrorMessage("Symmetric key wrap algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Asym_Key_Wrap.equals(keyUsage)) {
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && !algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Asymmetric key wrap algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && (algorithmSuite.getAlgorithmSuiteType().getMinimumAsymmetricKeyLength() > algorithmSuiteSecurityEvent.getKeyLength()
                     || algorithmSuite.getAlgorithmSuiteType().getMaximumAsymmetricKeyLength() < algorithmSuiteSecurityEvent.getKeyLength())) {
                 setAsserted(false);
                 setErrorMessage("Asymmetric key wrap algorithm key length " + algorithmSuiteSecurityEvent.getKeyLength() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Comp_Key.equals(keyUsage)) {
             if (algorithmSuite.getComputedKey() != null
                     && !algorithmSuite.getComputedKey().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Computed key algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Enc_KD.equals(keyUsage)) {
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && !algorithmSuite.getAlgorithmSuiteType().getEncryptionKeyDerivation().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Encryption key derivation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Sig_KD.equals(keyUsage)) {
             if (algorithmSuite.getAlgorithmSuiteType() != null
                     && !algorithmSuite.getAlgorithmSuiteType().getSignatureKeyDerivation().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Signature key derivation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.SigC14n.equals(keyUsage)) {
             if (algorithmSuite.getC14n() != null
                     && !algorithmSuite.getC14n().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("C14N algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.SigTransform.equals(keyUsage)) {
             if (algorithmSuite.getC14n() != null
@@ -161,25 +199,37 @@ public class AlgorithmSuiteAssertionStat
                 && !WSSConstants.SWA_ATTACHMENT_COMPLETE_SIG_TRANS.equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Transform C14N algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.Soap_Norm.equals(keyUsage)) {
             if (algorithmSuite.getSoapNormType() != null
                     && !algorithmSuite.getSoapNormType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("Soap normalization algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.STR_Trans.equals(keyUsage)) {
             if (algorithmSuite.getStrType() != null
                     && !algorithmSuite.getStrType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
                 setAsserted(false);
                 setErrorMessage("STR transformation algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
             }
         } else if (WSSConstants.XPath.equals(keyUsage) &&
             algorithmSuite.getXPathType() != null && 
             !algorithmSuite.getXPathType().getValue().equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
             setAsserted(false);
             setErrorMessage("XPath algorithm " + algorithmSuiteSecurityEvent.getAlgorithmURI() + " does not meet policy");
+            policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
+        }
+        
+        if (isAsserted()) {
+            policyAsserter.assertPolicy(getAssertion());
+            String namespace = algorithmSuite.getAlgorithmSuiteType().getNamespace();
+            String name = algorithmSuite.getAlgorithmSuiteType().getName();
+            policyAsserter.assertPolicy(new QName(namespace, name));
         }
+        
         return isAsserted();
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ContentEncryptedElementsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -27,11 +27,14 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
 import javax.xml.namespace.QName;
+
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
@@ -42,8 +45,11 @@ import java.util.List;
 public class ContentEncryptedElementsAssertionState extends AssertionState implements Assertable {
 
     private final List<List<QName>> pathElements = new ArrayList<List<QName>>();
+    private PolicyAsserter policyAsserter;
 
-    public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion,
+                                                  PolicyAsserter policyAsserter,
+                                                  boolean asserted) {
         super(assertion, asserted);
 
         ContentEncryptedElements contentEncryptedElements = (ContentEncryptedElements) assertion;
@@ -52,6 +58,15 @@ public class ContentEncryptedElementsAss
             List<QName> elements = PolicyUtils.getElementPath(xPath);
             pathElements.add(elements);
         }
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -71,16 +86,19 @@ public class ContentEncryptedElementsAss
             if (WSSUtils.pathMatches(pathElements, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
                 if (contentEncryptedElementSecurityEvent.isEncrypted()) {
                     setAsserted(true);
+                    policyAsserter.assertPolicy(getAssertion());
                     return true;
                 } else {
                     //an element must be encrypted but isn't
                     setAsserted(false);
                     setErrorMessage("Content of element " + WSSUtils.pathAsString(contentEncryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
         }
         //if we return false here other encrypted elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedElementsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -27,6 +27,8 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
@@ -43,8 +45,11 @@ import java.util.List;
 public class EncryptedElementsAssertionState extends AssertionState implements Assertable {
 
     private final List<List<QName>> pathElements = new ArrayList<List<QName>>();
+    private PolicyAsserter policyAsserter;
 
-    public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion, 
+                                           PolicyAsserter policyAsserter,
+                                           boolean asserted) {
         super(assertion, asserted);
 
         EncryptedElements encryptedElements = (EncryptedElements) assertion;
@@ -53,6 +58,15 @@ public class EncryptedElementsAssertionS
             List<QName> elements = PolicyUtils.getElementPath(xPath);
             pathElements.add(elements);
         }
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -74,16 +88,19 @@ public class EncryptedElementsAssertionS
             if (WSSUtils.pathMatches(pathElements, encryptedElementSecurityEvent.getElementPath(), true, false)) {
                 if (encryptedElementSecurityEvent.isEncrypted()) {
                     setAsserted(true);
+                    policyAsserter.assertPolicy(getAssertion());
                     return true;
                 } else {
                     //an element must be encrypted but isn't
                     setAsserted(false);
                     setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
         }
         //if we return false here other encrypted elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/EncryptedPartsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -26,6 +26,8 @@ import org.apache.wss4j.policy.model.Hea
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
@@ -44,11 +46,23 @@ public class EncryptedPartsAssertionStat
     private int attachmentCount;
     private int encryptedAttachmentCount;
     private boolean encryptedAttachmentRequired;
+    private PolicyAsserter policyAsserter;
 
     public EncryptedPartsAssertionState(
-        AbstractSecurityAssertion assertion, boolean asserted, int attachmentCount) {
+        AbstractSecurityAssertion assertion, 
+        PolicyAsserter policyAsserter,
+        boolean asserted, int attachmentCount) {
         super(assertion, asserted);
         this.attachmentCount = attachmentCount;
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -69,6 +83,7 @@ public class EncryptedPartsAssertionStat
             if (encryptedPartSecurityEvent.isAttachment()) {
                 encryptedAttachmentCount++;
                 setAsserted(true);
+                policyAsserter.assertPolicy(getAssertion());
                 return true;
             }
         }
@@ -77,10 +92,12 @@ public class EncryptedPartsAssertionStat
         if (encryptedParts.isBody() && WSSUtils.isInSOAPBody(encryptedPartSecurityEvent.getElementPath())) {
             if (encryptedPartSecurityEvent.isEncrypted()) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(getAssertion());
                 return true;
             } else {
                 setAsserted(false);
                 setErrorMessage("SOAP-Body must be encrypted");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
         }
@@ -96,16 +113,19 @@ public class EncryptedPartsAssertionStat
             if (WSSUtils.pathMatches(header11Path, encryptedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
                 if (encryptedPartSecurityEvent.isEncrypted()) {
                     setAsserted(true);
+                    policyAsserter.assertPolicy(getAssertion());
                     return true;
                 } else {
                     setAsserted(false);
                     setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
         }
 
         //if we return false here other encrypted elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
     

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/HttpsTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,10 +18,14 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.HttpsToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +38,17 @@ import org.apache.wss4j.stax.securityEve
 
 public class HttpsTokenAssertionState extends TokenAssertionState {
 
-    public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+                                    PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            HttpsToken token = (HttpsToken) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.getAuthenticationType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, token.getAuthenticationType().name()));
+            }
+        }
     }
 
     @Override
@@ -57,30 +70,44 @@ public class HttpsTokenAssertionState ex
 
         if (httpsToken.getIssuerName() != null && !httpsToken.getIssuerName().equals(httpsTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + httpsToken.getIssuerName() + ") didn't match with the one in the HttpsToken (" + httpsTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
         if (httpsToken.getAuthenticationType() != null) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            
             switch (httpsToken.getAuthenticationType()) {
                 case HttpBasicAuthentication:
                     if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication) {
                         setErrorMessage("Policy enforces HttpBasicAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HTTP_BASIC_AUTHENTICATION),
+                                                         getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HTTP_BASIC_AUTHENTICATION));
                     break;
                 case HttpDigestAuthentication:
                     if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication) {
                         setErrorMessage("Policy enforces HttpDigestAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HTTP_DIGEST_AUTHENTICATION),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HTTP_DIGEST_AUTHENTICATION));
                     break;
                 case RequireClientCertificate:
                     if (httpsTokenSecurityEvent.getAuthenticationType() != HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication) {
                         setErrorMessage("Policy enforces HttpClientCertificateAuthentication but we got " + httpsTokenSecurityEvent.getAuthenticationType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_CERTIFICATE),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_CERTIFICATE));
                     break;
             }
         }
+        
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IncludeTimeStampAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,21 +18,39 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractBinding;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
 /**
  * WSP1.3, 6.2 Timestamp Property
  */
 public class IncludeTimeStampAssertionState extends AssertionState implements Assertable {
+    
+    private PolicyAsserter policyAsserter;
 
-    public IncludeTimeStampAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public IncludeTimeStampAssertionState(AbstractSecurityAssertion assertion, 
+                                          PolicyAsserter policyAsserter,
+                                          boolean asserted) {
         super(assertion, asserted);
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));
+        }
     }
 
     @Override
@@ -47,11 +65,15 @@ public class IncludeTimeStampAssertionSt
         // TimestampSecurityEvent timestampSecurityEvent = (TimestampSecurityEvent) securityEvent;
         boolean isIncludeTimestamp = ((AbstractBinding) getAssertion()).isIncludeTimestamp();
 
+        String namespace = getAssertion().getName().getNamespaceURI();
         if (isIncludeTimestamp) {
             setAsserted(true);
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));
         } else {
             setAsserted(false);
             setErrorMessage("Timestamp must not be present");
+            policyAsserter.unassertPolicy(new QName(namespace, SPConstants.INCLUDE_TIMESTAMP), 
+                getErrorMessage());
         }
         return isAsserted();
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/IssuedTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -24,6 +24,7 @@ import org.apache.wss4j.common.WSSPolicy
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.IssuedToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
@@ -53,8 +54,9 @@ public class IssuedTokenAssertionState e
     private static final String DEFAULT_CLAIMS_NAMESPACE = 
         "http://schemas.xmlsoap.org/ws/2005/05/identity";
 
-    public IssuedTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public IssuedTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+                                     PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
     }
 
     @Override

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,10 +18,14 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.KerberosToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -36,8 +40,20 @@ import org.apache.wss4j.stax.securityEve
 
 public class KerberosTokenAssertionState extends TokenAssertionState {
 
-    public KerberosTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public KerberosTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+                                       PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            KerberosToken token = (KerberosToken) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.isRequireKeyIdentifierReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+            }
+            if (token.getApReqTokenType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, token.getApReqTokenType().name()));
+            }
+        }
     }
 
     @Override
@@ -61,31 +77,46 @@ public class KerberosTokenAssertionState
         if (kerberosToken.getIssuerName() != null &&
             !kerberosToken.getIssuerName().equals(kerberosTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + kerberosToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + kerberosTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
-        if (kerberosToken.isRequireKeyIdentifierReference() &&
-                !WSSecurityTokenConstants.KeyIdentifier_EmbeddedKeyIdentifierRef.equals(kerberosServiceSecurityToken.getKeyIdentifier())) {
-            setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosServiceSecurityToken.getKeyIdentifier());
-            return false;
+        
+        String namespace = getAssertion().getName().getNamespaceURI();
+        if (kerberosToken.isRequireKeyIdentifierReference()) {
+            if (!WSSecurityTokenConstants.KeyIdentifier_EmbeddedKeyIdentifierRef.equals(kerberosServiceSecurityToken.getKeyIdentifier())) {
+                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosServiceSecurityToken.getKeyIdentifier());
+                getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE),
+                                                 getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+            }
         }
         if (kerberosToken.getApReqTokenType() != null) {
             switch (kerberosToken.getApReqTokenType()) {
                 case WssKerberosV5ApReqToken11:
                     if (!kerberosTokenSecurityEvent.isKerberosV5ApReqToken11()) {
                         setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, "WssKerberosV5ApReqToken11"),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, "WssKerberosV5ApReqToken11"));
                     break;
                 case WssGssKerberosV5ApReqToken11:
                     if (!kerberosTokenSecurityEvent.isGssKerberosV5ApReqToken11()) {
                         setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, "WssGssKerberosV5ApReqToken11"),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, "WssGssKerberosV5ApReqToken11"));
                     break;
             }
         }
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KeyValueTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,10 +18,14 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.KeyValueToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityToken.RsaKeyValueSecurityToken;
 import org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -35,8 +39,17 @@ import org.apache.wss4j.stax.securityEve
 
 public class KeyValueTokenAssertionState extends TokenAssertionState {
 
-    public KeyValueTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public KeyValueTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+                                       PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            KeyValueToken token = (KeyValueToken) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.isRsaKeyValue()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+            }
+        }
     }
 
     @Override
@@ -55,13 +68,22 @@ public class KeyValueTokenAssertionState
 
         KeyValueTokenSecurityEvent keyValueTokenSecurityEvent = (KeyValueTokenSecurityEvent) tokenSecurityEvent;
         KeyValueToken keyValueToken = (KeyValueToken) abstractToken;
-        if (keyValueToken.isRsaKeyValue() && !(keyValueTokenSecurityEvent.getSecurityToken() instanceof RsaKeyValueSecurityToken)) {
-            setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a " +
+        
+        String namespace = getAssertion().getName().getNamespaceURI();
+        if (keyValueToken.isRsaKeyValue()) {
+            if (!(keyValueTokenSecurityEvent.getSecurityToken() instanceof RsaKeyValueSecurityToken)) {
+                setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a " +
                     keyValueTokenSecurityEvent.getSecurityToken().getClass().getSimpleName());
-            return false;
+                getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE),
+                                                   getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.RSA_KEY_VALUE));
+            }
         }
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java Thu Jul  3 16:34:44 2014
@@ -19,16 +19,20 @@
 package org.apache.wss4j.policy.stax.assertionStates;
 
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
 import javax.xml.namespace.QName;
+
 import java.util.List;
 
 /**
@@ -37,10 +41,24 @@ import java.util.List;
 public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements Assertable {
 
     private String roleOrActor;
+    private PolicyAsserter policyAsserter;
 
-    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion, boolean asserted, String roleOrActor) {
+    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion, 
+                                                      PolicyAsserter policyAsserter,
+                                                      boolean asserted, 
+                                                      String roleOrActor) {
         super(assertion, asserted);
         this.roleOrActor = roleOrActor;
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
+        }
     }
 
     @Override
@@ -53,25 +71,34 @@ public class OnlySignEntireHeadersAndBod
 
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
+        String namespace = getAssertion().getName().getNamespaceURI();
+        
         AbstractSecuredElementSecurityEvent abstractSecuredElementSecurityEvent = (AbstractSecuredElementSecurityEvent) securityEvent;
         if (abstractSecuredElementSecurityEvent.isSigned() && !abstractSecuredElementSecurityEvent.isAttachment()) {
             List<QName> elementPath = abstractSecuredElementSecurityEvent.getElementPath();
             if (elementPath.size() == 4 && WSSUtils.isInSecurityHeader(abstractSecuredElementSecurityEvent.getXmlSecEvent(), elementPath, roleOrActor)) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
                 return true;
             }
             if (elementPath.size() == 3 && WSSUtils.isInSOAPHeader(elementPath)) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
                 return true;
             }
             if (elementPath.size() == 2 && WSSUtils.isInSOAPBody(elementPath)) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
                 return true;
             }
             setAsserted(false);
             setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element: " + WSSUtils.pathAsString(elementPath));
+            policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY),
+                                          getErrorMessage());
             return false;
         }
+        
+        policyAsserter.assertPolicy(new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ProtectionOrderAssertionState.java Thu Jul  3 16:34:44 2014
@@ -19,10 +19,13 @@
 package org.apache.wss4j.policy.stax.assertionStates;
 
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.*;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
@@ -33,6 +36,7 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
 
 import javax.xml.namespace.QName;
+
 import java.util.List;
 
 /**
@@ -41,8 +45,31 @@ import java.util.List;
 
 public class ProtectionOrderAssertionState extends AssertionState implements Assertable {
 
-    public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    private PolicyAsserter policyAsserter;
+    
+    public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion,
+                                         PolicyAsserter policyAsserter,
+                                         boolean asserted) {
         super(assertion, asserted);
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            AbstractSymmetricAsymmetricBinding.ProtectionOrder protectionOrder = ((AbstractSymmetricAsymmetricBinding) getAssertion()).getProtectionOrder();
+            switch (protectionOrder) {
+            case SignBeforeEncrypting: {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING));
+                break;
+            }
+            case EncryptBeforeSigning: {
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING));
+            }
+                break;
+            }
+        }
     }
 
     @Override
@@ -100,6 +127,8 @@ public class ProtectionOrderAssertionSta
     }
 
     private void testProtectionOrder(AbstractSymmetricAsymmetricBinding.ProtectionOrder protectionOrder, List<XMLSecurityConstants.ContentType> contentTypes, List<QName> elementPath) {
+        String namespace = getAssertion().getName().getNamespaceURI();
+        
         switch (protectionOrder) {
             case SignBeforeEncrypting: {
                 int lastSignature = contentTypes.lastIndexOf(XMLSecurityConstants.ContentType.SIGNATURE);
@@ -107,6 +136,10 @@ public class ProtectionOrderAssertionSta
                 if (firstEncryption >= 0 && firstEncryption < lastSignature) {
                     setAsserted(false);
                     setErrorMessage("Policy enforces " + protectionOrder + " but the " + WSSUtils.pathAsString(elementPath) + " was encrypted and then signed");
+                    policyAsserter.unassertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING),
+                                                  getErrorMessage());
+                } else {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.SIGN_BEFORE_ENCRYPTING));
                 }
                 break;
             }
@@ -116,6 +149,10 @@ public class ProtectionOrderAssertionSta
                 if (firstSignature >= 0 && firstSignature < lastEncryption) {
                     setAsserted(false);
                     setErrorMessage("Policy enforces " + protectionOrder + " but the " + WSSUtils.pathAsString(elementPath) + " was signed and then encrypted");
+                    policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING),
+                                                  getErrorMessage());
+                } else {
+                    policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_BEFORE_SIGNING));
                 }
                 break;
             }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RelTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -22,6 +22,7 @@ import org.apache.wss4j.common.WSSPolicy
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.RelToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +35,9 @@ import org.apache.wss4j.stax.securityEve
 
 public class RelTokenAssertionState extends TokenAssertionState {
 
-    public RelTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public RelTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                  PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
     }
 
     @Override
@@ -57,6 +59,7 @@ public class RelTokenAssertionState exte
 
         if (relToken.getIssuerName() != null && !relToken.getIssuerName().equals(relTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + relToken.getIssuerName() + ") didn't match with the one in the RelToken (" + relTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
 
@@ -64,6 +67,7 @@ public class RelTokenAssertionState exte
         //todo WssRelV*
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }



Mime
View raw message