ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1607692 [2/2] - in /webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax: ./ assertionStates/
Date Thu, 03 Jul 2014 16:34:45 GMT
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredElementsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -26,12 +26,15 @@ import org.apache.wss4j.policy.model.XPa
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.RequiredElementSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
 import javax.xml.namespace.QName;
+
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
@@ -43,8 +46,11 @@ import java.util.Map;
 public class RequiredElementsAssertionState extends AssertionState implements Assertable {
 
     private final Map<List<QName>, Boolean> pathElements = new HashMap<List<QName>, Boolean>();
+    private PolicyAsserter policyAsserter;
 
-    public RequiredElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public RequiredElementsAssertionState(AbstractSecurityAssertion assertion, 
+                                          PolicyAsserter policyAsserter,
+                                          boolean asserted) {
         super(assertion, asserted);
 
         if (assertion instanceof RequiredElements) {
@@ -55,6 +61,15 @@ public class RequiredElementsAssertionSt
                 pathElements.put(elements, Boolean.FALSE);
             }
         }
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     public void addElement(List<QName> pathElement) {
@@ -82,6 +97,7 @@ public class RequiredElementsAssertionSt
             }
         }
         //if we return false here other required elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 
@@ -93,9 +109,11 @@ public class RequiredElementsAssertionSt
             Map.Entry<List<QName>, Boolean> next = elementMapIterator.next();
             if (Boolean.FALSE.equals(next.getValue())) {
                 setErrorMessage("Element " + WSSUtils.pathAsString(next.getKey()) + " must be present");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
         }
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/RequiredPartsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -26,12 +26,15 @@ import org.apache.wss4j.policy.model.Req
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.RequiredPartSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
 import javax.xml.namespace.QName;
+
 import java.util.*;
 
 /**
@@ -40,8 +43,11 @@ import java.util.*;
 public class RequiredPartsAssertionState extends AssertionState implements Assertable {
 
     private final Map<Header, Boolean> headers = new HashMap<Header, Boolean>();
+    private PolicyAsserter policyAsserter;
 
-    public RequiredPartsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public RequiredPartsAssertionState(AbstractSecurityAssertion assertion,
+                                       PolicyAsserter policyAsserter,
+                                       boolean asserted) {
         super(assertion, asserted);
 
         RequiredParts requiredParts = (RequiredParts) assertion;
@@ -49,6 +55,15 @@ public class RequiredPartsAssertionState
             Header header = requiredParts.getHeaders().get(i);
             headers.put(header, Boolean.FALSE);
         }
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -78,6 +93,7 @@ public class RequiredPartsAssertionState
             }
         }
         //if we return false here other required elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 
@@ -89,9 +105,11 @@ public class RequiredPartsAssertionState
             Map.Entry<Header, Boolean> next = elementMapIterator.next();
             if (Boolean.FALSE.equals(next.getValue())) {
                 setErrorMessage("Element " + next.getKey().toString() + " must be present");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
         }
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SamlTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,11 +18,15 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.SamlToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.opensaml.common.SAMLVersion;
@@ -38,8 +42,20 @@ import org.apache.xml.security.stax.secu
 
 public class SamlTokenAssertionState extends TokenAssertionState {
 
-    public SamlTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public SamlTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                   PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            SamlToken token = (SamlToken) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.isRequireKeyIdentifierReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+            }
+            if (token.getSamlTokenType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, token.getSamlTokenType().name()));
+            }
+        }
     }
 
     @Override
@@ -60,12 +76,20 @@ public class SamlTokenAssertionState ext
 
         if (samlToken.getIssuerName() != null && !samlToken.getIssuerName().equals(samlTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + samlToken.getIssuerName() + ") didn't match with the one in the SamlToken (" + samlTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
-        if (samlToken.isRequireKeyIdentifierReference() &&
-                !WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(samlTokenSecurityEvent.getSecurityToken().getKeyIdentifier())) {
-            setErrorMessage("Policy enforces KeyIdentifierReference but we got " + samlTokenSecurityEvent.getSecurityToken().getTokenType());
-            return false;
+        
+        String namespace = getAssertion().getName().getNamespaceURI();
+        if (samlToken.isRequireKeyIdentifierReference()) {
+            if (!WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(samlTokenSecurityEvent.getSecurityToken().getKeyIdentifier())) {
+                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + samlTokenSecurityEvent.getSecurityToken().getTokenType());
+                getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE),
+                                                 getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+            }
         }
         if (samlToken.getSamlTokenType() != null) {
             final SamlAssertionWrapper samlAssertionWrapper = samlTokenSecurityEvent.getSamlAssertionWrapper();
@@ -73,29 +97,41 @@ public class SamlTokenAssertionState ext
                 case WssSamlV11Token10:
                     if (samlAssertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
                         setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlAssertionWrapper.getSamlVersion());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()),
+                                                         getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()));
                     break;
                 case WssSamlV11Token11:
                     if (samlAssertionWrapper.getSamlVersion() != SAMLVersion.VERSION_11) {
                         setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlAssertionWrapper.getSamlVersion());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()));
                     break;
                 case WssSamlV20Token11:
                     if (samlAssertionWrapper.getSamlVersion() != SAMLVersion.VERSION_20) {
                         setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlAssertionWrapper.getSamlVersion());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()));
                     break;
                 case WssSamlV10Token10:
                 case WssSamlV10Token11:
                     setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
+                    getPolicyAsserter().unassertPolicy(new QName(namespace, samlToken.getSamlTokenType().name()),
+                                                       getErrorMessage());
                     return false;
             }
         }
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecureConversationTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -19,6 +19,7 @@
 package org.apache.wss4j.policy.stax.assertionStates;
 
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 
@@ -31,8 +32,9 @@ public class SecureConversationTokenAsse
     //todo sp:SC13SecurityContextToken:
     //todo MustNotSendCancel etc...
     
-    public SecureConversationTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public SecureConversationTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                                 PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
     }
 
     @Override

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SecurityContextTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,10 +18,14 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.SecurityContextToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +38,23 @@ import org.apache.wss4j.stax.securityEve
 
 public class SecurityContextTokenAssertionState extends TokenAssertionState {
 
-    public SecurityContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public SecurityContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                              PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            SecurityContextToken token = (SecurityContextToken) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.isRequireExternalUriReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE));
+            }
+            if (token.isSc10SecurityContextToken()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
+            }
+            if (token.isSc13SecurityContextToken()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
+            }
+        }
     }
 
     @Override
@@ -56,15 +75,32 @@ public class SecurityContextTokenAsserti
 
         if (securityContextToken.getIssuerName() != null && !securityContextToken.getIssuerName().equals(securityContextTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + securityContextToken.getIssuerName() + ") didn't match with the one in the SecurityContextToken (" + securityContextTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
-        if (securityContextToken.isRequireExternalUriReference() && !securityContextTokenSecurityEvent.isExternalUriRef()) {
-            setErrorMessage("Policy enforces externalUriRef but we didn't got one");
-            return false;
+        
+        String namespace = getAssertion().getName().getNamespaceURI();
+        if (securityContextToken.isRequireExternalUriReference()) {
+            if (!securityContextTokenSecurityEvent.isExternalUriRef()) {
+                setErrorMessage("Policy enforces externalUriRef but we didn't got one");
+                getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE),
+                                                   getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE));
+            }
         }
         //todo sp:SC13SecurityContextToken:
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        if (securityContextToken.isSc10SecurityContextToken()) {
+            getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
+        }
+        if (securityContextToken.isSc13SecurityContextToken()) {
+            getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
+        }
+        
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureConfirmationAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,19 +18,38 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.Wss11;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 
 public class SignatureConfirmationAssertionState extends AssertionState implements Assertable {
 
-    public SignatureConfirmationAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    private PolicyAsserter policyAsserter;
+    
+    public SignatureConfirmationAssertionState(AbstractSecurityAssertion assertion, 
+                                               PolicyAsserter policyAsserter,
+                                               boolean asserted) {
         super(assertion, asserted);
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
+        }
     }
 
     @Override
@@ -44,11 +63,15 @@ public class SignatureConfirmationAssert
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         Wss11 wss11 = (Wss11)getAssertion();
 
+        String namespace = getAssertion().getName().getNamespaceURI();
         if (wss11.isRequireSignatureConfirmation()) {
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION));
             setAsserted(true);
         } else {
             setAsserted(false);
             setErrorMessage("Signature confirmation elements must not be used");
+            policyAsserter.unassertPolicy(new QName(namespace, SPConstants.REQUIRE_SIGNATURE_CONFIRMATION),
+                                          getErrorMessage());
         }
         return isAsserted();
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignatureProtectionAssertionState.java Thu Jul  3 16:34:44 2014
@@ -19,6 +19,7 @@
 package org.apache.wss4j.policy.stax.assertionStates;
 
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
@@ -29,6 +30,8 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
@@ -51,8 +54,11 @@ public class SignatureProtectionAssertio
     private final ArrayList<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents =
             new ArrayList<TokenSecurityEvent<? extends SecurityToken>>();
     private final List<List<QName>> elementPaths = new ArrayList<List<QName>>();
+    private PolicyAsserter policyAsserter;
 
-    public SignatureProtectionAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public SignatureProtectionAssertionState(AbstractSecurityAssertion assertion, 
+                                             PolicyAsserter policyAsserter,
+                                             boolean asserted) {
         super(assertion, asserted);
         List<QName> signature11Path = new LinkedList<QName>();
         signature11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
@@ -65,6 +71,16 @@ public class SignatureProtectionAssertio
         signatureConfirmation11Path.add(WSSConstants.TAG_wsse_Security);
         signatureConfirmation11Path.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
         elementPaths.add(signatureConfirmation11Path);
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_SIGNATURE));
+        }
     }
 
     @Override
@@ -189,22 +205,30 @@ public class SignatureProtectionAssertio
         AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = 
             (AbstractSymmetricAsymmetricBinding) getAssertion();
         
+        String namespace = getAssertion().getName().getNamespaceURI();
+        
         if (encryptedElementSecurityEvent.isEncrypted()) {
             if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_SIGNATURE));
                 return true;
             } else {
                 setAsserted(false);
                 setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must not be encrypted");
+                policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ENCRYPT_SIGNATURE),
+                                              getErrorMessage());
                 return false;
             }
         } else {
             if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
                 setAsserted(false);
                 setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
+                policyAsserter.unassertPolicy(new QName(namespace, SPConstants.ENCRYPT_SIGNATURE),
+                                            getErrorMessage());
                 return false;
             } else {
                 setAsserted(true);
+                policyAsserter.assertPolicy(new QName(namespace, SPConstants.ENCRYPT_SIGNATURE));
                 return true;
             }
         }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedElementsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -27,6 +27,8 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.policy.stax.PolicyUtils;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
@@ -43,8 +45,11 @@ import java.util.List;
 public class SignedElementsAssertionState extends AssertionState implements Assertable {
 
     private final List<List<QName>> pathElements = new ArrayList<List<QName>>();
+    private PolicyAsserter policyAsserter;
 
-    public SignedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
+    public SignedElementsAssertionState(AbstractSecurityAssertion assertion, 
+                                        PolicyAsserter policyAsserter,
+                                        boolean asserted) {
         super(assertion, asserted);
 
         if (assertion instanceof SignedElements) {
@@ -55,6 +60,15 @@ public class SignedElementsAssertionStat
                 pathElements.add(elements);
             }
         }
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -79,16 +93,19 @@ public class SignedElementsAssertionStat
             if (WSSUtils.pathMatches(pathElements, signedSecurityEvent.getElementPath(), true, false)) {
                 if (signedSecurityEvent.isSigned()) {
                     setAsserted(true);
+                    policyAsserter.assertPolicy(getAssertion());
                     return true;
                 } else {
                     //an element must be signed but isn't
                     setAsserted(false);
                     setErrorMessage("Element " + WSSUtils.pathAsString(signedSecurityEvent.getElementPath()) + " must be signed");
+                    policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
         }
         //if we return false here other signed elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SignedPartsAssertionState.java Thu Jul  3 16:34:44 2014
@@ -26,6 +26,8 @@ import org.apache.wss4j.policy.model.Sig
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
@@ -44,12 +46,23 @@ public class SignedPartsAssertionState e
     private int attachmentCount;
     private int signedAttachmentCount;
     private boolean signedAttachmentRequired;
+    private PolicyAsserter policyAsserter;
 
     public SignedPartsAssertionState(
-        AbstractSecurityAssertion assertion, boolean asserted, int attachmentCount
+        AbstractSecurityAssertion assertion, PolicyAsserter policyAsserter,
+        boolean asserted, int attachmentCount
     ) {
         super(assertion, asserted);
         this.attachmentCount = attachmentCount;
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            policyAsserter.assertPolicy(getAssertion());
+        }
     }
 
     @Override
@@ -70,6 +83,7 @@ public class SignedPartsAssertionState e
             if (signedPartSecurityEvent.isAttachment()) {
                 signedAttachmentCount++;
                 setAsserted(true);
+                policyAsserter.assertPolicy(getAssertion());
                 return true;
             }
         }
@@ -78,10 +92,12 @@ public class SignedPartsAssertionState e
                 && WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, signedPartSecurityEvent.getElementPath(), true, false)) {
             if (signedPartSecurityEvent.isSigned()) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(getAssertion());
                 return true;
             } else {
                 setAsserted(false);
                 setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
         }
@@ -89,10 +105,12 @@ public class SignedPartsAssertionState e
         if (signedParts.isSignAllHeaders()) {
             if (signedPartSecurityEvent.isSigned()) {
                 setAsserted(true);
+                policyAsserter.assertPolicy(getAssertion());
                 return true;
             } else {
                 setAsserted(false);
                 setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
+                policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
         } else {
@@ -107,10 +125,12 @@ public class SignedPartsAssertionState e
                 if (WSSUtils.pathMatches(header11Path, signedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
                     if (signedPartSecurityEvent.isSigned()) {
                         setAsserted(true);
+                        policyAsserter.assertPolicy(getAssertion());
                         return true;
                     } else {
                         setAsserted(false);
                         setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
+                        policyAsserter.unassertPolicy(getAssertion(), getErrorMessage());
                         return false;
                     }
                 }
@@ -118,6 +138,7 @@ public class SignedPartsAssertionState e
         }
 
         //if we return false here other signed elements will trigger a PolicyViolationException
+        policyAsserter.assertPolicy(getAssertion());
         return true;
     }
     

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/SpnegoContextTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -22,6 +22,7 @@ import org.apache.wss4j.common.WSSPolicy
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.SpnegoContextToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
@@ -34,8 +35,9 @@ import org.apache.wss4j.stax.securityEve
 
 public class SpnegoContextTokenAssertionState extends TokenAssertionState {
 
-    public SpnegoContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public SpnegoContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                            PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
     }
 
     @Override
@@ -57,11 +59,14 @@ public class SpnegoContextTokenAssertion
         if (spnegoContextToken.getIssuerName() != null
             && !spnegoContextToken.getIssuerName().equals(spnegoContextTokenSecurityEvent.getIssuerName())) {
             setErrorMessage("IssuerName in Policy (" + spnegoContextToken.getIssuerName() + ") didn't match with the one in the IssuedToken (" + spnegoContextTokenSecurityEvent.getIssuerName() + ")");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
+        
         //todo MustNotSend* ?
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -23,6 +23,8 @@ import org.apache.wss4j.policy.SPConstan
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.*;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
@@ -33,6 +35,8 @@ import org.apache.xml.security.stax.secu
 import java.util.Iterator;
 import java.util.List;
 
+import javax.xml.namespace.QName;
+
 /**
  * WSP1.3, 5 Token Assertions
  */
@@ -43,10 +47,31 @@ public abstract class TokenAssertionStat
     //todo derived keys?
 
     private boolean initiator;
+    private PolicyAsserter policyAsserter;
 
     public TokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
+        this(assertion, asserted, null, initiator);
+    }
+    
+    public TokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                               PolicyAsserter policyAsserter, boolean initiator) {
         super(assertion, asserted);
         this.initiator = initiator;
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (asserted) {
+            AbstractToken token = (AbstractToken)getAssertion();
+            getPolicyAsserter().assertPolicy(token);
+            if (token.getDerivedKeys() != null) {
+                AbstractToken.DerivedKeys derivedKeys = token.getDerivedKeys();
+                String namespace = token.getName().getNamespaceURI();
+                getPolicyAsserter().assertPolicy(new QName(namespace, derivedKeys.name()));
+            }
+        }
     }
 
     @Override
@@ -195,6 +220,7 @@ public abstract class TokenAssertionStat
         //WSP1.3, 5.3 Token Properties
         boolean hasDerivedKeys = false;
         hasDerivedKeys = hasDerivedKeys(tokenSecurityEvent.getSecurityToken());
+        String namespace = getAssertion().getName().getNamespaceURI();
         if (abstractToken.getDerivedKeys() != null) {
             AbstractToken.DerivedKeys derivedKeys = abstractToken.getDerivedKeys();
             switch (derivedKeys) {
@@ -203,8 +229,13 @@ public abstract class TokenAssertionStat
                 case RequireImpliedDerivedKeys:
                     if (!hasDerivedKeys) {
                         setErrorMessage("Derived key must be used");
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, derivedKeys.name()),
+                                                         "Derived key must be used");
                         asserted = false;
+                    } else {
+                        getPolicyAsserter().assertPolicy(new QName(namespace, derivedKeys.name()));
                     }
+                    break;
             }
         } else {
             if (hasDerivedKeys) {
@@ -250,4 +281,8 @@ public abstract class TokenAssertionStat
         }
         return hasDerivedKeys;
     }
+    
+    protected PolicyAsserter getPolicyAsserter() {
+        return policyAsserter;
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java Thu Jul  3 16:34:44 2014
@@ -20,9 +20,12 @@ package org.apache.wss4j.policy.stax.ass
 
 import org.apache.neethi.Assertion;
 import org.apache.wss4j.policy.AssertionState;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.common.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
 import org.apache.wss4j.policy.stax.Assertable;
+import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
@@ -49,9 +52,22 @@ public class TokenProtectionAssertionSta
     private final ArrayList<SignedElementSecurityEvent> signedElementEvents = new ArrayList<SignedElementSecurityEvent>();
     private final ArrayList<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents =
             new ArrayList<TokenSecurityEvent<? extends SecurityToken>>();
+    private PolicyAsserter policyAsserter;
 
-    public TokenProtectionAssertionState(Assertion assertion, boolean initialAssertionState) {
+    public TokenProtectionAssertionState(Assertion assertion, 
+                                         PolicyAsserter policyAsserter,
+                                         boolean initialAssertionState) {
         super(assertion, initialAssertionState);
+        
+        this.policyAsserter = policyAsserter;
+        if (this.policyAsserter == null) {
+            this.policyAsserter = new DummyPolicyAsserter();
+        }
+        
+        if (initialAssertionState) {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
+        }
     }
 
     @Override
@@ -76,6 +92,10 @@ public class TokenProtectionAssertionSta
 
         AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) getAssertion();
         boolean protectTokens = abstractSymmetricAsymmetricBinding.isProtectTokens();
+        String namespace = getAssertion().getName().getNamespaceURI();
+        if (protectTokens) {
+            policyAsserter.assertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS));
+        }
 
         if (securityEvent instanceof SignedElementSecurityEvent) {
             SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
@@ -100,10 +120,14 @@ public class TokenProtectionAssertionSta
                     if (protectTokens && !signsItsSignatureToken) {
                         setAsserted(false);
                         setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath()) + " must be signed by its signature.");
+                        policyAsserter.unassertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS),
+                                                      getErrorMessage());
                         return false;
                     } else if (!protectTokens && signsItsSignatureToken) {
                         setAsserted(false);
                         setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath()) + " must not be signed by its signature.");
+                        policyAsserter.unassertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS),
+                                                      getErrorMessage());
                         return false;
                     }
                 }
@@ -112,6 +136,8 @@ public class TokenProtectionAssertionSta
                     //[WSP1.3_8.9b]
                     setAsserted(false);
                     setErrorMessage("Token " + WSSUtils.pathAsString(((InboundSecurityToken)securityToken).getElementPath()) + " must sign the main signature.");
+                    policyAsserter.unassertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS),
+                                                  getErrorMessage());
                     return false;
                 }
 
@@ -119,6 +145,8 @@ public class TokenProtectionAssertionSta
                         && !signsSignedSupportingTokens(securityToken)) {
                     setAsserted(false);
                     setErrorMessage("Main signature must sign the Signed*Supporting-Tokens.");
+                    policyAsserter.unassertPolicy(new QName(namespace, SPConstants.PROTECT_TOKENS),
+                                                  getErrorMessage());
                     return false;
                 }
             }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -18,10 +18,15 @@
  */
 package org.apache.wss4j.policy.stax.assertionStates;
 
+import javax.xml.namespace.QName;
+
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SP13Constants;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.UsernameToken;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.securityToken.UsernameSecurityToken;
 import org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent;
@@ -37,8 +42,28 @@ import org.apache.xml.security.stax.secu
 
 public class UsernameTokenAssertionState extends TokenAssertionState {
 
-    public UsernameTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public UsernameTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
+                                       PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            UsernameToken usernameToken = (UsernameToken) getAssertion();
+            String namespace = usernameToken.getName().getNamespaceURI();
+            if (usernameToken.getPasswordType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getPasswordType().name()));
+            }
+            if (usernameToken.isCreated()) {
+                getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
+            }
+            
+            if (usernameToken.isNonce()) {
+                getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
+            }
+            
+            if (usernameToken.getUsernameTokenType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, usernameToken.getUsernameTokenType().name()));
+            }
+        }
     }
 
     @Override
@@ -58,56 +83,86 @@ public class UsernameTokenAssertionState
         UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) tokenSecurityEvent;
         UsernameToken usernameToken = (UsernameToken) abstractToken;
 
+        String namespace = getAssertion().getName().getNamespaceURI();
         if (usernameToken.getPasswordType() != null) {
             switch (usernameToken.getPasswordType()) {
                 case NoPassword:
                     if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
                         setErrorMessage("UsernameToken contains a password but the policy prohibits it");
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.NO_PASSWORD),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.NO_PASSWORD));
                     break;
                 case HashPassword:
                     if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
                         setErrorMessage("UsernameToken does not contain a hashed password");
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD));
                     break;
             }
         } else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
             // We must have a password for the default case
             setErrorMessage("UsernameToken must contain a password");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         } else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
             // We must have a plaintext password for the default case
             setErrorMessage("UsernameToken password must not be hashed");
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
-        if (usernameToken.isCreated() && (usernameSecurityToken.getCreatedTime() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setErrorMessage("UsernameToken does not contain a created timestamp or password is not plain text");
-            return false;
+        if (usernameToken.isCreated()) {
+            if (usernameSecurityToken.getCreatedTime() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
+                setErrorMessage("UsernameToken does not contain a created timestamp or password is not plain text");
+                getPolicyAsserter().unassertPolicy(SP13Constants.CREATED, getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
+            }
         }
-        if (usernameToken.isNonce() && (usernameSecurityToken.getNonce() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT)) {
-            setErrorMessage("UsernameToken does not contain a nonce or password is not plain text");
-            return false;
+        
+        if (usernameToken.isNonce()) {
+            if (usernameSecurityToken.getNonce() == null || usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
+                setErrorMessage("UsernameToken does not contain a nonce or password is not plain text");
+                getPolicyAsserter().unassertPolicy(SP13Constants.NONCE, getErrorMessage());
+                return false;
+            } else {
+                getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
+            }
         }
-        if (usernameToken.getUsernameTokenType() != null && usernameTokenSecurityEvent.getUsernameTokenProfile() != null) {
+        
+        if (usernameToken.getUsernameTokenType() != null) {
             switch (usernameToken.getUsernameTokenType()) {
                 case WssUsernameToken10:
-                    if (usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
+                    if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null 
+                        && usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
                         setErrorMessage("Policy enforces UsernameToken profile 1.0 but we got 1.1");
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10));
                     break;
                 case WssUsernameToken11:
-                    if (!usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
+                    if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
+                        && !usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
                         setErrorMessage("Policy enforces UsernameToken profile 1.1 but we got 1.0");
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11),
+                                                           getErrorMessage());
                         return false;
                     }
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11));
                     break;
             }
         }
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java?rev=1607692&r1=1607691&r2=1607692&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/X509TokenAssertionState.java Thu Jul  3 16:34:44 2014
@@ -19,9 +19,11 @@
 package org.apache.wss4j.policy.stax.assertionStates;
 
 import org.apache.wss4j.common.WSSPolicyException;
+import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
 import org.apache.wss4j.policy.model.AbstractToken;
 import org.apache.wss4j.policy.model.X509Token;
+import org.apache.wss4j.policy.stax.PolicyAsserter;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
 import org.apache.xml.security.exceptions.XMLSecurityException;
@@ -31,14 +33,34 @@ import org.apache.xml.security.stax.secu
 
 import java.security.cert.X509Certificate;
 
+import javax.xml.namespace.QName;
+
 /**
  * WSP1.3, 5.4.3 X509Token Assertion
  */
 
 public class X509TokenAssertionState extends TokenAssertionState {
 
-    public X509TokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, boolean initiator) {
-        super(assertion, asserted, initiator);
+    public X509TokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted, 
+                                   PolicyAsserter policyAsserter, boolean initiator) {
+        super(assertion, asserted, policyAsserter, initiator);
+        
+        if (asserted) {
+            X509Token token = (X509Token) getAssertion();
+            String namespace = token.getName().getNamespaceURI();
+            if (token.isRequireKeyIdentifierReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+            } else if (token.isRequireIssuerSerialReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE));
+            } else if (token.isRequireEmbeddedTokenReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE));
+            } else if (token.isRequireThumbprintReference()) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE));
+            }
+            if (token.getTokenType() != null) {
+                getPolicyAsserter().assertPolicy(new QName(namespace, token.getTokenType().name()));
+            }
+        }
     }
 
     @Override
@@ -67,35 +89,59 @@ public class X509TokenAssertionState ext
         }
 
         try {
+            String namespace = getAssertion().getName().getNamespaceURI();
+            
             X509Certificate x509Certificate = securityToken.getX509Certificates()[0];
             if (x509Token.getIssuerName() != null) {
                 final String certificateIssuerName = x509Certificate.getIssuerX500Principal().getName();
                 if (!x509Token.getIssuerName().equals(certificateIssuerName)) {
                     setErrorMessage("IssuerName in Policy (" + x509Token.getIssuerName() +
                             ") didn't match with the one in the certificate (" + certificateIssuerName + ")");
+                    getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                     return false;
                 }
             }
-            if (x509Token.isRequireKeyIdentifierReference() &&
-                    !(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(securityToken.getKeyIdentifier())
+            if (x509Token.isRequireKeyIdentifierReference()) {
+                if (!(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier.equals(securityToken.getKeyIdentifier())
                         || WSSecurityTokenConstants.KeyIdentifier_SkiKeyIdentifier.equals(securityToken.getKeyIdentifier()))) {
-                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + securityToken.getKeyIdentifier());
-                return false;
-            } else if (x509Token.isRequireIssuerSerialReference() &&
-                    !WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(securityToken.getKeyIdentifier())) {
-                setErrorMessage("Policy enforces IssuerSerialReference but we got " + securityToken.getKeyIdentifier());
-                return false;
-            } else if (x509Token.isRequireEmbeddedTokenReference() &&
-                    !WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(securityToken.getKeyIdentifier())) {
-                setErrorMessage("Policy enforces EmbeddedTokenReference but we got " + securityToken.getKeyIdentifier());
-                return false;
-            } else if (x509Token.isRequireThumbprintReference() &&
-                    !WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(securityToken.getKeyIdentifier())) {
-                setErrorMessage("Policy enforces ThumbprintReference but we got " + securityToken.getKeyIdentifier());
-                return false;
+                    setErrorMessage("Policy enforces KeyIdentifierReference but we got " + securityToken.getKeyIdentifier());
+                    getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE),
+                                                       getErrorMessage());
+                    return false;
+                } else {
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
+                }
+            } else if (x509Token.isRequireIssuerSerialReference()) {
+                if (!WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(securityToken.getKeyIdentifier())) {
+                    setErrorMessage("Policy enforces IssuerSerialReference but we got " + securityToken.getKeyIdentifier());
+                    getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE),
+                                                     getErrorMessage());
+                    return false;
+                } else {
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_ISSUER_SERIAL_REFERENCE));
+                }
+            } else if (x509Token.isRequireEmbeddedTokenReference()) {
+                if (!WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(securityToken.getKeyIdentifier())) {
+                    setErrorMessage("Policy enforces EmbeddedTokenReference but we got " + securityToken.getKeyIdentifier());
+                    getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE),
+                                                       getErrorMessage());
+                    return false;
+                } else {
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_EMBEDDED_TOKEN_REFERENCE));
+                }
+            } else if (x509Token.isRequireThumbprintReference()) {
+                if (!WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier.equals(securityToken.getKeyIdentifier())) {
+                    setErrorMessage("Policy enforces ThumbprintReference but we got " + securityToken.getKeyIdentifier());
+                    getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE),
+                                                       getErrorMessage());
+                    return false;
+                } else {
+                    getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.REQUIRE_THUMBPRINT_REFERENCE));
+                }
             }
             if (x509Certificate.getVersion() == 2) {
                 setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() + " not supported");
+                getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
                 return false;
             }
             if (x509Token.getTokenType() != null) {
@@ -106,37 +152,50 @@ public class X509TokenAssertionState ext
                                 x509Certificate.getVersion() != 3) {
                             setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() +
                                     " mismatch; Policy enforces " + x509Token.getTokenType());
+                            getPolicyAsserter().unassertPolicy(new QName(namespace, x509Token.getTokenType().name()),
+                                                                         getErrorMessage());
                             return false;
                         }
+                        getPolicyAsserter().assertPolicy(new QName(namespace, x509Token.getTokenType().name()));
                         break;
                     case WssX509V1Token11:
                         if (!WSSecurityTokenConstants.X509V1Token.equals(securityToken.getTokenType()) ||
                                 x509Certificate.getVersion() != 1) {
                             setErrorMessage("X509Certificate Version " + x509Certificate.getVersion() +
                                     " mismatch; Policy enforces " + x509Token.getTokenType());
+                            getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.WSS_X509_V1_TOKEN11),
+                                                               getErrorMessage());
                             return false;
                         }
+                        getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.WSS_X509_V1_TOKEN11));
                         break;
                     case WssX509PkiPathV1Token10:
                     case WssX509PkiPathV1Token11:
                         if (!WSSecurityTokenConstants.X509PkiPathV1Token.equals(securityToken.getTokenType())) {
                             setErrorMessage("Policy enforces " + x509Token.getTokenType() +
                                     " but we got " + securityToken.getTokenType());
+                            getPolicyAsserter().unassertPolicy(new QName(namespace, x509Token.getTokenType().name()),
+                                                               getErrorMessage());
                             return false;
                         }
+                        getPolicyAsserter().assertPolicy(new QName(namespace, x509Token.getTokenType().name()));
                         break;
                     case WssX509Pkcs7Token10:
                     case WssX509Pkcs7Token11:
                         setErrorMessage("Unsupported token type: " + securityToken.getTokenType());
+                        getPolicyAsserter().unassertPolicy(new QName(namespace, x509Token.getTokenType().name()),
+                                                           getErrorMessage());
                         return false;
                 }
             }
         } catch (XMLSecurityException e) {
             setErrorMessage(e.getMessage());
+            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
             return false;
         }
         //always return true to prevent false alarm in case additional tokens with the same usage
         //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
+        getPolicyAsserter().assertPolicy(getAssertion());
         return true;
     }
 }



Mime
View raw message