More work exploring the policy extension model by implementing a token based authentication schema across binding.ws and binding.jm. No authentication is actually performed here. That is left for users to provide their own policy interceptors. However tokens are passed and security Subjects/Principals are created. This exercise has highlighted some awkwardness in the process of building policy implementations. I'll post about this on the mail list.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@695374 13f79535-47bb-0310-9956-ffa450edef68

13 files changed, 530 insertions, 53 deletions

diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/SecurityUtil.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/SecurityUtil.java
new file mode 100644
index 0000000000..7e32973b9a
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/SecurityUtil.java
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+package org.apache.tuscany.sca.policy;
+
+import java.security.Principal;
+
+import javax.security.auth.Subject;
+
+import org.apache.tuscany.sca.invocation.Message;
+import org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPrincipal;
+
+
+/**
+ *
+ * @version $Rev$ $Date$
+ */
+public class SecurityUtil {
+    
+    public static Subject getSubject(Message msg){
+        Subject subject = (Subject)msg.getQoSContext().get(Message.QOS_CTX_SECURITY_SUBJECT);
+        
+        if (subject == null){
+            subject = new Subject(); 
+            msg.getQoSContext().put(Message.QOS_CTX_SECURITY_SUBJECT, subject); 
+        }
+        
+        return subject;
+    }
+    
+    public static <T> T getPrincipal(Subject subject, Class<T> clazz){
+        for (Principal msgPrincipal : subject.getPrincipals() ){
+            if (clazz.isInstance(msgPrincipal)){
+                return clazz.cast(msgPrincipal);
+            }
+        }
+        
+        return null;
+    }
+}
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicy.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicy.java
index 14bff2dca6..c4909d6bd8 100644
--- a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicy.java
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicy.java
@@ -31,7 +31,7 @@ import org.apache.tuscany.sca.policy.Policy;
  */
 public class BasicAuthenticationPolicy implements Policy {
     public static final QName BASIC_AUTHENTICATION_POLICY_QNAME = new QName(Constants.SCA10_TUSCANY_NS, "basicAuthentication");
-    public static final String BASIC_AUTHENTICATION_USERNAME = "username";
+    public static final String BASIC_AUTHENTICATION_USERNAME = "userName";
     public static final String BASIC_AUTHENTICATION_PASSWORD = "password";
 
     private String userName;
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicyProcessor.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicyProcessor.java
index 082dfc9fdb..4e605ec2dc 100644
--- a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicyProcessor.java
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPolicyProcessor.java
@@ -43,10 +43,6 @@ import org.apache.tuscany.sca.monitor.Monitor;
  */
 public class BasicAuthenticationPolicyProcessor implements StAXArtifactProcessor<BasicAuthenticationPolicy> {
     
-    private static final String USER_NAME = "userName";
-    private static final String PASSWORD = "password";
-
-    
     public QName getArtifactType() {
         return BasicAuthenticationPolicy.BASIC_AUTHENTICATION_POLICY_QNAME;
     }
@@ -67,9 +63,9 @@ public class BasicAuthenticationPolicyProcessor implements StAXArtifactProcessor
                     name = reader.getName();
                     if ( name.equals(getArtifactType()) ) {
                         // no attributes at the moment
-                    } else if ( USER_NAME.equals(name.getLocalPart()) ) {
+                    } else if ( BasicAuthenticationPolicy.BASIC_AUTHENTICATION_USERNAME.equals(name.getLocalPart()) ) {
                         policy.setUserName(reader.getElementText());
-                    } else if ( PASSWORD.equals(name.getLocalPart()) ) {
+                    } else if ( BasicAuthenticationPolicy.BASIC_AUTHENTICATION_PASSWORD.equals(name.getLocalPart()) ) {
                         policy.setPassword(reader.getElementText());
                     }
                     break;
@@ -101,7 +97,7 @@ public class BasicAuthenticationPolicyProcessor implements StAXArtifactProcessor
 
         if ( policy.getUserName() != null ) {
             writer.writeStartElement(prefix, 
-                                     USER_NAME,
+                                     BasicAuthenticationPolicy.BASIC_AUTHENTICATION_USERNAME,
                                      getArtifactType().getNamespaceURI());
             writer.writeCharacters(policy.getUserName());
             writer.writeEndElement();
@@ -109,7 +105,7 @@ public class BasicAuthenticationPolicyProcessor implements StAXArtifactProcessor
         
         if ( policy.getPassword() != null ) {
             writer.writeStartElement(prefix, 
-                                     PASSWORD,
+                                     BasicAuthenticationPolicy.BASIC_AUTHENTICATION_PASSWORD,
                                      getArtifactType().getNamespaceURI());
             writer.writeCharacters(policy.getPassword());
             writer.writeEndElement();
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPrincipal.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPrincipal.java
new file mode 100644
index 0000000000..3ab9cb656d
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationPrincipal.java
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+package org.apache.tuscany.sca.policy.authentication.basic;
+
+import java.security.Principal;
+
+
+/**
+ *
+ * @version $Rev$ $Date$
+ */
+public class BasicAuthenticationPrincipal implements Principal {
+
+    private String name;
+    private String password;
+
+    public BasicAuthenticationPrincipal(String name, String password){
+        if (name == null) {
+            throw new IllegalArgumentException("name cannot be null");
+        }
+        
+        this.name = name;
+        this.password = password;
+    }
+    
+    public String getName() {
+        return name;
+    }  
+    
+    public String getPassword() {
+        return password;
+    }
+    
+    @Override
+    public int hashCode() {
+        return name.hashCode();
+    }
+    
+    @Override
+    public String toString() {
+        return name;
+    }
+    
+    
+    @Override
+    public boolean equals(Object principal) {
+        if (principal == null)
+            return false;
+        if (this == principal)
+            return true;
+        if (getClass() != principal.getClass())
+            return false;
+        final BasicAuthenticationPrincipal other = (BasicAuthenticationPrincipal)principal;
+        if (name == null) {
+            if (other.name != null)
+                return false;
+        } else if (!name.equals(other.name)){
+            return false;
+        }
+            
+        return true;
+    }
+   
+}
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationReferencePolicyInterceptor.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationReferencePolicyInterceptor.java
index 83b1d20e9e..2576fe56ad 100644
--- a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationReferencePolicyInterceptor.java
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationReferencePolicyInterceptor.java
@@ -18,11 +18,13 @@
  */
 package org.apache.tuscany.sca.policy.authentication.basic;
 
+import java.security.Principal;
 import java.util.logging.ConsoleHandler;
 import java.util.logging.Handler;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.security.auth.Subject;
 import javax.xml.namespace.QName;
 
 import org.apache.tuscany.sca.assembly.xml.Constants;
@@ -32,15 +34,13 @@ import org.apache.tuscany.sca.invocation.Invoker;
 import org.apache.tuscany.sca.invocation.Message;
 import org.apache.tuscany.sca.policy.Policy;
 import org.apache.tuscany.sca.policy.PolicySet;
+import org.apache.tuscany.sca.policy.SecurityUtil;
 
 /**
- * Policy handler to handle PolicySet related to Logging with the QName
- * {http://tuscany.apache.org/xmlns/sca/1.0/impl/java}LoggingPolicy
  *
  * @version $Rev$ $Date$
  */
 public class BasicAuthenticationReferencePolicyInterceptor implements Interceptor {
-    public static final QName policySetQName = new QName(Constants.SCA10_TUSCANY_NS, "wsBasicAuthentication");
 
     private Invoker next;
     private Operation operation;
@@ -68,11 +68,26 @@ public class BasicAuthenticationReferencePolicyInterceptor implements Intercepto
     }
 
     public Message invoke(Message msg) {
-        // could call out here to some 3rd part system to get credentials
-        msg.getQoSContext().put(BasicAuthenticationPolicy.BASIC_AUTHENTICATION_USERNAME,
-                                policy.getUserName());
-        msg.getQoSContext().put(BasicAuthenticationPolicy.BASIC_AUTHENTICATION_PASSWORD,
-                                policy.getPassword());
+        
+        // get the security context
+        Subject subject = SecurityUtil.getSubject(msg);
+        BasicAuthenticationPrincipal principal = SecurityUtil.getPrincipal(subject, 
+                                                                           BasicAuthenticationPrincipal.class);
+
+        // if no credentials propogated from the reference then use 
+        // the ones from the policy
+        if (principal == null && 
+            policy.getUserName() != null && 
+            !policy.getUserName().equals("")) {
+            principal = new BasicAuthenticationPrincipal(policy.getUserName(),
+                                                         policy.getPassword());
+            subject.getPrincipals().add(principal);
+        }
+
+        if (principal == null){
+            // alternatively we could call out here to some 3rd party system to get credentials
+            // or convert from some other security principal
+        }
         
         return getNext().invoke(msg);
     }
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationServicePolicyInterceptor.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationServicePolicyInterceptor.java
index 1b8ceb1515..c3591d1a40 100644
--- a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationServicePolicyInterceptor.java
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/basic/BasicAuthenticationServicePolicyInterceptor.java
@@ -19,6 +19,9 @@
 package org.apache.tuscany.sca.policy.authentication.basic;
 
 
+import java.security.Principal;
+
+import javax.security.auth.Subject;
 import javax.xml.namespace.QName;
 
 import org.apache.tuscany.sca.assembly.xml.Constants;
@@ -27,6 +30,9 @@ import org.apache.tuscany.sca.invocation.Interceptor;
 import org.apache.tuscany.sca.invocation.Invoker;
 import org.apache.tuscany.sca.invocation.Message;
 import org.apache.tuscany.sca.policy.PolicySet;
+import org.apache.tuscany.sca.policy.SecurityUtil;
+
+import com.ibm.security.auth.JAASPrincipal;
 
 /**
  * Policy handler to handle PolicySet related to Logging with the QName
@@ -35,8 +41,6 @@ import org.apache.tuscany.sca.policy.PolicySet;
  * @version $Rev$ $Date$
  */
 public class BasicAuthenticationServicePolicyInterceptor implements Interceptor {
-    public static final QName policySetQName = new QName(Constants.SCA10_TUSCANY_NS, "wsBasicAuthentication");
-
     private Invoker next;
     private Operation operation;
     private PolicySet policySet = null;
@@ -64,16 +68,20 @@ public class BasicAuthenticationServicePolicyInterceptor implements Interceptor
 
     public Message invoke(Message msg) {
         
-        String username = (String)msg.getQoSContext().get(BasicAuthenticationPolicy.BASIC_AUTHENTICATION_USERNAME);
-        String password = (String)msg.getQoSContext().get(BasicAuthenticationPolicy.BASIC_AUTHENTICATION_PASSWORD);
-        
-        if (username != null) {
+        Subject subject = SecurityUtil.getSubject(msg);
+        BasicAuthenticationPrincipal principal =  SecurityUtil.getPrincipal(subject, 
+                                                                            BasicAuthenticationPrincipal.class);
+
+        if (principal != null){
             
-            System.out.println("Username: " + username + " Password: " + password);
-            // could call out here to some 3rd part system to do whatever you 
-            // need to turn credentials into a principal            
+            System.out.println("Username: " + 
+                               principal.getName() + 
+                               " Password: " + 
+                               principal.getPassword());
             
-            msg.getQoSContext().put(Message.QOS_CTX_SECURITY_PRINCIPAL, username);             
+            // could call out here to some 3rd party system to do whatever you 
+            // need to do do with username and password
+           
         }
     
         return getNext().invoke(msg);
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/token/TokenPrincipal.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/token/TokenPrincipal.java
new file mode 100644
index 0000000000..147b863c01
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/authentication/token/TokenPrincipal.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+package org.apache.tuscany.sca.policy.authentication.token;
+
+import java.security.Principal;
+
+
+/**
+ *
+ * @version $Rev$ $Date$
+ */
+public class TokenPrincipal implements Principal {
+
+    private String name;
+
+    public TokenPrincipal(String name){
+        if (name == null) {
+            throw new IllegalArgumentException("name cannot be null");
+        }
+        
+        this.name = name;
+    }
+    
+    public String getName() {
+        return name;
+    }    
+    
+    @Override
+    public int hashCode() {
+        return name.hashCode();
+    }
+    
+    @Override
+    public String toString() {
+        return name;
+    }
+    
+    
+    @Override
+    public boolean equals(Object principal) {
+        if (principal == null)
+            return false;
+        if (this == principal)
+            return true;
+        if (getClass() != principal.getClass())
+            return false;
+        final TokenPrincipal other = (TokenPrincipal)principal;
+        if (name == null) {
+            if (other.name != null)
+                return false;
+        } else if (!name.equals(other.name)){
+            return false;
+        }
+            
+        return true;
+    }
+   
+}
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyInterceptor.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyInterceptor.java
new file mode 100644
index 0000000000..1559e22cb9
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyInterceptor.java
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+
+package org.apache.tuscany.sca.policy.identity;
+
+import java.security.Principal;
+import java.util.List;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.LoginContext;
+
+import org.apache.tuscany.sca.invocation.Interceptor;
+import org.apache.tuscany.sca.invocation.Invoker;
+import org.apache.tuscany.sca.invocation.Message;
+import org.apache.tuscany.sca.policy.SecurityUtil;
+import org.osoa.sca.ServiceRuntimeException;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class SecurityIdentityImplementationPolicyInterceptor implements Interceptor {
+    private List<SecurityIdentityPolicy> securityIdentityPolicies;
+    private Invoker next;
+
+    public SecurityIdentityImplementationPolicyInterceptor(List<SecurityIdentityPolicy> securityIdentityPolicies) {
+        super();
+        this.securityIdentityPolicies = securityIdentityPolicies;
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.invocation.Interceptor#getNext()
+     */
+    public Invoker getNext() {
+        return next;
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.invocation.Interceptor#setNext(org.apache.tuscany.sca.invocation.Invoker)
+     */
+    public void setNext(Invoker next) {
+        this.next = next;
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.invocation.Invoker#invoke(org.apache.tuscany.sca.invocation.Message)
+     */
+    public Message invoke(Message msg) {
+        try {
+            
+            Subject subject = SecurityUtil.getSubject(msg);
+                
+            // May do some selection here based on runAs settings.
+            // by default though there is nothing to do as the implementation
+            // assumes the callers user credentials
+            
+
+        } catch (Exception e) {
+            throw new ServiceRuntimeException(e);
+        }
+        return getNext().invoke(msg);
+    }
+
+}
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyProvider.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyProvider.java
new file mode 100644
index 0000000000..aa52e0bc41
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityImplementationPolicyProvider.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+package org.apache.tuscany.sca.policy.identity;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.tuscany.sca.assembly.ConfiguredOperation;
+import org.apache.tuscany.sca.assembly.Implementation;
+import org.apache.tuscany.sca.assembly.OperationsConfigurator;
+import org.apache.tuscany.sca.interfacedef.Operation;
+import org.apache.tuscany.sca.invocation.Interceptor;
+import org.apache.tuscany.sca.invocation.Phase;
+import org.apache.tuscany.sca.policy.PolicySet;
+import org.apache.tuscany.sca.provider.PolicyProvider;
+import org.apache.tuscany.sca.runtime.RuntimeComponent;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class SecurityIdentityImplementationPolicyProvider implements PolicyProvider {
+    private RuntimeComponent component;
+    private Implementation implementation;
+
+    public SecurityIdentityImplementationPolicyProvider(RuntimeComponent component, Implementation implementation) {
+        super();
+        this.component = component;
+        this.implementation = implementation;
+    }
+
+    private List<SecurityIdentityPolicy> findPolicies(Operation op) {
+        List<SecurityIdentityPolicy> polices = new ArrayList<SecurityIdentityPolicy>();
+        // FIXME: How do we get a list of effective policySets for a given operation?
+        if (implementation instanceof OperationsConfigurator) {
+            OperationsConfigurator operationsConfigurator = (OperationsConfigurator)implementation;
+            for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) {
+                if (cop.getName().equals(op.getName())) {
+                    for (PolicySet ps : cop.getPolicySets()) {
+                        for (Object p : ps.getPolicies()) {
+                            if (SecurityIdentityPolicy.class.isInstance(p)) {
+                                polices.add((SecurityIdentityPolicy)p);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        
+        List<PolicySet> policySets = component.getPolicySets();
+        for (PolicySet ps : policySets) {
+            for (Object p : ps.getPolicies()) {
+                if (SecurityIdentityPolicy.class.isInstance(p)) {
+                    polices.add((SecurityIdentityPolicy)p);
+                }
+            }
+        }
+        return polices;
+    }
+
+    public Interceptor createInterceptor(Operation operation) {
+        List<SecurityIdentityPolicy> policies = findPolicies(operation);
+        if (policies == null || policies.isEmpty()) {
+            return null;
+        } else {
+            return new SecurityIdentityImplementationPolicyInterceptor(findPolicies(operation));
+        }
+    }
+
+    public String getPhase() {
+        return Phase.IMPLEMENTATION_POLICY;
+    }
+}
diff --git a/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityPolicyProviderFactory.java b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityPolicyProviderFactory.java
new file mode 100644
index 0000000000..a20f314a2a
--- /dev/null
+++ b/java/sca/modules/policy-security/src/main/java/org/apache/tuscany/sca/policy/identity/SecurityIdentityPolicyProviderFactory.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * 
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.    
+ */
+
+package org.apache.tuscany.sca.policy.identity;
+
+import org.apache.tuscany.sca.assembly.Binding;
+import org.apache.tuscany.sca.assembly.Implementation;
+import org.apache.tuscany.sca.core.ExtensionPointRegistry;
+import org.apache.tuscany.sca.provider.PolicyProvider;
+import org.apache.tuscany.sca.provider.PolicyProviderFactory;
+import org.apache.tuscany.sca.runtime.RuntimeComponent;
+import org.apache.tuscany.sca.runtime.RuntimeComponentReference;
+import org.apache.tuscany.sca.runtime.RuntimeComponentService;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class SecurityIdentityPolicyProviderFactory implements PolicyProviderFactory<SecurityIdentityPolicy> {
+    private ExtensionPointRegistry registry;
+    
+    public SecurityIdentityPolicyProviderFactory(ExtensionPointRegistry registry) {
+        super();
+        this.registry = registry;
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.provider.PolicyProviderFactory#createImplementationPolicyProvider(org.apache.tuscany.sca.runtime.RuntimeComponent, org.apache.tuscany.sca.assembly.Implementation)
+     */
+    public PolicyProvider createImplementationPolicyProvider(RuntimeComponent component, Implementation implementation) {
+        return new SecurityIdentityImplementationPolicyProvider(component, implementation);
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.provider.PolicyProviderFactory#createReferencePolicyProvider(org.apache.tuscany.sca.runtime.RuntimeComponent, org.apache.tuscany.sca.runtime.RuntimeComponentReference, org.apache.tuscany.sca.assembly.Binding)
+     */
+    public PolicyProvider createReferencePolicyProvider(RuntimeComponent component,
+                                                        RuntimeComponentReference reference,
+                                                        Binding binding) {
+        return null; 
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.provider.PolicyProviderFactory#createServicePolicyProvider(org.apache.tuscany.sca.runtime.RuntimeComponent, org.apache.tuscany.sca.runtime.RuntimeComponentService, org.apache.tuscany.sca.assembly.Binding)
+     */
+    public PolicyProvider createServicePolicyProvider(RuntimeComponent component,
+                                                      RuntimeComponentService service,
+                                                      Binding binding) {
+        return null; 
+    }
+
+    /**
+     * @see org.apache.tuscany.sca.provider.ProviderFactory#getModelType()
+     */
+    public Class getModelType() {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+}
diff --git a/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.contribution.processor.StAXArtifactProcessor b/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.contribution.processor.StAXArtifactProcessor
index 3a514e6088..bf8e4d11b4 100644
--- a/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.contribution.processor.StAXArtifactProcessor
+++ b/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.contribution.processor.StAXArtifactProcessor
@@ -1,26 +1,27 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-# 
-#   http://www.apache.org/licenses/LICENSE-2.0
-# 
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License. 
-
-# Implementation class for the artifact processor extension
-org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#authorization,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy
-org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#allow,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy
-org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#permitAll,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy
-org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#denyAll,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy
-org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#securityIdentity,model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy
-org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#runAs,model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy
-org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicyProcessor;qname=http://tuscany.apache.org/xmlns/sca/1.0#jaasAuthentication,model=org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicy
-org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicyProcessor;qname=http://tuscany.apache.org/xmlns/sca/1.0#basicAuthentication,model=org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicy
+# Licensed to the Apache Software Foundation (ASF) under one

+# or more contributor license agreements.  See the NOTICE file

+# distributed with this work for additional information

+# regarding copyright ownership.  The ASF licenses this file

+# to you under the Apache License, Version 2.0 (the

+# "License"); you may not use this file except in compliance

+# with the License.  You may obtain a copy of the License at

+# 

+#   http://www.apache.org/licenses/LICENSE-2.0

+# 

+# Unless required by applicable law or agreed to in writing,

+# software distributed under the License is distributed on an

+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+# KIND, either express or implied.  See the License for the

+# specific language governing permissions and limitations

+# under the License. 

+

+# Implementation class for the artifact processor extension

+org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#authorization,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy

+org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#allow,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy

+org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#permitAll,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy

+org.apache.tuscany.sca.policy.authorization.AuthorizationPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#denyAll,model=org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy

+org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#runAs,model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy

+org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProcessor;qname=http://www.osoa.org/xmlns/sca/1.0#securityIdentity,model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy

+org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProcessor;qname=http://tuscany.apache.org/xmlns/sca/1.0#securityIdentity,model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy

+org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicyProcessor;qname=http://tuscany.apache.org/xmlns/sca/1.0#jaasAuthentication,model=org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicy

+org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicyProcessor;qname=http://tuscany.apache.org/xmlns/sca/1.0#basicAuthentication,model=org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicy

diff --git a/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.provider.PolicyProviderFactory b/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.provider.PolicyProviderFactory
index 95263b8836..0363fbd981 100644
--- a/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.provider.PolicyProviderFactory
+++ b/java/sca/modules/policy-security/src/main/resources/META-INF/services/org.apache.tuscany.sca.provider.PolicyProviderFactory
@@ -18,3 +18,4 @@
 # Implementation class for the policy extension

 org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicyProviderFactory;model=org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicy

 org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicyProviderFactory;model=org.apache.tuscany.sca.policy.authentication.basic.BasicAuthenticationPolicy

+org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicyProviderFactory;model=org.apache.tuscany.sca.policy.identity.SecurityIdentityPolicy

diff --git a/java/sca/modules/policy-security/src/main/resources/org/apache/tuscany/sca/policy/security/tuscany_definitions.xml b/java/sca/modules/policy-security/src/main/resources/org/apache/tuscany/sca/policy/security/tuscany_definitions.xml
index f5b79af7ee..afd04a3444 100644
--- a/java/sca/modules/policy-security/src/main/resources/org/apache/tuscany/sca/policy/security/tuscany_definitions.xml
+++ b/java/sca/modules/policy-security/src/main/resources/org/apache/tuscany/sca/policy/security/tuscany_definitions.xml
@@ -20,6 +20,10 @@
 <definitions xmlns="http://www.osoa.org/xmlns/sca/1.0" targetNamespace="http://tuscany.apache.org/xmlns/sca/1.0"
     xmlns:sca="http://www.osoa.org/xmlns/sca/1.0" xmlns:tuscany="http://tuscany.apache.org/xmlns/sca/1.0">
 
+    <intent name="identity" constrains="sca:implementation.java">
+        <description>All invocations are must have an identity set</description>
+    </intent>
+
     <intent name="jaasAuthentication" constrains="sca:implementation.java">
         <description>All invocations to be authenticated</description>
     </intent>