Posted to commits@ws.apache.org by co...@apache.org on 2016/01/20 11:59:41 UTC

svn commit: r1725699 - in /webservices/wss4j/branches/2_1_x-fixes: ./ ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/ ws-security-stax/src/main/java/org/apac...

Author: coheigea
Date: Wed Jan 20 10:59:41 2016
New Revision: 1725699

URL: http://svn.apache.org/viewvc?rev=1725699&view=rev
Log:
Enabling checkstyle

Modified:
    webservices/wss4j/branches/2_1_x-fixes/pom.xml
    webservices/wss4j/branches/2_1_x-fixes/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
    webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
    webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java

Modified: webservices/wss4j/branches/2_1_x-fixes/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/pom.xml?rev=1725699&r1=1725698&r2=1725699&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/pom.xml (original)
+++ webservices/wss4j/branches/2_1_x-fixes/pom.xml Wed Jan 20 10:59:41 2016
@@ -154,7 +154,6 @@
                     </execution>
                 </executions>
             </plugin>
-<!--
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
@@ -175,7 +174,6 @@
                     </execution>
                  </executions>
             </plugin>
--->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-source-plugin</artifactId>

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java?rev=1725699&r1=1725698&r2=1725699&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/KerberosTokenAssertionState.java Wed Jan 20 10:59:41 2016
@@ -31,6 +31,7 @@ import org.apache.wss4j.stax.securityTok
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.SecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityTokenConstants.KeyIdentifier;
 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
@@ -84,8 +85,9 @@ public class KerberosTokenAssertionState
 
         String namespace = getAssertion().getName().getNamespaceURI();
         if (kerberosToken.isRequireKeyIdentifierReference()) {
-            if (!WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF.equals(kerberosServiceSecurityToken.getKeyIdentifier())) {
-                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosServiceSecurityToken.getKeyIdentifier());
+            KeyIdentifier kerberosKeyIdentifier = kerberosServiceSecurityToken.getKeyIdentifier();
+            if (!WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF.equals(kerberosKeyIdentifier)) {
+                setErrorMessage("Policy enforces KeyIdentifierReference but we got " + kerberosKeyIdentifier);
                 getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE),
                                                  getErrorMessage());
                 return false;

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java?rev=1725699&r1=1725698&r2=1725699&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java Wed Jan 20 10:59:41 2016
@@ -141,17 +141,7 @@ public class InboundWSSecurityContextImp
     private void identifySecurityTokenDependenciesAndUsage(
             Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
 
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> messageSignatureTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> messageEncryptionTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> supportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> endorsingSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEncryptedSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> encryptedSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> endorsingEncryptedSupportingTokens = Collections.emptyList();
-        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingEncryptedSupportingTokens = Collections.emptyList();
-
+        MessageTokens messageTokens = new MessageTokens();
         HttpsTokenSecurityEvent httpsTokenSecurityEvent = null;
 
         List<TokenSecurityEvent<? extends InboundSecurityToken>> tokenSecurityEvents = new ArrayList<>();
@@ -167,13 +157,15 @@ public class InboundWSSecurityContextImp
                     HttpsTokenSecurityEvent actHttpsTokenSecurityEvent = (HttpsTokenSecurityEvent) tokenSecurityEvent;
                     actHttpsTokenSecurityEvent.getSecurityToken().getTokenUsages().clear();
                     actHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
-                    messageSignatureTokens = addTokenSecurityEvent(actHttpsTokenSecurityEvent, messageSignatureTokens);
+                    messageTokens.messageSignatureTokens = 
+                        addTokenSecurityEvent(actHttpsTokenSecurityEvent, messageTokens.messageSignatureTokens);
                     HttpsTokenSecurityEvent clonedHttpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
                     clonedHttpsTokenSecurityEvent.setAuthenticationType(actHttpsTokenSecurityEvent.getAuthenticationType());
                     clonedHttpsTokenSecurityEvent.setIssuerName(actHttpsTokenSecurityEvent.getIssuerName());
                     clonedHttpsTokenSecurityEvent.setSecurityToken(actHttpsTokenSecurityEvent.getSecurityToken());
                     clonedHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
-                    messageEncryptionTokens = addTokenSecurityEvent(actHttpsTokenSecurityEvent, messageEncryptionTokens);
+                    messageTokens.messageEncryptionTokens = 
+                        addTokenSecurityEvent(actHttpsTokenSecurityEvent, messageTokens.messageEncryptionTokens);
                     httpsTokenSecurityEvent = clonedHttpsTokenSecurityEvent;
                     continue;
                 }
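Review bot: The rewrapped `messageTokens.messageEncryptionTokens = addTokenSecurityEvent(actHttpsTokenSecurityEvent, ...)` still registers the original event, not `clonedHttpsTokenSecurityEvent`, which was built just above and given `TOKENUSAGE_MAIN_ENCRYPTION`. The clone also shares its security token with the original via `setSecurityToken(actHttpsTokenSecurityEvent.getSecurityToken())`, so both usages land on the same token object. This may well be intended, but it is worth saying so while the lines are being touched, e.g. `// the original event is listed for both usages; the clone is only kept as httpsTokenSecurityEvent`. The enclosing method starts and ends outside this hunk, so the later use of `httpsTokenSecurityEvent` should be checked before relying on that wording.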
@@ -186,17 +178,85 @@ public class InboundWSSecurityContextImp
             TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent = tokenSecurityEvents.get(i);
             InboundSecurityToken securityToken = WSSUtils.getRootToken(tokenSecurityEvent.getSecurityToken());
 
-            if (!containsSecurityToken(supportingTokens, securityToken)) {
+            if (!containsSecurityToken(messageTokens.supportingTokens, securityToken)) {
                 TokenSecurityEvent<? extends InboundSecurityToken> newTokenSecurityEvent =
                         WSSUtils.createTokenSecurityEvent(securityToken, tokenSecurityEvent.getCorrelationID());
-                supportingTokens = addTokenSecurityEvent(newTokenSecurityEvent, supportingTokens);
+                messageTokens.supportingTokens = addTokenSecurityEvent(newTokenSecurityEvent, messageTokens.supportingTokens);
                 securityEventDeque.offer(newTokenSecurityEvent);
             }
             //remove old TokenSecurityEvent so that only root tokens are in the queue
             securityEventDeque.remove(tokenSecurityEvent);
         }
 
-        Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> supportingTokensIterator = supportingTokens.iterator();
+        parseSupportingTokens(messageTokens, httpsTokenSecurityEvent, securityEventDeque);
+
+        if (messageTokens.messageSignatureTokens.isEmpty()) {
+            InboundSecurityToken messageSignatureToken = getSupportingTokenSigningToken(messageTokens, securityEventDeque);
+
+            TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent =
+                    getTokenSecurityEvent(messageSignatureToken, tokenSecurityEvents);
+            if (tokenSecurityEvent != null) {
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.supportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEncryptedSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.encryptedSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingEncryptedSupportingTokens);
+                removeTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingEncryptedSupportingTokens);
+                messageTokens.messageSignatureTokens = addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageSignatureTokens);
+            }
+        }
+
+        if (messageTokens.messageSignatureTokens.isEmpty()) {
+            for (Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> iterator = 
+                messageTokens.supportingTokens.iterator(); iterator.hasNext();) {
+                TokenSecurityEvent<? extends InboundSecurityToken> supportingToken = iterator.next();
+                if (supportingToken.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Signature)) {
+                    iterator.remove();
+                    messageTokens.messageSignatureTokens = addTokenSecurityEvent(supportingToken, messageTokens.messageSignatureTokens);
+                    break;
+                }
+            }
+        }
+
+        if (messageTokens.messageEncryptionTokens.isEmpty()) {
+            for (Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> iterator = 
+                messageTokens.supportingTokens.iterator(); iterator.hasNext();) {
+                TokenSecurityEvent<? extends InboundSecurityToken> supportingToken = iterator.next();
+                if (supportingToken.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Encryption)) {
+                    iterator.remove();
+                    messageTokens.messageEncryptionTokens = addTokenSecurityEvent(supportingToken, messageTokens.messageEncryptionTokens);
+                    break;
+                }
+            }
+        }
+
+        if (!messageTokens.messageEncryptionTokens.isEmpty()) {
+            this.messageEncryptionTokenOccured = true;
+        }
+
+        setTokenUsage(messageTokens.messageSignatureTokens, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
+        setTokenUsage(messageTokens.messageEncryptionTokens, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
+        setTokenUsage(messageTokens.supportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.signedSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SIGNED_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.endorsingSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.signedEndorsingSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.signedEncryptedSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.encryptedSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_ENCRYPTED_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.endorsingEncryptedSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+        setTokenUsage(messageTokens.signedEndorsingEncryptedSupportingTokens, 
+                      WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
+    }
+    
+    private void parseSupportingTokens(MessageTokens messageTokens, HttpsTokenSecurityEvent httpsTokenSecurityEvent,
+                                       Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+        Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> supportingTokensIterator = messageTokens.supportingTokens.iterator();
         while (supportingTokensIterator.hasNext()) {
             TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent = supportingTokensIterator.next();
             List<InboundSecurityToken> signingSecurityTokens = 
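Review bot: The extracted `parseSupportingTokens` has no comment saying that it mutates `messageTokens` in place, yet the two `isEmpty()` fallbacks that follow the call in `identifySecurityTokenDependenciesAndUsage` depend on exactly that. These lists decide which token is finally tagged `TOKENUSAGE_MAIN_SIGNATURE` or `TOKENUSAGE_MAIN_ENCRYPTION`, so the ordering deserves a line of Javadoc, for example `/** Moves events out of messageTokens.supportingTokens into the list matching what they sign or encrypt; must run before the main-token fallbacks. */`. The body of `parseSupportingTokens` continues past the end of this hunk.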
@@ -238,121 +298,72 @@ public class InboundWSSecurityContextImp
 
             if (!transportSecurityActive && signsSignatureConfirmation && signsTimestamp && !signsSignature) {
                 supportingTokensIterator.remove();
-                messageSignatureTokens = addTokenSecurityEvent(tokenSecurityEvent, messageSignatureTokens);
+                messageTokens.messageSignatureTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageSignatureTokens);
                 if (encryptionUsage) {
-                    messageEncryptionTokens = addTokenSecurityEvent(tokenSecurityEvent, messageEncryptionTokens);
+                    messageTokens.messageEncryptionTokens = 
+                        addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
                 }
             } else if (!transportSecurityActive && signsSignatureConfirmation && !signsSignature) {
                 supportingTokensIterator.remove();
-                messageSignatureTokens = addTokenSecurityEvent(tokenSecurityEvent, messageSignatureTokens);
+                messageTokens.messageSignatureTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageSignatureTokens);
                 if (encryptionUsage) {
-                    messageEncryptionTokens = addTokenSecurityEvent(tokenSecurityEvent, messageEncryptionTokens);
+                    messageTokens.messageEncryptionTokens = 
+                        addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
                 }
             } else if (!transportSecurityActive && signsTimestamp && !signsSignature) {
                 supportingTokensIterator.remove();
-                messageSignatureTokens = addTokenSecurityEvent(tokenSecurityEvent, messageSignatureTokens);
+                messageTokens.messageSignatureTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageSignatureTokens);
                 if (encryptionUsage) {
-                    messageEncryptionTokens = addTokenSecurityEvent(tokenSecurityEvent, messageEncryptionTokens);
+                    messageTokens.messageEncryptionTokens = 
+                        addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
                 }
             } else if (!transportSecurityActive 
                 && (encryptsSignature || encryptsSignatureConfirmation || encryptsUsernameToken)) {
                 supportingTokensIterator.remove();
-                messageEncryptionTokens = addTokenSecurityEvent(tokenSecurityEvent, messageEncryptionTokens);
+                messageTokens.messageEncryptionTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
             } else if (signsSignature && signingSecurityTokens.size() > 0 && encryptingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedEndorsingEncryptedSupportingTokens = 
-                    addTokenSecurityEvent(tokenSecurityEvent, signedEndorsingEncryptedSupportingTokens);
+                messageTokens.signedEndorsingEncryptedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingEncryptedSupportingTokens);
             } else if (transportSecurityActive && signsTimestamp && signingSecurityTokens.size() > 0 
                 && encryptingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedEndorsingEncryptedSupportingTokens = 
-                    addTokenSecurityEvent(tokenSecurityEvent, signedEndorsingEncryptedSupportingTokens);
+                messageTokens.signedEndorsingEncryptedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingEncryptedSupportingTokens);
             } else if (signsSignature && signingSecurityTokens.size() == 0 && encryptingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                endorsingEncryptedSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, endorsingEncryptedSupportingTokens);
+                messageTokens.endorsingEncryptedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingEncryptedSupportingTokens);
             } else if (signsSignature && signingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedEndorsingSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, signedEndorsingSupportingTokens);
+                messageTokens.signedEndorsingSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingSupportingTokens);
             } else if (signatureUsage && signingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedEndorsingSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, signedEndorsingSupportingTokens);
+                messageTokens.signedEndorsingSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingSupportingTokens);
             } else if (signsSignature) {
                 supportingTokensIterator.remove();
-                endorsingSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, endorsingSupportingTokens);
+                messageTokens.endorsingSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingSupportingTokens);
             } else if (signingSecurityTokens.size() > 0 && encryptingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedEncryptedSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, signedEncryptedSupportingTokens);
+                messageTokens.signedEncryptedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEncryptedSupportingTokens);
             } else if (signingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                signedSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, signedSupportingTokens);
+                messageTokens.signedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedSupportingTokens);
             } else if (encryptingSecurityTokens.size() > 0) {
                 supportingTokensIterator.remove();
-                encryptedSupportingTokens = addTokenSecurityEvent(tokenSecurityEvent, encryptedSupportingTokens);
+                messageTokens.encryptedSupportingTokens = 
+                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.encryptedSupportingTokens);
             }
         }
-
-        if (messageSignatureTokens.isEmpty()) {
-            InboundSecurityToken messageSignatureToken = getSupportingTokenSigningToken(
-                    signedSupportingTokens,
-                    signedEndorsingSupportingTokens,
-                    signedEncryptedSupportingTokens,
-                    signedEndorsingEncryptedSupportingTokens,
-                    securityEventDeque);
-
-            TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent =
-                    getTokenSecurityEvent(messageSignatureToken, tokenSecurityEvents);
-            if (tokenSecurityEvent != null) {
-                removeTokenSecurityEvent(tokenSecurityEvent, supportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, signedSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, endorsingSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, signedEndorsingSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, signedEncryptedSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, encryptedSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, endorsingEncryptedSupportingTokens);
-                removeTokenSecurityEvent(tokenSecurityEvent, signedEndorsingEncryptedSupportingTokens);
-                messageSignatureTokens = addTokenSecurityEvent(tokenSecurityEvent, messageSignatureTokens);
-            }
-        }
-
-        if (messageSignatureTokens.isEmpty()) {
-            for (Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> iterator = 
-                supportingTokens.iterator(); iterator.hasNext();) {
-                TokenSecurityEvent<? extends InboundSecurityToken> supportingToken = iterator.next();
-                if (supportingToken.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Signature)) {
-                    iterator.remove();
-                    messageSignatureTokens = addTokenSecurityEvent(supportingToken, messageSignatureTokens);
-                    break;
-                }
-            }
-        }
-
-        if (messageEncryptionTokens.isEmpty()) {
-            for (Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> iterator = 
-                supportingTokens.iterator(); iterator.hasNext();) {
-                TokenSecurityEvent<? extends InboundSecurityToken> supportingToken = iterator.next();
-                if (supportingToken.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Encryption)) {
-                    iterator.remove();
-                    messageEncryptionTokens = addTokenSecurityEvent(supportingToken, messageEncryptionTokens);
-                    break;
-                }
-            }
-        }
-
-        if (!messageEncryptionTokens.isEmpty()) {
-            this.messageEncryptionTokenOccured = true;
-        }
-
-        setTokenUsage(messageSignatureTokens, WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
-        setTokenUsage(messageEncryptionTokens, WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
-        setTokenUsage(supportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS);
-        setTokenUsage(signedSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SIGNED_SUPPORTING_TOKENS);
-        setTokenUsage(endorsingSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_SUPPORTING_TOKENS);
-        setTokenUsage(signedEndorsingSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_SUPPORTING_TOKENS);
-        setTokenUsage(signedEncryptedSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENCRYPTED_SUPPORTING_TOKENS);
-        setTokenUsage(encryptedSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_ENCRYPTED_SUPPORTING_TOKENS);
-        setTokenUsage(endorsingEncryptedSupportingTokens, WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
-        setTokenUsage(signedEndorsingEncryptedSupportingTokens, 
-                      WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS);
     }
 
     private void removeTokenSecurityEvent(TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent,
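Review bot: The first three branches of this chain have identical bodies, and wrapping the assignments for checkstyle makes each copy two lines longer. All three require `!transportSecurityActive && !signsSignature` and differ only in whether `signsSignatureConfirmation`, `signsTimestamp` or both are set, so they collapse into one branch: `if (!transportSecurityActive && !signsSignature && (signsSignatureConfirmation || signsTimestamp)) {`. The two `signedEndorsingEncryptedSupportingTokens` branches share a body in the same way. Fewer duplicated arms make it easier to audit which conditions promote a token to main signature or encryption token. The method starts outside this hunk, so the flag definitions are not visible here.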
@@ -404,37 +415,34 @@ public class InboundWSSecurityContextImp
     }
 
     private InboundSecurityToken getSupportingTokenSigningToken(
-            List<TokenSecurityEvent<? extends InboundSecurityToken>> signedSupportingTokens,
-            List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingSupportingTokens,
-            List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEncryptedSupportingTokens,
-            List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingEncryptedSupportingTokens,
+            MessageTokens messageTokens,
             Deque<SecurityEvent> securityEventDeque
     ) throws XMLSecurityException {
 
         //todo we have to check if the signingTokens also cover the other supporting tokens!
-        for (int i = 0; i < signedSupportingTokens.size(); i++) {
-            TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent = signedSupportingTokens.get(i);
+        for (int i = 0; i < messageTokens.signedSupportingTokens.size(); i++) {
+            TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent = messageTokens.signedSupportingTokens.get(i);
             List<? extends InboundSecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
             if (signingSecurityTokens.size() == 1) {
                 return signingSecurityTokens.get(0);
             }
         }
-        for (int i = 0; i < signedEndorsingSupportingTokens.size(); i++) {
-            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = signedEndorsingSupportingTokens.get(i);
+        for (int i = 0; i < messageTokens.signedEndorsingSupportingTokens.size(); i++) {
+            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = messageTokens.signedEndorsingSupportingTokens.get(i);
             List<InboundSecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
             if (signingSecurityTokens.size() == 1) {
                 return signingSecurityTokens.get(0);
             }
         }
-        for (int i = 0; i < signedEncryptedSupportingTokens.size(); i++) {
-            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = signedEncryptedSupportingTokens.get(i);
+        for (int i = 0; i < messageTokens.signedEncryptedSupportingTokens.size(); i++) {
+            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = messageTokens.signedEncryptedSupportingTokens.get(i);
             List<InboundSecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
             if (signingSecurityTokens.size() == 1) {
                 return signingSecurityTokens.get(0);
             }
         }
-        for (int i = 0; i < signedEndorsingEncryptedSupportingTokens.size(); i++) {
-            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = signedEndorsingEncryptedSupportingTokens.get(i);
+        for (int i = 0; i < messageTokens.signedEndorsingEncryptedSupportingTokens.size(); i++) {
+            TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent = messageTokens.signedEndorsingEncryptedSupportingTokens.get(i);
             List<InboundSecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
             if (signingSecurityTokens.size() == 1) {
                 return signingSecurityTokens.get(0);
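Review bot: The `//todo we have to check if the signingTokens also cover the other supporting tokens!` at the top of `getSupportingTokenSigningToken` is carried through this refactoring unchanged. The caller adds the token this method returns to `messageTokens.messageSignatureTokens` when no main signature token was found, so the gap affects how tokens are classified. Consider making the comment traceable and explicit, e.g. `// TODO(<issue-id placeholder>): verify the returned signing token also covers the other supporting tokens before the caller promotes it to main signature token`. Separately, the four loops now differ only in which `messageTokens` list they walk and could share one private helper taking the list. The method body continues past the end of this hunk.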
@@ -626,4 +634,17 @@ public class InboundWSSecurityContextImp
     public void setAllowRSA15KeyTransportAlgorithm(boolean allowRSA15KeyTransportAlgorithm) {
         this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
     }
+    
+    private static class MessageTokens {
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> messageSignatureTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> messageEncryptionTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> supportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> endorsingSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEncryptedSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> encryptedSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> endorsingEncryptedSupportingTokens = Collections.emptyList();
+        List<TokenSecurityEvent<? extends InboundSecurityToken>> signedEndorsingEncryptedSupportingTokens = Collections.emptyList();
+    }
 }
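Review bot: `MessageTokens` is added without any comment, and its fields start as the immutable `Collections.emptyList()`. Every call site in this commit reassigns the field from the return value of `addTokenSecurityEvent`, which presumably swaps in a mutable list on first add; that method's body is not shown here. A reader who instead calls `messageTokens.supportingTokens.add(...)` directly would get an `UnsupportedOperationException`. A class comment would record the convention, e.g. `/** Holder for the per-usage token lists; each list starts as an immutable empty list and must be replaced via addTokenSecurityEvent(), never added to in place. */`.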

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java?rev=1725699&r1=1725698&r2=1725699&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java Wed Jan 20 10:59:41 2016
@@ -174,199 +174,26 @@ public class OutboundWSSec {
         try {
             final SecurityHeaderOutputProcessor securityHeaderOutputProcessor = new SecurityHeaderOutputProcessor();
             initializeOutputProcessor(outputProcessorChain, securityHeaderOutputProcessor, null);
-            //todo some combinations are not possible atm: eg Action.SIGNATURE and Action.USERNAMETOKEN_SIGNED
-            //todo they use the same signature parts
-            boolean signatureAction = false;
-            boolean encryptionAction = false;
-            boolean signedSAML = false;
-            boolean kerberos = false;
-            boolean signatureKerberos = false;
-            boolean encryptionKerberos = false;
-            boolean derivedSignature = false;
-            boolean derivedEncryption = false;
-
-            // Check to see whether we have a derived key signature, but not encryption, using
-            // an encrypted key reference (as we only want one encrypted key here...)
-            boolean derivedSignatureButNotDerivedEncryption = false;
-            if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
-                for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
-                    if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
-                        derivedSignatureButNotDerivedEncryption = true;
-                    } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-                        derivedSignatureButNotDerivedEncryption = false;
-                        break;
-                    }
-                }
-            }
-
-            for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
-                if (WSSConstants.TIMESTAMP.equals(action)) {
-                    final TimestampOutputProcessor timestampOutputProcessor = new TimestampOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, timestampOutputProcessor, action);
-
-                } else if (WSSConstants.SIGNATURE.equals(action)) {
-                    signatureAction = true;
-                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                        new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
-
-                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
-
-                } else if (WSSConstants.ENCRYPT.equals(action)) {
-                    encryptionAction = true;
-
-                    EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = null;
-                    if (securityProperties.isEncryptSymmetricEncryptionKey()) {
-                        final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
-
-                        encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
-                    }
-
-                    final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
-
-                    if (encryptedKeyOutputProcessor == null) {
-                        final ReferenceListOutputProcessor referenceListOutputProcessor = new ReferenceListOutputProcessor();
-                        referenceListOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
-                        initializeOutputProcessor(outputProcessorChain, referenceListOutputProcessor, action);
-                    }
-
-                } else if (WSSConstants.USERNAMETOKEN.equals(action)) {
-                    final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
-
-                } else if (WSSConstants.USERNAMETOKEN_SIGNED.equals(action)) {
-                    final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
-
-                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
-
-                } else if (WSSConstants.SIGNATURE_CONFIRMATION.equals(action)) {
-                    final SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
-                            new SignatureConfirmationOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
-
-                } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
-                    if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
-                        if (derivedSignatureButNotDerivedEncryption) {
-                            final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
-                            initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
-                        }
-                        encryptionAction = true;
-                        derivedEncryption = true;
-                    } else if (securityProperties.getDerivedKeyTokenReference() 
-                        == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
-                        final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
-                                new SecurityContextTokenOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
-                        signatureAction = true;
-                        derivedSignature = true;
-                    } else {
-                        signatureAction = true;
-                        derivedSignature = true;
-                    }
-
-                    final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
-
-                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
-
-                } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-                    encryptionAction = true;
-                    derivedEncryption = true;
-
-                    EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = null;
-
-                    if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
-                        encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
-
-                    } else if (securityProperties.getDerivedKeyTokenReference() 
-                        == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
-                        final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
-                                new SecurityContextTokenOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
-                    }
-                    final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
-
-                    final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
-
-                    if (encryptedKeyOutputProcessor == null) {
-                        final ReferenceListOutputProcessor referenceListOutputProcessor = new ReferenceListOutputProcessor();
-                        referenceListOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
-                        initializeOutputProcessor(outputProcessorChain, referenceListOutputProcessor, action);
-                    }
-                } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
-                    signatureAction = true;
-                    signedSAML = true;
-                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                        new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
-
-                    final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
-
-                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
-
-                } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)) {
-                    final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
-                } else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
-                    kerberos = true;
-                    signatureKerberos = true;
-                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
-
-                    final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
-                } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(action)) {
-                    kerberos = true;
-                    encryptionKerberos = true;
-                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
-
-                    final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
-                } else if (WSSConstants.KERBEROS_TOKEN.equals(action)) {
-                    kerberos = true;
-                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                        new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
-                } else if (WSSConstants.CUSTOM_TOKEN.equals(action)) {
-                    final CustomTokenOutputProcessor unknownTokenOutputProcessor =
-                        new CustomTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, unknownTokenOutputProcessor, action);
-                }
-            }
-
+            
+            ConfiguredAction configuredAction = configureActions(outputProcessorChain);
+            
             // Set up appropriate keys
-            if (signatureAction) {
-                setupSignatureKey(outputProcessorChain, securityProperties, signedSAML);
+            if (configuredAction.signatureAction) {
+                setupSignatureKey(outputProcessorChain, securityProperties, configuredAction.signedSAML);
             }
-            if (encryptionAction) {
+            if (configuredAction.encryptionAction) {
                 setupEncryptionKey(outputProcessorChain, securityProperties);
             }
-            if (kerberos) {
+            if (configuredAction.kerberos) {
                 setupKerberosKey(outputProcessorChain, securityProperties,
-                                 signatureKerberos, encryptionKerberos);
+                                 configuredAction.signatureKerberos, configuredAction.encryptionKerberos);
             }
-            if (derivedSignature) {
+            if (configuredAction.derivedSignature) {
                 String id =
                     outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
                 setDerivedIdentifier(outputProcessorChain, id);
             }
-            if (derivedEncryption) {
+            if (configuredAction.derivedEncryption) {
                 String id =
                     outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
                 if (id == null) {
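Review bot: The call `configureActions(outputProcessorChain)` has no comment saying that it registers the per-action output processors on the chain as a side effect, in addition to returning the flags read below. The inline code it replaces ran at this same position, after the SecurityHeaderOutputProcessor is initialised, so the ordering presumably matters and is easy to break in a later edit. I would add a comment above the call, e.g. `// Registers the output processors for each configured action; the returned flags select which keys are set up below`. The enclosing method starts and ends outside this hunk.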
@@ -737,4 +564,189 @@ public class OutboundWSSec {
                 break;
             }
     }
+    
+    private ConfiguredAction configureActions(OutputProcessorChainImpl outputProcessorChain) throws XMLSecurityException {
+        ConfiguredAction configuredAction = new ConfiguredAction();
+        
+        //todo some combinations are not possible atm: eg Action.SIGNATURE and Action.USERNAMETOKEN_SIGNED
+        //todo they use the same signature parts
+
+        // Check to see whether we have a derived key signature, but not encryption, using
+        // an encrypted key reference (as we only want one encrypted key here...)
+        boolean derivedSignatureButNotDerivedEncryption = false;
+        if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
+            for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
+                if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
+                    derivedSignatureButNotDerivedEncryption = true;
+                } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
+                    derivedSignatureButNotDerivedEncryption = false;
+                    break;
+                }
+            }
+        }
+
+        for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
+            if (WSSConstants.TIMESTAMP.equals(action)) {
+                final TimestampOutputProcessor timestampOutputProcessor = new TimestampOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, timestampOutputProcessor, action);
+
+            } else if (WSSConstants.SIGNATURE.equals(action)) {
+                configuredAction.signatureAction = true;
+                final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
+                    new BinarySecurityTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
+
+                final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+
+            } else if (WSSConstants.ENCRYPT.equals(action)) {
+                configuredAction.encryptionAction = true;
+
+                EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = null;
+                if (securityProperties.isEncryptSymmetricEncryptionKey()) {
+                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
+                        new BinarySecurityTokenOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
+
+                    encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
+                }
+
+                final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
+
+                if (encryptedKeyOutputProcessor == null) {
+                    final ReferenceListOutputProcessor referenceListOutputProcessor = new ReferenceListOutputProcessor();
+                    referenceListOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+                    initializeOutputProcessor(outputProcessorChain, referenceListOutputProcessor, action);
+                }
+
+            } else if (WSSConstants.USERNAMETOKEN.equals(action)) {
+                final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
+
+            } else if (WSSConstants.USERNAMETOKEN_SIGNED.equals(action)) {
+                final UsernameTokenOutputProcessor usernameTokenOutputProcessor = new UsernameTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, usernameTokenOutputProcessor, action);
+
+                final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+
+            } else if (WSSConstants.SIGNATURE_CONFIRMATION.equals(action)) {
+                final SignatureConfirmationOutputProcessor signatureConfirmationOutputProcessor =
+                        new SignatureConfirmationOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
+
+            } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
+                if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
+                    if (derivedSignatureButNotDerivedEncryption) {
+                        final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
+                        initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
+                    }
+                    configuredAction.encryptionAction = true;
+                    configuredAction.derivedEncryption = true;
+                } else if (securityProperties.getDerivedKeyTokenReference() 
+                    == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
+                    final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
+                            new SecurityContextTokenOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
+                    configuredAction.signatureAction = true;
+                    configuredAction.derivedSignature = true;
+                } else {
+                    configuredAction.signatureAction = true;
+                    configuredAction.derivedSignature = true;
+                }
+
+                final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
+
+                final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+
+            } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
+                configuredAction.encryptionAction = true;
+                configuredAction.derivedEncryption = true;
+
+                EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = null;
+
+                if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
+                    encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
+
+                } else if (securityProperties.getDerivedKeyTokenReference() 
+                    == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
+                    final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
+                            new SecurityContextTokenOutputProcessor();
+                    initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
+                }
+                final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
+
+                final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
+
+                if (encryptedKeyOutputProcessor == null) {
+                    final ReferenceListOutputProcessor referenceListOutputProcessor = new ReferenceListOutputProcessor();
+                    referenceListOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+                    initializeOutputProcessor(outputProcessorChain, referenceListOutputProcessor, action);
+                }
+            } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+                configuredAction.signatureAction = true;
+                configuredAction.signedSAML = true;
+                final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
+                    new BinarySecurityTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
+
+                final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
+
+                final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+
+            } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)) {
+                final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
+            } else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
+                configuredAction.kerberos = true;
+                configuredAction.signatureKerberos = true;
+                final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                        new BinarySecurityTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+                final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
+            } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(action)) {
+                configuredAction.kerberos = true;
+                configuredAction.encryptionKerberos = true;
+                final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                        new BinarySecurityTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+
+                final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
+            } else if (WSSConstants.KERBEROS_TOKEN.equals(action)) {
+                configuredAction.kerberos = true;
+                final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                    new BinarySecurityTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
+            } else if (WSSConstants.CUSTOM_TOKEN.equals(action)) {
+                final CustomTokenOutputProcessor unknownTokenOutputProcessor =
+                    new CustomTokenOutputProcessor();
+                initializeOutputProcessor(outputProcessorChain, unknownTokenOutputProcessor, action);
+            }
+        }
+        
+        return configuredAction;
+    }
+    
+    private static class ConfiguredAction {
+        boolean signatureAction = false;
+        boolean encryptionAction = false;
+        boolean signedSAML = false;
+        boolean kerberos = false;
+        boolean signatureKerberos = false;
+        boolean encryptionKerberos = false;
+        boolean derivedSignature = false;
+        boolean derivedEncryption = false;
+    }
 }
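Review bot: The action loop in `configureActions` ends at the `CUSTOM_TOKEN` branch with no final `else`, so an action that matches none of the constants is skipped with no processor added and no error raised. This is carried over unchanged from the inline code, but if actions are not validated before this method runs (not visible in the hunk), a misconfigured signature or encryption action would produce an outbound message without that protection and without any diagnostic. Consider a closing branch such as `} else { throw new IllegalArgumentException("Unsupported action: " + action); }`, using whichever exception type the project prefers. If unrecognised actions are deliberately handled elsewhere, a comment such as `// other actions are handled by ...` would record that instead.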