You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-commits@axis.apache.org by bi...@apache.org on 2020/04/15 16:08:35 UTC
[axis-axis2-java-rampart] branch 1_4 created (now 9c5767a)
This is an automated email from the ASF dual-hosted git repository.
billblough pushed a change to branch 1_4
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git.
at 9c5767a Moving axis svn, part of TLP move INFRA-2441
This branch includes the following new commits:
new 9c5767a Moving axis svn, part of TLP move INFRA-2441
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[axis-axis2-java-rampart] 01/01: Moving axis svn,
part of TLP move INFRA-2441
Posted by bi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
billblough pushed a commit to branch 1_4
in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 9c5767ae42c40a55fcdf364e149c7da28bbfd4ef
Author: Gavin McDonald <gm...@apache.org>
AuthorDate: Sat Feb 13 14:03:45 2010 +0000
Moving axis svn, part of TLP move INFRA-2441
---
build.xml | 160 +++
legal/opensaml-LICENSE.txt | 202 +++
legal/wss4j-LICENSE.txt | 202 +++
legal/xmlsec-LICENSE.txt | 202 +++
modules/distribution/bin.xml | 68 +
modules/distribution/pom.xml | 119 ++
modules/distribution/src.xml | 34 +
modules/documentation/pom.xml | 32 +
.../src/site/resources/images/message-builder.jpg | Bin 0 -> 24213 bytes
.../src/site/resources/images/rampart-engine.jpg | Bin 0 -> 20540 bytes
.../src/site/resources/images/rampart-handlers.jpg | Bin 0 -> 22455 bytes
.../src/site/resources/images/rampart-trust.jpg | Bin 0 -> 29532 bytes
.../src/site/resources/images/security-stack.jpg | Bin 0 -> 16687 bytes
.../src/site/resources/rampart-config.xsd | 38 +
modules/documentation/src/site/site.xml | 74 +
modules/documentation/src/site/xdoc/articles.xml | 73 +
.../src/site/xdoc/developer-guide.xml | 191 +++
modules/documentation/src/site/xdoc/download.xml | 71 +
.../src/site/xdoc/download/1.1/download.cgi | 6 +
.../src/site/xdoc/download/1.1/download.xml | 125 ++
.../src/site/xdoc/download/1.2/download.cgi | 6 +
.../src/site/xdoc/download/1.2/download.xml | 125 ++
.../src/site/xdoc/download/1.3/download.cgi | 6 +
.../src/site/xdoc/download/1.3/download.xml | 125 ++
modules/documentation/src/site/xdoc/index.xml | 45 +
.../documentation/src/site/xdoc/quick-start.xml | 97 ++
.../src/site/xdoc/rampartconfig-guide.xml | 55 +
modules/documentation/src/site/xdoc/siteHowTo.xml | 60 +
modules/documentation/src/site/xdoc/svn.xml | 114 ++
modules/rampart-core/pom.xml | 64 +
.../org.apache.neethi.builders.AssertionBuilder | 3 +
.../java/org/apache/rampart/MessageBuilder.java | 188 +++
.../rampart/PolicyBasedResultsValidator.java | 850 +++++++++++
.../rampart/PolicyValidatorCallbackHandler.java | 44 +
.../src/main/java/org/apache/rampart/Rampart.java | 55 +
.../java/org/apache/rampart/RampartConstants.java | 9 +
.../java/org/apache/rampart/RampartEngine.java | 268 ++++
.../java/org/apache/rampart/RampartException.java | 101 ++
.../org/apache/rampart/RampartMessageData.java | 682 +++++++++
.../org/apache/rampart/TokenCallbackHandler.java | 103 ++
.../java/org/apache/rampart/ValidatorData.java | 87 ++
.../rampart/builder/AsymmetricBindingBuilder.java | 732 ++++++++++
.../org/apache/rampart/builder/BindingBuilder.java | 781 +++++++++++
.../rampart/builder/SymmetricBindingBuilder.java | 918 ++++++++++++
.../rampart/builder/TransportBindingBuilder.java | 640 +++++++++
.../main/java/org/apache/rampart/errors.properties | 94 ++
.../handler/PostDispatchVerificationHandler.java | 178 +++
.../apache/rampart/handler/RampartReceiver.java | 178 +++
.../org/apache/rampart/handler/RampartSender.java | 97 ++
.../org/apache/rampart/handler/WSDoAllHandler.java | 210 +++
.../apache/rampart/handler/WSDoAllReceiver.java | 383 +++++
.../org/apache/rampart/handler/WSDoAllSender.java | 270 ++++
.../rampart/handler/WSSHandlerConstants.java | 153 ++
.../handler/config/InflowConfiguration.java | 181 +++
.../handler/config/OutflowConfiguration.java | 600 ++++++++
.../rampart/policy/RampartPolicyBuilder.java | 358 +++++
.../apache/rampart/policy/RampartPolicyData.java | 876 ++++++++++++
.../policy/builders/CryptoConfigBuilder.java | 75 +
.../policy/builders/OptimizePartsBuilder.java | 83 ++
.../policy/builders/RampartConfigBuilder.java | 139 ++
.../rampart/policy/builders/SSLConfigBuilder.java | 68 +
.../apache/rampart/policy/model/CryptoConfig.java | 118 ++
.../rampart/policy/model/OptimizePartsConfig.java | 128 ++
.../apache/rampart/policy/model/RampartConfig.java | 412 ++++++
.../org/apache/rampart/policy/model/SSLConfig.java | 75 +
.../java/org/apache/rampart/util/Axis2Util.java | 296 ++++
.../rampart/util/HandlerParameterDecoder.java | 292 ++++
.../org/apache/rampart/util/MessageOptimizer.java | 130 ++
.../java/org/apache/rampart/util/RampartUtil.java | 1479 ++++++++++++++++++++
.../extensions/jpam/JPAMCallbackHandler.java | 49 +
modules/rampart-integration/pom.xml | 729 ++++++++++
.../org/apache/axis2/integration/TestingUtils.java | 56 +
.../org/apache/axis2/integration/UtilServer.java | 244 ++++
.../axis2/integration/UtilServerBasedTestCase.java | 68 +
.../apache/axis2/integration/UtilsTCPServer.java | 99 ++
.../src/main/java/org/apache/rahas/PWCallback.java | 195 +++
.../src/main/java/org/apache/rahas/Service.java | 29 +
.../src/main/java/org/apache/rahas/TestClient.java | 186 +++
.../main/java/org/apache/rampart/PWCallback.java | 193 +++
.../src/main/java/org/apache/rampart/Service.java | 29 +
.../src/main/resources/ping/ping.wsdl | 68 +
.../apache/axis2/oasis/ping/PingPortSkeleton.java | 74 +
.../axis2/security/InteropScenarioClient.java | 180 +++
.../src/org/apache/axis2/security/PWCallback.java | 185 +++
.../axis2/security/AddressingMTOMSecurityTest.java | 125 ++
.../org/apache/axis2/security/InteropTestBase.java | 239 ++++
.../axis2/security/MTOMOptimizedSecurityTest.java | 119 ++
.../org/apache/axis2/security/Scenario1Test.java | 68 +
.../org/apache/axis2/security/Scenario2Test.java | 105 ++
.../org/apache/axis2/security/Scenario2aTest.java | 99 ++
.../org/apache/axis2/security/Scenario3Test.java | 119 ++
.../org/apache/axis2/security/Scenario4Test.java | 119 ++
.../org/apache/axis2/security/Scenario5Test.java | 113 ++
.../org/apache/axis2/security/Scenario6Test.java | 114 ++
.../org/apache/axis2/security/Scenario7Test.java | 141 ++
.../apache/rahas/RahasSAMLTokenAttributeTest.java | 104 ++
.../apache/rahas/RahasSAMLTokenCertForHoKTest.java | 139 ++
.../rahas/RahasSAMLTokenCertForHoKV1205Test.java | 153 ++
.../java/org/apache/rahas/RahasSAMLTokenTest.java | 133 ++
.../rahas/RahasSAMLTokenUTForBearerTest.java | 124 ++
.../rahas/RahasSAMLTokenUTForBearerV1205Test.java | 127 ++
.../apache/rahas/RahasSAMLTokenUTForHoKTest.java | 121 ++
.../rahas/RahasSAMLTokenUTForHoKV1205Test.java | 254 ++++
.../org/apache/rahas/RahasSAMLTokenV1205Test.java | 135 ++
.../java/org/apache/rahas/SAMLDataProvider.java | 31 +
.../test/java/org/apache/rampart/RampartTest.java | 159 +++
.../src/test/resources/conf/axis2.xml | 280 ++++
.../src/test/resources/interop.properties | 5 +
.../src/test/resources/interop2.jks | Bin 0 -> 4857 bytes
.../src/test/resources/rahas/issuer.properties | 4 +
.../rahas/policy/service-policy-symm-binding.xml | 70 +
.../policy/service-policy-transport-binding.xml | 73 +
.../src/test/resources/rahas/policy/store.jks | Bin 0 -> 6377 bytes
.../rahas/policy/sts-policy-asymm-binding.xml | 66 +
.../rahas/policy/sts-policy-symm-binding.xml | 73 +
.../rahas/policy/sts-policy-transport-binding.xml | 63 +
.../src/test/resources/rahas/rahas-sec.properties | 5 +
.../src/test/resources/rahas/rahas-sts.jks | Bin 0 -> 6377 bytes
.../src/test/resources/rahas/s1-services.xml | 74 +
.../src/test/resources/rahas/s3-services.xml | 70 +
.../src/test/resources/rahas/s5-services.xml | 70 +
.../src/test/resources/rahas/saml.s1.properties | 9 +
.../src/test/resources/rahas/samlIssuer.properties | 4 +
.../src/test/resources/rahas/sec.jks | Bin 0 -> 6377 bytes
.../src/test/resources/rampart/issuer.properties | 4 +
.../src/test/resources/rampart/policy/1.xml | 52 +
.../src/test/resources/rampart/policy/10.xml | 69 +
.../src/test/resources/rampart/policy/11.xml | 101 ++
.../src/test/resources/rampart/policy/12.xml | 84 ++
.../src/test/resources/rampart/policy/13.xml | 31 +
.../src/test/resources/rampart/policy/14.xml | 92 ++
.../src/test/resources/rampart/policy/15.xml | 58 +
.../src/test/resources/rampart/policy/16.xml | 76 +
.../src/test/resources/rampart/policy/17.xml | 68 +
.../src/test/resources/rampart/policy/18.xml | 69 +
.../src/test/resources/rampart/policy/19.xml | 72 +
.../src/test/resources/rampart/policy/2.xml | 69 +
.../src/test/resources/rampart/policy/20.xml | 72 +
.../src/test/resources/rampart/policy/3.xml | 73 +
.../src/test/resources/rampart/policy/4.xml | 74 +
.../src/test/resources/rampart/policy/5.xml | 75 +
.../src/test/resources/rampart/policy/6.xml | 72 +
.../src/test/resources/rampart/policy/7.xml | 74 +
.../src/test/resources/rampart/policy/8.xml | 74 +
.../src/test/resources/rampart/policy/9.xml | 74 +
.../src/test/resources/rampart/policy/sc-1.xml | 123 ++
.../src/test/resources/rampart/policy/sc-2.xml | 131 ++
.../src/test/resources/rampart/policy/sc-3.xml | 98 ++
.../src/test/resources/rampart/services-1.xml | 50 +
.../src/test/resources/rampart/services-10.xml | 76 +
.../src/test/resources/rampart/services-11.xml | 114 ++
.../src/test/resources/rampart/services-12.xml | 96 ++
.../src/test/resources/rampart/services-13.xml | 50 +
.../src/test/resources/rampart/services-14.xml | 105 ++
.../src/test/resources/rampart/services-15.xml | 72 +
.../src/test/resources/rampart/services-16.xml | 90 ++
.../src/test/resources/rampart/services-17.xml | 82 ++
.../src/test/resources/rampart/services-18.xml | 83 ++
.../src/test/resources/rampart/services-19.xml | 85 ++
.../src/test/resources/rampart/services-2.xml | 76 +
.../src/test/resources/rampart/services-20.xml | 85 ++
.../src/test/resources/rampart/services-3.xml | 88 ++
.../src/test/resources/rampart/services-4.xml | 89 ++
.../src/test/resources/rampart/services-5.xml | 89 ++
.../src/test/resources/rampart/services-6.xml | 86 ++
.../src/test/resources/rampart/services-7.xml | 89 ++
.../src/test/resources/rampart/services-8.xml | 89 ++
.../src/test/resources/rampart/services-9.xml | 88 ++
.../src/test/resources/rampart/services-sc-1.xml | 176 +++
.../src/test/resources/rampart/services-sc-2.xml | 186 +++
.../src/test/resources/rampart/services-sc-3.xml | 154 ++
.../src/test/resources/rampart/store.jks | Bin 0 -> 6377 bytes
.../src/test/resources/rampart/sts.jks | Bin 0 -> 6377 bytes
.../src/test/resources/sctIssuer.properties | 4 +
.../rampart-integration/src/test/resources/sec.jks | Bin 0 -> 5467 bytes
.../src/test/resources/sec.properties | 5 +
.../resources/security/complete.client.axis2.xml | 133 ++
.../resources/security/complete.service.axis2.xml | 147 ++
.../test/resources/security/complete.service.xml | 31 +
.../test/resources/security/s1.client.axis2.xml | 109 ++
.../test/resources/security/s1.service.axis2.xml | 139 ++
.../src/test/resources/security/s1.service.xml | 15 +
.../test/resources/security/s2.client.axis2.xml | 118 ++
.../test/resources/security/s2.service.axis2.xml | 139 ++
.../src/test/resources/security/s2.service.xml | 16 +
.../test/resources/security/s2a.client.axis2.xml | 116 ++
.../test/resources/security/s2a.service.axis2.xml | 138 ++
.../src/test/resources/security/s2a.service.xml | 16 +
.../test/resources/security/s3.client.axis2.xml | 127 ++
.../test/resources/security/s3.service.axis2.xml | 138 ++
.../src/test/resources/security/s3.service.xml | 31 +
.../test/resources/security/s4.client.axis2.xml | 124 ++
.../test/resources/security/s4.service.axis2.xml | 139 ++
.../src/test/resources/security/s4.service.xml | 30 +
.../test/resources/security/s5.client.axis2.xml | 122 ++
.../test/resources/security/s5.service.axis2.xml | 140 ++
.../src/test/resources/security/s5.service.xml | 16 +
.../test/resources/security/s6.client.axis2.xml | 125 ++
.../test/resources/security/s6.service.axis2.xml | 140 ++
.../src/test/resources/security/s6.service.xml | 29 +
.../test/resources/security/s7.client.axis2.xml | 125 ++
.../test/resources/security/s7.service.axis2.xml | 141 ++
.../src/test/resources/security/s7.service.xml | 31 +
.../test/resources/security/sST1.client.axis2.xml | 109 ++
.../test/resources/security/sST1.service.axis2.xml | 140 ++
.../src/test/resources/security/sST1.service.xml | 14 +
.../src/test/resources/security/sc/s1-services.xml | 84 ++
.../src/test/resources/security/sc/s2-services.xml | 64 +
.../src/test/resources/security/sc/s3-services.xml | 66 +
.../src/test/resources/security/sc/s4-services.xml | 67 +
.../resources/security/sc/sctIssuer.properties | 4 +
.../src/test/resources/security/sc/sec.jks | Bin 0 -> 5467 bytes
.../src/test/resources/security/sc/sec.properties | 5 +
.../src/test/resources/security/sc/sts.jks | Bin 0 -> 4759 bytes
.../resources/security/secMtom.client.axis2.xml | 126 ++
.../resources/security/secMtom.service.axis2.xml | 141 ++
.../test/resources/security/secMtom.service.xml | 31 +
.../rampart-integration/src/test/resources/sts.jks | Bin 0 -> 4759 bytes
modules/rampart-mar/module.xml | 46 +
modules/rampart-mar/pom.xml | 109 ++
modules/rampart-policy/pom.xml | 52 +
.../org.apache.neethi.builders.AssertionBuilder | 47 +
.../java/org/apache/ws/secpolicy/Constants.java | 435 ++++++
.../org/apache/ws/secpolicy/SP11Constants.java | 293 ++++
.../org/apache/ws/secpolicy/SP12Constants.java | 352 +++++
.../java/org/apache/ws/secpolicy/SPConstants.java | 425 ++++++
.../apache/ws/secpolicy/WSSPolicyException.java | 31 +
.../AbstractConfigurableSecurityAssertion.java | 45 +
.../secpolicy/model/AbstractSecurityAssertion.java | 73 +
.../apache/ws/secpolicy/model/AlgorithmSuite.java | 522 +++++++
.../ws/secpolicy/model/AlgorithmWrapper.java | 23 +
.../ws/secpolicy/model/AsymmetricBinding.java | 225 +++
.../org/apache/ws/secpolicy/model/Binding.java | 90 ++
.../secpolicy/model/ContentEncryptedElements.java | 130 ++
.../apache/ws/secpolicy/model/EncryptionToken.java | 119 ++
.../java/org/apache/ws/secpolicy/model/Header.java | 49 +
.../org/apache/ws/secpolicy/model/HttpsToken.java | 82 ++
.../apache/ws/secpolicy/model/InitiatorToken.java | 102 ++
.../org/apache/ws/secpolicy/model/IssuedToken.java | 223 +++
.../java/org/apache/ws/secpolicy/model/Layout.java | 112 ++
.../apache/ws/secpolicy/model/ProtectionToken.java | 127 ++
.../apache/ws/secpolicy/model/RecipientToken.java | 104 ++
.../ws/secpolicy/model/RequiredElements.java | 134 ++
.../apache/ws/secpolicy/model/RequiredParts.java | 98 ++
.../secpolicy/model/SecureConversationToken.java | 186 +++
.../ws/secpolicy/model/SecurityContextToken.java | 96 ++
.../apache/ws/secpolicy/model/SignatureToken.java | 120 ++
.../secpolicy/model/SignedEncryptedElements.java | 149 ++
.../ws/secpolicy/model/SignedEncryptedParts.java | 164 +++
.../apache/ws/secpolicy/model/SupportingToken.java | 296 ++++
.../model/SymmetricAsymmetricBindingBase.java | 100 ++
.../ws/secpolicy/model/SymmetricBinding.java | 244 ++++
.../java/org/apache/ws/secpolicy/model/Token.java | 91 ++
.../apache/ws/secpolicy/model/TokenWrapper.java | 22 +
.../ws/secpolicy/model/TransportBinding.java | 191 +++
.../apache/ws/secpolicy/model/TransportToken.java | 108 ++
.../org/apache/ws/secpolicy/model/Trust10.java | 204 +++
.../org/apache/ws/secpolicy/model/Trust13.java | 247 ++++
.../apache/ws/secpolicy/model/UsernameToken.java | 174 +++
.../java/org/apache/ws/secpolicy/model/Wss10.java | 157 +++
.../java/org/apache/ws/secpolicy/model/Wss11.java | 154 ++
.../org/apache/ws/secpolicy/model/X509Token.java | 208 +++
.../builders/AlgorithmSuiteBuilder.java | 48 +
.../builders/AsymmetricBindingBuilder.java | 105 ++
.../builders/EncryptedElementsBuilder.java | 69 +
.../builders/EncryptedPartsBuilder.java | 71 +
.../builders/InitiatorTokenBuilder.java | 68 +
.../secpolicy11/builders/IssuedTokenBuilder.java | 118 ++
.../ws/secpolicy11/builders/LayoutBuilder.java | 73 +
.../builders/ProtectionTokenBuilder.java | 61 +
.../builders/RecipientTokenBuilder.java | 72 +
.../builders/RequiredElementsBuilder.java | 67 +
.../builders/SecureConversationTokenBuilder.java | 82 ++
.../builders/SecurityContextTokenBuilder.java | 69 +
.../builders/SignedElementsBuilder.java | 66 +
.../secpolicy11/builders/SignedPartsBuilder.java | 69 +
.../builders/SupportingTokensBuilder.java | 106 ++
.../builders/SymmetricBindingBuilder.java | 92 ++
.../builders/TransportBindingBuilder.java | 88 ++
.../builders/TransportTokenBuilder.java | 74 +
.../ws/secpolicy11/builders/Trust10Builder.java | 71 +
.../secpolicy11/builders/UsernameTokenBuilder.java | 85 ++
.../ws/secpolicy11/builders/WSS10Builder.java | 81 ++
.../ws/secpolicy11/builders/WSS11Builder.java | 89 ++
.../ws/secpolicy11/builders/X509TokenBuilder.java | 122 ++
.../builders/AlgorithmSuiteBuilder.java | 48 +
.../builders/AsymmetricBindingBuilder.java | 106 ++
.../builders/ContentEncryptedElementsBuilder.java | 67 +
.../builders/EncryptedElementsBuilder.java | 69 +
.../builders/EncryptedPartsBuilder.java | 71 +
.../builders/InitiatorTokenBuilder.java | 68 +
.../secpolicy12/builders/IssuedTokenBuilder.java | 119 ++
.../ws/secpolicy12/builders/LayoutBuilder.java | 71 +
.../builders/ProtectionTokenBuilder.java | 61 +
.../builders/RecipientTokenBuilder.java | 72 +
.../builders/RequiredElementsBuilder.java | 68 +
.../secpolicy12/builders/RequiredPartsBuilder.java | 68 +
.../builders/SecureConversationTokenBuilder.java | 86 ++
.../builders/SecurityContextTokenBuilder.java | 68 +
.../builders/SignedElementsBuilder.java | 67 +
.../secpolicy12/builders/SignedPartsBuilder.java | 71 +
.../builders/SupportingTokensBuilder.java | 127 ++
.../builders/SymmetricBindingBuilder.java | 92 ++
.../builders/TransportBindingBuilder.java | 88 ++
.../builders/TransportTokenBuilder.java | 80 ++
.../ws/secpolicy12/builders/Trust13Builder.java | 79 ++
.../secpolicy12/builders/UsernameTokenBuilder.java | 94 ++
.../ws/secpolicy12/builders/WSS10Builder.java | 81 ++
.../ws/secpolicy12/builders/WSS11Builder.java | 89 ++
.../ws/secpolicy12/builders/X509TokenBuilder.java | 126 ++
modules/rampart-samples/README.txt | 17 +
modules/rampart-samples/basic/README.txt | 44 +
modules/rampart-samples/basic/build.xml | 248 ++++
modules/rampart-samples/basic/sample01/README.txt | 6 +
.../basic/sample01/client.axis2.xml | 453 ++++++
.../rampart-samples/basic/sample01/services.xml | 27 +
.../apache/rampart/samples/sample01/Client.java | 62 +
.../rampart/samples/sample01/SimpleService.java | 24 +
modules/rampart-samples/basic/sample02/README.txt | 10 +
.../basic/sample02/client.axis2.xml | 464 ++++++
.../rampart-samples/basic/sample02/services.xml | 33 +
.../apache/rampart/samples/sample02/Client.java | 62 +
.../rampart/samples/sample02/PWCBHandler.java | 40 +
.../rampart/samples/sample02/SimpleService.java | 25 +
modules/rampart-samples/basic/sample03/README.txt | 12 +
.../basic/sample03/client.axis2.xml | 465 ++++++
.../rampart-samples/basic/sample03/services.xml | 33 +
.../apache/rampart/samples/sample03/Client.java | 62 +
.../rampart/samples/sample03/PWCBHandler.java | 51 +
.../rampart/samples/sample03/SimpleService.java | 36 +
modules/rampart-samples/basic/sample04/README.txt | 7 +
.../basic/sample04/client.axis2.xml | 473 +++++++
.../rampart-samples/basic/sample04/services.xml | 44 +
.../apache/rampart/samples/sample04/Client.java | 62 +
.../rampart/samples/sample04/PWCBHandler.java | 43 +
.../rampart/samples/sample04/SimpleService.java | 25 +
modules/rampart-samples/basic/sample05/README.txt | 7 +
.../basic/sample05/client.axis2.xml | 472 +++++++
.../rampart-samples/basic/sample05/services.xml | 45 +
.../apache/rampart/samples/sample05/Client.java | 62 +
.../rampart/samples/sample05/PWCBHandler.java | 43 +
.../rampart/samples/sample05/SimpleService.java | 25 +
modules/rampart-samples/basic/sample06/README.txt | 8 +
.../basic/sample06/client.axis2.xml | 478 +++++++
.../rampart-samples/basic/sample06/services.xml | 47 +
.../apache/rampart/samples/sample06/Client.java | 62 +
.../rampart/samples/sample06/PWCBHandler.java | 43 +
.../rampart/samples/sample06/SimpleService.java | 25 +
modules/rampart-samples/basic/sample07/README.txt | 8 +
.../basic/sample07/client.axis2.xml | 477 +++++++
.../rampart-samples/basic/sample07/services.xml | 46 +
.../apache/rampart/samples/sample07/Client.java | 62 +
.../rampart/samples/sample07/PWCBHandler.java | 43 +
.../rampart/samples/sample07/SimpleService.java | 25 +
modules/rampart-samples/basic/sample08/README.txt | 10 +
.../basic/sample08/client.axis2.xml | 478 +++++++
.../rampart-samples/basic/sample08/services.xml | 35 +
.../apache/rampart/samples/sample08/Client.java | 62 +
.../rampart/samples/sample08/PWCBHandler.java | 43 +
.../rampart/samples/sample08/SimpleService.java | 25 +
modules/rampart-samples/basic/sample09/README.txt | 8 +
.../basic/sample09/client.axis2.xml | 476 +++++++
.../rampart-samples/basic/sample09/services.xml | 46 +
.../apache/rampart/samples/sample09/Client.java | 62 +
.../rampart/samples/sample09/PWCBHandler.java | 50 +
.../rampart/samples/sample09/SimpleService.java | 25 +
modules/rampart-samples/basic/sample10/README.txt | 8 +
.../basic/sample10/client.axis2.xml | 481 +++++++
.../rampart-samples/basic/sample10/services.xml | 47 +
.../apache/rampart/samples/sample10/Client.java | 62 +
.../rampart/samples/sample10/PWCBHandler.java | 43 +
.../rampart/samples/sample10/SimpleService.java | 25 +
modules/rampart-samples/build.xml | 49 +
modules/rampart-samples/keys/client.jks | Bin 0 -> 2676 bytes
modules/rampart-samples/keys/client.properties | 4 +
modules/rampart-samples/keys/service.jks | Bin 0 -> 2675 bytes
modules/rampart-samples/keys/service.properties | 4 +
modules/rampart-samples/keys/sts.jks | Bin 0 -> 2677 bytes
modules/rampart-samples/policy/build.xml | 266 ++++
.../rampart-samples/policy/sample-tomcat/README | 37 +
.../rampart-samples/policy/sample-tomcat/build.xml | 143 ++
.../policy/sample-tomcat/policy.xml | 42 +
.../policy/sample-tomcat/services.xml | 65 +
.../org/apache/rampart/tomcat/sample/Client.java | 79 ++
.../apache/rampart/tomcat/sample/PWCBHandler.java | 49 +
.../rampart/tomcat/sample/SimpleService.java | 26 +
modules/rampart-samples/policy/sample01/README.txt | 8 +
modules/rampart-samples/policy/sample01/policy.xml | 54 +
.../rampart-samples/policy/sample01/services.xml | 65 +
.../rampart/samples/policy/sample01/Client.java | 77 +
.../samples/policy/sample01/PWCBHandler.java | 49 +
.../samples/policy/sample01/SimpleService.java | 24 +
modules/rampart-samples/policy/sample02/README.txt | 7 +
modules/rampart-samples/policy/sample02/policy.xml | 83 ++
.../rampart-samples/policy/sample02/services.xml | 94 ++
.../rampart/samples/policy/sample02/Client.java | 77 +
.../samples/policy/sample02/PWCBHandler.java | 42 +
.../samples/policy/sample02/SimpleService.java | 24 +
modules/rampart-samples/policy/sample03/README.txt | 9 +
modules/rampart-samples/policy/sample03/policy.xml | 94 ++
.../rampart-samples/policy/sample03/services.xml | 105 ++
.../rampart/samples/policy/sample03/Client.java | 77 +
.../samples/policy/sample03/PWCBHandler.java | 42 +
.../samples/policy/sample03/SimpleService.java | 24 +
modules/rampart-samples/policy/sample04/README.txt | 15 +
modules/rampart-samples/policy/sample04/policy.xml | 150 ++
.../rampart-samples/policy/sample04/services.xml | 198 +++
.../rampart/samples/policy/sample04/Client.java | 85 ++
.../samples/policy/sample04/PWCBHandler.java | 42 +
.../samples/policy/sample04/SimpleService.java | 24 +
modules/rampart-samples/policy/sample05/README.txt | 8 +
modules/rampart-samples/policy/sample05/policy.xml | 88 ++
.../rampart-samples/policy/sample05/services.xml | 233 +++
.../rampart/samples/policy/sample05/Client.java | 124 ++
.../samples/policy/sample05/PWCBHandler.java | 42 +
.../samples/policy/sample05/SimpleService.java | 24 +
.../rampart-samples/policy/sample05/sts_policy.xml | 83 ++
modules/rampart-samples/policy/sample06/README.txt | 5 +
.../rampart-samples/policy/sample06/mex_policy.xml | 51 +
modules/rampart-samples/policy/sample06/policy.xml | 110 ++
.../rampart-samples/policy/sample06/services.xml | 255 ++++
.../rampart/samples/policy/sample06/Client.java | 109 ++
.../samples/policy/sample06/MexService.java | 52 +
.../samples/policy/sample06/PWCBHandler.java | 44 +
.../samples/policy/sample06/SimpleService.java | 24 +
.../rampart-samples/policy/sample06/sts_policy.xml | 66 +
modules/rampart-tests/pom.xml | 72 +
.../org/apache/rahas/SimpleTokenStoreTest.java | 150 ++
.../src/test/java/org/apache/rahas/TempIssuer.java | 58 +
.../rahas/TokenRequestDispatcherConfigTest.java | 86 ++
.../rampart/AsymmetricBindingBuilderTest.java | 250 ++++
.../org/apache/rampart/MessageBuilderTestBase.java | 124 ++
.../java/org/apache/rampart/RampartEngineTest.java | 48 +
.../rampart/SymmetricBindingBuilderTest.java | 210 +++
.../java/org/apache/rampart/TestCBHandler.java | 174 +++
.../rampart/TransportBindingBuilderTest.java | 128 ++
.../handler/config/InflowConfigurationTest.java | 73 +
.../handler/config/OutflowConfigurationTest.java | 194 +++
.../rampart/policy/model/RampartPolicyTest.java | 87 ++
.../ws/secpolicy/model/SecpolicyModelTest.java | 94 ++
.../rampart-tests/test-resources/PWCallback.java | 185 +++
modules/rampart-tests/test-resources/axis2.xml | 98 ++
.../rampart-tests/test-resources/keys/interop2.jks | Bin 0 -> 4857 bytes
.../test-resources/policy-asymm-binding.xml | 46 +
.../test-resources/policy-symm-binding.xml | 53 +
.../test-resources/policy-transport-binding.xml | 43 +
.../policy/SecurityPolicyBindings.xml | 50 +
.../policy/SecurityPolicyBindingsSymm.xml | 43 +
.../test-resources/policy/SecurityPolicyMsg.xml | 19 +
.../policy/rampart-asymm-binding-1.xml | 75 +
.../policy/rampart-asymm-binding-2-sig-dk.xml | 76 +
.../policy/rampart-asymm-binding-3-dk.xml | 77 +
.../policy/rampart-asymm-binding-4-dk-ebs.xml | 85 ++
.../policy/rampart-asymm-binding-5-ebs.xml | 81 ++
.../policy/rampart-asymm-binding-6-3des-r15.xml | 74 +
.../policy/rampart-asymm-binding-7-3des-r15-DK.xml | 76 +
.../test-resources/policy/rampart-policy-1.xml | 15 +
.../policy/rampart-symm-binding-1.xml | 76 +
.../policy/rampart-symm-binding-2-dk.xml | 76 +
.../policy/rampart-symm-binding-3-dk-es.xml | 77 +
.../policy/rampart-symm-binding-4-ebs.xml | 77 +
.../policy/rampart-symm-binding-5-dk-ebs.xml | 78 ++
.../policy/rampart-transport-binding-dk.xml | 68 +
.../policy/rampart-transport-binding-no-bst.xml | 64 +
.../policy/rampart-transport-binding.xml | 64 +
.../test-resources/policy/soapmessage.xml | 57 +
.../trust/dispatcher.config.invalid.1.xml | 6 +
.../trust/dispatcher.config.invalid.2.xml | 6 +
.../test-resources/trust/dispatcher.config.xml | 6 +
.../trust/impl/sct-issuer-config.xml | 4 +
.../test-resources/trust/impl/sctIssuer.properties | 4 +
.../test-resources/trust/impl/sts-services.xml | 29 +
.../test-resources/trust/impl/sts.jks | Bin 0 -> 2989 bytes
.../trust/impl/token-dispatcher-configuration.xml | 6 +
modules/rampart-trust-mar/module.xml | 52 +
modules/rampart-trust-mar/pom.xml | 110 ++
modules/rampart-trust/pom.xml | 60 +
.../java/org/apache/rahas/EncryptedKeyToken.java | 62 +
.../main/java/org/apache/rahas/RahasConstants.java | 129 ++
.../src/main/java/org/apache/rahas/RahasData.java | 542 +++++++
.../java/org/apache/rahas/STSMessageReceiver.java | 71 +
.../java/org/apache/rahas/SimpleTokenStore.java | 234 ++++
.../src/main/java/org/apache/rahas/Token.java | 338 +++++
.../main/java/org/apache/rahas/TokenCanceler.java | 73 +
.../main/java/org/apache/rahas/TokenIssuer.java | 79 ++
.../main/java/org/apache/rahas/TokenRenewer.java | 66 +
.../org/apache/rahas/TokenRequestDispatcher.java | 140 ++
.../apache/rahas/TokenRequestDispatcherConfig.java | 421 ++++++
.../main/java/org/apache/rahas/TokenStorage.java | 87 ++
.../main/java/org/apache/rahas/TokenValidator.java | 66 +
.../main/java/org/apache/rahas/TrustException.java | 131 ++
.../src/main/java/org/apache/rahas/TrustUtil.java | 558 ++++++++
.../java/org/apache/rahas/client/STSClient.java | 773 ++++++++++
.../main/java/org/apache/rahas/errors.properties | 88 ++
.../apache/rahas/impl/AbstractIssuerConfig.java | 81 ++
.../org/apache/rahas/impl/SAMLTokenIssuer.java | 585 ++++++++
.../apache/rahas/impl/SAMLTokenIssuerConfig.java | 393 ++++++
.../org/apache/rahas/impl/SAMLTokenRenewer.java | 199 +++
.../org/apache/rahas/impl/SAMLTokenValidator.java | 250 ++++
.../main/java/org/apache/rahas/impl/SCTIssuer.java | 220 +++
.../org/apache/rahas/impl/SCTIssuerConfig.java | 82 ++
.../org/apache/rahas/impl/TokenCancelerConfig.java | 80 ++
.../org/apache/rahas/impl/TokenCancelerImpl.java | 200 +++
.../org/apache/rahas/impl/TokenIssuerUtil.java | 164 +++
.../rahas/impl/util/SAMLAttributeCallback.java | 36 +
.../org/apache/rahas/impl/util/SAMLCallback.java | 25 +
.../rahas/impl/util/SAMLCallbackHandler.java | 28 +
.../impl/util/SAMLNameIdentifierCallback.java | 47 +
.../rampart-trust/sts-aar-resources/rahas-sts.jks | Bin 0 -> 6377 bytes
.../sts-aar-resources/saml-issuer-config.xml | 46 +
.../sts-aar-resources/sct-issuer-config.xml | 29 +
.../rampart-trust/sts-aar-resources/services.xml | 89 ++
.../sts-aar-resources/token-canceler-config.xml | 3 +
.../token-dispatcher-configuration.xml | 17 +
pom.xml | 542 +++++++
release-docs/ChangeLog.txt | 134 ++
release-docs/LICENSE.txt | 203 +++
release-docs/NOTICE.txt | 12 +
release-docs/README.txt | 103 ++
release-docs/build.xml | 50 +
release-docs/release-notes.html | 75 +
521 files changed, 60636 insertions(+)
diff --git a/build.xml b/build.xml
new file mode 100644
index 0000000..84a7528
--- /dev/null
+++ b/build.xml
@@ -0,0 +1,160 @@
+<project name="Apache Rampart release build" default="dist">
+
+ <property name="rampart.version" value="SNAPSHOT"/>
+ <property name="rampart.bin.dist" value="rampart"/>
+ <property name="rampart.src.dist" value="rampart-src"/>
+ <property name="rampart.docs.dist" value="rampart-docs"/>
+
+ <property name="dir.dist" value="dist"/>
+ <property name="dir.dist.bin" value="${dir.dist}/bin/${rampart.bin.dist}-${rampart.version}"/>
+ <property name="dir.dist.src" value="${dir.dist}/src/${rampart.src.dist}-${rampart.version}"/>
+ <property name="dir.dist.docs" value="${dir.dist}/docs/${rampart.docs.dist}-${rampart.version}"/>
+
+ <property name="dir.mvn2.repo" value="${user.home}/.m2/repository"/>
+
+ <property name="version.bcprov13" value="132"/>
+ <property name="version.bcprov15" value="132"/>
+
+ <property name="version.xmlsec" value="1.4.0"/>
+ <property name="version.opensaml" value="1.1"/>
+ <property name="version.wss4j" value="SNAPSHOT"/>
+
+
+ <condition property="jdk14.present">
+ <equals arg1="${ant.java.version}" arg2="1.4"/>
+ </condition>
+
+ <target name="init">
+ <mkdir dir="${dir.dist}"/>
+ </target>
+
+ <target name="dist" depends="clean, bin-dist, src-dist, docs-dist">
+ <copy todir="${dir.dist}" file="modules/rampart-mar/target/rampart-${rampart.version}.mar"/>
+ <copy todir="${dir.dist}" file="modules/rampart-trust-mar/target/rahas-${rampart.version}.mar"/>
+ <copy todir="${dir.dist}" file="modules/rampart-core/target/rampart-core-${rampart.version}.jar"/>
+ <copy todir="${dir.dist}" file="modules/rampart-policy/target/rampart-policy-${rampart.version}.jar"/>
+ <copy todir="${dir.dist}" file="modules/rampart-trust/target/rampart-trust-${rampart.version}.jar"/>
+ </target>
+
+ <target name="bin-dist" depends="init">
+
+ <mkdir dir="${dir.dist.bin}"/>
+
+ <copy todir="${dir.dist.bin}">
+ <fileset dir="release-docs">
+ </fileset>
+ </copy>
+
+ <!-- Modules -->
+ <echo>Copying mars in to modules</echo>
+ <copy todir="${dir.dist.bin}" file="modules/rampart-mar/target/rampart-${rampart.version}.mar"/>
+ <copy todir="${dir.dist.bin}" file="modules/rampart-trust-mar/target/rahas-${rampart.version}.mar"/>
+
+ <!-- All dep jars -->
+ <echo>Copying dependencies into lib</echo>
+ <mkdir dir="${dir.dist.bin}/lib"/>
+
+ <copy todir="${dir.dist.bin}/lib" file="modules/rampart-core/target/rampart-core-${rampart.version}.jar"/>
+ <copy todir="${dir.dist.bin}/lib" file="modules/rampart-policy/target/rampart-policy-${rampart.version}.jar"/>
+ <copy todir="${dir.dist.bin}/lib" file="modules/rampart-trust/target/rampart-trust-${rampart.version}.jar"/>
+ <copy todir="${dir.dist.bin}/lib" file="${dir.mvn2.repo}/org/apache/santuario/xmlsec/${version.xmlsec}/xmlsec-${version.xmlsec}.jar"/>
+ <copy todir="${dir.dist.bin}/lib" file="${dir.mvn2.repo}/opensaml/opensaml/${version.opensaml}/opensaml-${version.opensaml}.jar"/>
+ <copy todir="${dir.dist.bin}/lib" file="${dir.mvn2.repo}/org/apache/ws/security/wss4j/${version.wss4j}/wss4j-${version.wss4j}.jar"/>
+ <antcall target="copy-bc-jar-14" />
+ <antcall target="copy-bc-jar-15" />
+
+ <echo>Copying samples</echo>
+ <!-- copy samples -->
+ <mkdir dir="${dir.dist.bin}/samples"/>
+
+ <copy todir="${dir.dist.bin}/samples">
+ <fileset dir="modules/rampart-samples/">
+ </fileset>
+ </copy>
+
+ <zip destfile="${dir.dist}/${rampart.bin.dist}-${rampart.version}.zip">
+ <zipfileset dir="${dir.dist.bin}/../"/>
+ </zip>
+
+ <delete dir="${dir.dist.bin}/../"/>
+
+ </target>
+
+ <target name="copy-bc-jar-14" if="${jdk14.present}">
+ <copy todir="${dir.dist.bin}/lib" file="${dir.mvn2.repo}/bouncycastle/bcprov-jdk13/${version.bcprov13}/bcprov-jdk13-${version.bcprov13}.jar"/>
+ </target>
+
+ <target name="copy-bc-jar-15" unless="${jdk14.present}">
+ <copy todir="${dir.dist.bin}/lib" file="${dir.mvn2.repo}/bouncycastle/bcprov-jdk15/${version.bcprov15}/bcprov-jdk15-${version.bcprov15}.jar"/>
+ </target>
+
+ <target name="src-dist" depends="init">
+
+ <mkdir dir="${dir.dist.src}"/>
+
+ <copy todir="${dir.dist.src}">
+ <fileset dir="release-docs">
+ <exclude name="build.xml"/>
+ <exclude name="README.txt"/>
+ </fileset>
+ </copy>
+
+ <copy todir="${dir.dist.src}">
+ <fileset dir="modules">
+ <include name="rampart-core/**/*"/>
+ <include name="rampart-policy/**/*"/>
+ <include name="rampart-trust/**/*"/>
+ <include name="rampart-samples/**/*"/>
+ <exclude name=".svn"/>
+ </fileset>
+ </copy>
+
+ <zip destfile="${dir.dist}/${rampart.src.dist}-${rampart.version}.zip">
+ <zipfileset dir="${dir.dist.src}/../"/>
+ </zip>
+
+ <delete dir="${dir.dist.src}/../"/>
+ </target>
+
+ <target name="docs-dist">
+
+ <mkdir dir="${dir.dist.docs}"/>
+
+ <copy todir="${dir.dist.docs}">
+ <fileset dir="release-docs">
+ <exclude name="build.xml"/>
+ <exclude name="README.txt"/>
+ </fileset>
+ </copy>
+
+ <mkdir dir="${dir.dist.docs}/core"/>
+ <mkdir dir="${dir.dist.docs}/policy"/>
+ <mkdir dir="${dir.dist.docs}/trust"/>
+
+ <copy todir="${dir.dist.docs}/core">
+ <fileset dir="modules/rampart-core/target/site/apidocs/">
+ </fileset>
+ </copy>
+
+ <copy todir="${dir.dist.docs}/policy">
+ <fileset dir="modules/rampart-policy/target/site/apidocs/">
+ </fileset>
+ </copy>
+
+ <copy todir="${dir.dist.docs}/trust">
+ <fileset dir="modules/rampart-trust/target/site/apidocs/">
+ </fileset>
+ </copy>
+
+ <zip destfile="${dir.dist}/${rampart.docs.dist}-${rampart.version}.zip">
+ <zipfileset dir="${dir.dist.docs}/../"/>
+ </zip>
+
+ <delete dir="${dir.dist.docs}/../"/>
+ </target>
+
+ <target name="clean">
+ <delete dir="${dir.dist}"/>
+ </target>
+
+</project>
diff --git a/legal/opensaml-LICENSE.txt b/legal/opensaml-LICENSE.txt
new file mode 100644
index 0000000..57bc88a
--- /dev/null
+++ b/legal/opensaml-LICENSE.txt
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
diff --git a/legal/wss4j-LICENSE.txt b/legal/wss4j-LICENSE.txt
new file mode 100644
index 0000000..57bc88a
--- /dev/null
+++ b/legal/wss4j-LICENSE.txt
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
diff --git a/legal/xmlsec-LICENSE.txt b/legal/xmlsec-LICENSE.txt
new file mode 100644
index 0000000..57bc88a
--- /dev/null
+++ b/legal/xmlsec-LICENSE.txt
@@ -0,0 +1,202 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
diff --git a/modules/distribution/bin.xml b/modules/distribution/bin.xml
new file mode 100644
index 0000000..d17c3de
--- /dev/null
+++ b/modules/distribution/bin.xml
@@ -0,0 +1,68 @@
+<assembly>
+ <id>bin</id>
+ <includeBaseDirectory>false</includeBaseDirectory>
+ <formats>
+ <format>zip</format>
+ </formats>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>${dist.dir}/modules</outputDirectory>
+ <includes>
+ <include>org.apache.rampart:rampart:mar</include>
+ <include>org.apache.rampart:rahas:mar</include>
+ </includes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>${dist.dir}/lib</outputDirectory>
+ <includes>
+ <include>org.apache.santuario:xmlsec:jar</include>
+ <include>opensaml:opensaml:jar</include>
+ <include>org.apache.ws.security:wss4j:jar</include>
+ <include>org.apache.rampart:rampart-core:jar</include>
+ <include>org.apache.rampart:rampart-policy:jar</include>
+ <include>org.apache.rampart:rampart-trust:jar</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ <fileSets>
+ <fileSet>
+ <directory>target/apidocs</directory>
+ <outputDirectory>${dist.dir}/docs/apidocs</outputDirectory>
+ </fileSet>
+ <fileSet>
+ <directory>../documentation/target/site</directory>
+ <outputDirectory>${dist.dir}/docs</outputDirectory>
+ </fileSet>
+ <fileSet>
+ <directory>../rampart-samples</directory>
+ <outputDirectory>${dist.dir}/samples</outputDirectory>
+ </fileSet>
+ <fileSet>
+ <directory>../../legal</directory>
+ <outputDirectory>${dist.dir}/lib</outputDirectory>
+ </fileSet>
+ </fileSets>
+
+ <files>
+ <file>
+ <source>../../release-docs/README.txt</source>
+ <outputDirectory>${dist.dir}</outputDirectory>
+ <destName>README</destName>
+ </file>
+ <file>
+ <source>../../release-docs/LICENSE.txt</source>
+ <outputDirectory>${dist.dir}</outputDirectory>
+ <destName>LICENSE</destName>
+ </file>
+ <file>
+ <source>../../release-docs/NOTICE.txt</source>
+ <outputDirectory>${dist.dir}</outputDirectory>
+ <destName>NOTICE</destName>
+ </file>
+ <file>
+ <source>../../release-docs/release-notes.html</source>
+ <outputDirectory>${dist.dir}</outputDirectory>
+ </file>
+ </files>
+
+</assembly>
diff --git a/modules/distribution/pom.xml b/modules/distribution/pom.xml
new file mode 100644
index 0000000..0f9df4f
--- /dev/null
+++ b/modules/distribution/pom.xml
@@ -0,0 +1,119 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <parent>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-project</artifactId>
+ <version>1.4</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>rampart-dist</artifactId>
+ <packaging>pom</packaging>
+ <name>Rampart - Distribution</name>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <version>1.1</version>
+ <executions>
+ <execution>
+ <id>build-javadoc</id>
+ <phase>package</phase>
+ <configuration>
+ <tasks>
+ <javadoc packagenames="org.apache.rampart.*,org.apache.rahas.*"
+ destdir="target/apidocs"
+ author="true"
+ breakiterator="true"
+ version="true"
+ use="true"
+ windowtitle="Apache Rampart API">
+
+ <sourcepath>
+ <dirset dir="../..">
+ <include name="**/rampart-core/src/main/java"/>
+ <include name="**/rampart-policy/src/main/java"/>
+ <include name="**/rampart-trust/src/main/java"/>
+ </dirset>
+ </sourcepath>
+
+ <classpath refid="maven.dependency.classpath"/>
+ <classpath refid="maven.compile.classpath"/>
+ <classpath refid="maven.runtime.classpath"/>
+
+ </javadoc>
+ </tasks>
+ </configuration>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.2-beta-1</version>
+ <executions>
+ <execution>
+ <id>distribution-package</id>
+ <phase>package</phase>
+ <goals>
+ <goal>attached</goal>
+ </goals>
+ <configuration>
+ <descriptors>
+ <descriptor>bin.xml</descriptor>
+ <descriptor>src.xml</descriptor>
+ </descriptors>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart</artifactId>
+ <version>${rampart.mar.version}</version>
+ <type>mar</type>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rahas</artifactId>
+ <version>${rahas.mar.version}</version>
+ <type>mar</type>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-core</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-policy</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-trust</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk13</artifactId>
+ <version>${bcprov.jdk13.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ <version>${bcprov.jdk15.version}</version>
+ </dependency>
+ </dependencies>
+
+</project>
\ No newline at end of file
diff --git a/modules/distribution/src.xml b/modules/distribution/src.xml
new file mode 100644
index 0000000..4b7737b
--- /dev/null
+++ b/modules/distribution/src.xml
@@ -0,0 +1,34 @@
+<assembly>
+ <id>src</id>
+ <includeBaseDirectory>false</includeBaseDirectory>
+ <formats>
+ <format>zip</format>
+ </formats>
+
+ <fileSets>
+ <fileSet>
+ <directory>../..</directory>
+ <outputDirectory>rampart-src-${rampart.version}</outputDirectory>
+ <includes>
+ <include>**/modules/**/*</include>
+ <include>**/pom.xml</include>
+ <include>src</include>
+ <include>release-docs/*</include>
+ </includes>
+ <excludes>
+ <exclude>**/target</exclude>
+ <exclude>**/target/**/*</exclude>
+ <exclude>**/build</exclude>
+ <exclude>**/build/**/*</exclude>
+ <exclude>**/.settings</exclude>
+ <exclude>**/.classpath</exclude>
+ <exclude>**/.project</exclude>
+ <exclude>**/.wtpmodules</exclude>
+ <exclude>**/*.iml</exclude>
+ <exclude>**/.settings</exclude>
+ <exclude>**/.settings/**/*</exclude>
+ <exclude>**/.svn/**</exclude>
+ </excludes>
+ </fileSet>
+ </fileSets>
+</assembly>
diff --git a/modules/documentation/pom.xml b/modules/documentation/pom.xml
new file mode 100644
index 0000000..526f92d
--- /dev/null
+++ b/modules/documentation/pom.xml
@@ -0,0 +1,32 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <parent>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-project</artifactId>
+ <version>1.4</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>rampart-documentaion</artifactId>
+ <packaging>pom</packaging>
+ <name>Rampart - Documentation</name>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-site-plugin</artifactId>
+ <version>2.0-beta-5</version>
+ <inherited>false</inherited>
+ <executions>
+ <execution>
+ <phase>install</phase>
+ <goals>
+ <goal>site</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+</project>
\ No newline at end of file
diff --git a/modules/documentation/src/site/resources/images/message-builder.jpg b/modules/documentation/src/site/resources/images/message-builder.jpg
new file mode 100644
index 0000000..922fcce
Binary files /dev/null and b/modules/documentation/src/site/resources/images/message-builder.jpg differ
diff --git a/modules/documentation/src/site/resources/images/rampart-engine.jpg b/modules/documentation/src/site/resources/images/rampart-engine.jpg
new file mode 100644
index 0000000..9c10718
Binary files /dev/null and b/modules/documentation/src/site/resources/images/rampart-engine.jpg differ
diff --git a/modules/documentation/src/site/resources/images/rampart-handlers.jpg b/modules/documentation/src/site/resources/images/rampart-handlers.jpg
new file mode 100644
index 0000000..5a84e2b
Binary files /dev/null and b/modules/documentation/src/site/resources/images/rampart-handlers.jpg differ
diff --git a/modules/documentation/src/site/resources/images/rampart-trust.jpg b/modules/documentation/src/site/resources/images/rampart-trust.jpg
new file mode 100644
index 0000000..8c32f0a
Binary files /dev/null and b/modules/documentation/src/site/resources/images/rampart-trust.jpg differ
diff --git a/modules/documentation/src/site/resources/images/security-stack.jpg b/modules/documentation/src/site/resources/images/security-stack.jpg
new file mode 100644
index 0000000..502f31e
Binary files /dev/null and b/modules/documentation/src/site/resources/images/security-stack.jpg differ
diff --git a/modules/documentation/src/site/resources/rampart-config.xsd b/modules/documentation/src/site/resources/rampart-config.xsd
new file mode 100644
index 0000000..17546de
--- /dev/null
+++ b/modules/documentation/src/site/resources/rampart-config.xsd
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ramp="http://ws.apache.org/rampart/policy" targetNamespace="http://ws.apache.org/rampart/policy" elementFormDefault="qualified" attributeFormDefault="unqualified">
+ <xs:element name="RampartConfig">
+ <xs:annotation>
+ <xs:documentation>http://ws.apache.org/rampart/rampartconfig-guide.html</xs:documentation>
+ </xs:annotation>
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element name="user" type="xs:string"/>
+ <xs:element name="userCertAlias" type="xs:string" minOccurs="0"/>
+ <xs:element name="encryptionUser" type="xs:string" minOccurs="0"/>
+ <xs:element name="passwordCallbackClass" type="xs:string" minOccurs="0"/>
+ <xs:element name="policyValidatorCbClass" type="xs:string" minOccurs="0"/>
+ <xs:element name="signatureCrypto" type="ramp:crypto" minOccurs="0"/>
+ <xs:element name="encryptionCypto" type="ramp:crypto" minOccurs="0"/>
+ <xs:element name="decryptionCrypto" type="ramp:crypto" minOccurs="0"/>
+ <xs:element name="timestampTTL" type="xs:integer"/>
+ <xs:element name="timestampMaxSkew" type="xs:integer" minOccurs="0"/>
+ <xs:element name="tokenStoreClass" type="xs:string" minOccurs="0"/>
+ <xs:element name="sslConfig" type="ssl" minOccurs="0"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:complexType name="crypto">
+ <xs:annotation>
+ <xs:documentation>http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/components/crypto/Crypto.html</xs:documentation>
+ </xs:annotation>
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="property" type="xs:string"/>
+ </xs:sequence>
+ <xs:attribute name="provider"/>
+ </xs:complexType>
+ <xs:complexType name="ssl">
+ <xs:sequence maxOccurs="unbounded">
+ <xs:element name="property" type="xs:string"/>
+ </xs:sequence>
+ </xs:complexType>
+</xs:schema>
\ No newline at end of file
diff --git a/modules/documentation/src/site/site.xml b/modules/documentation/src/site/site.xml
new file mode 100644
index 0000000..9e5db22
--- /dev/null
+++ b/modules/documentation/src/site/site.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+
+<project name="Apache Rampart">
+
+ <bannerLeft>
+ <name>Apache Rampart</name>
+ <href>ws.apache.org/rampart/</href>
+ </bannerLeft>
+
+ <skin>
+ <groupId>org.apache.maven.skins</groupId>
+ <artifactId>maven-default-skin</artifactId>
+ <version>1.0</version>
+ </skin>
+
+ <publishDate format="dd MMM yyyy"/>
+
+ <body>
+ <links>
+ <item name="Apache" href="http://www.apache.org/"/>
+ <item name="WebServices" href="http://ws.apache.org/"/>
+ <item name="Axis2/Java" href="http://ws.apache.org/axis2" />
+ </links>
+
+ <menu name="Apache Rampart">
+ <item name="Home" href="index.html" />
+ </menu>
+ <menu name="Downloads">
+ <item name="Releases" href="download.html"/>
+ <item name="Source Code" href="source-repository.html"/>
+ <item name="Checkout the Source" href="svn.html" />
+ </menu>
+ <menu name="Documentation">
+ <item name="Quick Start Guide" href="quick-start.html"/>
+ <item name="Rampart Configuration" href="rampartconfig-guide.html"/>
+ <item name="Developer Guide" href="developer-guide.html"/>
+ <item name="Build the Site" href="siteHowTo.html" />
+ </menu>
+ <menu name="Resources">
+ <item name="Articles" href="articles.html" />
+ <item name="Specifications"></item>
+ <item name="Online Javadocs"></item>
+ </menu>
+ <menu name="Project Information">
+ <item name="Project Team" href="team-list.html" />
+ <item name="Issue Tracking" href="http://issues.apache.org/jira/browse/Rampart" />
+ <item name="Mailing Lists" href="mail-lists.html"/>
+ <item name="Source Code"
+ href="http://svn.apache.org/viewcvs.cgi/webservices/rampart/trunk/?root=Apache-SVN" />
+ <item name="Dependencies" href="dependencies.html"/>
+ <item name="License"
+ href="http://www.apache.org/licenses/LICENSE-2.0.html" />
+ </menu>
+
+ </body>
+</project>
diff --git a/modules/documentation/src/site/xdoc/articles.xml b/modules/documentation/src/site/xdoc/articles.xml
new file mode 100644
index 0000000..9bb0f02
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/articles.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Apache Rampart References</title>
+</head>
+<body>
+<h1>Apache Rampart Knowledge Base</h1>
+<p>This page contains articles, tutorials, presentations and
+question and answers published on various Web sites on the Apache
+Rampart. </p>
+<h2>Articles:</h2>
+<ul>
+<li><a href="http://wso2.org/library/240">
+UsernameToken Authentication with Rampart</a>- By Ruchith Ferenando</li>
+<li><a href="http://www.xml.com/pub/a/2007/05/02/sure-reliable-web-services-with-apache.html">
+Secure, Reliable Web Services with Apache</a>- By Kyle Gabhart</li>
+<li><a href="http://wso2.org/library/3132">
+Understanding WS - Security Policy Language</a>- By Nandana Mihindukulasooriya</li>
+<li><a href="http://wso2.org/library/1027">
+Integrating WS-Security and WS-SecureConversation Implementations with Apache Sandesha2 </a>- By Chamikara Jayalath</li>
+</ul>
+
+<h2>Tutorials</h2>
+<ul>
+<li><a href="http://wso2.org/library/140">Secure Message Exchanges with Multiple Users</a>- By
+Ruchith Fernando</li>
+<li><a href="http://wso2.org/library/174">Setting Up Keystores for a Client and a Service</a>- By
+Ruchith Fernando</li>
+<li><a href="http://wso2.org/library/3190">Web Services Security with Apache Rampart - Part 1 ( Transport Level Security )</a>- By
+Nandana Mihindukulasooriya</li>
+</ul>
+
+<h2>Presentations</h2>
+<ul>
+<li><a href="http://wso2.org/library/136">Secure Web Services with Apache Rampart</a>- By
+Ruchith Fernando</li>
+<li><a href="http://wso2.org/library/2534">Apache Rahas</a>- By
+Ruchith Fernando</li>
+</ul>
+<h2>Interviews</h2>
+<ul>
+<li><a href="http://wso2.org/library/695">Secure Messaging with Apache Rampart/Java</a>- By
+Ruchith Fernando</li>
+</ul>
+<h2>Questions and Answers</h2>
+<ul>
+<li><a href="http://wso2.org/library/2507">Timestamp validation fails! Why?</a></li>
+<li><a href="http://wso2.org/library/2506">How can I convert an LLOM AXIOM tree into a DOOM AXIOM tree?</a></li>
+<li><a href="http://wso2.org/library/169">How can I obtain UsernameToken information at the service?</a></li>
+<li><a href="http://wso2.org/library/116">Unexpected number of X509Data: for Signature. Why?</a></li>
+</ul>
+</body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/developer-guide.xml b/modules/documentation/src/site/xdoc/developer-guide.xml
new file mode 100644
index 0000000..a6258e1
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/developer-guide.xml
@@ -0,0 +1,191 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+ <title>Apache Rampart - Source Repository</title>
+</head>
+ <body >
+<h2>Getting Involved in Rampart</h2>
+
+<h3>Introduction</h3>
+
+Components of Rampart
+<ul>
+ <li>Rampart Core</li>
+ <li>Rampart Policy</li>
+ <li>Rampart Trust</li>
+</ul>
+
+<p></p>
+<img alt="Rampart Components and WS-Security Stack"
+title="Rampart Components and WS-Security Stack" src="images/security-stack.jpg" align="middle" />
+
+<p><strong><em>Figure 1 : Rampart Components and WS-Security
+Stack</em></strong></p>
+
+<h3>Building Rampart</h3>
+<ol>
+ <li>Install maven2. Refer to the <a
+ href="http://maven.apache.org/guides/getting-started/maven-in-five-minutes.html">Installation
+ guide</a>.</li>
+ <li>Install SVN on your machine. (The Rampart repository uses SVN.) Please
+ read the ASF <a
+ href="http://www.apache.org/dev/version-control.html">Source Code
+ Repositories page.</a></li>
+ <li>Download the source code.
+ <ul>
+ <li>Anon Checkout <a
+ href="http://svn.apache.org/repos/asf/webservices/rampart/trunk/java/">http://svn.apache.org/repos/asf/webservices/rampart/trunk/java/</a></li>
+ <li>Committers <a
+ href="https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/">https://svn.apache.org/repos/asf/webservices/rampart/trunk/java/</a></li>
+ </ul>
+ </li>
+ <li>The Rampart project has 8 modules under it. They are:
+ <ul>
+ <li>rampart-policy contains security policy assertions.</li>
+ <li>rampart-core has core components that process and enforce
+ security.</li>
+ <li>rampart-trust contains trust components.</li>
+ <li>rampart-mar builds the rampart.mar that is deployed in the
+ "modules" directory of the Axis2 repository.</li>
+ <li>rampart-trust-mar builds the rahas.mar that adds WS-Trust into
+ Axis2.</li>
+ <li>rampart-test has a set of unit test cases.</li>
+ <li>integration-test has functional tests.</li>
+ <li>rampart-samples consist of samples provided with the
+ distribution.</li>
+ </ul>
+ </li>
+ <li>Build by typing <code>$mvn clean install</code></li>
+</ol>
+
+<p>When deploying rampart.mar and rampart-trust.mar in the Axis2 repository,
+you may notice that they do not contain any dependencies. Therefore all the
+dependencies must be in the classpath.</p>
+
+<h3>Rampart in Axis2</h3>
+
+<p>Rampart is deployed as a module in Axis2, in the security phase. The
+security phase is right after the transport phase. The Rampart module
+introduces a couple of handlers -
+"org.apache.rampart.handler.RampartReciever" and
+"org.apache.rampart.handler.RampartSender" to the security phase.</p>
+
+<p></p>
+<img alt="DOOM" title="Rampart in Axis2" src="images/rampart-handlers.jpg"
+align="middle" />
+
+<p><strong><em>Figure 2 : Rampart in Axis2</em></strong></p>
+
+<p>The "RampartReciver" handler intercepts the incoming message. Then Rampart
+validates the security of the incoming message, and checks whether it is
+in-line with the specified security policy. All security actions such as
+decryption of the message, validating the digital signature, validating the
+timestamp, and authenticating the user happens inside the Rampart module.</p>
+
+<p>"RampartSender" is the last handler in the outflow. The outgoing message
+is intercepted by this handler and Rampart takes the security actions. For
+example SOAP message can be encrypted, digitally signed, and security tokens
+are included according to the security policy.</p>
+
+<h3>Rampart, WSS4J, and DOOM</h3>
+
+<p>Rampart uses WSS4J for securing SOAP messages. WSS4J is an Apache project
+which implements the WS-Security specification. SOAP messages are signed and
+encrypted according to the <a href="http://www.w3.org/TR/xmlenc-core/">XML
+Encryption</a> and <a href="http://www.w3.org/TR/xmldsig-core/">XML Digital
+Signature</a> specifications, but the WS-Security specification introduces an
+additional set of rules. Therefore WSS4J ensures that SOAP messages are
+singed according to all the rules defined in the specifications. WSS4J uses
+Apache's <a href="http://santuario.apache.org/Java/index.html">xmlsec
+libraries</a> for XML Encryption and XML Digital Signature.</p>
+
+<p>Rather than re-inventing the wheel, it was decided to use WSS4J for SOAP
+message security in Rampart but there was a fundamental problem. WSS4J and
+all the incorporating XML security libraries use "DOM" for parsing and
+generating XML, while Axis2 uses "AXIOM" as the object model. This was
+resolved by using a new object model named "DOOM". DOOM is both AXIOM and DOM
+implementations. Therefore you can manipulate/access a DOOM object structure
+through DOM interfaces and AXIOM interfaces.</p>
+
+<p>When Rampart is engaged and configured, the incoming SOAP messages are
+converted to DOOM. Since DOOM implements the DOM interface it is possible for
+WSS4J to process messages. After performing the security validations, before
+flushing the message down the message inflow, the DOOM SOAP message is
+converted back to OM. At the outgoing flow, the message is converted to DOOM
+and then the security functions are performed using WSS4J.</p>
+
+<h3>Rampart Core</h3>
+
+<p>Rampart core drives security enforcement and validation on SOAP messages.
+It binds all components together to create the final product. The important
+components of Rampart core are,</p>
+<ul>
+ <li>org.apache.rampart.RampartEngine</li>
+ <li>org.apache.rampart.MessageBuilder</li>
+</ul>
+
+<p><strong>SOAP Message Inflow</strong></p>
+
+<p>Incoming messages are intercepted by RampartReciver and handed over to the
+RampartEngine. RampartEngine is responsible for handling validation of
+security in the incoming SOAP message.</p>
+<img alt="Rampart Engine" title="Rampart Engine"
+src="images/rampart-engine.jpg" align="middle" />
+
+<p><strong><em>Figure 3: Control flow in RampartEngine</em></strong></p>
+
+<p><strong>Note</strong>: RampartMessageData stores
+"org.apache.rampart.policy.RampartPolicyData", which contains security policy
+in the manner required by "RampartEngine" and "MessageBuilder".</p>
+
+<p><strong>SOAP Message Outflow</strong></p>
+
+<p>Outgoing messages are intercepted by RampartSender and handed over to
+org.apache.rampart.RampartMessageBuilder. It is responsible for enforcing
+security on an outgoing SOAP message.</p>
+<img alt="Message Builder" title="Message Builder"
+src="images/message-builder.jpg" align="middle" />
+
+<p><strong><em>Figure 4: Control flow in MessageBuilder</em></strong></p>
+
+<h3>Rampart Policy</h3>
+
+<p>WS - Security Policy is an extension of WS-Policy specification.
+Corresponding to this, the implementation of the security policy in Rampart
+is based on "Neethi", which is the Apache implementation of WS Policy
+specification. For each policy assertion introduced in the WS-Security
+Policy, there is an "Assertion Builder" and an "Assertion Model" defined in
+Rampart-policy.</p>
+
+<p>Apache Neethi is a highly extensible framework. When reading a security
+policy file, these builders and models in Rampart Policy are picked up by the
+Neethi framework using the "Jar file Service Provider Mechanism". All Rampart
+builders are listed in the
+META-INF/services/org.apache.neethi.builders.AssertionBuilder file. When
+adding a new Policy assertion it requires only a builder, assertion model,
+and an entry in the file.</p>
+
+<p>The RampartPolicyBuilder creates a RampartPolicyData given a "Policy"
+object created using the Rampart-policy and Neethi frameworks.</p>
+
+<h3>Rampart Trust</h3>
+
+<p>Rampart Trust implements the WS-Trust specification, which can be used
+in-conjunction with the Rampart Core and Rampart Policy modules. Rampart
+Trust defines a framework that can be used to issue, cancel, renew, and
+validate tokens, i.e., it defines a set of interfaces that must be
+implemented by different token issuing parties. Basically, Rampart Trust
+provides the functionality needed to host a STS - Security Token Service.</p>
+<img alt="Rampart Trust" title="Rampart Trust" src="images/rampart-trust.jpg"
+align="middle" />
+
+<p><strong><em>Figure 5: Control flow in Rampart Trust</em></strong></p>
+
+<p></p>
+
+<p></p>
+
+<p></p>
+ </body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/download.xml b/modules/documentation/src/site/xdoc/download.xml
new file mode 100644
index 0000000..5600356
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download.xml
@@ -0,0 +1,71 @@
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <h2>Apache Rampart Releases</h2>
+ <p>This page provides links to the release versions of Apache Rampart Java.</p>
+ <table border="1" style="border-collapse: collapse" width="93%" id="table1">
+ <tbody>
+ <tr>
+ <th>Version</th>
+ <th>Date</th>
+ <th>Description</th>
+ </tr>
+ <tr>
+ <td>
+ <a href="download/1.3/download.cgi">
+ <strong>1.3</strong>
+ </a>
+ </td>
+ <td></td>
+ <td>1.3 Release (Mirrored)</td>
+ </tr>
+ <tr>
+ <td>
+ <a href="download/1.2/download.cgi">
+ <strong>1.2</strong>
+ </a>
+ </td>
+ <td></td>
+ <td>1.2 Release (Mirrored)</td>
+ </tr>
+ <tr>
+ <td>
+ <a href="download/1.1/download.cgi">
+ <strong>1.1</strong>
+ </a>
+ </td>
+ <td></td>
+ <td>1.1 Release (Mirrored)</td>
+ </tr>
+ </tbody>
+ </table>
+ <p>
+ <strong>Apache Rampart Distributions : <a href="http://people.apache.org/~ruchithf/rampart/SNAPSHOT">Nightly builds</a>
+ </strong>
+ </p>
+ <p>
+ <strong>Maven Repository: <a href="http://people.apache.org/repo/m2-ibiblio-rsync-repository/">Released Apache Rampart jars</a> | <a href="http://people.apache.org/repo/m2-snapshot-repository/">Nightly SNAPSHOT</a>
+ <a href=""></a>
+ </strong>
+ </p>
+ </body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/download/1.1/download.cgi b/modules/documentation/src/site/xdoc/download/1.1/download.cgi
new file mode 100644
index 0000000..8bdb438
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.1/download.cgi
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Wrapper script around mirrors.cgi script
+# (we must change to that directory in order for python to pick up the
+# python includes correctly)
+cd /www/www.apache.org/dyn/mirrors
+/www/www.apache.org/dyn/mirrors/mirrors.cgi $*
\ No newline at end of file
diff --git a/modules/documentation/src/site/xdoc/download/1.1/download.xml b/modules/documentation/src/site/xdoc/download/1.1/download.xml
new file mode 100644
index 0000000..73113dc
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.1/download.xml
@@ -0,0 +1,125 @@
+<!--
+~ Licensed to the Apache Software Foundation (ASF) under one
+~ or more contributor license agreements. See the NOTICE file
+~ distributed with this work for additional information
+~ regarding copyright ownership. The ASF licenses this file
+~ to you under the Apache License, Version 2.0 (the
+~ "License"); you may not use this file except in compliance
+~ with the License. You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing,
+~ software distributed under the License is distributed on an
+~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~ KIND, either express or implied. See the License for the
+~ specific language governing permissions and limitations
+~ under the License.
+-->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content=
+"HTML Tidy for Windows (vers 14 June 2007), see www.w3.org" />
+<meta http-equiv="content-type" content="" />
+<title>Apache Rampart 1.1 Release</title>
+</head>
+<body>
+<!--Google Anayitcs tracking code-->
+<script type="text/javascript" src=
+"http://www.google-analytics.com/urchin.js">
+</script><script type="text/javascript">
+//<![CDATA[
+_uacct = "UA-1954378-3";
+urchinTracker();
+//]]>
+</script>
+<!--End of Google Anayitcs tracking code-->
+<h2>Apache Rampart 1.1 Release</h2>
+<div>
+<table border="1" cellpadding="1">
+<tbody>
+<tr>
+<th scope="col">Distribution Name</th>
+<th scope="col">Description</th>
+<!--<th scope="col">Items</th>-->
+<th scope="col">Download</th>
+</tr>
+<tr>
+<td><a name="std-bin" id="std-bin"></a><strong>Standard Binary
+Distribution</strong></td>
+<td>This is the complete version of Apache Rampart and will contain samples
+as well.</td>
+<td><a href="[preferred]/ws/rampart/1_1/rampart-1.1.zip" title=
+"[preferred]/ws/rampart/1_1/rampart-1.1.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.1.zip');">zip</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1.zip.md5"
+title="http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1.zip.md5">MD5</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1.zip.asc"
+title="http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><a name="src" id="src"></a> <strong>Source
+Distribution</strong></td>
+<td>This will contain the sources of Apache Rampart distribution.</td>
+<td><a href="[preferred]/ws/rampart/1_1/rampart-1.1-src.zip" title=
+"[preferred]/ws/rampart/1_1/rampart-1.1-src.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.1-src.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-src.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-src.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-src.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-src.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><strong>Documents Distribution</strong></td>
+<td>This will contain all the documentation in one package.</td>
+<td><a href="[preferred]/ws/rampart/1_1/rampart-1.1-docs.zip" title=
+"[preferred]/ws/rampart/1_1/rampart-1.1-docs.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.1-docs.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-docs.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-docs.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-docs.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_1/rampart-1.1-docs.zip.asc">PGP</a></td>
+</tr>
+</tbody>
+</table>
+</div>
+<div align="left"><br />
+<p>[if-any logo] <a href="[link]"><img align="right" src="[logo]"
+border="0" /></a>[end] The currently selected mirror is
+<b>[preferred]</b>. If you encounter a problem with this mirror,
+please select another mirror. If all mirrors are failing, there are
+<i>backup</i> mirrors (at the end of the mirrors list) that should
+be available.</p>
+<form action="[location]" method="get" id="SelectMirror" name=
+"SelectMirror">Other mirrors: <select name="Preferred">
+<option value="[http]" selected="selected">[http]</option>
+<option value="[ftp]">[ftp]</option>
+<option value="[backup]">[backup] (backup)</option>
+</select> <input type="submit" value="Change" /></form>
+<p>You may also consult the <a href=
+"http://www.apache.org/mirrors/">complete list of mirrors</a>.</p>
+<p><strong>Note:</strong> when downloading from a mirror please
+check the <a href=
+"http://www.apache.org/dev/release-signing#md5">md5sum</a> and
+verify the <a href=
+"http://www.apache.org/dev/release-signing#openpgp">OpenPGP</a>
+compatible signature from the main Apache site. These can be
+downloaded by following the links above. This <a href=
+"http://www.apache.org/dist/ws/axis2/KEYS">KEYS</a> file contains
+the public keys that can be used for verifying signatures. It is
+recommended that (when possible)a <a href=
+"http://www.apache.org/dev/release-signing#web-of-trust">Web of
+trust</a> is used to confirm the identity of these keys.</p>
+</div>
+</body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/download/1.2/download.cgi b/modules/documentation/src/site/xdoc/download/1.2/download.cgi
new file mode 100644
index 0000000..8bdb438
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.2/download.cgi
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Wrapper script around mirrors.cgi script
+# (we must change to that directory in order for python to pick up the
+# python includes correctly)
+cd /www/www.apache.org/dyn/mirrors
+/www/www.apache.org/dyn/mirrors/mirrors.cgi $*
\ No newline at end of file
diff --git a/modules/documentation/src/site/xdoc/download/1.2/download.xml b/modules/documentation/src/site/xdoc/download/1.2/download.xml
new file mode 100644
index 0000000..3919f15
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.2/download.xml
@@ -0,0 +1,125 @@
+<!--
+~ Licensed to the Apache Software Foundation (ASF) under one
+~ or more contributor license agreements. See the NOTICE file
+~ distributed with this work for additional information
+~ regarding copyright ownership. The ASF licenses this file
+~ to you under the Apache License, Version 2.0 (the
+~ "License"); you may not use this file except in compliance
+~ with the License. You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing,
+~ software distributed under the License is distributed on an
+~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~ KIND, either express or implied. See the License for the
+~ specific language governing permissions and limitations
+~ under the License.
+-->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content=
+"HTML Tidy for Windows (vers 14 June 2007), see www.w3.org" />
+<meta http-equiv="content-type" content="" />
+<title>Apache Rampart 1.2 Release</title>
+</head>
+<body>
+<!--Google Anayitcs tracking code-->
+<script type="text/javascript" src=
+"http://www.google-analytics.com/urchin.js">
+</script><script type="text/javascript">
+//<![CDATA[
+_uacct = "UA-1954378-3";
+urchinTracker();
+//]]>
+</script>
+<!--End of Google Anayitcs tracking code-->
+<h2>Apache Rampart 1.2 Release</h2>
+<div>
+<table border="1" cellpadding="1">
+<tbody>
+<tr>
+<th scope="col">Distribution Name</th>
+<th scope="col">Description</th>
+<!--<th scope="col">Items</th>-->
+<th scope="col">Download</th>
+</tr>
+<tr>
+<td><a name="std-bin" id="std-bin"></a><strong>Standard Binary
+Distribution</strong></td>
+<td>This is the complete version of Apache Rampart and will contain samples
+as well.</td>
+<td><a href="[preferred]/ws/rampart/1_2/rampart-1.2.zip" title=
+"[preferred]/ws/rampart/1_2/rampart-1.2.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.2.zip');">zip</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2.zip.md5"
+title="http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2.zip.md5">MD5</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2.zip.asc"
+title="http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><a name="src" id="src"></a> <strong>Source
+Distribution</strong></td>
+<td>This will contain the sources of Apache Rampart distribution.</td>
+<td><a href="[preferred]/ws/rampart/1_2/rampart-1.2-src.zip" title=
+"[preferred]/ws/rampart/1_2/rampart-1.2-src.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.2-src.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-src.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-src.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-src.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-src.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><strong>Documents Distribution</strong></td>
+<td>This will contain all the documentation in one package.</td>
+<td><a href="[preferred]/ws/rampart/1_2/rampart-1.2-docs.zip" title=
+"[preferred]/ws/rampart/1_2/rampart-1.2-docs.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.2-docs.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-docs.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-docs.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-docs.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_2/rampart-1.2-docs.zip.asc">PGP</a></td>
+</tr>
+</tbody>
+</table>
+</div>
+<div align="left"><br />
+<p>[if-any logo] <a href="[link]"><img align="right" src="[logo]"
+border="0" /></a>[end] The currently selected mirror is
+<b>[preferred]</b>. If you encounter a problem with this mirror,
+please select another mirror. If all mirrors are failing, there are
+<i>backup</i> mirrors (at the end of the mirrors list) that should
+be available.</p>
+<form action="[location]" method="get" id="SelectMirror" name=
+"SelectMirror">Other mirrors: <select name="Preferred">
+<option value="[http]" selected="selected">[http]</option>
+<option value="[ftp]">[ftp]</option>
+<option value="[backup]">[backup] (backup)</option>
+</select> <input type="submit" value="Change" /></form>
+<p>You may also consult the <a href=
+"http://www.apache.org/mirrors/">complete list of mirrors</a>.</p>
+<p><strong>Note:</strong> when downloading from a mirror please
+check the <a href=
+"http://www.apache.org/dev/release-signing#md5">md5sum</a> and
+verify the <a href=
+"http://www.apache.org/dev/release-signing#openpgp">OpenPGP</a>
+compatible signature from the main Apache site. These can be
+downloaded by following the links above. This <a href=
+"http://www.apache.org/dist/ws/axis2/KEYS">KEYS</a> file contains
+the public keys that can be used for verifying signatures. It is
+recommended that (when possible)a <a href=
+"http://www.apache.org/dev/release-signing#web-of-trust">Web of
+trust</a> is used to confirm the identity of these keys.</p>
+</div>
+</body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/download/1.3/download.cgi b/modules/documentation/src/site/xdoc/download/1.3/download.cgi
new file mode 100644
index 0000000..8bdb438
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.3/download.cgi
@@ -0,0 +1,6 @@
+#!/bin/sh
+# Wrapper script around mirrors.cgi script
+# (we must change to that directory in order for python to pick up the
+# python includes correctly)
+cd /www/www.apache.org/dyn/mirrors
+/www/www.apache.org/dyn/mirrors/mirrors.cgi $*
\ No newline at end of file
diff --git a/modules/documentation/src/site/xdoc/download/1.3/download.xml b/modules/documentation/src/site/xdoc/download/1.3/download.xml
new file mode 100644
index 0000000..b06fe22
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/download/1.3/download.xml
@@ -0,0 +1,125 @@
+<!--
+~ Licensed to the Apache Software Foundation (ASF) under one
+~ or more contributor license agreements. See the NOTICE file
+~ distributed with this work for additional information
+~ regarding copyright ownership. The ASF licenses this file
+~ to you under the Apache License, Version 2.0 (the
+~ "License"); you may not use this file except in compliance
+~ with the License. You may obtain a copy of the License at
+~
+~ http://www.apache.org/licenses/LICENSE-2.0
+~
+~ Unless required by applicable law or agreed to in writing,
+~ software distributed under the License is distributed on an
+~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+~ KIND, either express or implied. See the License for the
+~ specific language governing permissions and limitations
+~ under the License.
+-->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content=
+"HTML Tidy for Windows (vers 14 June 2007), see www.w3.org" />
+<meta http-equiv="content-type" content="" />
+<title>Apache Rampart 1.3 Release</title>
+</head>
+<body>
+<!--Google Anayitcs tracking code-->
+<script type="text/javascript" src=
+"http://www.google-analytics.com/urchin.js">
+</script><script type="text/javascript">
+//<![CDATA[
+_uacct = "UA-1954378-3";
+urchinTracker();
+//]]>
+</script>
+<!--End of Google Anayitcs tracking code-->
+<h2>Apache Rampart 1.3 Release</h2>
+<div>
+<table border="1" cellpadding="1">
+<tbody>
+<tr>
+<th scope="col">Distribution Name</th>
+<th scope="col">Description</th>
+<!--<th scope="col">Items</th>-->
+<th scope="col">Download</th>
+</tr>
+<tr>
+<td><a name="std-bin" id="std-bin"></a><strong>Standard Binary
+Distribution</strong></td>
+<td>This is the complete version of Apache Rampart and will contain samples
+as well.</td>
+<td><a href="[preferred]/ws/rampart/1_3/rampart-1.3.zip" title=
+"[preferred]/ws/rampart/1_3/rampart-1.3.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.3.zip');">zip</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3.zip.md5"
+title="http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3.zip.md5">MD5</a>
+<a href="http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3.zip.asc"
+title="http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><a name="src" id="src"></a> <strong>Source
+Distribution</strong></td>
+<td>This will contain the sources of Apache Rampart distribution.</td>
+<td><a href="[preferred]/ws/rampart/1_3/rampart-1.3-src.zip" title=
+"[preferred]/ws/rampart/1_3/rampart-1.3-src.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.3-src.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-src.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-src.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-src.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-src.zip.asc">PGP</a></td>
+</tr>
+<tr>
+<td><strong>Documents Distribution</strong></td>
+<td>This will contain all the documentation in one package.</td>
+<td><a href="[preferred]/ws/rampart/1_3/rampart-1.3-docs.zip" title=
+"[preferred]/ws/rampart/1_3/rampart-1.3-docs.zip" onClick=
+"javascript:urchinTracker ('/downloads/rampart-1.3-docs.zip');">zip</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-docs.zip.md5"
+title=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-docs.zip.md5">MD5</a>
+<a href=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-docs.zip.asc"
+title=
+"http://www.apache.org/dist/ws/rampart/1_3/rampart-1.3-docs.zip.asc">PGP</a></td>
+</tr>
+</tbody>
+</table>
+</div>
+<div align="left"><br />
+<p>[if-any logo] <a href="[link]"><img align="right" src="[logo]"
+border="0" /></a>[end] The currently selected mirror is
+<b>[preferred]</b>. If you encounter a problem with this mirror,
+please select another mirror. If all mirrors are failing, there are
+<i>backup</i> mirrors (at the end of the mirrors list) that should
+be available.</p>
+<form action="[location]" method="get" id="SelectMirror" name=
+"SelectMirror">Other mirrors: <select name="Preferred">
+<option value="[http]" selected="selected">[http]</option>
+<option value="[ftp]">[ftp]</option>
+<option value="[backup]">[backup] (backup)</option>
+</select> <input type="submit" value="Change" /></form>
+<p>You may also consult the <a href=
+"http://www.apache.org/mirrors/">complete list of mirrors</a>.</p>
+<p><strong>Note:</strong> when downloading from a mirror please
+check the <a href=
+"http://www.apache.org/dev/release-signing#md5">md5sum</a> and
+verify the <a href=
+"http://www.apache.org/dev/release-signing#openpgp">OpenPGP</a>
+compatible signature from the main Apache site. These can be
+downloaded by following the links above. This <a href=
+"http://www.apache.org/dist/ws/axis2/KEYS">KEYS</a> file contains
+the public keys that can be used for verifying signatures. It is
+recommended that (when possible)a <a href=
+"http://www.apache.org/dev/release-signing#web-of-trust">Web of
+trust</a> is used to confirm the identity of these keys.</p>
+</div>
+</body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/index.xml b/modules/documentation/src/site/xdoc/index.xml
new file mode 100644
index 0000000..51ed4d3
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/index.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="ISO-8859-1" ?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+
+<document>
+
+ <properties>
+ <title>Apache Rampart</title>
+ </properties>
+
+ <body>
+
+ <section name="Apache Rampart">
+ <p>Rampart is the security module of Axis2. It secures SOAP messages
+according to specifications in the WS-Security stack. Rampart implements the
+following specifications:</p>
+ <ul>
+ <li>WS - Security 1.0</li>
+ <li>WS - Security 1.1</li>
+ <li>WS - Secure Conversation - February 2005</li>
+ <li>WS - Security Policy - 1.1 - July 2005</li>
+ <li>WS - Security Policy - 1.2 </li>
+ <li>WS - Trust - February 2005</li>
+ <li>WS - Trust - WS-SX spec - EXPERIMENTAL</li>
+ </ul>
+ </section>
+
+ </body>
+</document>
diff --git a/modules/documentation/src/site/xdoc/quick-start.xml b/modules/documentation/src/site/xdoc/quick-start.xml
new file mode 100644
index 0000000..ef289e5
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/quick-start.xml
@@ -0,0 +1,97 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <title>Apache Rampart - Source Repository</title>
+ </head>
+ <body>
+ <h2>Rampart Quick Start Guide</h2>
+
+ <h3>Installing Rampart in Axis2</h3>
+ <p>Steps to install</p>
+ <ol>
+ <li>If you haven't installed Axis2, then download and extract the standard binary distribution. Make sure you have set the AXIS2_HOME environment variable</li>
+ <li>Run ant from the "samples" directory to copy the required libraries and modules to relevant directories in AXIS2_HOME.</li>
+ <li>Download xalan-2.7.0.jar from <a href="http://www.apache.org/dist/java-repository/xalan/jars/">here</a> and put under AXIS2_HOME\lib folder, if you use JDK 1.5.</li>
+ <li>Download log4j.jar from <a href="http://people.apache.org/repo/m1-ibiblio-rsync-repository/log4j/jars/">here</a> and put under AXIS2_HOME\lib</li>
+ </ol>
+ <p></p>
+ <h3>Running Samples</h3>
+ <p>Now we'll look at how to run the first sample inside samples/policy folder.</p>
+ <ol>
+ <li>Open a console and change the directory to sample/policy and give the following command. This will start the server at port 8080</li>
+ <pre>
+<code>$ant service.01</code>
+ </pre>
+ <li>Open a new console and change the directory to sample/policy and type the following command.</li>
+ <pre>
+<code>$ant client.01</code>
+ </pre>
+ </ol>
+ <p>Congratulations! Now you have executed the first sample. Rest of the samples can be run by changing the sample number.</p>
+
+ <h3>Understanding the first sample</h3>
+
+ <ul>
+ <li>Engaging Rampart</li>
+ </ul>
+ <p>When securing a SOAP message, the sender must know the security actions to be performed on the message and the receiver must know enough details to process and validate the security of the message. Therefore when using Rampart with Axis2, it must be engaged at both ends.</p>
+ <p>Observe how module has been engaged in server side by opening samples/policy/sample01/services.xml. The following line has engaged the module.</p>
+ <p>Engaging Rampart at client side is done programatically as follows.</p>
+ <pre>
+ServiceClient client = new ServiceClient(ctx, null);<br/>
+client.engageModule("rampart");
+</pre>
+ <ul>
+ <li>Understanding policy</li>
+ </ul>
+ <p>WS-Security Policy can be used to indicate what security actions that needs be performed on SOAP messages and and what actions should be validated. The file 'samples/policy/sample01/policy.xml' configures Rampart to add Username Token with Timestamp to this message. The element <RampartConfig> in policy.xml defines Rampart specific configurations. </p>
+ <p>Policy at serverside is included in samples/policy/sample01/services.xml file. This configures Rampart module at serverside to validate the message for Username Token an Timestamp.</p>
+ <p>More details on RampartConfig can be found <a href="rampartconfig-guide.html">here</a>.</p>
+
+ <ul>
+ <li>Viewing the Message on wire</li>
+ </ul>
+ <p>It is interesting to view the secured SOAP message on the wire using TCP monitor. Change the "client.port" property in samples/policy/build.xml file to the listening port of TCP monitor. This will send all the messages through TCP monitor when you execute the ant script. Observe the <wsse:Security> header in the SOAP message.</p>
+
+ <h3>Setting up a Security Token Service</h3>
+ <p>Security Token Service can be set up as per WS-Trust specification using Rampart. The default security token service shipped with the rampart distribution is contained in the rampart-trust.mar module. It can issue SCT tokens and SAML tokens. Sample05 contains a client that connects to the default STS and obtain a SAML token. The services.xml in the sample contains "saml-issuer-config" parameter that is used to configure the default SAML issuer.</p>
+ <strong>STS with a custom issuer</strong>
+ <p>First the default rampart.mar has to be removed from the modules. Then write you own issuer implementing the <code>"org.apache.rahas.TokenIssuer"</code> interface. Let's say that your issuer is <code>"org.custom.MyIssuer"</code>. Then create a Axis2 service archive with the following in the services.xml. Drop the archive into the repository and you have a STS with a CustomToken issuer.</p>
+
+ <pre>
+
+<module ref="rampart" />
+
+<operation name="IssueToken"
+ mep="http://www.w3.org/2006/01/wsdl/in-out">
+ <messageReceiver
+ class="org.apache.rahas.STSMessageReceiver"/>
+
+ <!-- Action mapping to accept RST requests -->
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
+ <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
+
+ <parameter name="token-dispatcher-configuration">
+ <token-dispatcher-configuration>
+ <!-- Issuers. You may have many issuers. -->
+ <issuer class="org.custom.MyIssuer" default="true">
+ <configuration
+ type="parameter">saml-issuer-config</configuration>
+ <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
+ </issuer>
+ </token-dispatcher-configuration>
+ </parameter>
+
+</operation>
+
+</pre>
+
+ </body>
+</html>
+
diff --git a/modules/documentation/src/site/xdoc/rampartconfig-guide.xml b/modules/documentation/src/site/xdoc/rampartconfig-guide.xml
new file mode 100644
index 0000000..24e8e9c
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/rampartconfig-guide.xml
@@ -0,0 +1,55 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Apache Rampart - Configuration Guide</title>
+ </head>
+ <body>
+
+<h2>Rampart Configurations</h2>
+<p>RampartConfig element can have any of the following child elements. Schema is available <a href="rampart-config.xsd">here</a></p>
+<table class="bodyTable"><tbody>
+ <tr class="a"><td><b>Parameter</b></td><td><b>Description</b></td><td><b>Example</b></td></tr>
+
+ <tr class="b"><td>user</td><td>The user's name</td><td>Set username of UsernameToken to be used <br></br>
+ <user> bob</user></td></tr>
+ <tr class="a"><td>userCertAlias</td><td>The user's cert alias</td><td>Set alias of the key to be used to sign<br></br>
+ <userCertAlias> bob</userCertAlias></td></tr>
+ <tr class="b"><td>encryptionUser</td><td>The user's name for encryption.</td><td><br></br>
+ <encryptionUser>alice</encryptionUser></td></tr>
+ <tr class="a"><td>passwordCallbackClass</td><td>Callback class used to provide the password required to create the
+ UsernameToken or to sign the message</td><td><passwordCallbackClass>
+ org.apache.axis2.security.PWCallback</passwordCallbackClass></td></tr>
+ <tr class="b"><td>policyValidatorCbClass</td><td>Callback class used to provide custom validater </td><td><policyValidatorCbClass>
+ org.apache.axis2.security.CustomPolicyValidater</policyValidatorCbClass></td></tr>
+
+ <tr class="a"><td>signatureCrypto</td><td>properties to needed perform signature, such as crypto
+ provider, keystore and its password</td><td>
+<pre>
+<signatureCrypto>
+ <crypto provider="org.apache.ws.security.components.crypto.Merlin">
+ <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
+ <property name="org.apache.ws.security.crypto.merlin.file">client.jks</property>
+ <property name="org.apache.ws.security.crypto.merlin.keystore.password">apache</property>
+ </crypto>
+<signatureCrypto>
+</pre>
+ </td></tr>
+ <tr class="b"><td>encryptionCypto</td><td>properties to needed perform signature, such as crypto
+ provider, keystore and its password</td><td><encryptionCypto>....crypto element ......</encryptionCypto></td></tr>
+ <tr class="a"><td>decryptionCrypto</td><td>properties to needed perform signature, such as crypto
+ provider, keystore and its password</td><td><decryptionCrypto>....crypto element ......</decryptionCrypto></td></tr>
+ <tr class="b"><td>timestampTTL</td><td>Time to live of Timestamp</td><td>The default timestamp time to live is 300 seconds</td></tr>
+ <tr class="a"><td>timestampMaxSkew</td><td>The maximum tolerence limit for timeskew of the timestamp</td><td>Rampart allows timestamps created slightly ahead of the reciever's time.<br/> This parameter allows to specify the tolerence limit</td></tr>
+ <tr class="b"><td>tokenStoreClass</td><td></td><td></td></tr>
+ <tr class="a"><td>sslConfig</td><td>SSL Configuration need for Transportbinding</td><td>Can specify the properties such as "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword". Please see below for more information.</td></tr>
+ </tbody></table>
+<h3>Crypto Provider</h3>
+ <p>org.apache.ws.security.crypto.provider defines the implementation of
+the org.apache.ws.security.components.crypto.Crypto interface to provide the
+crypto information required by WSS4J. The other properties defined are the
+configuration properties used by the implementation class
+(org.apache.ws.security.components.crypto.Merlin). <a name="ref"></a><a name="references"></a></p>
+<a name="References"></a><h3>References</h3>1. <a href="http://ws.apache.org/wss4j">Apache WSS4J -Home</a>
+ </body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/siteHowTo.xml b/modules/documentation/src/site/xdoc/siteHowTo.xml
new file mode 100644
index 0000000..c862cef
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/siteHowTo.xml
@@ -0,0 +1,60 @@
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>How To Build Axis Project's Website</title>
+</head>
+<body>
+<h1>How to Build the Rampart Project's Website</h1>
+<h2>Installing Maven2</h2>
+<p>The Apache Rampart website build system solely depends on <a href=
+"http://maven.apache.org/">Maven2</a>. The build has been
+specifically tested to work with Maven version 2.0.7. To install
+Maven, download the distributions and follow the instructions in
+the documentation. Make sure you don't forget to add MAVEN_HOME/bin
+directory in the path.</p>
+<h2>Checking out Apache Rampart</h2>
+<p>Checkout the <a href=
+"http://svn.apache.org/repos/asf/webservices/rampart/trunk/java">latest
+source</a> using your favorite SVN client. If you are a committer,
+get a <a href=
+"https://svn.apache.org/repos/asf/webservices/rampart/trunk/java">commiter
+check out.</a></p>
+<h2>Building the Site</h2>
+<p>cd to modules/documentation and type <i>mvn install</i> The built
+site will be available under target/site.</p>
+<h2>FAQ</h2>
+<ol>
+<li>How can I update a document in the site ?<br />
+Get a commiter check out. All the documents are in XHTML format
+under the modules/documentation/src/site/xdoc folder, and you can change only the documents found
+under this folder. Change the relevant file and run <i>mvn
+install</i>. New documentation will be available under
+the target folder.</li>
+<li>How can I add a new document?<br />
+Add the new document in the xdoc folder. Change the site.xml
+found under the modules/documentation/src/site folder by adding a link to the newly added
+document. Re-generate the site.<br />
+Please make sure you have not included any of the illegal
+characters and your document should be well formed.</li>
+</ol>
+</body>
+</html>
diff --git a/modules/documentation/src/site/xdoc/svn.xml b/modules/documentation/src/site/xdoc/svn.xml
new file mode 100644
index 0000000..a61dfcb
--- /dev/null
+++ b/modules/documentation/src/site/xdoc/svn.xml
@@ -0,0 +1,114 @@
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Developing Apache Rampart</title>
+</head>
+<body lang="en" xml:lang="en">
+<h1>Developing Apache Rampart</h1>
+<p>This document provides information on how to use SVN to get an
+SVN checkout/update, make commits to the repository, etc., in the
+process of contributing to Apache projects (specifically Apache Rampart).
+Instructions on configuring IDEs for development and using Maven to
+build the project is also included here.</p>
+<h2>Content</h2>
+<ul>
+<li><a href="#svn">Working with Subversion (SVN)</a></li>
+<li><a href="#checkout">Checkout Axis2 from Subversion</a></li>
+<li><a href="#maven">Installing Maven 2</a></li>
+<li><a href="#ide">Configuring your IDE</a></li>
+</ul>
+<a name="svn" id="svn"></a>
+<h2>Working with Subversion (SVN)</h2>
+<p>The Rampart development team uses Subversion (SVN) for source
+control. Subversion is a compelling replacement for CVS, developed
+under the auspices of the Tigris community and licensed under an
+Apache compatible license. To learn more about Subversion or to
+download the latest distribution, visit the <a href=
+"http:///subversion.tigris.org" target="_blank">Subversion project
+site</a>. If you are looking for guidance on setting up and
+installing Subversion, please read the ASF <a href=
+"http://www.apache.org/dev/version-control.html" target=
+"_blank">Source Code Repositories page</a>.</p>
+<a name="checkout" id="checkout"></a>
+<h2>Checkout Axis2 from Subversion</h2>
+<p>To check out the latest version of Rampart from the Foundation's
+Subversion repository, you must use one of the following URLs
+depending on your level of access to the Rampart source code:</p>
+<ul>
+<li><b>If you are not a committer:</b> <a href=
+"http://svn.apache.org/repos/asf/webservices/rampart/trunk/java"
+target=
+"_blank">http://svn.apache.org/repos/asf/webservices/rampart/trunk/java</a></li>
+<li><b>If you are a committer:</b> <a href=
+"https://svn.apache.org/repos/asf/webservices/rampart/trunk/java"
+target=
+"_blank">https://svn.apache.org/repos/asf/webservices/rampart/trunk/java</a></li>
+</ul>
+If you are a committer, make sure that you have selected an
+svnpasswd. To do this, you must log into svn.apache.org. For more
+information, please read the ASF <a href=
+"http://www.apache.org/dev/version-control.html" target=
+"_blank">Source Code Repositories page</a>.
+<p>Once you have successfully installed Subversion, you can check
+out Rampart trunk by following these steps:</p>
+<ol type="1">
+<li>Run <strong>svn co <repository URL> axis2</strong> where
+the repository URL is one of the URLs from the previous list.</li>
+<li>This step will check out the latest version of the Rampart Java
+codebase to a directory named "rampart". The second parameter to the
+<strong>svn co</strong> selects a directory to create on your local
+machine. If you want to checkout Rampart to a different directory,
+feel free to change rampart to any other directory name.</li>
+<li>To update your working copy to the latest version from the
+repository, execute the <strong>svn update</strong> command.</li>
+<li>If you would like to submit a patch, you can execute
+<strong>svn diff</strong> to create a unified diff for submission
+to the Rampart JIRA issue tracker.</li>
+</ol>
+<a name="maven" id="maven"></a>
+<h2>Installing Maven 2</h2>
+<p>Rampart's build is based on Maven 2. Maven is a build system that
+allows for the reuse of common build projects across multiple
+projects. For information about obtaining, installing, and
+configuring Maven 2, please see the <a href=
+"http://maven.apache.org" target="_blank">Maven project page</a>.
+To use Maven to build the Axis2 project, Please install <a href="http://maven.apache.org/download.html" target=
+"_blank">Maven2</a> and follow instructions here - <a href="maven-help.html">Quick Guide to Maven for Axis 2.0</a></p>.
+<a name="ide" id="ide"></a>
+<h2>Configuring your IDE</h2>
+<p>The Rampart development team uses a variety of development tools
+from vi to emacs to eclipse to Intellij/IDEA. The following section
+is not an endorsement of a specific set of tools, it is simply
+meant as a pointer to ease the process of getting started with
+Rampart development.</p>
+<ul>
+<li><strong>Intellij IDEA</strong> - type <strong>mvn
+idea:idea</strong>. Generates the necessary IDEA .ipr, .iml
+and .iws project files</li>
+<li><strong>Eclipse</strong>- type <strong>mvn eclipse:eclipse</strong>. Then in Eclipse, setup a Classpath Variable
+for MAVEN_REPO, and select File > Import > Existing Projects
+into Workspace > Select root directory. Selecting the root of
+the Rampart source discovers all the modules and allows them to be
+imported as individual projects at once.</li>
+</ul>
+</body>
+</html>
diff --git a/modules/rampart-core/pom.xml b/modules/rampart-core/pom.xml
new file mode 100644
index 0000000..2a4f739
--- /dev/null
+++ b/modules/rampart-core/pom.xml
@@ -0,0 +1,64 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <parent>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-project</artifactId>
+ <version>1.4</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>rampart-core</artifactId>
+ <packaging>jar</packaging>
+ <name>Rampart - Core</name>
+
+ <build>
+ <sourceDirectory>src/main/java</sourceDirectory>
+ <testSourceDirectory>src/main/java</testSourceDirectory>
+ <resources>
+ <resource>
+ <directory>src/main/java</directory>
+ <excludes>
+ <exclude>**/*.java</exclude>
+ </excludes>
+ </resource>
+ </resources>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>1.4</source>
+ <target>1.4</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-policy</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.rampart</groupId>
+ <artifactId>rampart-trust</artifactId>
+ <version>${pom.version}</version>
+ </dependency>
+ </dependencies>
+
+ <reporting>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-site-plugin</artifactId>
+ <configuration>
+ <templateDirectory>${basedir}</templateDirectory>
+ <menu ref="parent"/>
+ </configuration>
+ </plugin>
+ </plugins>
+ </reporting>
+</project>
diff --git a/modules/rampart-core/src/main/java/META-INF/services/org.apache.neethi.builders.AssertionBuilder b/modules/rampart-core/src/main/java/META-INF/services/org.apache.neethi.builders.AssertionBuilder
new file mode 100644
index 0000000..34900b9
--- /dev/null
+++ b/modules/rampart-core/src/main/java/META-INF/services/org.apache.neethi.builders.AssertionBuilder
@@ -0,0 +1,3 @@
+org.apache.rampart.policy.builders.CryptoConfigBuilder
+org.apache.rampart.policy.builders.RampartConfigBuilder
+org.apache.rampart.policy.builders.SSLConfigBuilder
\ No newline at end of file
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java
new file mode 100644
index 0000000..40f9563
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/MessageBuilder.java
@@ -0,0 +1,188 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.Constants;
+import org.apache.axis2.addressing.AddressingConstants;
+import org.apache.axis2.addressing.AddressingConstants.Final;
+import org.apache.axis2.addressing.AddressingConstants.Submission;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.context.OperationContext;
+import org.apache.axis2.util.XMLUtils;
+import org.apache.axis2.wsdl.WSDLConstants;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.RahasConstants;
+import org.apache.rahas.TrustUtil;
+import org.apache.rampart.builder.AsymmetricBindingBuilder;
+import org.apache.rampart.builder.SymmetricBindingBuilder;
+import org.apache.rampart.builder.TransportBindingBuilder;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.policy.model.OptimizePartsConfig;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.rampart.util.MessageOptimizer;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.SecurityContextToken;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import javax.xml.namespace.QName;
+
+public class MessageBuilder {
+
+ private static Log log = LogFactory.getLog(MessageBuilder.class);
+
+ public void build(MessageContext msgCtx) throws WSSPolicyException,
+ RampartException, WSSecurityException, AxisFault {
+
+ Axis2Util.useDOOM(true);
+
+ RampartMessageData rmd = new RampartMessageData(msgCtx, true);
+
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ if(rpd == null || isSecurityValidationFault(msgCtx) ||
+ !RampartUtil.isSecHeaderRequired(rpd, rmd.isInitiator(),false)) {
+
+ Document doc = rmd.getDocument();
+ WSSecHeader secHeader = rmd.getSecHeader();
+
+ if ( secHeader != null && secHeader.isEmpty(doc) ) {
+ secHeader.removeSecurityHeader(doc);
+ }
+
+ return;
+ }
+
+ //Copy the RECV_RESULTS if available
+ if(!rmd.isInitiator()) {
+ OperationContext opCtx = msgCtx.getOperationContext();
+ MessageContext inMsgCtx;
+ if(opCtx != null &&
+ (inMsgCtx = opCtx.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE)) != null) {
+ msgCtx.setProperty(WSHandlerConstants.RECV_RESULTS,
+ inMsgCtx.getProperty(WSHandlerConstants.RECV_RESULTS));
+ }
+ }
+
+
+ String isCancelreq = (String)msgCtx.getProperty(RampartMessageData.CANCEL_REQUEST);
+ if(isCancelreq != null && Constants.VALUE_TRUE.equals(isCancelreq)) {
+ try {
+
+ String cancelAction = TrustUtil.getWSTNamespace(rmd.getWstVersion()) + RahasConstants.RST_ACTION_CANCEL_SCT;
+ //Set action
+ msgCtx.getOptions().setAction(cancelAction);
+
+ //Change the wsa:Action header
+ String wsaNs = Final.WSA_NAMESPACE;
+ Object addressingVersionFromCurrentMsgCtxt = msgCtx.getProperty(AddressingConstants.WS_ADDRESSING_VERSION);
+ if (Submission.WSA_NAMESPACE.equals(addressingVersionFromCurrentMsgCtxt)) {
+ wsaNs = Submission.WSA_NAMESPACE;
+ }
+ OMElement header = msgCtx.getEnvelope().getHeader();
+ if(header != null) {
+ OMElement actionElem = header.getFirstChildWithName(new QName(wsaNs, AddressingConstants.WSA_ACTION));
+ if(actionElem != null) {
+ actionElem.setText(cancelAction);
+ }
+ }
+
+ //set payload to a cancel request
+ String ctxIdKey = RampartUtil.getContextIdentifierKey(msgCtx);
+ String tokenId = (String)RampartUtil.getContextMap(msgCtx).get(ctxIdKey);
+
+ if(tokenId != null && RampartUtil.isTokenValid(rmd, tokenId)) {
+ OMElement bodyElem = msgCtx.getEnvelope().getBody();
+ OMElement child = bodyElem.getFirstElement();
+ SecurityContextToken sct = new SecurityContextToken(
+ (Element) rmd.getTokenStorage().getToken(tokenId)
+ .getToken());
+ OMElement newChild = TrustUtil.createCancelRequest(sct
+ .getIdentifier(), rmd.getWstVersion());
+ Element newDomChild = XMLUtils.toDOM(newChild);
+ Node importedNode = rmd.getDocument().importNode((Element) newDomChild, true);
+ ((Element) bodyElem).replaceChild(importedNode, (Element) child);
+ } else {
+ throw new RampartException("tokenToBeCancelledInvalid");
+ }
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new RampartException("errorInTokenCancellation");
+ }
+ }
+
+ if(rpd.isTransportBinding()) {
+ log.debug("Building transport binding");
+ TransportBindingBuilder building = new TransportBindingBuilder();
+ building.build(rmd);
+ } else if(rpd.isSymmetricBinding()) {
+ log.debug("Building SymmetricBinding");
+ SymmetricBindingBuilder builder = new SymmetricBindingBuilder();
+ builder.build(rmd);
+ } else {
+ AsymmetricBindingBuilder builder = new AsymmetricBindingBuilder();
+ builder.build(rmd);
+ }
+
+ //TODO remove following check, we don't need this check here as we do a check to see whether
+ // security header required
+
+ Document doc = rmd.getDocument();
+ WSSecHeader secHeader = rmd.getSecHeader();
+
+ if ( secHeader != null && secHeader.isEmpty(doc) ) {
+ secHeader.removeSecurityHeader(doc);
+ }
+
+ /*
+ * Checking whether MTOMSerializable is there. If so set optimizeElement.
+ * */
+ if(rpd.isMTOMSerialize()){
+ msgCtx.setProperty(Constants.Configuration.ENABLE_MTOM, Constants.VALUE_TRUE);
+ OptimizePartsConfig config= rpd.getOptimizePartsConfig();
+ if(config != null){
+ MessageOptimizer.optimize(msgCtx.getEnvelope(), config.getExpressions(), config.getNamespaces());
+ }
+ }
+
+ }
+
+ private boolean isSecurityValidationFault(MessageContext msgCtx) throws AxisFault {
+
+ OperationContext opCtx = msgCtx.getOperationContext();
+ MessageContext inMsgCtx;
+ if(opCtx != null &&
+ (inMsgCtx = opCtx.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE)) != null) {
+ Boolean secErrorFlag = (Boolean) inMsgCtx.getProperty(RampartConstants.SEC_FAULT);
+
+ if (secErrorFlag != null && secErrorFlag.equals(Boolean.TRUE)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
new file mode 100644
index 0000000..6f28ee6
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
@@ -0,0 +1,850 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.SPConstants;
+import org.apache.ws.secpolicy.model.HttpsToken;
+import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.SignedEncryptedParts;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import java.math.BigInteger;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Iterator;
+import java.util.Set;
+import java.util.Vector;
+
+import javax.xml.namespace.QName;
+
+public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandler {
+
+ private static Log log = LogFactory.getLog(PolicyBasedResultsValidator.class);
+
+ /**
+ * {@inheritDoc}
+ */
+ public void validate(ValidatorData data, Vector results)
+ throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ //If there's Security policy present and no results
+ //then we should throw an error
+ if(rpd != null && results == null) {
+ throw new RampartException("noSecurityResults");
+ }
+
+ //Check presence of timestamp
+ WSSecurityEngineResult tsResult = null;
+ if(rpd != null && rpd.isIncludeTimestamp()) {
+ tsResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+ if(tsResult == null) {
+ throw new RampartException("timestampMissing");
+ }
+
+ }
+
+ //sig/encr
+ Vector encryptedParts = RampartUtil.getEncryptedParts(rmd);
+ if(rpd != null && rpd.isSignatureProtection() && isSignatureRequired(rmd)) {
+
+ String sigId = RampartUtil.getSigElementId(rmd);
+
+ encryptedParts.add(new WSEncryptionPart(WSConstants.SIG_LN,
+ WSConstants.SIG_NS, "Element"));
+ }
+
+ Vector signatureParts = RampartUtil.getSignedParts(rmd);
+
+ //Timestamp is not included in sig parts
+ if(rpd != null && rpd.isIncludeTimestamp() && !rpd.isTransportBinding()) {
+ signatureParts.add(new WSEncryptionPart("timestamp"));
+ }
+
+ if(!rmd.isInitiator()) {
+
+ //Just an indicator for EndorsingSupportingToken signature
+ SupportingToken endSupportingToken = rpd.getEndorsingSupportingTokens();
+ if(endSupportingToken != null) {
+ SignedEncryptedParts endSignedParts = endSupportingToken.getSignedParts();
+ if((endSignedParts != null &&
+ (endSignedParts.isBody() ||
+ endSignedParts.getHeaders().size() > 0)) ||
+ rpd.isIncludeTimestamp()) {
+ signatureParts.add(
+ new WSEncryptionPart("EndorsingSupportingTokens"));
+ }
+ }
+ //Just an indicator for SignedEndorsingSupportingToken signature
+ SupportingToken sgndEndSupportingToken = rpd.getSignedEndorsingSupportingTokens();
+ if(sgndEndSupportingToken != null) {
+ SignedEncryptedParts sgndEndSignedParts = sgndEndSupportingToken.getSignedParts();
+ if((sgndEndSignedParts != null &&
+ (sgndEndSignedParts.isBody() ||
+ sgndEndSignedParts.getHeaders().size() > 0)) ||
+ rpd.isIncludeTimestamp()) {
+ signatureParts.add(
+ new WSEncryptionPart("SignedEndorsingSupportingTokens"));
+ }
+ }
+ }
+
+ validateEncrSig(data,encryptedParts, signatureParts, results);
+
+ if(!rpd.isTransportBinding()) {
+ validateProtectionOrder(data, results);
+ }
+
+ if(rpd.isTransportBinding() && !rmd.isInitiator()){
+ if (rpd.getTransportToken() instanceof HttpsToken) {
+ String incomingTransport = rmd.getMsgContext().getIncomingTransportName();
+ if(!incomingTransport.equals(org.apache.axis2.Constants.TRANSPORT_HTTPS)){
+ throw new RampartException("invalidTransport",
+ new String[]{incomingTransport});
+ }
+ }
+ }
+
+ validateEncryptedParts(data, encryptedParts, results);
+
+ validateSignedPartsHeaders(data, signatureParts, results);
+
+ validateRequiredElements(data);
+
+ //Supporting tokens
+ if(!rmd.isInitiator()) {
+ validateSupportingTokens(data, results);
+ }
+
+ /*
+ * Now we can check the certificate used to sign the message. In the
+ * following implementation the certificate is only trusted if either it
+ * itself or the certificate of the issuer is installed in the keystore.
+ *
+ * Note: the method verifyTrust(X509Certificate) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the signature action result from the action vector
+ WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(
+ results, WSConstants.SIGN);
+
+ if (actionResult != null) {
+ X509Certificate returnCert = (X509Certificate) actionResult
+ .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+
+ if (returnCert != null) {
+ if (!verifyTrust(returnCert, rmd)) {
+ throw new RampartException ("trustVerificationError");
+ }
+ }
+ }
+
+ /*
+ * Perform further checks on the timestamp that was transmitted in the
+ * header.
+ * In the following implementation the timestamp is valid if :
+ * Timestamp->Created < 'now' < Timestamp->Expires (Last test already handled by WSS4J)
+ *
+ * Note: the method verifyTimestamp(Timestamp) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the timestamp action result from the action vector
+ actionResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+
+ if (actionResult != null) {
+ Timestamp timestamp = (Timestamp) actionResult
+ .get(WSSecurityEngineResult.TAG_TIMESTAMP);
+
+ if (timestamp != null) {
+ if (!verifyTimestamp(timestamp, rmd)) {
+ throw new RampartException("cannotValidateTimestamp");
+ }
+ }
+ }
+ }
+
+ /**
+ * @param encryptedParts
+ * @param signatureParts
+ */
+ protected void validateEncrSig(ValidatorData data,Vector encryptedParts, Vector signatureParts, Vector results)
+ throws RampartException {
+ ArrayList actions = getSigEncrActions(results);
+ boolean sig = false;
+ boolean encr = false;
+ for (Iterator iter = actions.iterator(); iter.hasNext();) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.SIGN) {
+ sig = true;
+ } else if(act.intValue() == WSConstants.ENCR) {
+ encr = true;
+ }
+ }
+
+ RampartPolicyData rpd = data.getRampartMessageData().getPolicyData();
+
+ SupportingToken sgndSupTokens = rpd.getSignedSupportingTokens();
+ SupportingToken sgndEndorSupTokens = rpd.getSignedEndorsingSupportingTokens();
+
+ if(sig && signatureParts.size() == 0
+ && (sgndSupTokens == null || sgndSupTokens.getTokens().size() == 0)
+ && (sgndEndorSupTokens == null || sgndEndorSupTokens.getTokens().size() == 0)) {
+
+ //Unexpected signature
+ throw new RampartException("unexprectedSignature");
+ } else if(!sig && signatureParts.size() > 0) {
+
+ //required signature missing
+ throw new RampartException("signatureMissing");
+ }
+
+ if(encr && encryptedParts.size() == 0) {
+
+ //Check whether its just an encrypted key
+ ArrayList list = this.getResults(results, WSConstants.ENCR);
+ boolean encrDataFound = false;
+ for (Iterator iter = list.iterator(); iter.hasNext();) {
+ WSSecurityEngineResult result = (WSSecurityEngineResult) iter.next();
+ ArrayList dataRefURIs = (ArrayList)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+ if ( dataRefURIs != null && dataRefURIs.size() != 0) {
+ encrDataFound = true;
+ }
+ }
+ //TODO check whether the encrptedDataFound is an UsernameToken
+ if(encrDataFound && !isUsernameTokenPresent(data)) {
+ //Unexpected encryption
+ throw new RampartException("unexprectedEncryptedPart");
+ }
+ } else if(!encr && encryptedParts.size() > 0) {
+
+ //required signature missing
+ throw new RampartException("encryptionMissing");
+ }
+ }
+
+ /**
+ * @param data
+ * @param results
+ */
+ protected void validateSupportingTokens(ValidatorData data, Vector results)
+ throws RampartException {
+
+ //Check for UsernameToken
+ RampartPolicyData rpd = data.getRampartMessageData().getPolicyData();
+ SupportingToken suppTok = rpd.getSupportingTokens();
+ handleSupportingTokens(results, suppTok);
+ SupportingToken signedSuppToken = rpd.getSignedSupportingTokens();
+ handleSupportingTokens(results, signedSuppToken);
+ SupportingToken signedEndSuppToken = rpd.getSignedEndorsingSupportingTokens();
+ handleSupportingTokens(results, signedEndSuppToken);
+ SupportingToken endSuppToken = rpd.getEndorsingSupportingTokens();
+ handleSupportingTokens(results, endSuppToken);
+ }
+
+ /**
+ * @param results
+ * @param suppTok
+ * @throws RampartException
+ */
+ protected void handleSupportingTokens(Vector results, SupportingToken suppTok) throws RampartException {
+
+ if(suppTok == null) {
+ return;
+ }
+
+ ArrayList tokens = suppTok.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof UsernameToken) {
+ //Check presence of a UsernameToken
+ WSSecurityEngineResult utResult = WSSecurityUtil.fetchActionResult(results, WSConstants.UT);
+ if(utResult == null) {
+ throw new RampartException("usernameTokenMissing");
+ }
+
+ } else if ( token instanceof IssuedToken ) {
+ //TODO is is enough to check for ST_UNSIGNED results ??
+ WSSecurityEngineResult samlResult = WSSecurityUtil.fetchActionResult(results, WSConstants.ST_UNSIGNED);
+ if(samlResult == null) {
+ throw new RampartException("samlTokenMissing");
+ }
+ } else if ( token instanceof X509Token) {
+ WSSecurityEngineResult x509Result = WSSecurityUtil.fetchActionResult(results, WSConstants.BST);
+ if(x509Result == null) {
+ throw new RampartException("binaryTokenMissing");
+ }
+ }
+ }
+ }
+
+
+
+
+ /**
+ * @param data
+ * @param results
+ */
+ protected void validateProtectionOrder(ValidatorData data, Vector results)
+ throws RampartException {
+
+ String protectionOrder = data.getRampartMessageData().getPolicyData().getProtectionOrder();
+ ArrayList sigEncrActions = this.getSigEncrActions(results);
+
+ if(sigEncrActions.size() < 2) {
+ //There are no results to COMPARE
+ return;
+ }
+
+ boolean sigNotPresent = true;
+ boolean encrNotPresent = true;
+
+ for (Iterator iter = sigEncrActions.iterator(); iter.hasNext();) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.SIGN) {
+ sigNotPresent = false;
+ } else if(act.intValue() == WSConstants.ENCR) {
+ encrNotPresent = false;
+ }
+ }
+
+ // Only one action is present, so there is no order to check
+ if ( sigNotPresent || encrNotPresent ) {
+ return;
+ }
+
+
+ boolean done = false;
+ if(SPConstants.SIGN_BEFORE_ENCRYPTING.equals(protectionOrder)) {
+
+ boolean sigFound = false;
+ for (Iterator iter = sigEncrActions.iterator();
+ iter.hasNext() || !done;) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.ENCR && ! sigFound ) {
+ // We found ENCR and SIGN has not been found - break and fail
+ break;
+ }
+ if(act.intValue() == WSConstants.SIGN) {
+ sigFound = true;
+ } else if(sigFound) {
+ //We have an ENCR action after sig
+ done = true;
+ }
+ }
+
+ } else {
+ boolean encrFound = false;
+ for (Iterator iter = sigEncrActions.iterator(); iter.hasNext();) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.SIGN && ! encrFound ) {
+ // We found SIGN and ENCR has not been found - break and fail
+ break;
+ }
+ if(act.intValue() == WSConstants.ENCR) {
+ encrFound = true;
+ } else if(encrFound) {
+ //We have an ENCR action after sig
+ done = true;
+ }
+ }
+ }
+
+ if(!done) {
+ throw new RampartException("protectionOrderMismatch");
+ }
+ }
+
+
+ protected ArrayList getSigEncrActions(Vector results) {
+ ArrayList sigEncrActions = new ArrayList();
+ for (Iterator iter = results.iterator(); iter.hasNext();) {
+ Integer actInt = (Integer) ((WSSecurityEngineResult) iter.next())
+ .get(WSSecurityEngineResult.TAG_ACTION);
+ int action = actInt.intValue();
+ if(WSConstants.SIGN == action || WSConstants.ENCR == action) {
+ sigEncrActions.add(new Integer(action));
+ }
+
+ }
+ return sigEncrActions;
+ }
+
+ protected void validateEncryptedParts(ValidatorData data, Vector encryptedParts, Vector results)
+ throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ ArrayList encrRefs = getEncryptedReferences(results);
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ //Check for encrypted body
+ if(rpd.isEncryptBody()) {
+
+ if( !isRefIdPresent(encrRefs, data.getBodyEncrDataId())){
+ throw new RampartException("encryptedPartMissing",
+ new String[]{data.getBodyEncrDataId()});
+ }
+ }
+
+ for (int i = 0 ; i < encryptedParts.size() ; i++) {
+
+ WSEncryptionPart encPart = (WSEncryptionPart)encryptedParts.get(i);
+
+ //This is the encrypted Body and we already checked encrypted body
+ if (encPart.getType() == WSConstants.PART_TYPE_BODY) {
+ continue;
+ }
+
+ if ((WSConstants.SIG_LN.equals(encPart.getName()) &&
+ WSConstants.SIG_NS.equals(encPart.getNamespace()))
+ || encPart.getType() == WSConstants.PART_TYPE_HEADER ) {
+ if (!isRefIdPresent(encrRefs, new QName(encPart.getNamespace(),encPart.getName()))) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{encPart.getNamespace()+":"+encPart.getName()});
+ }
+ continue;
+ }
+
+ if (encPart.getEncId() == null) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{encPart.getNamespace()+":"+encPart.getName()});
+ } else if (!isRefIdPresent(encrRefs, encPart.getEncId())) {
+ throw new RampartException("encryptedPartMissing",
+ new String[]{encPart.getNamespace()+":"+encPart.getName()});
+ }
+
+ }
+
+ }
+
+ public void validateRequiredElements(ValidatorData data) throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ SOAPEnvelope envelope = rmd.getMsgContext().getEnvelope();
+
+ Iterator elementsIter = rpd.getRequiredElements().iterator();
+
+ while (elementsIter.hasNext()) {
+
+ String expression = (String) elementsIter.next();
+
+ if ( !RampartUtil.checkRequiredElements(envelope, rpd.getDeclaredNamespaces(), expression)) {
+ throw new RampartException("requiredElementsMissing", new String[] { expression } );
+ }
+ }
+
+ }
+
+ protected void validateSignedPartsHeaders(ValidatorData data, Vector signatureParts, Vector results)
+ throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ Node envelope = rmd.getDocument().getFirstChild();
+
+ WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(
+ results, WSConstants.SIGN);
+
+ // Find elements that are signed
+ Vector actuallySigned = new Vector();
+ if( actionResult != null ) {
+ Set signedIDs = (Set)actionResult.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
+ for (Iterator i = signedIDs.iterator(); i.hasNext();) {
+ String e = (String) i.next();
+
+ Element element = WSSecurityUtil.findElementById(envelope, e, WSConstants.WSU_NS);
+ actuallySigned.add( element );
+ }
+ }
+
+ for(int i=0; i<signatureParts.size(); i++) {
+ WSEncryptionPart wsep = (WSEncryptionPart) signatureParts.get( i );
+
+ Element headerElement = (Element) WSSecurityUtil.findElement(
+ envelope, wsep.getName(), wsep.getNamespace() );
+ if( headerElement == null ) {
+ // The signedpart header we are checking is not present in Soap header - this is allowed
+ continue;
+ }
+
+ // header element present - verify that it is part of signature
+ if( actuallySigned.contains( headerElement) ) {
+ continue;
+ }
+
+ // header defined in policy is present but not signed
+ throw new RampartException("signedPartHeaderNotSigned", new String[] { wsep.getName() });
+ }
+ }
+
+
+ protected boolean isSignatureRequired(RampartMessageData rmd) {
+ RampartPolicyData rpd = rmd.getPolicyData();
+ return (rpd.isSymmetricBinding() && rpd.getSignatureToken() != null) ||
+ (!rpd.isSymmetricBinding() && !rpd.isTransportBinding() &&
+ ((rpd.getInitiatorToken() != null && rmd.isInitiator())
+ || rpd.getRecipientToken() != null && !rmd.isInitiator()));
+ }
+
+
+ /*
+ * Verify that ts->Created is before 'now'
+ * - testing that timestamp has not expired ('now' is before ts->Expires) is handled earlier by WSS4J
+ */
+ protected boolean verifyTimestamp(Timestamp timestamp, RampartMessageData rmd) throws RampartException {
+
+ Calendar cre = timestamp.getCreated();
+ if (cre != null) {
+ long now = Calendar.getInstance().getTimeInMillis();
+
+ // adjust 'now' with allowed timeskew
+ long maxSkew = RampartUtil.getTimestampMaxSkew( rmd );
+ if( maxSkew > 0 ) {
+ now += (maxSkew * 1000);
+ }
+
+ // fail if ts->Created is after 'now'
+ if( cre.getTimeInMillis() > now ) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
+ * Evaluate whether a given certificate should be trusted.
+ * Hook to allow subclasses to implement custom validation methods however they see fit.
+ * <p/>
+ * Policy used in this implementation:
+ * 1. Search the keystore for the transmitted certificate
+ * 2. Search the keystore for a connection to the transmitted certificate
+ * (that is, search for certificate(s) of the issuer of the transmitted certificate
+ * 3. Verify the trust path for those certificates found because the search for the issuer might be fooled by a phony DN (String!)
+ *
+ * @param cert the certificate that should be validated against the keystore
+ * @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions during CertPathValidation)
+ * @throws WSSecurityException
+ */
+ protected boolean verifyTrust(X509Certificate cert, RampartMessageData rmd) throws RampartException {
+
+ // If no certificate was transmitted, do not trust the signature
+ if (cert == null) {
+ return false;
+ }
+
+ String[] aliases = null;
+ String alias = null;
+ X509Certificate[] certs;
+
+ String subjectString = cert.getSubjectDN().getName();
+ String issuerString = cert.getIssuerDN().getName();
+ BigInteger issuerSerial = cert.getSerialNumber();
+
+ boolean doDebug = log.isDebugEnabled();
+
+ if (doDebug) {
+ log.debug("WSHandler: Transmitted certificate has subject " +
+ subjectString);
+ log.debug("WSHandler: Transmitted certificate has issuer " +
+ issuerString + " (serial " + issuerSerial + ")");
+ }
+
+ // FIRST step
+ // Search the keystore for the transmitted certificate
+
+ // Search the keystore for the alias of the transmitted certificate
+ try {
+ alias = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getAliasForX509Cert(
+ issuerString, issuerSerial);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("cannotFindAliasForCert", new String[]{subjectString}, ex);
+ }
+
+ if (alias != null) {
+ // Retrieve the certificate for the alias from the keystore
+ try {
+ certs = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getCertificates(alias);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("noCertForAlias", new String[] {alias}, ex);
+ }
+
+ // If certificates have been found, the certificates must be compared
+ // to ensure againgst phony DNs (compare encoded form including signature)
+ if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
+ if (doDebug) {
+ log.debug("Direct trust for certificate with " + subjectString);
+ }
+ return true;
+ }
+ } else {
+ if (doDebug) {
+ log.debug("No alias found for subject from issuer with " + issuerString + " (serial " + issuerSerial + ")");
+ }
+ }
+
+ // SECOND step
+ // Search for the issuer of the transmitted certificate in the keystore
+
+ // Search the keystore for the alias of the transmitted certificates issuer
+ try {
+ aliases = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getAliasesForDN(issuerString);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("cannotFindAliasForCert", new String[]{issuerString}, ex);
+ }
+
+ // If the alias has not been found, the issuer is not in the keystore
+ // As a direct result, do not trust the transmitted certificate
+ if (aliases == null || aliases.length < 1) {
+ if (doDebug) {
+ log.debug("No aliases found in keystore for issuer " + issuerString + " of certificate for " + subjectString);
+ }
+ return false;
+ }
+
+ // THIRD step
+ // Check the certificate trust path for every alias of the issuer found in the keystore
+ for (int i = 0; i < aliases.length; i++) {
+ alias = aliases[i];
+
+ if (doDebug) {
+ log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerString);
+ }
+
+ // Retrieve the certificate(s) for the alias from the keystore
+ try {
+ certs = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getCertificates(alias);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("noCertForAlias", new String[] {alias}, ex);
+ }
+
+ // If no certificates have been found, there has to be an error:
+ // The keystore can find an alias but no certificate(s)
+ if (certs == null || certs.length < 1) {
+ throw new RampartException("noCertForAlias", new String[] {alias});
+ }
+
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore
+ // First, create new array
+ X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
+ // Then add the first certificate ...
+ x509certs[0] = cert;
+ // ... and the other certificates
+ for (int j = 0; j < certs.length; j++) {
+ cert = certs[j];
+ x509certs[j + 1] = cert;
+ }
+ certs = x509certs;
+
+ // Use the validation method from the crypto to check whether the subjects certificate was really signed by the issuer stated in the certificate
+ try {
+ if (RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).validateCertPath(certs)) {
+ if (doDebug) {
+ log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectString);
+ }
+ return true;
+ }
+ } catch (WSSecurityException ex) {
+ throw new RampartException("certPathVerificationFailed", new String[]{subjectString}, ex);
+ }
+ }
+
+ log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectString);
+ return false;
+ }
+
+
+ protected ArrayList getEncryptedReferences(Vector results) {
+
+ //there can be multiple ref lists
+ ArrayList encrResults = getResults(results, WSConstants.ENCR);
+
+ ArrayList refs = new ArrayList();
+
+ for (Iterator iter = encrResults.iterator(); iter.hasNext();) {
+ WSSecurityEngineResult engineResult = (WSSecurityEngineResult) iter.next();
+ ArrayList dataRefUris = (ArrayList) engineResult
+ .get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+
+ //take only the ref list processing results
+ if(dataRefUris != null) {
+ for (Iterator iterator = dataRefUris.iterator(); iterator
+ .hasNext();) {
+ WSDataRef uri = (WSDataRef) iterator.next();
+ refs.add(uri);
+ }
+ }
+ }
+
+ return refs;
+ }
+
+
+
+ protected ArrayList getResults(Vector results, int action) {
+
+ ArrayList list = new ArrayList();
+
+ for (int i = 0; i < results.size(); i++) {
+ // Check the result of every action whether it matches the given
+ // action
+ Integer actInt = (Integer)((WSSecurityEngineResult) results.get(i)).get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == action) {
+ list.add((WSSecurityEngineResult) results.get(i));
+ }
+ }
+
+ return list;
+ }
+
+ protected boolean isUsernameTokenPresent(ValidatorData data) {
+
+ //TODO This can be integrated with supporting token processing
+ // which also checks whether Username Tokens present
+
+ RampartPolicyData rpd = data.getRampartMessageData().getPolicyData();
+
+ SupportingToken suppTok = rpd.getSupportingTokens();
+ if(isUsernameTokenPresent(suppTok)){
+ return true;
+ }
+
+ SupportingToken signedSuppToken = rpd.getSignedSupportingTokens();
+ if(isUsernameTokenPresent(signedSuppToken)) {
+ return true;
+ }
+
+ SupportingToken signedEndSuppToken = rpd.getSignedEndorsingSupportingTokens();
+ if(isUsernameTokenPresent(signedEndSuppToken)) {
+ return true;
+ }
+
+ SupportingToken endSuppToken = rpd.getEndorsingSupportingTokens();
+ if(isUsernameTokenPresent(endSuppToken)){
+ return true;
+ }
+
+ return false;
+
+
+ }
+
+ protected boolean isUsernameTokenPresent(SupportingToken suppTok) {
+
+ if(suppTok == null) {
+ return false;
+ }
+
+ ArrayList tokens = suppTok.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof UsernameToken) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private boolean isRefIdPresent(ArrayList refList , String id) {
+
+ for (int i = 0; i < refList.size() ; i++) {
+ WSDataRef dataRef = (WSDataRef)refList.get(i);
+
+ //ArrayList can contain null elements
+ if(dataRef == null) {
+ continue;
+ }
+ //Try to get the wsuId of the decrypted element
+ String dataRefUri = dataRef.getWsuId();
+ //If not found, try the reference Id of encrypted element ( we set the same Id when we
+ // decrypted element in WSS4J)
+ if (dataRefUri == null) {
+ dataRefUri = dataRef.getDataref();
+ }
+ if (dataRefUri != null && dataRefUri.equals(id)) {
+ return true;
+ }
+ }
+
+ return false;
+
+ }
+
+ private boolean isRefIdPresent(ArrayList refList , QName qname) {
+
+ for (int i = 0; i < refList.size() ; i++) {
+ WSDataRef dataRef = (WSDataRef)refList.get(i);
+
+ //ArrayList can contain null elements
+ if(dataRef == null) {
+ continue;
+ }
+ //QName of the decrypted element
+ QName dataRefQName = dataRef.getName();
+
+ if ( dataRefQName != null && dataRefQName.equals(qname)) {
+ return true;
+ }
+
+ }
+
+ return false;
+
+ }
+
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyValidatorCallbackHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyValidatorCallbackHandler.java
new file mode 100644
index 0000000..725af1c
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyValidatorCallbackHandler.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.rampart;
+
+import java.util.Vector;
+
+/**
+ * Callback handler interface to allow different implementations of policy based results validation.
+ * Default implementation is <code>org.apache.rampart.PolicyBasedResultsValidator</code>.
+ * Custom implementations could be provided in rampart config as shown in below example.
+ *
+ * Example:
+ * <PRE>
+ * <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
+ * <ramp:policyValidatorCbClass>xx.yy.CustomPolicyValidator</ramp:policyValidatorCbClass>
+ * ...
+ * </ramp:RampartConfig>
+ * </PRE>
+ */
+
+public interface PolicyValidatorCallbackHandler {
+ /**
+ * Validate policy based results.
+ *
+ * @param data validator data
+ * @param results policy based ws-security results
+ * @throws RampartException Rampart exception
+ */
+ public abstract void validate(ValidatorData data, Vector results) throws RampartException;
+
+}
\ No newline at end of file
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/Rampart.java b/modules/rampart-core/src/main/java/org/apache/rampart/Rampart.java
new file mode 100644
index 0000000..4e477a1
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/Rampart.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.ConfigurationContext;
+import org.apache.axis2.description.AxisDescription;
+import org.apache.axis2.description.AxisModule;
+import org.apache.axis2.modules.Module;
+import org.apache.axis2.wsdl.codegen.extension.ModulePolicyExtension;
+import org.apache.axis2.wsdl.codegen.extension.PolicyExtension;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.Policy;
+
+public class Rampart implements Module, ModulePolicyExtension {
+
+ public void init(ConfigurationContext configContext, AxisModule module)
+ throws AxisFault {
+ }
+
+ public void engageNotify(AxisDescription axisDescription) throws AxisFault {
+ //Nothing to do here, since RampartMessageData will pick up the
+ //effective policy from the message context
+ }
+
+ public void shutdown(ConfigurationContext configurationContext) throws AxisFault {
+ // at the moment, nothing needs to be done ..
+ }
+
+ public PolicyExtension getPolicyExtension() {
+ throw new UnsupportedOperationException("TODO");
+ }
+
+ public void applyPolicy(Policy policy, AxisDescription axisDescription) throws AxisFault {
+ //Do not do anything
+ }
+
+ public boolean canSupportAssertion(Assertion assertion) {
+ return true;
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java
new file mode 100644
index 0000000..a21c048
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartConstants.java
@@ -0,0 +1,9 @@
+package org.apache.rampart;
+
+public class RampartConstants {
+
+ public static final String TIME_LOG = "org.apache.rampart.TIME";
+ public static final String MESSAGE_LOG = "org.apache.rampart.MESSAGE";
+ public static final String SEC_FAULT = "SECURITY_VALIDATION_FAILURE";
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
new file mode 100644
index 0000000..2a888c4
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartEngine.java
@@ -0,0 +1,268 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.soap.SOAP11Constants;
+import org.apache.axiom.soap.SOAP12Constants;
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axiom.soap.SOAPFault;
+import org.apache.axiom.soap.SOAPFaultCode;
+import org.apache.axiom.soap.SOAPFaultSubCode;
+import org.apache.axiom.soap.SOAPFaultValue;
+import org.apache.axiom.soap.SOAPHeader;
+import org.apache.axiom.soap.SOAPHeaderBlock;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.Token;
+import org.apache.rahas.TokenStorage;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.saml.SAMLKeyInfo;
+import org.apache.ws.security.saml.SAMLUtil;
+import org.opensaml.SAMLAssertion;
+
+import javax.xml.namespace.QName;
+
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.Vector;
+
+public class RampartEngine {
+
+ private static Log log = LogFactory.getLog(RampartEngine.class);
+ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
+
+ public Vector process(MessageContext msgCtx) throws WSSPolicyException,
+ RampartException, WSSecurityException, AxisFault {
+
+ boolean doDebug = log.isDebugEnabled();
+ boolean dotDebug = tlog.isDebugEnabled();
+
+ if(doDebug){
+ log.debug("Enter process(MessageContext msgCtx)");
+ }
+
+ RampartMessageData rmd = new RampartMessageData(msgCtx, false);
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ msgCtx.setProperty(RampartMessageData.RAMPART_POLICY_DATA, rpd);
+
+ //If there is no policy information or if the message is a security fault or no security
+ // header required by the policy
+ if(rpd == null || isSecurityFault(rmd) || !RampartUtil.isSecHeaderRequired(rpd,rmd.isInitiator(),true)) {
+ SOAPEnvelope env = Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true);
+
+ //Convert back to llom since the inflow cannot use llom
+ msgCtx.setEnvelope(env);
+ Axis2Util.useDOOM(false);
+ if(doDebug){
+ log.debug("Return process MessageContext msgCtx)");
+ }
+ return null;
+ }
+
+
+ Vector results = null;
+
+ WSSecurityEngine engine = new WSSecurityEngine();
+
+ ValidatorData data = new ValidatorData(rmd);
+
+ SOAPHeader header = rmd.getMsgContext().getEnvelope().getHeader();
+ if(header == null) {
+ throw new RampartException("missingSOAPHeader");
+ }
+
+ ArrayList headerBlocks = header.getHeaderBlocksWithNSURI(WSConstants.WSSE_NS);
+ SOAPHeaderBlock secHeader = null;
+ //Issue is axiom - a returned collection must not be null
+ if(headerBlocks != null) {
+ Iterator headerBlocksIterator = headerBlocks.iterator();
+ while (headerBlocksIterator.hasNext()) {
+ SOAPHeaderBlock elem = (SOAPHeaderBlock) headerBlocksIterator.next();
+ if(elem.getLocalName().equals(WSConstants.WSSE_LN)) {
+ secHeader = elem;
+ break;
+ }
+ }
+ }
+
+ if(secHeader == null) {
+ throw new RampartException("missingSecurityHeader");
+ }
+
+ long t0=0, t1=0, t2=0, t3=0;
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+
+ String actorValue = secHeader.getAttributeValue(new QName(rmd
+ .getSoapConstants().getEnvelopeURI(), "actor"));
+
+ Crypto signatureCrypto = RampartUtil.getSignatureCrypto(rpd.getRampartConfig(),
+ msgCtx.getAxisService().getClassLoader());
+ TokenCallbackHandler tokenCallbackHandler = new TokenCallbackHandler(rmd.getTokenStorage(), RampartUtil.getPasswordCB(rmd));
+ if(rpd.isSymmetricBinding()) {
+ //Here we have to create the CB handler to get the tokens from the
+ //token storage
+ if(doDebug){
+ log.debug("Processing security header using SymetricBinding");
+ }
+
+ results = engine.processSecurityHeader(rmd.getDocument(),
+ actorValue,
+ tokenCallbackHandler,
+ signatureCrypto);
+ } else {
+ if(doDebug){
+ log.debug("Processing security header in normal path");
+ }
+ results = engine.processSecurityHeader(rmd.getDocument(),
+ actorValue,
+ tokenCallbackHandler,
+ signatureCrypto,
+ RampartUtil.getEncryptionCrypto(rpd.getRampartConfig(),
+ msgCtx.getAxisService().getClassLoader()));
+ }
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ //Store symm tokens
+ //Pick the first SAML token
+ //TODO : This is a hack , MUST FIX
+ //get the sec context id from the req msg ctx
+
+ for (int j = 0; j < results.size(); j++) {
+ WSSecurityEngineResult wser = (WSSecurityEngineResult) results.get(j);
+ final Integer actInt =
+ (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if(WSConstants.ST_UNSIGNED == actInt.intValue()) {
+ final SAMLAssertion assertion =
+ ((SAMLAssertion) wser
+ .get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+ String id = assertion.getId();
+ Date created = assertion.getNotBefore();
+ Date expires = assertion.getNotOnOrAfter();
+ SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(assertion,
+ signatureCrypto, tokenCallbackHandler);
+ try {
+ TokenStorage store = rmd.getTokenStorage();
+ if(store.getToken(id) == null) {
+ Token token = new Token(id, (OMElement)assertion.toDOM(), created, expires);
+ token.setSecret(samlKi.getSecret());
+ store.add(token);
+ }
+ } catch (Exception e) {
+ throw new RampartException(
+ "errorInAddingTokenIntoStore", e);
+ }
+
+ }
+
+ }
+
+ SOAPEnvelope env = Axis2Util.getSOAPEnvelopeFromDOMDocument(rmd.getDocument(), true);
+
+ if(dotDebug){
+ t2 = System.currentTimeMillis();
+ }
+
+ //Convert back to llom since the inflow cannot use DOOM
+ msgCtx.setEnvelope(env);
+ Axis2Util.useDOOM(false);
+
+ PolicyValidatorCallbackHandler validator = RampartUtil.getPolicyValidatorCB(msgCtx, rpd);
+
+ validator.validate(data, results);
+
+ if(dotDebug){
+ t3 = System.currentTimeMillis();
+ tlog.debug("processHeader by WSSecurityEngine took : " + (t1 - t0) +
+ ", DOOM conversion took :" + (t2 - t1) +
+ ", PolicyBasedResultsValidattor took " + (t3 - t2));
+ }
+
+ if(doDebug){
+ log.debug("Return process(MessageContext msgCtx)");
+ }
+ return results;
+ }
+
+ // Check whether this a soap fault because of failure in processing the security header
+ //and if so, we don't expect the security header
+ //
+ //
+
+
+ private boolean isSecurityFault(RampartMessageData rmd) {
+
+ SOAPEnvelope soapEnvelope = rmd.getMsgContext().getEnvelope();
+
+ SOAPFault soapFault = soapEnvelope.getBody().getFault();
+
+ // This is not a soap fault
+ if (soapFault == null) {
+ return false;
+ }
+
+ String soapVersionURI = rmd.getMsgContext().getEnvelope().getNamespace().getNamespaceURI();
+
+ if (soapVersionURI.equals(SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI) ) {
+
+ SOAPFaultCode faultCode = soapFault.getCode();
+
+ // This is a fault processing the security header
+ if (faultCode.getTextAsQName().getNamespaceURI().equals(WSConstants.WSSE_NS)) {
+ return true;
+ }
+
+
+ } else if (soapVersionURI.equals(SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI)) {
+
+ //TODO AXIOM API returns only one fault sub code, there can be many
+ SOAPFaultSubCode faultSubCode = soapFault.getCode().getSubCode();
+
+ if (faultSubCode != null) {
+ SOAPFaultValue faultSubCodeValue = faultSubCode.getValue();
+
+ // This is a fault processing the security header
+ if (faultSubCodeValue != null &&
+ faultSubCodeValue.getTextAsQName().getNamespaceURI().equals(WSConstants.WSSE_NS)) {
+ return true;
+ }
+ }
+
+ }
+
+ return false;
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartException.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartException.java
new file mode 100644
index 0000000..f76de9c
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartException.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import java.text.MessageFormat;
+import java.util.MissingResourceException;
+import java.util.ResourceBundle;
+
+public class RampartException extends Exception {
+
+ private static final long serialVersionUID = 8674795537585339704L;
+
+ private static ResourceBundle resources;
+
+ private String faultCode;
+ private String faultString;
+
+ static {
+ try {
+ resources = ResourceBundle.getBundle("org.apache.rampart.errors");
+ } catch (MissingResourceException e) {
+ throw new RuntimeException(e.getMessage());
+ }
+ }
+
+ public RampartException(String faultCode, Object[] args) {
+ super(getMessage(faultCode, args));
+ this.faultCode = getFaultCode(faultCode);
+ this.faultString = getMessage(faultCode, args);
+ }
+
+ /**
+ * Construct the fault properly code for the standard faults
+ * @param faultCode2
+ * @return
+ */
+ private String getFaultCode(String code) {
+ //TODO check for spec specific error codes
+ return code;
+ }
+
+ public RampartException(String faultCode) {
+ this(faultCode, (Object[])null);
+ }
+
+ public RampartException(String faultCode, Object[] args, Throwable e) {
+ super(getMessage(faultCode, args),e);
+ this.faultCode = faultCode;
+ this.faultString = getMessage(faultCode, args);
+ }
+
+ public RampartException(String faultCode, Throwable e) {
+ this(faultCode, null, e);
+ }
+
+ /**
+ * get the message from resource bundle.
+ * <p/>
+ *
+ * @return the message translated from the property (message) file.
+ */
+ protected static String getMessage(String faultCode, Object[] args) {
+ String msg = null;
+ try {
+ msg = MessageFormat.format(resources.getString(faultCode), args);
+ } catch (MissingResourceException e) {
+ throw new RuntimeException("Undefined '" + faultCode + "' resource property");
+ }
+ return msg;
+ }
+
+ /**
+ * @return Returns the faultCode.
+ */
+ protected String getFaultCode() {
+ return faultCode;
+ }
+
+ /**
+ * @return Returns the faultString.
+ */
+ protected String getFaultString() {
+ return faultString;
+ }
+
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
new file mode 100644
index 0000000..e0918f5
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/RampartMessageData.java
@@ -0,0 +1,682 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.context.OperationContext;
+import org.apache.axis2.description.AxisService;
+import org.apache.axis2.description.Parameter;
+import org.apache.axis2.wsdl.WSDLConstants;
+import org.apache.neethi.Policy;
+import org.apache.neethi.PolicyEngine;
+import org.apache.rahas.RahasConstants;
+import org.apache.rahas.SimpleTokenStore;
+import org.apache.rahas.TokenStorage;
+import org.apache.rahas.TrustException;
+import org.apache.rahas.TrustUtil;
+import org.apache.rampart.handler.WSSHandlerConstants;
+import org.apache.rampart.policy.RampartPolicyBuilder;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.SOAPConstants;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationConstants;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.SecurityContextToken;
+import org.apache.ws.security.util.Loader;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.opensaml.SAMLAssertion;
+import org.w3c.dom.Document;
+
+import java.util.List;
+import java.util.Vector;
+
+public class RampartMessageData {
+
+ /**
+ * Axis2 parameter name to be used in the client's axis2 xml
+ */
+ public final static String KEY_RAMPART_POLICY = "rampartPolicy";
+
+ /**
+ * Key to hold the populated RampartPolicyData object
+ */
+ public final static String RAMPART_POLICY_DATA = "rampartPolicyData";
+
+ public final static String RAMPART_STS_POLICY = "rampartStsPolicy";
+
+ /**
+ * Key to hold the custom issued token identifier
+ */
+ public final static String KEY_CUSTOM_ISSUED_TOKEN = "customIssuedToken";
+
+ /**
+ * Key to hold the WS-Trust version
+ */
+ public final static String KEY_WST_VERSION = "wstVersion";
+
+ public final static String PARAM_CLIENT_SIDE = "CLIENT_SIDE";
+
+ /**
+ * Key to hold the WS-SecConv version
+ */
+ public final static String KEY_WSSC_VERSION = "wscVersion";
+
+ public static final String KEY_SCT_ISSUER_POLICY = "sct-issuer-policy";
+
+ public final static String CANCEL_REQUEST = "cancelrequest";
+
+ public final static String SCT_ID = "sctID";
+
+ private MessageContext msgContext = null;
+
+ private RampartPolicyData policyData = null;
+
+ private WSSecHeader secHeader = null;
+
+ private WSSConfig config = null;
+
+ private int timeToLive = 300;
+
+ private int timestampMaxSkew = 0;
+
+ private String timestampId;
+
+ private Document document;
+
+ private TokenStorage tokenStorage;
+
+ /**
+ * WS-Trust version to use.
+ *
+ * Possible values:
+ * RahasConstants.VERSION_05_02
+ * RahasConstants.VERSION_05_12
+ */
+
+ private int wstVersion = RahasConstants.VERSION_05_02;
+
+ private int secConvVersion = ConversationConstants.DEFAULT_VERSION;
+
+ /*
+ * IssuedTokens or SecurityContextTokens can be used
+ * as the encryption token, signature token
+ */
+ private String issuedEncryptionTokenId;
+
+ private String issuedSignatureTokenId;
+
+ /**
+ * The service policy extracted from the message context.
+ * If policy is specified in the RampartConfig <b>this</b> will take precedence
+ */
+ private Policy servicePolicy;
+
+ private boolean isInitiator;
+
+ private boolean sender;
+
+ private ClassLoader customClassLoader;
+
+ private SOAPConstants soapConstants;
+
+ public RampartMessageData(MessageContext msgCtx, boolean sender) throws RampartException {
+
+ this.msgContext = msgCtx;
+
+ try {
+
+ /*
+ * First get the SOAP envelope as document, then create a security
+ * header and insert into the document (Envelope)
+ */
+ this.document = Axis2Util.getDocumentFromSOAPEnvelope(msgCtx.getEnvelope(), true);
+ msgCtx.setEnvelope((SOAPEnvelope)this.document.getDocumentElement());
+
+ this.soapConstants = WSSecurityUtil.getSOAPConstants(this.document.getDocumentElement());
+
+ //Extract known properties from the msgCtx
+
+ if(msgCtx.getProperty(KEY_WST_VERSION) != null) {
+ this.wstVersion = TrustUtil.getWSTVersion((String)msgCtx.getProperty(KEY_WST_VERSION));
+ }
+
+ if(msgCtx.getProperty(KEY_WSSC_VERSION) != null) {
+ this.secConvVersion = TrustUtil.getWSTVersion((String)msgCtx.getProperty(KEY_WSSC_VERSION));
+ }
+
+ // First obtain the axis service as we have to do a null check, there can be situations
+ // where Axis Service is null
+ AxisService axisService = msgCtx.getAxisService();
+
+ if(axisService != null && axisService.getParameter(PARAM_CLIENT_SIDE) != null) {
+ this.isInitiator = true;
+ } else {
+ this.isInitiator = !msgCtx.isServerSide();
+ //TODO if Axis Service is null at this point, do we have to create a dummy one ??
+ if(this.isInitiator && axisService != null ) {
+ Parameter clientSideParam = new Parameter();
+ clientSideParam.setName(PARAM_CLIENT_SIDE);
+ clientSideParam.setLocked(true);
+ msgCtx.getAxisService().addParameter(clientSideParam);
+ }
+ }
+
+ if(msgCtx.getProperty(KEY_RAMPART_POLICY) != null) {
+ this.servicePolicy = (Policy)msgCtx.getProperty(KEY_RAMPART_POLICY);
+ }
+
+ /*
+ * Init policy:
+ * When creating the RampartMessageData instance we
+ * extract the service policy is set in the msgCtx.
+ * If it is missing then try to obtain from the configuration files.
+ */
+
+ if(this.servicePolicy == null) {
+ this.servicePolicy = msgCtx.getEffectivePolicy();
+ }
+
+ if(this.servicePolicy == null) {
+ Parameter param = msgCtx.getParameter(RampartMessageData.KEY_RAMPART_POLICY);
+ if(param != null) {
+ OMElement policyElem = param.getParameterElement().getFirstElement();
+ this.servicePolicy = PolicyEngine.getPolicy(policyElem);
+ }
+ }
+
+
+ if(this.servicePolicy != null){
+ List it = (List)this.servicePolicy.getAlternatives().next();
+
+ //Process policy and build policy data
+ this.policyData = RampartPolicyBuilder.build(it);
+ }
+
+
+ if(this.policyData != null) {
+
+ //Check for RST and RSTR for an SCT
+ if((WSSHandlerConstants.RST_ACTON_SCT.equals(msgContext.getWSAAction())
+ || WSSHandlerConstants.RSTR_ACTON_SCT.equals(msgContext.getWSAAction())) &&
+ this.policyData.getIssuerPolicy() != null) {
+
+ this.servicePolicy = this.policyData.getIssuerPolicy();
+
+ RampartConfig rampartConfig = policyData.getRampartConfig();
+ if(rampartConfig != null) {
+ /*
+ * Copy crypto info into the new issuer policy
+ */
+ RampartConfig rc = new RampartConfig();
+ rc.setEncrCryptoConfig(rampartConfig.getEncrCryptoConfig());
+ rc.setSigCryptoConfig(rampartConfig.getSigCryptoConfig());
+ rc.setDecCryptoConfig(rampartConfig.getDecCryptoConfig());
+ rc.setUser(rampartConfig.getUser());
+ rc.setEncryptionUser(rampartConfig.getEncryptionUser());
+ rc.setPwCbClass(rampartConfig.getPwCbClass());
+ rc.setSSLConfig(rampartConfig.getSSLConfig());
+
+ this.servicePolicy.addAssertion(rc);
+ }
+
+ List it = (List)this.servicePolicy.getAlternatives().next();
+
+ //Process policy and build policy data
+ this.policyData = RampartPolicyBuilder.build(it);
+ }
+ }
+
+
+ this.sender = sender;
+
+ OperationContext opCtx = this.msgContext.getOperationContext();
+
+ if(!this.isInitiator && this.sender) {
+ //Get hold of the incoming msg ctx
+ MessageContext inMsgCtx;
+ if (opCtx != null
+ && (inMsgCtx = opCtx
+ .getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE)) != null
+ && msgContext.getProperty(WSHandlerConstants.RECV_RESULTS) == null) {
+ msgContext.setProperty(WSHandlerConstants.RECV_RESULTS,
+ inMsgCtx.getProperty(WSHandlerConstants.RECV_RESULTS));
+
+ //If someone set the sct_id externally use it at the receiver
+ msgContext.setProperty(SCT_ID, inMsgCtx.getProperty(SCT_ID));
+ }
+ }
+
+ if(this.isInitiator && !this.sender) {
+ MessageContext outMsgCtx;
+ if (opCtx != null
+ && (outMsgCtx = opCtx
+ .getMessageContext(WSDLConstants.MESSAGE_LABEL_OUT_VALUE)) != null) {
+
+ //If someone set the sct_id externally use it at the receiver
+ msgContext.setProperty(SCT_ID, outMsgCtx.getProperty(SCT_ID));
+ }
+ }
+
+ // Check whether RampartConfig is present
+ if (this.policyData != null && this.policyData.getRampartConfig() != null) {
+
+ boolean timestampPrecisionInMilliseconds = Boolean.valueOf(this.policyData
+ .getRampartConfig().getTimestampPrecisionInMilliseconds()).booleanValue();
+
+ // This is not the default behavior, we clone the default WSSConfig to prevent this
+ // affecting globally
+ if (timestampPrecisionInMilliseconds == WSSConfig.getDefaultWSConfig()
+ .isPrecisionInMilliSeconds()) {
+ this.config = WSSConfig.getDefaultWSConfig();
+ } else {
+ this.config = RampartUtil.getWSSConfigInstance();
+ this.config.setPrecisionInMilliSeconds(timestampPrecisionInMilliseconds);
+ }
+ } else {
+ this.config = WSSConfig.getDefaultWSConfig();
+ }
+
+
+
+
+ this.customClassLoader = msgCtx.getAxisService().getClassLoader();
+
+ if(this.sender && this.policyData != null) {
+ this.secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(this.document);
+ }
+
+ } catch (TrustException e) {
+ throw new RampartException("errorInExtractingMsgProps", e);
+ } catch (AxisFault e) {
+ throw new RampartException("errorInExtractingMsgProps", e);
+ } catch (WSSPolicyException e) {
+ throw new RampartException("errorInExtractingMsgProps", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInExtractingMsgProps", e);
+ }
+
+ }
+
+ /**
+ * @return Returns the document.
+ */
+ public Document getDocument() {
+ return document;
+ }
+
+ /**
+ * @param document The document to set.
+ * @deprecated document is derived from MessageContext passed in constructor
+ */
+ public void setDocument(Document document) {
+ this.document = document;
+ }
+
+ /**
+ * @return Returns the timeToLive.
+ */
+ public int getTimeToLive() {
+ return timeToLive;
+ }
+
+ /**
+ * @param timeToLive The timeToLive to set.
+ */
+ public void setTimeToLive(int timeToLive) {
+ this.timeToLive = timeToLive;
+ }
+
+ /**
+ * @return Returns the timestampMaxSkew.
+ */
+ public int getTimestampMaxSkew() {
+ return timestampMaxSkew;
+ }
+
+ /**
+ * @param timestampMaxSkew The timestampMaxSkew to set.
+ */
+ public void setTimestampMaxSkew(int timestampMaxSkew) {
+ this.timestampMaxSkew = timestampMaxSkew;
+ }
+
+ /**
+ * @return Returns the config.
+ */
+ public WSSConfig getConfig() {
+ return config;
+ }
+
+ /**
+ * @param config
+ * The config to set.
+ */
+ public void setConfig(WSSConfig config) {
+ this.config = config;
+ }
+
+ /**
+ * @return Returns the msgContext.
+ */
+ public MessageContext getMsgContext() {
+ return msgContext;
+ }
+
+ /**
+ * @param msgContext The msgContext to set.
+ * @deprecated MessageContext is set in constructor
+ */
+ public void setMsgContext(MessageContext msgContext) {
+ this.msgContext = msgContext;
+ }
+
+ /**
+ * @return Returns the policyData.
+ */
+ public RampartPolicyData getPolicyData() {
+ return policyData;
+ }
+
+ /**
+ * @param policyData The policyData to set.
+ * @deprecated Policy data determined within constructor
+ */
+ public void setPolicyData(RampartPolicyData policyData) throws RampartException {
+ this.policyData = policyData;
+
+ try {
+ //if client side then check whether sig conf enabled
+ //and get hold of the stored signature values
+ if(this.isInitiator && !this.sender && policyData.isSignatureConfirmation()) {
+ OperationContext opCtx = msgContext.getOperationContext();
+ MessageContext outMsgCtx = opCtx
+ .getMessageContext(WSDLConstants.MESSAGE_LABEL_OUT_VALUE);
+ msgContext.setProperty(WSHandlerConstants.SEND_SIGV, outMsgCtx
+ .getProperty(WSHandlerConstants.SEND_SIGV));
+ }
+ } catch (AxisFault e) {
+ throw new RampartException("errorGettingSignatureValuesForSigconf", e);
+ }
+ }
+
+ /**
+ * @return Returns the secHeader.
+ */
+ public WSSecHeader getSecHeader() {
+ return secHeader;
+ }
+
+ /**
+ * @param secHeader
+ * The secHeader to set.
+ */
+ public void setSecHeader(WSSecHeader secHeader) {
+ this.secHeader = secHeader;
+ }
+
+ /**
+ * @return Returns the issuedEncryptionTokenId.
+ */
+ public String getIssuedEncryptionTokenId() {
+ return issuedEncryptionTokenId;
+ }
+
+ /**
+ * @param issuedEncryptionTokenId The issuedEncryptionTokenId to set.
+ */
+ public void setIssuedEncryptionTokenId(String issuedEncryptionTokenId) {
+ this.issuedEncryptionTokenId = issuedEncryptionTokenId;
+ }
+
+ /**
+ * @return Returns the issuedSignatureTokenId.
+ */
+ public String getIssuedSignatureTokenId() {
+ if(this.isInitiator) {
+ return issuedSignatureTokenId;
+ } else {
+ //Pick the first SAML token
+ //TODO : This is a hack , MUST FIX
+ //get the sec context id from the req msg ctx
+ Vector results = (Vector)this.msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult = (WSHandlerResult) results.get(i);
+ Vector wsSecEngineResults = rResult.getResults();
+
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ WSSecurityEngineResult wser = (WSSecurityEngineResult) wsSecEngineResults
+ .get(j);
+ final Integer actInt =
+ (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if(WSConstants.ST_UNSIGNED == actInt.intValue()) {
+ final SAMLAssertion assertion =
+ ((SAMLAssertion) wser
+ .get(WSSecurityEngineResult.TAG_SAML_ASSERTION));
+ return assertion.getId();
+ }
+
+ }
+ }
+ return null;
+ }
+ }
+
+ /**
+ * @param issuedSignatureTokenId The issuedSignatureTokenId to set.
+ */
+ public void setIssuedSignatureTokenId(String issuedSignatureTokenId) {
+ this.issuedSignatureTokenId = issuedSignatureTokenId;
+ }
+
+ /**
+ * @return Returns the secConvTokenId.
+ */
+ public String getSecConvTokenId() {
+ String id = null;
+
+ if(this.isInitiator) {
+ String contextIdentifierKey = RampartUtil.getContextIdentifierKey(this.msgContext);
+ id = (String) RampartUtil.getContextMap(this.msgContext).get(contextIdentifierKey);
+ } else {
+ //get the sec context id from the req msg ctx
+ Vector results = (Vector)this.msgContext.getProperty(WSHandlerConstants.RECV_RESULTS);
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult = (WSHandlerResult) results.get(i);
+ Vector wsSecEngineResults = rResult.getResults();
+
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ WSSecurityEngineResult wser = (WSSecurityEngineResult) wsSecEngineResults
+ .get(j);
+ final Integer actInt =
+ (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if(WSConstants.SCT == actInt.intValue()) {
+ final SecurityContextToken sct =
+ ((SecurityContextToken) wser
+ .get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN));
+ id = sct.getID();
+ }
+
+ }
+ }
+ }
+
+ if(id == null || id.length() == 0) {
+ //If we can't find the sec conv token id up to this point then
+ //check if someone has specified which one to use
+ id = (String)this.msgContext.getProperty(SCT_ID);
+ }
+
+ return id;
+ }
+
+ /**
+ * @param secConvTokenId The secConvTokenId to set.
+ */
+ public void setSecConvTokenId(String secConvTokenId) {
+ String contextIdentifierKey = RampartUtil.getContextIdentifierKey(this.msgContext);
+ RampartUtil.getContextMap(this.msgContext).put(
+ contextIdentifierKey,
+ secConvTokenId);
+ }
+
+
+
+ /**
+ * @return Returns the tokenStorage.
+ */
+ public TokenStorage getTokenStorage() throws RampartException {
+
+ if(this.tokenStorage != null) {
+ return this.tokenStorage;
+ }
+
+ TokenStorage storage = (TokenStorage) this.msgContext.getProperty(
+ TokenStorage.TOKEN_STORAGE_KEY);
+
+ if (storage != null) {
+ this.tokenStorage = storage;
+ } else {
+
+ if (this.policyData.getRampartConfig() != null &&
+ this.policyData.getRampartConfig().getTokenStoreClass() != null) {
+ Class stClass = null;
+ String storageClass = this.policyData.getRampartConfig()
+ .getTokenStoreClass();
+ try {
+ stClass = Loader.loadClass(msgContext.getAxisService()
+ .getClassLoader(), storageClass);
+ } catch (ClassNotFoundException e) {
+ throw new RampartException(
+ "WSHandler: cannot load token storage class: "
+ + storageClass, e);
+ }
+ try {
+ this.tokenStorage = (TokenStorage) stClass.newInstance();
+ } catch (java.lang.Exception e) {
+ throw new RampartException(
+ "Cannot create instance of token storage: "
+ + storageClass, e);
+ }
+ } else {
+ this.tokenStorage = new SimpleTokenStore();
+
+ }
+
+ //Set the storage instance
+ this.msgContext.getConfigurationContext().setProperty(
+ TokenStorage.TOKEN_STORAGE_KEY, this.tokenStorage);
+ }
+
+
+ return tokenStorage;
+ }
+
+ /**
+ * @param tokenStorage The tokenStorage to set.
+ */
+ public void setTokenStorage(TokenStorage tokenStorage) {
+ this.tokenStorage = tokenStorage;
+ }
+
+ /**
+ * @return Returns the wstVersion.
+ */
+ public int getWstVersion() {
+ return wstVersion;
+ }
+
+ /**
+ * @param wstVersion The wstVersion to set.
+ * @deprecated This is defined by the class.
+ */
+ public void setWstVersion(int wstVersion) {
+ this.wstVersion = wstVersion;
+ }
+
+ /**
+ * @return Returns the secConvVersion.
+ */
+ public int getSecConvVersion() {
+ return secConvVersion;
+ }
+
+ /**
+ * @return Returns the servicePolicy.
+ */
+ public Policy getServicePolicy() {
+ return servicePolicy;
+ }
+
+ /**
+ * @param servicePolicy The servicePolicy to set.
+ * @deprecated servicePolicy determined in constructor
+ */
+ public void setServicePolicy(Policy servicePolicy) {
+ this.servicePolicy = servicePolicy;
+ }
+
+ /**
+ * @return Returns the timestampId.
+ */
+ public String getTimestampId() {
+ return timestampId;
+ }
+
+ /**
+ * @param timestampId The timestampId to set.
+ */
+ public void setTimestampId(String timestampId) {
+ this.timestampId = timestampId;
+ }
+
+ /**
+ * @return Returns the Initiator value
+ */
+ public boolean isInitiator() {
+ return isInitiator;
+ }
+
+ /**
+ * Returns the custom class loader if we are using one
+ * @return Returns the custom class loader if we are using one
+ */
+ public ClassLoader getCustomClassLoader() {
+ return customClassLoader;
+ }
+
+ /**
+ * Returns an <code>org.apache.ws.security.SOAPConstants</code> instance
+ * with soap version information of this request.
+ * @return Returns soap version information of this request
+ */
+ public SOAPConstants getSoapConstants() {
+ return soapConstants;
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/TokenCallbackHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/TokenCallbackHandler.java
new file mode 100644
index 0000000..d54fd42
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/TokenCallbackHandler.java
@@ -0,0 +1,103 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.rahas.EncryptedKeyToken;
+import org.apache.rahas.Token;
+import org.apache.rahas.TokenStorage;
+import org.apache.rahas.TrustException;
+import org.apache.ws.security.WSPasswordCallback;
+import org.w3c.dom.Element;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import java.io.IOException;
+
+
+public class TokenCallbackHandler implements CallbackHandler {
+
+ private TokenStorage store;
+ private CallbackHandler handler;
+
+ public TokenCallbackHandler(TokenStorage store, CallbackHandler handler) {
+ this.store = store;
+ this.handler = handler;
+ }
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+
+ for (int i = 0; i < callbacks.length; i++) {
+
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+ String id = pc.getIdentifer();
+
+ if((pc.getUsage() == WSPasswordCallback.SECURITY_CONTEXT_TOKEN ||
+ pc.getUsage() == WSPasswordCallback.CUSTOM_TOKEN) &&
+ this.store != null) {
+ Token tok;
+ try {
+ //Pick up the token from the token store
+ tok = this.store.getToken(id);
+ if(tok != null) {
+ //Get the secret and set it in the callback object
+ pc.setKey(tok.getSecret());
+ pc.setCustomToken((Element)tok.getToken());
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw new IOException(e.getMessage());
+ }
+ } else if (pc.getUsage() == WSPasswordCallback.ENCRYPTED_KEY_TOKEN){
+ try {
+ String[] tokenIdentifiers = this.store.getTokenIdentifiers();
+ Token tok;
+ for (int j = 0 ; j < tokenIdentifiers.length ; j++) {
+
+ tok = this.store.getToken(tokenIdentifiers[j]);
+
+ if (tok instanceof EncryptedKeyToken &&
+ ((EncryptedKeyToken)tok).getSHA1().equals(id)){
+ pc.setKey(tok.getSecret());
+ pc.setCustomToken((Element)tok.getToken());
+ }
+ }
+
+ } catch (TrustException e) {
+ e.printStackTrace();
+ throw new IOException(e.getMessage());
+ }
+ } else {
+ //Handle other types of callbacks with the usual handler
+ if(this.handler != null) {
+ handler.handle(new Callback[]{pc});
+ }
+ }
+
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i],
+ "Unrecognized Callback");
+ }
+ }
+ }
+
+
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/ValidatorData.java b/modules/rampart-core/src/main/java/org/apache/rampart/ValidatorData.java
new file mode 100644
index 0000000..cd7c76b
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/ValidatorData.java
@@ -0,0 +1,87 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.soap.SOAP11Constants;
+import org.apache.ws.security.WSConstants;
+import org.apache.xml.security.utils.EncryptionConstants;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import java.util.ArrayList;
+
+public class ValidatorData {
+
+ private RampartMessageData rmd;
+ ArrayList encryptedDataRefIds = new ArrayList();
+ private String bodyEncrDataId;
+
+ public ValidatorData(RampartMessageData rmd) {
+ this.rmd = rmd;
+ this.extractEncryptedPartInformation();
+ }
+
+ private void extractEncryptedPartInformation() {
+ Element start = rmd.getDocument().getDocumentElement();
+ if(start != null) {
+ extractEncryptedPartInformation(start);
+ }
+
+ }
+
+ private void extractEncryptedPartInformation(Element parent) {
+
+ NodeList childNodes = parent.getChildNodes();
+ Node node;
+ for (int i = 0; i < childNodes.getLength(); i++) {
+ node = childNodes.item(i);
+ if (node instanceof Element) {
+ Element elem = (Element) node;
+ if (elem.getNamespaceURI() != null
+ && elem.getNamespaceURI().equals(WSConstants.ENC_NS)
+ && elem.getLocalName().equals(
+ EncryptionConstants._TAG_ENCRYPTEDDATA)) {
+ if (parent.getLocalName().equals(
+ SOAP11Constants.BODY_LOCAL_NAME)
+ && parent.getNamespaceURI().equals(
+ rmd.getSoapConstants().getEnvelopeURI())) {
+ this.bodyEncrDataId = elem.getAttribute("Id");
+ } else {
+ encryptedDataRefIds.add(elem.getAttribute("Id"));
+ }
+ break;
+ } else {
+ extractEncryptedPartInformation(elem);
+ }
+ }
+ }
+ }
+
+ public ArrayList getEncryptedDataRefIds() {
+ return encryptedDataRefIds;
+ }
+
+ public RampartMessageData getRampartMessageData() {
+ return rmd;
+ }
+
+ public String getBodyEncrDataId() {
+ return bodyEncrDataId;
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java
new file mode 100644
index 0000000..6a9967f
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java
@@ -0,0 +1,732 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.builder;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.TrustException;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.RampartException;
+import org.apache.rampart.RampartMessageData;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.policy.model.RampartConfig;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.SPConstants;
+import org.apache.ws.secpolicy.model.AlgorithmSuite;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.message.WSSecDKEncrypt;
+import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncrypt;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.WSSecSignature;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Vector;
+
+public class AsymmetricBindingBuilder extends BindingBuilder {
+
+ private static Log log = LogFactory.getLog(AsymmetricBindingBuilder.class);
+ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
+ private boolean dotDebug = false;
+
+ private Token sigToken;
+
+ private WSSecSignature sig;
+
+ private WSSecEncryptedKey encrKey;
+
+ private String encryptedKeyId;
+
+ private byte[] encryptedKeyValue;
+
+ private Vector signatureValues = new Vector();
+
+ private Element encrTokenElement;
+
+ private Element sigDKTElement;
+
+ private Element encrDKTElement;
+
+ private Vector sigParts = new Vector();
+
+ private Element signatureElement;
+
+ public AsymmetricBindingBuilder(){
+ dotDebug = tlog.isDebugEnabled();
+ }
+
+ public void build(RampartMessageData rmd) throws RampartException {
+ log.debug("AsymmetricBindingBuilder build invoked");
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ if (rpd.isIncludeTimestamp()) {
+ this.addTimestamp(rmd);
+ }
+
+ if (SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
+ this.doEncryptBeforeSig(rmd);
+ } else {
+ this.doSignBeforeEncrypt(rmd);
+ }
+
+ log.debug("AsymmetricBindingBuilder build invoked : DONE");
+ }
+
+ private void doEncryptBeforeSig(RampartMessageData rmd)
+ throws RampartException {
+
+ long t0 = 0, t1 = 0, t2 = 0;
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+ RampartConfig config = rpd.getRampartConfig();
+
+ /*
+ * We need to hold on to these two element to use them as refence in the
+ * case of encypting the signature
+ */
+ Element encrDKTokenElem = null;
+ WSSecEncrypt encr = null;
+ Element refList = null;
+ WSSecDKEncrypt dkEncr = null;
+
+ /*
+ * We MUST use keys derived from the same token
+ */
+ Token encryptionToken = null;
+ if(rmd.isInitiator()) {
+ encryptionToken = rpd.getRecipientToken();
+ } else {
+ encryptionToken = rpd.getInitiatorToken();
+ }
+ Vector encrParts = RampartUtil.getEncryptedParts(rmd);
+
+ //Signed parts are determined before encryption because encrypted signed headers
+ //will not be included otherwise
+ this.sigParts = RampartUtil.getSignedParts(rmd);
+
+ if(encryptionToken == null && encrParts.size() > 0) {
+ throw new RampartException("encryptionTokenMissing");
+ }
+
+ if (encryptionToken != null && encrParts.size() > 0) {
+
+ //Check for RampartConfig assertion
+ if(rpd.getRampartConfig() == null) {
+ //We'er missing the extra info rampart needs
+ throw new RampartException("rampartConigMissing");
+ }
+
+ if (encryptionToken.isDerivedKeys()) {
+ try {
+ this.setupEncryptedKey(rmd, encryptionToken);
+ // Create the DK encryption builder
+ dkEncr = new WSSecDKEncrypt();
+ dkEncr.setParts(encrParts);
+ dkEncr.setExternalKey(this.encryptedKeyValue,
+ this.encryptedKeyId);
+ dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
+ dkEncr.prepare(doc);
+
+ // Get and add the DKT element
+ this.encrDKTElement = dkEncr.getdktElement();
+ encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
+
+ refList = dkEncr.encryptForExternalRef(null, encrParts);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorCreatingEncryptedKey", e);
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDKEncr", e);
+ }
+ } else {
+ try {
+ encr = new WSSecEncrypt();
+ encr.setParts(encrParts);
+ encr.setWsConfig(rmd.getConfig());
+ encr.setDocument(doc);
+ RampartUtil.setEncryptionUser(rmd, encr);
+ encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
+ RampartUtil.setKeyIdentifierType(rpd,encr, encryptionToken);
+ encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
+ encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));
+
+ Element bstElem = encr.getBinarySecurityTokenElement();
+ if (bstElem != null) {
+ RampartUtil.appendChildToSecHeader(rmd, bstElem);
+ }
+
+ this.encrTokenElement = encr.getEncryptedKeyElement();
+ this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
+ encrTokenElement);
+
+ refList = encr.encryptForExternalRef(null, encrParts);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+
+ RampartUtil.appendChildToSecHeader(rmd, refList);
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ this.setInsertionLocation(encrTokenElement);
+
+ RampartUtil.handleEncryptedSignedHeaders(encrParts, this.sigParts, doc);
+
+ HashMap sigSuppTokMap = null;
+ HashMap endSuppTokMap = null;
+ HashMap sgndEndSuppTokMap = null;
+ HashMap sgndEncSuppTokMap = null;
+ HashMap endEncSuppTokMap = null;
+ HashMap sgndEndEncSuppTokMap = null;
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(RampartUtil
+ .addWsuIdToElement((OMElement) this.timestampElement)));
+ }
+
+ if (rmd.isInitiator()) {
+
+ // Now add the supporting tokens
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+ sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
+
+ SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
+ endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
+
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
+
+ SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
+ sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
+
+ SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
+ endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
+
+ SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
+
+ SupportingToken supportingToks = rpd.getSupportingTokens();
+ this.handleSupportingTokens(rmd, supportingToks);
+
+ SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
+ this.handleSupportingTokens(rmd, encryptedSupportingToks);
+
+ //Setup signature parts
+ sigParts = addSignatureParts(sigSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
+
+ } else {
+ addSignatureConfirmation(rmd, sigParts);
+ }
+
+ if(( sigParts.size() > 0 &&
+ rmd.isInitiator() && rpd.getInitiatorToken() != null) ||
+ (!rmd.isInitiator() && rpd.getRecipientToken() != null)) {
+ this.doSignature(rmd);
+ }
+
+ if (rmd.isInitiator()) {
+
+ endSuppTokMap.putAll(endEncSuppTokMap);
+ // Do endorsed signatures
+ Vector endSigVals = this.doEndorsedSignatures(rmd,
+ endSuppTokMap);
+ for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+
+ sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
+ // Do signed endorsing signatures
+ Vector sigEndSigVals = this.doEndorsedSignatures(rmd,
+ sgndEndSuppTokMap);
+ for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+ }
+
+ if(dotDebug){
+ t2 = System.currentTimeMillis();
+ tlog.debug("Encryption took :" + (t1 - t0)
+ +", Signature tool :" + (t2 - t1) );
+ }
+
+ // Check for signature protection
+ if (rpd.isSignatureProtection() && this.mainSigId != null) {
+ long t3 = 0, t4 = 0;
+ if(dotDebug){
+ t3 = System.currentTimeMillis();
+ }
+ Vector secondEncrParts = new Vector();
+
+ // Now encrypt the signature using the above token
+ secondEncrParts.add(new WSEncryptionPart(this.mainSigId,
+ "Element"));
+
+ if(rmd.isInitiator()) {
+ for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
+ secondEncrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
+ }
+ }
+
+ Element secondRefList = null;
+
+ if (encryptionToken.isDerivedKeys()) {
+ try {
+
+ secondRefList = dkEncr.encryptForExternalRef(null,
+ secondEncrParts);
+ RampartUtil.insertSiblingAfter(rmd, encrDKTokenElem,
+ secondRefList);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorCreatingEncryptedKey",
+ e);
+ }
+ } else {
+ try {
+ // Encrypt, get hold of the ref list and add it
+ secondRefList = encr.encryptForExternalRef(null,
+ secondEncrParts);
+
+ // Insert the ref list after the encrypted key elem
+ this.setInsertionLocation(RampartUtil
+ .insertSiblingAfter(rmd, encrTokenElement,
+ secondRefList));
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+ if(dotDebug){
+ t4 = System.currentTimeMillis();
+ tlog.debug("Signature protection took :" + (t4 - t3));
+ }
+ }
+ }
+
+
+
+ }
+
+ private void doSignBeforeEncrypt(RampartMessageData rmd)
+ throws RampartException {
+
+ long t0 = 0, t1 = 0, t2 = 0;
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+
+ HashMap sigSuppTokMap = null;
+ HashMap endSuppTokMap = null;
+ HashMap sgndEndSuppTokMap = null;
+ HashMap sgndEncSuppTokMap = null;
+ HashMap endEncSuppTokMap = null;
+ HashMap sgndEndEncSuppTokMap = null;
+
+ sigParts = RampartUtil.getSignedParts(rmd);
+
+ //Add timestamp
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(RampartUtil
+ .addWsuIdToElement((OMElement) this.timestampElement)));
+ }else{
+ this.setInsertionLocation(null);
+ }
+
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+
+ if (rmd.isInitiator()) {
+
+ // Now add the supporting tokens
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+ sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
+
+ SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
+ endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
+
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
+
+ SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
+ sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
+
+ SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
+ endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
+
+ SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
+
+ SupportingToken supportingToks = rpd.getSupportingTokens();
+ this.handleSupportingTokens(rmd, supportingToks);
+
+ SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
+ this.handleSupportingTokens(rmd, encryptedSupportingToks);
+
+ //Setup signature parts
+ sigParts = addSignatureParts(sigSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
+
+ } else {
+ addSignatureConfirmation(rmd, sigParts);
+ }
+
+ if( sigParts.size() > 0 &&
+ ((rmd.isInitiator() && rpd.getInitiatorToken() != null) ||
+ (!rmd.isInitiator() && rpd.getRecipientToken() != null))) {
+ // Do signature
+ this.doSignature(rmd);
+ }
+
+ //Do endorsed signature
+
+ if (rmd.isInitiator()) {
+
+ // Adding the endorsing encrypted supporting tokens to endorsing supporting tokens
+ endSuppTokMap.putAll(endEncSuppTokMap);
+ // Do endorsed signatures
+ Vector endSigVals = this.doEndorsedSignatures(rmd,
+ endSuppTokMap);
+ for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+
+ //Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens
+ sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
+ // Do signed endorsing signatures
+ Vector sigEndSigVals = this.doEndorsedSignatures(rmd,
+ sgndEndSuppTokMap);
+ for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+ }
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ Vector encrParts = RampartUtil.getEncryptedParts(rmd);
+
+ //Check for signature protection
+ if(rpd.isSignatureProtection() && this.mainSigId != null) {
+ encrParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement((OMElement)this.signatureElement), "Element"));
+ }
+
+ if(rmd.isInitiator()) {
+ for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
+ encrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
+ }
+ }
+
+ //Do encryption
+ Token encrToken = rpd.getRecipientToken();
+ if(encrToken != null && encrParts.size() > 0) {
+ Element refList = null;
+ AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
+ if(encrToken.isDerivedKeys()) {
+
+ try {
+ WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
+
+ if(this.encrKey == null) {
+ this.setupEncryptedKey(rmd, encrToken);
+ }
+
+ dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+ dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ + WSConstants.ENC_KEY_VALUE_TYPE);
+ dkEncr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+ dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength()/8);
+ dkEncr.prepare(doc);
+
+
+ if(this.encrTokenElement != null) {
+ this.encrDKTElement = RampartUtil.insertSiblingAfter(
+ rmd, this.encrTokenElement, dkEncr.getdktElement());
+ } else {
+ this.encrDKTElement = RampartUtil.insertSiblingBefore(
+ rmd, this.sigDKTElement, dkEncr.getdktElement());
+ }
+
+ refList = dkEncr.encryptForExternalRef(null, encrParts);
+
+ RampartUtil.insertSiblingAfter(rmd,
+ this.encrDKTElement,
+ refList);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDKEncr", e);
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDKEncr", e);
+ }
+ } else {
+ try {
+
+ WSSecEncrypt encr = new WSSecEncrypt();
+
+ RampartUtil.setKeyIdentifierType(rpd, encr, encrToken);
+
+ encr.setWsConfig(rmd.getConfig());
+
+ encr.setDocument(doc);
+ RampartUtil.setEncryptionUser(rmd, encr);
+ encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+ encr.setKeyEncAlgo(algorithmSuite.getAsymmetricKeyWrap());
+ encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()));
+
+ if(this.timestampElement != null){
+ this.setInsertionLocation(this.timestampElement);
+ }else{
+ this.setInsertionLocation(null);
+ }
+
+ if(encr.getBSTTokenId() != null) {
+ this.setInsertionLocation(RampartUtil
+ .insertSiblingAfterOrPrepend(rmd,
+ this.getInsertionLocation(),
+ encr.getBinarySecurityTokenElement()));
+ }
+
+
+ Element encryptedKeyElement = encr.getEncryptedKeyElement();
+
+ //Encrypt, get hold of the ref list and add it
+ refList = encr.encryptForInternalRef(null, encrParts);
+
+ //Add internal refs
+ encryptedKeyElement.appendChild(refList);
+
+ this.setInsertionLocation(RampartUtil
+ .insertSiblingAfterOrPrepend(rmd,
+ this.getInsertionLocation(),
+ encryptedKeyElement));
+
+// RampartUtil.insertSiblingAfter(rmd,
+// this.getInsertionLocation(),
+// refList);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+ }
+
+ if(dotDebug){
+ t2 = System.currentTimeMillis();
+ tlog.debug("Signature took :" + (t1 - t0)
+ +", Encryption took :" + (t2 - t1) );
+ }
+
+ }
+
+ private void doSignature(RampartMessageData rmd) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+
+ long t0 = 0, t1 = 0;
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+ if(rmd.isInitiator()) {
+ sigToken = rpd.getInitiatorToken();
+ } else {
+ sigToken = rpd.getRecipientToken();
+ }
+
+ if (sigToken.isDerivedKeys()) {
+ // Set up the encrypted key to use
+ if(this.encrKey == null) {
+ setupEncryptedKey(rmd, sigToken);
+ }
+
+ WSSecDKSign dkSign = new WSSecDKSign();
+ dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+
+ // Set the algo info
+ dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite()
+ .getSymmetricSignature());
+ dkSign.setDerivedKeyLength(rpd.getAlgorithmSuite()
+ .getSignatureDerivedKeyLength() / 8);
+ dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ + WSConstants.ENC_KEY_VALUE_TYPE);
+ try {
+ dkSign.prepare(doc, rmd.getSecHeader());
+
+ if (rpd.isTokenProtection()) {
+ sigParts.add(new WSEncryptionPart(encrKey.getId()));
+ }
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ // Do signature
+ dkSign.computeSignature();
+
+ ;
+ // Add elements to header
+ this.sigDKTElement = RampartUtil.insertSiblingAfter(rmd,
+ this.getInsertionLocation(), dkSign.getdktElement());
+ this.setInsertionLocation(this.sigDKTElement);
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
+ this.getInsertionLocation(), dkSign
+ .getSignatureElement()));
+
+ this.mainSigId = RampartUtil
+ .addWsuIdToElement((OMElement) dkSign
+ .getSignatureElement());
+
+ signatureValues.add(dkSign.getSignatureValue());
+
+ signatureElement = dkSign.getSignatureElement();
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDerivedKeyTokenSignature", e);
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDerivedKeyTokenSignature", e);
+ }
+
+ } else {
+ sig = this.getSignatureBuider(rmd, sigToken);
+ Element bstElem = sig.getBinarySecurityTokenElement();
+ if(bstElem != null) {
+ bstElem = RampartUtil.insertSiblingAfter(rmd, this
+ .getInsertionLocation(), bstElem);
+ this.setInsertionLocation(bstElem);
+ }
+
+ if (rmd.getPolicyData().isTokenProtection()
+ && sig.getBSTTokenId() != null) {
+ sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+ }
+
+ try {
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+ sig.computeSignature();
+
+ signatureElement = sig.getSignatureElement();
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd, this.getInsertionLocation(), signatureElement));
+
+ this.mainSigId = RampartUtil.addWsuIdToElement((OMElement) signatureElement);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
+ }
+ signatureValues.add(sig.getSignatureValue());
+ }
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ tlog.debug("Signature took :" + (t1 - t0));
+ }
+
+ }
+
+ /**
+ * @param rmd
+ * @throws RampartException
+ */
+ private void setupEncryptedKey(RampartMessageData rmd, Token token)
+ throws RampartException {
+ if(!rmd.isInitiator() && token.isDerivedKeys()) {
+
+ //If we already have them, simply return
+ if(this.encryptedKeyId != null && this.encryptedKeyValue != null) {
+ return;
+ }
+
+ //Use the secret from the incoming EncryptedKey element
+ Object resultsObj = rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
+ if(resultsObj != null) {
+ encryptedKeyId = RampartUtil.getRequestEncryptedKeyId((Vector)resultsObj);
+ encryptedKeyValue = RampartUtil.getRequestEncryptedKeyValue((Vector)resultsObj);
+
+ //In the case where we don't have the EncryptedKey in the
+ //request, for the control to have reached this state,
+ //the scenario MUST be a case where this is the response
+ //message by a listener created for an async client
+ //Therefor we will create a new EncryptedKey
+ if(encryptedKeyId == null && encryptedKeyValue == null) {
+ createEncryptedKey(rmd, token);
+ }
+ } else {
+ throw new RampartException("noSecurityResults");
+ }
+ } else {
+ createEncryptedKey(rmd, token);
+ }
+
+ }
+
+ /**
+ * Create an encrypted key element
+ * @param rmd
+ * @param token
+ * @throws RampartException
+ */
+ private void createEncryptedKey(RampartMessageData rmd, Token token) throws RampartException {
+ //Set up the encrypted key to use
+ encrKey = this.getEncryptedKeyBuilder(rmd, token);
+
+ Element bstElem = encrKey.getBinarySecurityTokenElement();
+ if (bstElem != null) {
+ // If a BST is available then use it
+ RampartUtil.appendChildToSecHeader(rmd, bstElem);
+ }
+
+ // Add the EncryptedKey
+ encrTokenElement = encrKey.getEncryptedKeyElement();
+ this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
+ encrTokenElement);
+ encryptedKeyValue = encrKey.getEphemeralKey();
+ encryptedKeyId = encrKey.getId();
+
+ //Store the token for client - response verification
+ // and server - response creation
+ try {
+ org.apache.rahas.Token tok = new org.apache.rahas.Token(
+ encryptedKeyId, (OMElement)encrTokenElement , null, null);
+ tok.setSecret(encryptedKeyValue);
+ rmd.getTokenStorage().add(tok);
+ } catch (TrustException e) {
+ throw new RampartException("errorInAddingTokenIntoStore", e);
+ }
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
new file mode 100644
index 0000000..80e1255
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/BindingBuilder.java
@@ -0,0 +1,781 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.builder;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axis2.client.Options;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.EncryptedKeyToken;
+import org.apache.rahas.SimpleTokenStore;
+import org.apache.rahas.TrustException;
+import org.apache.rampart.RampartException;
+import org.apache.rampart.RampartMessageData;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.Constants;
+import org.apache.ws.secpolicy.SPConstants;
+import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.SecureConversationToken;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecSignatureConfirmation;
+import org.apache.ws.security.message.WSSecTimestamp;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Set;
+import java.util.Vector;
+import java.util.Map.Entry;
+
+public abstract class BindingBuilder {
+ private static Log log = LogFactory.getLog(BindingBuilder.class);
+
+ private Element insertionLocation;
+
+ protected String mainSigId = null;
+
+ protected ArrayList encryptedTokensIdList = new ArrayList();
+
+ protected Element timestampElement;
+
+ protected Element mainRefListElement;
+
+
+ /**
+ * @param rmd
+ */
+ protected void addTimestamp(RampartMessageData rmd) {
+ log.debug("Adding timestamp");
+
+ WSSecTimestamp timestampBuilder = new WSSecTimestamp();
+ timestampBuilder.setWsConfig(rmd.getConfig());
+
+ timestampBuilder.setTimeToLive(RampartUtil.getTimeToLive(rmd));
+
+ // add the Timestamp to the SOAP Enevelope
+
+ timestampBuilder.build(rmd.getDocument(), rmd
+ .getSecHeader());
+
+ log.debug("Timestamp id: " + timestampBuilder.getId());
+
+ rmd.setTimestampId(timestampBuilder.getId());
+
+ this.timestampElement = timestampBuilder.getElement();
+ log.debug("Adding timestamp: DONE");
+ }
+
+ /**
+ * Add a UsernameToken to the security header
+ * @param rmd
+ * @return The <code>WSSecUsernameToken</code> instance
+ * @throws RampartException
+ */
+ protected WSSecUsernameToken addUsernameToken(RampartMessageData rmd, UsernameToken token) throws RampartException {
+
+ log.debug("Adding a UsernameToken");
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ //Get the user
+ //First try options
+ Options options = rmd.getMsgContext().getOptions();
+ String user = options.getUserName();
+ if(user == null || user.length() == 0) {
+ //Then try RampartConfig
+ if(rpd.getRampartConfig() != null) {
+ user = rpd.getRampartConfig().getUser();
+ }
+ }
+
+ if(user != null && !"".equals(user)) {
+ log.debug("User : " + user);
+
+ // If NoPassword property is set we don't need to set the password
+ if (token.isNoPassword()) {
+ WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+ utBuilder.setUserInfo(user, null);
+ utBuilder.setPasswordType(null);
+ if (rmd.getConfig() != null) {
+ utBuilder.setWsConfig(rmd.getConfig());
+ }
+ return utBuilder;
+ }
+
+ //Get the password
+
+ //First check options object for a password
+ String password = options.getPassword();
+
+ if(password == null || password.length() == 0) {
+
+ //Then try to get the password from the given callback handler
+ CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+ if(handler == null) {
+ //If the callback handler is missing
+ throw new RampartException("cbHandlerMissing");
+ }
+
+ WSPasswordCallback[] cb = { new WSPasswordCallback(user,
+ WSPasswordCallback.USERNAME_TOKEN) };
+ try {
+ handler.handle(cb);
+ } catch (Exception e) {
+ throw new RampartException("errorInGettingPasswordForUser",
+ new String[]{user}, e);
+ }
+
+ //get the password
+ password = cb[0].getPassword();
+ }
+
+ log.debug("Password : " + password);
+
+ if(password != null && !"".equals(password)) {
+ //If the password is available then build the token
+
+ WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+ if(rmd.getConfig() != null) {
+ utBuilder.setWsConfig(rmd.getConfig());
+ }
+ if (token.isHashPassword()) {
+ utBuilder.setPasswordType(WSConstants.PASSWORD_DIGEST);
+ } else {
+ utBuilder.setPasswordType(WSConstants.PASSWORD_TEXT);
+ }
+
+ utBuilder.setUserInfo(user, password);
+
+ return utBuilder;
+ } else {
+ //If there's no password then throw an exception
+ throw new RampartException("noPasswordForUser",
+ new String[]{user});
+ }
+
+ } else {
+ log.debug("No user value specified in the configuration");
+ throw new RampartException("userMissing");
+ }
+
+ }
+
+
+ /**
+ * @param rmd
+ * @param token
+ * @return
+ * @throws WSSecurityException
+ * @throws RampartException
+ */
+ protected WSSecEncryptedKey getEncryptedKeyBuilder(RampartMessageData rmd, Token token) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+
+ WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+
+ try {
+ RampartUtil.setKeyIdentifierType(rpd, encrKey, token);
+ RampartUtil.setEncryptionUser(rmd, encrKey);
+ encrKey.setKeySize(rpd.getAlgorithmSuite().getMaximumSymmetricKeyLength());
+ encrKey.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
+
+ encrKey.prepare(doc, RampartUtil.getEncryptionCrypto(rpd.getRampartConfig(), rmd.getCustomClassLoader()));
+
+ return encrKey;
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorCreatingEncryptedKey", e);
+ }
+ }
+
+
+ protected WSSecSignature getSignatureBuider(RampartMessageData rmd, Token token) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ WSSecSignature sig = new WSSecSignature();
+ checkForX509PkiPath(sig, token);
+ sig.setWsConfig(rmd.getConfig());
+
+ log.debug("Token inclusion: " + token.getInclusion());
+
+ RampartUtil.setKeyIdentifierType(rpd, sig, token);
+
+ String user = null;
+
+ // Get the user - First check whether userCertAlias present
+ user = rpd.getRampartConfig().getUserCertAlias();
+
+ // If userCertAlias is not present, use user property as Alias
+
+ if (user == null) {
+ user = rpd.getRampartConfig().getUser();
+ }
+
+ String password = null;
+
+ if(user != null && !"".equals(user)) {
+ log.debug("User : " + user);
+
+ //Get the password
+ CallbackHandler handler = RampartUtil.getPasswordCB(rmd);
+
+ if(handler == null) {
+ //If the callback handler is missing
+ throw new RampartException("cbHandlerMissing");
+ }
+
+ WSPasswordCallback[] cb = { new WSPasswordCallback(user,
+ WSPasswordCallback.SIGNATURE) };
+
+ try {
+ handler.handle(cb);
+ if(cb[0].getPassword() != null && !"".equals(cb[0].getPassword())) {
+ password = cb[0].getPassword();
+ log.debug("Password : " + password);
+ } else {
+ //If there's no password then throw an exception
+ throw new RampartException("noPasswordForUser",
+ new String[]{user});
+ }
+ } catch (IOException e) {
+ throw new RampartException("errorInGettingPasswordForUser",
+ new String[]{user}, e);
+ } catch (UnsupportedCallbackException e) {
+ throw new RampartException("errorInGettingPasswordForUser",
+ new String[]{user}, e);
+ }
+
+ } else {
+ log.debug("No user value specified in the configuration");
+ throw new RampartException("userMissing");
+ }
+
+ sig.setUserInfo(user, password);
+ sig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSigCanonicalization(rpd.getAlgorithmSuite().getInclusiveC14n());
+
+ try {
+ sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()),
+ rmd.getSecHeader());
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
+ }
+
+ return sig;
+ }
+
+ /**
+ * @param rmd
+ * @param suppTokens
+ * @throws RampartException
+ */
+ protected HashMap handleSupportingTokens(RampartMessageData rmd, SupportingToken suppTokens)
+ throws RampartException {
+
+ //Create the list to hold the tokens
+ HashMap endSuppTokMap = new HashMap();
+
+ if(suppTokens != null && suppTokens.getTokens() != null &&
+ suppTokens.getTokens().size() > 0) {
+ log.debug("Processing supporting tokens");
+
+ ArrayList tokens = suppTokens.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ org.apache.rahas.Token endSuppTok = null;
+ if(token instanceof IssuedToken && rmd.isInitiator()){
+ String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
+ try {
+ endSuppTok = rmd.getTokenStorage().getToken(id);
+ } catch (TrustException e) {
+ throw new RampartException("errorInRetrievingTokenId",
+ new String[]{id}, e);
+ }
+
+ if(endSuppTok == null) {
+ throw new RampartException("errorInRetrievingTokenId",
+ new String[]{id});
+ }
+
+ //Add the token to the header
+ Element siblingElem = RampartUtil
+ .insertSiblingAfter(rmd, this.getInsertionLocation(),
+ (Element) endSuppTok.getToken());
+ this.setInsertionLocation(siblingElem);
+
+ if (suppTokens.isEncryptedToken()) {
+ this.encryptedTokensIdList.add(endSuppTok.getId());
+ }
+
+ //Add the extracted token
+ endSuppTokMap.put(token, endSuppTok);
+
+ } else if(token instanceof X509Token) {
+
+ //We have to use a cert
+ //Prepare X509 signature
+ WSSecSignature sig = this.getSignatureBuider(rmd, token);
+ Element bstElem = sig.getBinarySecurityTokenElement();
+ if(bstElem != null) {
+ bstElem = RampartUtil.insertSiblingAfter(rmd,
+ this.getInsertionLocation(), bstElem);
+ this.setInsertionLocation(bstElem);
+
+ if (suppTokens.isEncryptedToken()) {
+ this.encryptedTokensIdList.add(sig.getBSTTokenId());
+ }
+ }
+ endSuppTokMap.put(token, sig);
+
+ } else if(token instanceof UsernameToken) {
+ WSSecUsernameToken utBuilder = addUsernameToken(rmd, (UsernameToken)token);
+
+ utBuilder.prepare(rmd.getDocument());
+
+ //Add the UT
+ Element elem = utBuilder.getUsernameTokenElement();
+ RampartUtil.insertSiblingAfter(rmd, this.getInsertionLocation(), elem);
+
+ encryptedTokensIdList.add(utBuilder.getId());
+
+ //Move the insert location to the next element
+ this.setInsertionLocation(elem);
+ Date now = new Date();
+ try {
+ org.apache.rahas.Token tempTok = new org.apache.rahas.Token(
+ utBuilder.getId(), (OMElement) elem, now,
+ new Date(now.getTime() + 300000));
+ endSuppTokMap.put(token, tempTok);
+ } catch (TrustException e) {
+ throw new RampartException("errorCreatingRahasToken", e);
+ }
+ }
+ }
+ }
+
+ return endSuppTokMap;
+ }
+ /**
+ * @param tokenMap
+ * @param sigParts
+ * @throws RampartException
+ */
+ protected Vector addSignatureParts(HashMap tokenMap, Vector sigParts) throws RampartException {
+
+ Set entrySet = tokenMap.entrySet();
+
+ for (Iterator iter = entrySet.iterator(); iter.hasNext();) {
+ Object tempTok = ((Entry)iter.next()).getValue();
+ WSEncryptionPart part = null;
+
+ if(tempTok instanceof org.apache.rahas.Token) {
+
+ part = new WSEncryptionPart(
+ ((org.apache.rahas.Token) tempTok).getId());
+
+ } else if(tempTok instanceof WSSecSignature) {
+ WSSecSignature tempSig = (WSSecSignature) tempTok;
+ if(tempSig.getBSTTokenId() != null) {
+ part = new WSEncryptionPart(tempSig.getBSTTokenId());
+ }
+ } else {
+
+ throw new RampartException("UnsupportedTokenInSupportingToken");
+ }
+ sigParts.add(part);
+ }
+
+ return sigParts;
+ }
+
+
+ public Element getInsertionLocation() {
+ return insertionLocation;
+ }
+
+ public void setInsertionLocation(Element insertionLocation) {
+ this.insertionLocation = insertionLocation;
+ }
+
+
+ protected Vector doEndorsedSignatures(RampartMessageData rmd, HashMap tokenMap) throws RampartException {
+
+ Set tokenSet = tokenMap.keySet();
+
+ Vector sigValues = new Vector();
+
+ for (Iterator iter = tokenSet.iterator(); iter.hasNext();) {
+
+ Token token = (Token)iter.next();
+
+ Object tempTok = tokenMap.get(token);
+
+ Vector sigParts = new Vector();
+ sigParts.add(new WSEncryptionPart(this.mainSigId));
+
+ if (tempTok instanceof org.apache.rahas.Token) {
+ org.apache.rahas.Token tok = (org.apache.rahas.Token)tempTok;
+ if(rmd.getPolicyData().isTokenProtection()) {
+ sigParts.add(new WSEncryptionPart(tok.getId()));
+ }
+
+ this.doSymmSignature(rmd, token, (org.apache.rahas.Token)tempTok, sigParts);
+
+ } else if (tempTok instanceof WSSecSignature) {
+ WSSecSignature sig = (WSSecSignature)tempTok;
+ if(rmd.getPolicyData().isTokenProtection() &&
+ sig.getBSTTokenId() != null) {
+ sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+ }
+
+ try {
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+ sig.computeSignature();
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ sig.getSignatureElement()));
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
+ }
+ sigValues.add(sig.getSignatureValue());
+ }
+ }
+
+ return sigValues;
+
+ }
+
+
+ protected byte[] doSymmSignature(RampartMessageData rmd, Token policyToken, org.apache.rahas.Token tok, Vector sigParts) throws RampartException {
+
+ Document doc = rmd.getDocument();
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ if(policyToken.isDerivedKeys()) {
+ try {
+ WSSecDKSign dkSign = new WSSecDKSign();
+
+ //Check for whether the token is attached in the message or not
+ boolean attached = false;
+
+ if (SPConstants.INCLUDE_TOEKN_ALWAYS == policyToken.getInclusion() ||
+ SPConstants.INCLUDE_TOKEN_ONCE == policyToken.getInclusion() ||
+ (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
+ == policyToken.getInclusion())) {
+ attached = true;
+ }
+
+ // Setting the AttachedReference or the UnattachedReference according to the flag
+ OMElement ref;
+ if (attached == true) {
+ ref = tok.getAttachedReference();
+ } else {
+ ref = tok.getUnattachedReference();
+ }
+
+ if(ref != null) {
+ dkSign.setExternalKey(tok.getSecret(), (Element)
+ doc.importNode((Element) ref, true));
+ } else if (!rmd.isInitiator() && policyToken.isDerivedKeys()) {
+
+ // If the Encrypted key used to create the derived key is not
+ // attached use key identifier as defined in WSS1.1 section
+ // 7.7 Encrypted Key reference
+ SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
+ if(tok instanceof EncryptedKeyToken) {
+ tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken)tok).getSHA1());;
+ }
+ dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+
+ } else {
+ dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ }
+
+ //Set the algo info
+ dkSign.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+ dkSign.setDerivedKeyLength(rpd.getAlgorithmSuite().getSignatureDerivedKeyLength()/8);
+ if(tok instanceof EncryptedKeyToken) {
+ //Set the value type of the reference
+ dkSign.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ + WSConstants.ENC_KEY_VALUE_TYPE);
+ }
+
+ dkSign.prepare(doc, rmd.getSecHeader());
+
+ if(rpd.isTokenProtection()) {
+
+ //Hack to handle reference id issues
+ //TODO Need a better fix
+ String sigTokId = tok.getId();
+ if(sigTokId.startsWith("#")) {
+ sigTokId = sigTokId.substring(1);
+ }
+ sigParts.add(new WSEncryptionPart(sigTokId));
+ }
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSign.computeSignature();
+
+ //Add elements to header
+
+ if (rpd.getProtectionOrder().equals(SPConstants.ENCRYPT_BEFORE_SIGNING) &&
+ this.getInsertionLocation() == null ) {
+ this.setInsertionLocation(RampartUtil
+
+ .insertSiblingBefore(rmd,
+ this.mainRefListElement,
+ dkSign.getdktElement()));
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ dkSign.getSignatureElement()));
+ } else {
+ this.setInsertionLocation(RampartUtil
+
+ .insertSiblingAfter(rmd,
+ this.getInsertionLocation(),
+ dkSign.getdktElement()));
+
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ dkSign.getSignatureElement()));
+ }
+
+ return dkSign.getSignatureValue();
+
+ } catch (ConversationException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ }
+ } else {
+ try {
+ WSSecSignature sig = new WSSecSignature();
+ sig.setWsConfig(rmd.getConfig());
+
+ // If a EncryptedKeyToken is used, set the correct value type to
+ // be used in the wsse:Reference in ds:KeyInfo
+ if(policyToken instanceof X509Token) {
+ if (rmd.isInitiator()) {
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
+ + WSConstants.ENC_KEY_VALUE_TYPE);
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ } else {
+ //the tok has to be an EncryptedKey token
+ sig.setEncrKeySha1value(((EncryptedKeyToken)tok).getSHA1());
+ sig.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ }
+
+ } else {
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS
+ + WSConstants.SAML_ASSERTION_ID);
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ }
+
+ String sigTokId;
+
+ if ( policyToken instanceof SecureConversationToken) {
+ OMElement ref = tok.getAttachedReference();
+ if(ref == null) {
+ ref = tok.getUnattachedReference();
+ }
+
+ if (ref != null) {
+ sigTokId = SimpleTokenStore.getIdFromSTR(ref);
+ } else {
+ sigTokId = tok.getId();
+ }
+ } else {
+ sigTokId = tok.getId();
+ }
+
+ //Hack to handle reference id issues
+ //TODO Need a better fix
+ if(sigTokId.startsWith("#")) {
+ sigTokId = sigTokId.substring(1);
+ }
+
+ sig.setCustomTokenId(sigTokId);
+ sig.setSecretKey(tok.getSecret());
+ sig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+ sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()),
+ rmd.getSecHeader());
+
+ sig.setParts(sigParts);
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ sig.computeSignature();
+
+ if (rpd.getProtectionOrder().equals(SPConstants.ENCRYPT_BEFORE_SIGNING) &&
+ this.getInsertionLocation() == null) {
+ this.setInsertionLocation(RampartUtil.insertSiblingBefore(
+ rmd,
+ this.mainRefListElement,
+ sig.getSignatureElement()));
+ } else {
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ sig.getSignatureElement()));
+ }
+
+ return sig.getSignatureValue();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithACustomToken", e);
+ }
+
+ }
+ }
+
+
+ /**
+ * Get hold of the token from the token storage
+ * @param rmd
+ * @param tokenId
+ * @return token from the token storage
+ * @throws RampartException
+ */
+ protected org.apache.rahas.Token getToken(RampartMessageData rmd,
+ String tokenId) throws RampartException {
+ org.apache.rahas.Token tok = null;
+ try {
+ tok = rmd.getTokenStorage().getToken(tokenId);
+ } catch (TrustException e) {
+ throw new RampartException("errorInRetrievingTokenId",
+ new String[]{tokenId}, e);
+ }
+
+ if(tok == null) {
+ throw new RampartException("errorInRetrievingTokenId",
+ new String[]{tokenId});
+ }
+ return tok;
+ }
+
+
+ protected void addSignatureConfirmation(RampartMessageData rmd, Vector sigParts) {
+
+ if(!rmd.getPolicyData().isSignatureConfirmation()) {
+
+ //If we don't require sig confirmation simply go back :-)
+ return;
+ }
+
+ Document doc = rmd.getDocument();
+
+ Vector results = (Vector)rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
+ /*
+ * loop over all results gathered by all handlers in the chain. For each
+ * handler result get the various actions. After that loop we have all
+ * signature results in the signatureActions vector
+ */
+ Vector signatureActions = new Vector();
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult wshResult = (WSHandlerResult) results.get(i);
+
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.SIGN, signatureActions);
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.ST_SIGNED, signatureActions);
+ WSSecurityUtil.fetchAllActionResults(wshResult.getResults(),
+ WSConstants.UT_SIGN, signatureActions);
+ }
+
+ // prepare a SignatureConfirmation token
+ WSSecSignatureConfirmation wsc = new WSSecSignatureConfirmation();
+ if (signatureActions.size() > 0) {
+ if (log.isDebugEnabled()) {
+ log.debug("Signature Confirmation: number of Signature results: "
+ + signatureActions.size());
+ }
+ for (int i = 0; i < signatureActions.size(); i++) {
+ WSSecurityEngineResult wsr = (WSSecurityEngineResult) signatureActions
+ .get(i);
+ byte[] sigVal = (byte[]) wsr.get(WSSecurityEngineResult.TAG_SIGNATURE_VALUE);
+ wsc.setSignatureValue(sigVal);
+ wsc.prepare(doc);
+ RampartUtil.appendChildToSecHeader(rmd, wsc.getSignatureConfirmationElement());
+ if(sigParts != null) {
+ sigParts.add(new WSEncryptionPart(wsc.getId()));
+ }
+ }
+ } else {
+ //No Sig value
+ wsc.prepare(doc);
+ RampartUtil.appendChildToSecHeader(rmd, wsc.getSignatureConfirmationElement());
+ if(sigParts != null) {
+ sigParts.add(new WSEncryptionPart(wsc.getId()));
+ }
+ }
+ }
+ private void checkForX509PkiPath(WSSecSignature sig, Token token){
+ if (token instanceof X509Token) {
+ X509Token x509Token = (X509Token) token;
+ if (x509Token.getTokenVersionAndType().equals(Constants.WSS_X509_PKI_PATH_V1_TOKEN10)
+ || x509Token.getTokenVersionAndType().equals(Constants.WSS_X509_PKI_PATH_V1_TOKEN11)) {
+ sig.setUseSingleCertificate(false);
+ }
+ }
+ }
+
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java
new file mode 100644
index 0000000..eb7d531
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java
@@ -0,0 +1,918 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.builder;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axis2.context.MessageContext;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.EncryptedKeyToken;
+import org.apache.rahas.RahasConstants;
+import org.apache.rahas.TrustException;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.RampartException;
+import org.apache.rampart.RampartMessageData;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.SPConstants;
+import org.apache.ws.secpolicy.model.AlgorithmSuite;
+import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.SecureConversationToken;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.WSSecDKEncrypt;
+import org.apache.ws.security.message.WSSecEncrypt;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.token.SecurityTokenReference;
+import org.apache.ws.security.util.Base64;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Vector;
+
+
+public class SymmetricBindingBuilder extends BindingBuilder {
+
+ private static Log log = LogFactory.getLog(SymmetricBindingBuilder.class);
+ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
+ private boolean dotDebug = false;
+
+
+ public SymmetricBindingBuilder(){
+ dotDebug = tlog.isDebugEnabled();
+ }
+
+ public void build(RampartMessageData rmd) throws RampartException {
+
+ log.debug("SymmetricBindingBuilder build invoked");
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ if(rpd.isIncludeTimestamp()) {
+ this.addTimestamp(rmd);
+ }
+
+ if(rmd.isInitiator()) {
+ //Setup required tokens
+ initializeTokens(rmd);
+ }
+
+
+ if(SPConstants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
+ this.doEncryptBeforeSig(rmd);
+ } else {
+ this.doSignBeforeEncrypt(rmd);
+ }
+
+
+ log.debug("SymmetricBindingBuilder build invoked : DONE");
+
+ }
+
+ private void doEncryptBeforeSig(RampartMessageData rmd) throws RampartException {
+
+ long t0 = 0, t1 = 0, t2 = 0;
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ Vector signatureValues = new Vector();
+
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+
+ Token encryptionToken = rpd.getEncryptionToken();
+ Vector encrParts = RampartUtil.getEncryptedParts(rmd);
+
+ Vector sigParts = RampartUtil.getSignedParts(rmd);
+
+ if(encryptionToken == null && encrParts.size() > 0) {
+ throw new RampartException("encryptionTokenMissing");
+ }
+
+ if(encryptionToken != null && encrParts.size() > 0) {
+ //The encryption token can be an IssuedToken or a
+ //SecureConversationToken
+ String tokenId = null;
+ org.apache.rahas.Token tok = null;
+
+ if(encryptionToken instanceof IssuedToken) {
+ tokenId = rmd.getIssuedEncryptionTokenId();
+ log.debug("Issued EncryptionToken Id : " + tokenId);
+ } else if(encryptionToken instanceof SecureConversationToken) {
+ tokenId = rmd.getSecConvTokenId();
+ log.debug("SCT Id : " + tokenId);
+ } else if (encryptionToken instanceof X509Token) {
+ if (rmd.isInitiator()) {
+ tokenId = setupEncryptedKey(rmd, encryptionToken);
+ } else {
+ tokenId = getEncryptedKey(rmd);
+ }
+ } //TODO SAMLToken
+
+ if(tokenId == null || tokenId.length() == 0) {
+ throw new RampartException("noSecurityToken");
+ }
+
+ //Hack to handle reference id issues
+ //TODO Need a better fix
+ if(tokenId.startsWith("#")) {
+ tokenId = tokenId.substring(1);
+ }
+
+ /*
+ * Get hold of the token from the token storage
+ */
+ tok = this.getToken(rmd, tokenId);
+
+ /*
+ * Attach the token into the message based on token inclusion
+ * values
+ */
+ boolean attached = false;
+ Element encrTokenElement = null;
+ Element refList = null;
+ WSSecDKEncrypt dkEncr = null;
+ WSSecEncrypt encr = null;
+ Element encrDKTokenElem = null;
+
+ if(SPConstants.INCLUDE_TOEKN_ALWAYS == encryptionToken.getInclusion() ||
+ SPConstants.INCLUDE_TOKEN_ONCE == encryptionToken.getInclusion() ||
+ (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encryptionToken.getInclusion())) {
+ encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
+ attached = true;
+ } else if(encryptionToken instanceof X509Token && rmd.isInitiator()) {
+ encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, tok.getToken());
+ }
+
+ Document doc = rmd.getDocument();
+
+ AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
+ if(encryptionToken.isDerivedKeys()) {
+ log.debug("Use drived keys");
+
+ dkEncr = new WSSecDKEncrypt();
+
+ if(attached && tok.getAttachedReference() != null) {
+
+ dkEncr.setExternalKey(tok.getSecret(), (Element) doc
+ .importNode((Element) tok.getAttachedReference(),
+ true));
+
+ } else if(tok.getUnattachedReference() != null) {
+ dkEncr.setExternalKey(tok.getSecret(), (Element) doc
+ .importNode((Element) tok.getUnattachedReference(),
+ true));
+ } else {
+ dkEncr.setExternalKey(tok.getSecret(), tok.getId());
+ }
+ try {
+ dkEncr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+ dkEncr.setDerivedKeyLength(algorithmSuite.getEncryptionDerivedKeyLength()/8);
+ dkEncr.prepare(doc);
+ encrDKTokenElem = dkEncr.getdktElement();
+ RampartUtil.appendChildToSecHeader(rmd, encrDKTokenElem);
+
+ refList = dkEncr.encryptForExternalRef(null, encrParts);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDKEncr");
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDKEncr");
+ }
+ } else {
+ log.debug("NO derived keys, use the shared secret");
+ encr = new WSSecEncrypt();
+
+ encr.setWsConfig(rmd.getConfig());
+ encr.setEncKeyId(tokenId);
+ RampartUtil.setEncryptionUser(rmd, encr);
+ encr.setEphemeralKey(tok.getSecret());
+ encr.setDocument(doc);
+ encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
+ // SymmKey is already encrypted, no need to do it again
+ encr.setEncryptSymmKey(false);
+ if (!rmd.isInitiator() && tok instanceof EncryptedKeyToken) {
+ encr.setUseKeyIdentifier(true);
+ encr.setCustomReferenceValue(((EncryptedKeyToken)tok).getSHA1());
+ encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ }
+
+ try {
+
+ encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()));
+ //Encrypt, get hold of the ref list and add it
+ refList = encr.encryptForExternalRef(null, encrParts);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+
+ this.mainRefListElement = RampartUtil.appendChildToSecHeader(rmd, refList);
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ // Sometimes encryption token is not included in the the message
+ if (encrTokenElement != null) {
+ this.setInsertionLocation(encrTokenElement);
+ } else if (timestampElement != null) {
+ this.setInsertionLocation(timestampElement);
+ }
+
+ RampartUtil.handleEncryptedSignedHeaders(encrParts, sigParts, doc);
+
+ HashMap sigSuppTokMap = null;
+ HashMap endSuppTokMap = null;
+ HashMap sgndEndSuppTokMap = null;
+ HashMap sgndEncSuppTokMap = null;
+ HashMap endEncSuppTokMap = null;
+ HashMap sgndEndEncSuppTokMap = null;
+
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(RampartUtil
+ .addWsuIdToElement((OMElement) this.timestampElement)));
+ }
+
+ if(rmd.isInitiator()) {
+
+ // Now add the supporting tokens
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+ sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
+
+ SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
+ endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
+
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
+
+ SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
+ sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
+
+ SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
+ endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
+
+ SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
+
+ SupportingToken supportingToks = rpd.getSupportingTokens();
+ this.handleSupportingTokens(rmd, supportingToks);
+
+ SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
+ this.handleSupportingTokens(rmd, encryptedSupportingToks);
+
+ //Setup signature parts
+ sigParts = addSignatureParts(sigSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
+
+ } else {
+ addSignatureConfirmation(rmd, sigParts);
+ }
+
+
+ //Sign the message
+ //We should use the same key in the case of EncryptBeforeSig
+ if ( sigParts.size() > 0) {
+ signatureValues.add(this.doSymmSignature(rmd, encryptionToken, tok, sigParts));
+ this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)this.getInsertionLocation());
+ }
+
+ if(rmd.isInitiator()) {
+
+ endSuppTokMap.putAll(endEncSuppTokMap);
+ //Do endorsed signatures
+ Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
+ for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+
+ sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
+ //Do signed endorsing signatures
+ Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
+ for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+ }
+
+ if(dotDebug){
+ t2 = System.currentTimeMillis();
+ tlog.debug("Encryption took :" + (t1 - t0)
+ +", Signature tool :" + (t2 - t1) );
+ }
+
+ //Check for signature protection and encryption of UsernameToken
+ if(rpd.isSignatureProtection() && this.mainSigId != null ||
+ encryptedTokensIdList.size() > 0 && rmd.isInitiator()) {
+ long t3 = 0, t4 = 0;
+ if(dotDebug){
+ t3 = System.currentTimeMillis();
+ }
+ log.debug("Signature protection");
+ Vector secondEncrParts = new Vector();
+
+ //Now encrypt the signature using the above token
+ if(rpd.isSignatureProtection()) {
+ secondEncrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
+ }
+
+ if(rmd.isInitiator()) {
+ for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
+ secondEncrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
+ }
+ }
+
+ Element secondRefList = null;
+
+ if(encryptionToken.isDerivedKeys()) {
+ try {
+ secondRefList = dkEncr.encryptForExternalRef(null,
+ secondEncrParts);
+ RampartUtil.insertSiblingAfter(
+ rmd,
+ encrDKTokenElem,
+ secondRefList);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDKEncr");
+ }
+ } else {
+ try {
+ //Encrypt, get hold of the ref list and add it
+ secondRefList = encr.encryptForExternalRef(null,
+ encrParts);
+ RampartUtil.insertSiblingAfter(
+ rmd,
+ encrTokenElement,
+ secondRefList);
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+ if(dotDebug){
+ t4 = System.currentTimeMillis();
+ tlog.debug("Signature protection took :" + (t4 - t3));
+ }
+ }
+
+ } else {
+ throw new RampartException("encryptionTokenMissing");
+ }
+ }
+
+
+ private void doSignBeforeEncrypt(RampartMessageData rmd) throws RampartException {
+
+ long t0 = 0, t1 = 0, t2 = 0;
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+
+ if(dotDebug){
+ t0 = System.currentTimeMillis();
+ }
+ Token sigToken = rpd.getSignatureToken();
+
+ String encrTokId = null;
+ String sigTokId = null;
+
+ org.apache.rahas.Token encrTok = null;
+ org.apache.rahas.Token sigTok = null;
+
+ Element sigTokElem = null;
+
+ Vector signatureValues = new Vector();
+
+ if(sigToken != null) {
+ if(sigToken instanceof SecureConversationToken) {
+ sigTokId = rmd.getSecConvTokenId();
+ } else if(sigToken instanceof IssuedToken) {
+ sigTokId = rmd.getIssuedSignatureTokenId();
+ } else if(sigToken instanceof X509Token) {
+ if (rmd.isInitiator()) {
+ sigTokId = setupEncryptedKey(rmd, sigToken);
+ } else {
+ sigTokId = getEncryptedKey(rmd);
+ }
+ }
+ } else {
+ throw new RampartException("signatureTokenMissing");
+ }
+
+ if(sigTokId == null || sigTokId.length() == 0) {
+ throw new RampartException("noSecurityToken");
+ }
+
+ sigTok = this.getToken(rmd, sigTokId);
+
+ if(SPConstants.INCLUDE_TOEKN_ALWAYS == sigToken.getInclusion() ||
+ SPConstants.INCLUDE_TOKEN_ONCE == sigToken.getInclusion() ||
+ (rmd.isInitiator() &&
+ SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == sigToken.getInclusion())) {
+ sigTokElem = RampartUtil.appendChildToSecHeader(rmd,
+ sigTok.getToken());
+ this.setInsertionLocation(sigTokElem);
+ } else if ( rmd.isInitiator() && sigToken instanceof X509Token) {
+ sigTokElem = RampartUtil.appendChildToSecHeader(rmd, sigTok.getToken());
+
+ //Set the insertion location
+ this.setInsertionLocation(sigTokElem);
+ }
+
+
+ HashMap sigSuppTokMap = null;
+ HashMap endSuppTokMap = null;
+ HashMap sgndEndSuppTokMap = null;
+ HashMap sgndEncSuppTokMap = null;
+ HashMap endEncSuppTokMap = null;
+ HashMap sgndEndEncSuppTokMap = null;
+
+ Vector sigParts = RampartUtil.getSignedParts(rmd);
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(RampartUtil
+ .addWsuIdToElement((OMElement) this.timestampElement)));
+ }
+
+ if(rmd.isInitiator()) {
+ // Now add the supporting tokens
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+ sigSuppTokMap = this.handleSupportingTokens(rmd, sgndSuppTokens);
+
+ SupportingToken endSuppTokens = rpd.getEndorsingSupportingTokens();
+ endSuppTokMap = this.handleSupportingTokens(rmd, endSuppTokens);
+
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ sgndEndSuppTokMap = this.handleSupportingTokens(rmd, sgndEndSuppTokens);
+
+ SupportingToken sgndEncryptedSuppTokens = rpd.getSignedEncryptedSupportingTokens();
+ sgndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEncryptedSuppTokens);
+
+ SupportingToken endorsingEncryptedSuppTokens = rpd.getEndorsingEncryptedSupportingTokens();
+ endEncSuppTokMap = this.handleSupportingTokens(rmd, endorsingEncryptedSuppTokens);
+
+ SupportingToken sgndEndEncSuppTokens = rpd.getSignedEndorsingEncryptedSupportingTokens();
+ sgndEndEncSuppTokMap = this.handleSupportingTokens(rmd, sgndEndEncSuppTokens);
+
+ SupportingToken supportingToks = rpd.getSupportingTokens();
+ this.handleSupportingTokens(rmd, supportingToks);
+
+ SupportingToken encryptedSupportingToks = rpd.getEncryptedSupportingTokens();
+ this.handleSupportingTokens(rmd, encryptedSupportingToks);
+
+ //Setup signature parts
+ sigParts = addSignatureParts(sigSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEncSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndSuppTokMap, sigParts);
+ sigParts = addSignatureParts(sgndEndEncSuppTokMap, sigParts);
+
+ } else {
+ addSignatureConfirmation(rmd, sigParts);
+ }
+
+ if (sigParts.size() > 0 ) {
+ //Sign the message
+ signatureValues.add(this.doSymmSignature(rmd, sigToken, sigTok, sigParts));
+
+ this.mainSigId = RampartUtil.addWsuIdToElement((OMElement)this.getInsertionLocation());
+
+ }
+
+ if(rmd.isInitiator()) {
+ // Adding the endorsing encrypted supporting tokens to endorsing supporting tokens
+ endSuppTokMap.putAll(endEncSuppTokMap);
+ //Do endorsed signatures
+ Vector endSigVals = this.doEndorsedSignatures(rmd, endSuppTokMap);
+
+ for (Iterator iter = endSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+
+ //Adding the signed endorsed encrypted tokens to signed endorsed supporting tokens
+ sgndEndSuppTokMap.putAll(sgndEndEncSuppTokMap);
+ //Do signed endorsing signatures
+ Vector sigEndSigVals = this.doEndorsedSignatures(rmd, sgndEndSuppTokMap);
+ for (Iterator iter = sigEndSigVals.iterator(); iter.hasNext();) {
+ signatureValues.add(iter.next());
+ }
+ }
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ //Encryption
+ Token encrToken = rpd.getEncryptionToken();
+ Element encrTokElem = null;
+ if(sigToken.equals(encrToken)) {
+ //Use the same token
+ encrTokId = sigTokId;
+ encrTok = sigTok;
+ encrTokElem = sigTokElem;
+ } else {
+ encrTokId = rmd.getIssuedEncryptionTokenId();
+ encrTok = this.getToken(rmd, encrTokId);
+
+ if(SPConstants.INCLUDE_TOEKN_ALWAYS == encrToken.getInclusion() ||
+ SPConstants.INCLUDE_TOKEN_ONCE == encrToken.getInclusion() ||
+ (rmd.isInitiator() && SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT == encrToken.getInclusion())) {
+ encrTokElem = (Element)encrTok.getToken();
+
+ //Add the encrToken element before the sigToken element
+ RampartUtil.insertSiblingBefore(rmd, sigTokElem, encrTokElem);
+ }
+
+ }
+
+ Vector encrParts = RampartUtil.getEncryptedParts(rmd);
+
+ //Check for signature protection
+ if(rpd.isSignatureProtection() && this.mainSigId != null) {
+ //Now encrypt the signature using the above token
+ encrParts.add(new WSEncryptionPart(this.mainSigId, "Element"));
+ }
+
+ if(rmd.isInitiator()) {
+ for (int i = 0 ; i < encryptedTokensIdList.size(); i++) {
+ encrParts.add(new WSEncryptionPart((String)encryptedTokensIdList.get(i),"Element"));
+ }
+ }
+
+ Element refList = null;
+ if(encrParts.size() > 0) {
+ //The sec conv token can be used without derived keys
+ if(encrToken.isDerivedKeys()) {
+
+ try {
+ WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
+
+ if(encrTokElem != null && encrTok.getAttachedReference() != null) {
+
+ dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc
+ .importNode((Element) encrTok.getAttachedReference(),
+ true));
+ } else if(encrTok.getUnattachedReference() != null) {
+ dkEncr.setExternalKey(encrTok.getSecret(), (Element) doc
+ .importNode((Element) encrTok.getUnattachedReference(),
+ true));
+ } else if (!rmd.isInitiator() && encrToken.isDerivedKeys()) {
+
+ // If the Encrypted key used to create the derived key is not
+ // attached use key identifier as defined in WSS1.1 section
+ // 7.7 Encrypted Key reference
+ SecurityTokenReference tokenRef = new SecurityTokenReference(doc);
+ if(encrTok instanceof EncryptedKeyToken) {
+ tokenRef.setKeyIdentifierEncKeySHA1(((EncryptedKeyToken)encrTok).getSHA1());
+ }
+ dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
+
+ } else {
+ dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
+ }
+
+ if(encrTok instanceof EncryptedKeyToken) {
+ dkEncr.setCustomValueType(WSConstants.SOAPMESSAGE_NS11 + "#"
+ + WSConstants.ENC_KEY_VALUE_TYPE);
+ }
+
+ dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
+ dkEncr.setDerivedKeyLength(rpd.getAlgorithmSuite().getEncryptionDerivedKeyLength()/8);
+ dkEncr.prepare(doc);
+ Element encrDKTokenElem = null;
+ encrDKTokenElem = dkEncr.getdktElement();
+ if(encrTokElem != null) {
+ RampartUtil.insertSiblingAfter(rmd, encrTokElem, encrDKTokenElem);
+ } else if (timestampElement != null){
+ RampartUtil.insertSiblingAfter(rmd, this.timestampElement, encrDKTokenElem);
+ } else {
+ RampartUtil.insertSiblingBefore(rmd, this.getInsertionLocation(), encrDKTokenElem);
+ }
+
+ refList = dkEncr.encryptForExternalRef(null, encrParts);
+
+ RampartUtil.insertSiblingAfter(rmd,
+ encrDKTokenElem,
+ refList);
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDKEncr");
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDKEncr");
+ }
+ } else {
+ try {
+
+ WSSecEncrypt encr = new WSSecEncrypt();
+
+ encr.setWsConfig(rmd.getConfig());
+ //Hack to handle reference id issues
+ //TODO Need a better fix
+ if(encrTokId.startsWith("#")) {
+ encrTokId = encrTokId.substring(1);
+ }
+ encr.setEncKeyId(encrTokId);
+
+ encr.setEphemeralKey(encrTok.getSecret());
+ RampartUtil.setEncryptionUser(rmd, encr);
+ encr.setDocument(doc);
+ encr.setEncryptSymmKey(false);
+ encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
+ // Use key identifier in the KeyInfo in server side
+ if (!rmd.isInitiator()) {
+ if(encrTok instanceof EncryptedKeyToken) {
+ encr.setUseKeyIdentifier(true);
+ encr.setCustomReferenceValue(((EncryptedKeyToken)encrTok).getSHA1());
+ encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ }
+ }
+ encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()));
+
+ //Encrypt, get hold of the ref list and add it
+ refList = encr.encryptForExternalRef(null, encrParts);
+
+ if(encrTokElem != null) {
+ RampartUtil.insertSiblingAfter(rmd,
+ encrTokElem,
+ refList);
+ } else {
+ RampartUtil.insertSiblingBeforeOrPrepend(rmd,
+ this.getInsertionLocation(),
+ refList);
+ }
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInEncryption", e);
+ }
+ }
+ }
+
+ if(dotDebug){
+ t2 = System.currentTimeMillis();
+ tlog.debug("Signature took :" + (t1 - t0)
+ +", Encryption took :" + (t2 - t1) );
+ }
+
+
+ }
+
+ /**
+ * @param rmd
+ * @param sigToken
+ * @return
+ * @throws RampartException
+ */
+ private String setupEncryptedKey(RampartMessageData rmd, Token sigToken)
+ throws RampartException {
+ try {
+ WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(rmd,
+ sigToken);
+ String id = encrKey.getId();
+ byte[] secret = encrKey.getEphemeralKey();
+ //Create a rahas token from this info and store it so we can use
+ //it in the next steps
+
+ Date created = new Date();
+ Date expires = new Date();
+ //TODO make this lifetime configurable ???
+ expires.setTime(System.currentTimeMillis() + 300000);
+ org.apache.rahas.EncryptedKeyToken tempTok = new org.apache.rahas.EncryptedKeyToken(
+ id,
+ (OMElement) encrKey.getEncryptedKeyElement(),
+ created,
+ expires);
+
+
+ tempTok.setSecret(secret);
+
+ // Set the SHA1 value of the encrypted key, this is used when the encrypted
+ // key is referenced via a key identifier of type EncryptedKeySHA1
+ tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey()));
+
+ rmd.getTokenStorage().add(tempTok);
+
+ String bstTokenId = encrKey.getBSTTokenId();
+ //If direct ref is used to refer to the cert
+ //then add the cert to the sec header now
+ if(bstTokenId != null && bstTokenId.length() > 0) {
+ RampartUtil.appendChildToSecHeader(rmd,
+ encrKey.getBinarySecurityTokenElement());
+ }
+
+ return id;
+
+ } catch (TrustException e) {
+ throw new RampartException("errorInAddingTokenIntoStore");
+ }
+ }
+
+ private String getSHA1(byte[] input) throws RampartException{
+
+ MessageDigest sha = null;
+ try {
+ sha = MessageDigest.getInstance("SHA-1");
+ } catch (NoSuchAlgorithmException e1) {
+ throw new RampartException("noSHA1availabe", e1);
+ }
+ sha.reset();
+ sha.update(input);
+ byte[] data = sha.digest();
+
+ return Base64.encode(data);
+ }
+
+ private String getEncryptedKey(RampartMessageData rmd ) throws RampartException {
+
+ Vector results = (Vector)rmd.getMsgContext().getProperty(WSHandlerConstants.RECV_RESULTS);
+
+ for (int i = 0; i < results.size(); i++) {
+ WSHandlerResult rResult =
+ (WSHandlerResult) results.get(i);
+
+ Vector wsSecEngineResults = rResult.getResults();
+
+ for (int j = 0; j < wsSecEngineResults.size(); j++) {
+ WSSecurityEngineResult wser =
+ (WSSecurityEngineResult) wsSecEngineResults.get(j);
+ Integer actInt = (Integer)wser.get(WSSecurityEngineResult.TAG_ACTION);
+ if (actInt.intValue() == WSConstants.ENCR) {
+
+ if (wser.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_ID) != null &&
+ ((String)wser.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_ID)).length() != 0) {
+
+ try {
+
+ String encryptedKeyID = (String)wser.get(WSSecurityEngineResult.TAG_ENCRYPTED_KEY_ID);
+
+ Date created = new Date();
+ Date expires = new Date();
+ expires.setTime(System.currentTimeMillis() + 300000);
+ EncryptedKeyToken tempTok = new EncryptedKeyToken(encryptedKeyID,created,expires);
+ tempTok.setSecret((byte[])wser.get(WSSecurityEngineResult.TAG_DECRYPTED_KEY));
+ tempTok.setSHA1(getSHA1((byte[])wser.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
+ rmd.getTokenStorage().add(tempTok);
+
+ return encryptedKeyID;
+
+ } catch (TrustException e) {
+ throw new RampartException("errorInAddingTokenIntoStore");
+ }
+
+ }
+ }
+ }
+ }
+ return null;
+ }
+
+
+ /**
+ * Setup the required tokens
+ * @param rmd
+ * @param rpd
+ * @throws RampartException
+ */
+ private void initializeTokens(RampartMessageData rmd) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ MessageContext msgContext = rmd.getMsgContext();
+ if(rpd.isSymmetricBinding() && !msgContext.isServerSide()) {
+ log.debug("Processing symmetric binding: " +
+ "Setting up encryption token and signature token");
+ //Setting up encryption token and signature token
+
+ Token sigTok = rpd.getSignatureToken();
+ Token encrTok = rpd.getEncryptionToken();
+ if(sigTok instanceof IssuedToken) {
+
+ log.debug("SignatureToken is an IssuedToken");
+
+ if(rmd.getIssuedSignatureTokenId() == null) {
+ log.debug("No Issuedtoken found, requesting a new token");
+
+ IssuedToken issuedToken = (IssuedToken)sigTok;
+
+ String id = RampartUtil.getIssuedToken(rmd,
+ issuedToken);
+ rmd.setIssuedSignatureTokenId(id);
+
+ }
+
+ } else if(sigTok instanceof SecureConversationToken) {
+
+ log.debug("SignatureToken is a SecureConversationToken");
+
+ //TODO check for an existing token and use it
+
+ String secConvTokenId = rmd.getSecConvTokenId();
+
+ //The RSTR has to be secured with the cancelled token
+ String action = msgContext.getOptions().getAction();
+ boolean cancelReqResp = action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT);
+
+ //In the case of the cancel req or resp we should mark the token as cancelled
+ if(secConvTokenId != null && cancelReqResp) {
+ try {
+ rmd.getTokenStorage().getToken(secConvTokenId).setState(org.apache.rahas.Token.CANCELLED);
+ msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);
+
+ //remove from the local map of contexts
+ String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext);
+ RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
+ } catch (TrustException e) {
+ throw new RampartException("errorExtractingToken");
+ }
+ }
+
+ if (secConvTokenId == null
+ || (secConvTokenId != null &&
+ (!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp))) {
+
+ log.debug("No SecureConversationToken found, " +
+ "requesting a new token");
+
+ SecureConversationToken secConvTok =
+ (SecureConversationToken) sigTok;
+
+ try {
+
+ String id = RampartUtil.getSecConvToken(rmd, secConvTok);
+ rmd.setSecConvTokenId(id);
+
+ } catch (TrustException e) {
+ throw new RampartException("errorInObtainingSct", e);
+ }
+ }
+ }
+
+ //If it was the ProtectionToken assertion then sigTok is the
+ //same as encrTok
+ if(sigTok.equals(encrTok) && sigTok instanceof IssuedToken) {
+
+ log.debug("Symmetric binding uses a ProtectionToken, both" +
+ " SignatureToken and EncryptionToken are the same");
+
+ rmd.setIssuedEncryptionTokenId(rmd.getIssuedEncryptionTokenId());
+ } else {
+ //Now we'll have to obtain the encryption token as well :-)
+ //ASSUMPTION: SecureConversationToken is used as a
+ //ProtectionToken therefore we only have to process a issued
+ //token here
+
+ log.debug("Obtaining the Encryption Token");
+ if(rmd.getIssuedEncryptionTokenId() != null) {
+
+ log.debug("EncrytionToken not alredy set");
+
+ IssuedToken issuedToken = (IssuedToken)encrTok;
+
+ String id = RampartUtil.getIssuedToken(rmd,
+ issuedToken);
+ rmd.setIssuedEncryptionTokenId(id);
+
+ }
+
+ }
+ }
+
+ //TODO : Support processing IssuedToken and SecConvToken assertoins
+ //in supporting tokens, right now we only support UsernameTokens and
+ //X.509 Tokens
+ }
+
+
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
new file mode 100644
index 0000000..0147d01
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/TransportBindingBuilder.java
@@ -0,0 +1,640 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.builder;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.Vector;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axis2.context.MessageContext;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rahas.RahasConstants;
+import org.apache.rahas.TrustException;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.RampartException;
+import org.apache.rampart.RampartMessageData;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.SPConstants;
+import org.apache.ws.secpolicy.model.AlgorithmSuite;
+import org.apache.ws.secpolicy.model.Header;
+import org.apache.ws.secpolicy.model.IssuedToken;
+import org.apache.ws.secpolicy.model.SecureConversationToken;
+import org.apache.ws.secpolicy.model.SignedEncryptedParts;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.secpolicy.model.X509Token;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.conversation.ConversationException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public class TransportBindingBuilder extends BindingBuilder {
+
+ private static Log log = LogFactory.getLog(TransportBindingBuilder.class);
+ private static Log tlog = LogFactory.getLog(RampartConstants.TIME_LOG);
+ private boolean dotDebug = false;
+
+ public TransportBindingBuilder(){
+ dotDebug = tlog.isDebugEnabled();
+ }
+
+ public void build(RampartMessageData rmd) throws RampartException {
+
+ log.debug("TransportBindingBuilder build invoked");
+
+ long t0 = 0, t1 = 0;
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ }
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ if (rpd.isIncludeTimestamp()) {
+ addTimestamp(rmd);
+ }
+
+ /*
+ * Process Supporting tokens
+ */
+ if(rmd.isInitiator()) {
+ Vector signatureValues = new Vector();
+
+ SupportingToken sgndSuppTokens = rpd.getSignedSupportingTokens();
+
+ if(sgndSuppTokens != null && sgndSuppTokens.getTokens() != null &&
+ sgndSuppTokens.getTokens().size() > 0) {
+
+ log.debug("Processing signed supporting tokens");
+
+ ArrayList tokens = sgndSuppTokens.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+
+ Token token = (Token) iter.next();
+ if(token instanceof UsernameToken) {
+ WSSecUsernameToken utBuilder = addUsernameToken(rmd,(UsernameToken)token);
+
+ utBuilder.prepare(rmd.getDocument());
+
+ //Add the UT
+ utBuilder.appendToHeader(rmd.getSecHeader());
+
+ } else {
+ throw new RampartException("unsupportedSignedSupportingToken",
+ new String[]{"{" +token.getName().getNamespaceURI()
+ + "}" + token.getName().getLocalPart()});
+ }
+ }
+ }
+
+ SupportingToken sgndEndSuppTokens = rpd.getSignedEndorsingSupportingTokens();
+ if(sgndEndSuppTokens != null && sgndEndSuppTokens.getTokens() != null &&
+ sgndEndSuppTokens.getTokens().size() > 0) {
+
+ log.debug("Processing endorsing signed supporting tokens");
+
+ ArrayList tokens = sgndEndSuppTokens.getTokens();
+ SignedEncryptedParts signdParts = sgndEndSuppTokens.getSignedParts();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof IssuedToken && rmd.isInitiator()) {
+ signatureValues.add(doIssuedTokenSignature(rmd, token, signdParts));
+ } else if(token instanceof X509Token) {
+ signatureValues.add(doX509TokenSignature(rmd, token, signdParts));
+ }
+ }
+ }
+
+ SupportingToken endSupptokens = rpd.getEndorsingSupportingTokens();
+ if(endSupptokens != null && endSupptokens.getTokens() != null &&
+ endSupptokens.getTokens().size() > 0) {
+ log.debug("Processing endorsing supporting tokens");
+ ArrayList tokens = endSupptokens.getTokens();
+ SignedEncryptedParts signdParts = endSupptokens.getSignedParts();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof IssuedToken && rmd.isInitiator()){
+ signatureValues.add(doIssuedTokenSignature(rmd, token, signdParts));
+ } else if(token instanceof X509Token) {
+ signatureValues.add(doX509TokenSignature(rmd, token, signdParts));
+ } else if (token instanceof SecureConversationToken) {
+ handleSecureConversationTokens(rmd, (SecureConversationToken)token);
+ signatureValues.add(doSecureConversationSignature(rmd, token, signdParts));
+ }
+ }
+ }
+
+
+ SupportingToken supportingToks = rpd.getSupportingTokens();
+ this.handleSupportingTokens(rmd, supportingToks);
+
+
+ //Store the signature values vector
+ rmd.getMsgContext().setProperty(WSHandlerConstants.SEND_SIGV, signatureValues);
+ } else {
+ addSignatureConfirmation(rmd, null);
+ }
+
+ if(dotDebug){
+ t1 = System.currentTimeMillis();
+ tlog.debug("Transport binding build took "+ (t1 - t0));
+ }
+ }
+
+
+
+ /**
+ * X.509 signature
+ * @param rmd
+ * @param token
+ * @param signdParts
+ */
+ private byte[] doX509TokenSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc = rmd.getDocument();
+
+ Vector sigParts = new Vector();
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+ }
+
+ if(signdParts != null) {
+ if(signdParts.isBody()) {
+ SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+ sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+ }
+
+ ArrayList headers = signdParts.getHeaders();
+ for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+ Header header = (Header) iterator.next();
+ WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
+ header.getNamespace(),
+ "Content");
+ sigParts.add(wep);
+ }
+ }
+ if(token.isDerivedKeys()) {
+ //In this case we will have to encrypt the ephmeral key with the
+ //other party's key and then use it as the parent key of the
+ // derived keys
+ try {
+
+ WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(rmd, token);
+
+ Element bstElem = encrKey.getBinarySecurityTokenElement();
+ if(bstElem != null) {
+ RampartUtil.appendChildToSecHeader(rmd, bstElem);
+ }
+
+ encrKey.appendToHeader(rmd.getSecHeader());
+
+ WSSecDKSign dkSig = new WSSecDKSign();
+
+ dkSig.setWsConfig(rmd.getConfig());
+
+ dkSig.setSigCanonicalization(rpd.getAlgorithmSuite().getInclusiveC14n());
+ dkSig.setSignatureAlgorithm(rpd.getAlgorithmSuite().getSymmetricSignature());
+ dkSig.setDerivedKeyLength(rpd.getAlgorithmSuite().getSignatureDerivedKeyLength()/8);
+
+ dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+
+ dkSig.prepare(doc, rmd.getSecHeader());
+
+
+ if(rpd.isTokenProtection()) {
+ sigParts.add(new WSEncryptionPart(encrKey.getBSTTokenId()));
+ }
+
+ dkSig.setParts(sigParts);
+
+ dkSig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSig.computeSignature();
+
+ dkSig.appendDKElementToHeader(rmd.getSecHeader());
+
+ dkSig.appendSigToHeader(rmd.getSecHeader());
+
+ return dkSig.getSignatureValue();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInDerivedKeyTokenSignature", e);
+ } catch (ConversationException e) {
+ throw new RampartException("errorInDerivedKeyTokenSignature", e);
+ }
+
+ } else {
+
+ try {
+ WSSecSignature sig = this.getSignatureBuider(rmd, token);
+
+
+ sig.appendBSTElementToHeader(rmd.getSecHeader());
+
+ if (rpd.isTokenProtection()
+ && !(SPConstants.INCLUDE_TOKEN_NEVER == token.getInclusion())) {
+ sigParts.add(new WSEncryptionPart(sig.getBSTTokenId()));
+ }
+
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ sig.appendToHeader(rmd.getSecHeader());
+
+ sig.computeSignature();
+
+ return sig.getSignatureValue();
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithX509Token", e);
+ }
+
+
+ }
+
+ }
+
+
+ /**
+ * IssuedToken signature
+ * @param rmd
+ * @param token
+ * @param signdParts
+ * @throws RampartException
+ */
+ private byte[] doIssuedTokenSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc= rmd.getDocument();
+
+ //Get the issued token
+ String id = RampartUtil.getIssuedToken(rmd, (IssuedToken)token);
+
+ int inclusion = token.getInclusion();
+ org.apache.rahas.Token tok = null;
+ try {
+ tok = rmd.getTokenStorage().getToken(id);
+ } catch (TrustException e) {
+ throw new RampartException("errorExtractingToken",
+ new String[]{id} ,e);
+ }
+
+ boolean tokenIncluded = false;
+
+ if(inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS ||
+ ((inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
+ || inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
+ && rmd.isInitiator())) {
+
+ //Add the token
+ rmd.getSecHeader().getSecurityHeader().appendChild(
+ doc.importNode((Element) tok.getToken(), true));
+
+ tokenIncluded = true;
+ }
+
+ Vector sigParts = new Vector();
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+ }
+
+
+ if(rpd.isTokenProtection() && tokenIncluded) {
+ sigParts.add(new WSEncryptionPart(id));
+ }
+
+ if(signdParts != null) {
+ if(signdParts.isBody()) {
+ SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+ sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+ }
+
+ ArrayList headers = signdParts.getHeaders();
+ for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+ Header header = (Header) iterator.next();
+ WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
+ header.getNamespace(),
+ "Content");
+ sigParts.add(wep);
+ }
+ }
+
+ //check for derived keys
+ AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
+ if(token.isDerivedKeys()) {
+ //Create a derived key and add
+ try {
+
+ //Do Signature with derived keys
+ WSSecDKSign dkSign = new WSSecDKSign();
+
+ // Setting the AttachedReference or the UnattachedReference according to the flag
+ OMElement ref;
+ if (tokenIncluded == true) {
+ ref = tok.getAttachedReference();
+ } else {
+ ref = tok.getUnattachedReference();
+ }
+
+ if(ref != null) {
+ dkSign.setExternalKey(tok.getSecret(), (Element)
+ doc.importNode((Element) ref, true));
+ } else {
+ dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ }
+
+ //Set the algo info
+ dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+ dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength());
+
+ dkSign.prepare(doc);
+
+ dkSign.appendDKElementToHeader(rmd.getSecHeader());
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSign.computeSignature();
+
+ dkSign.appendSigToHeader(rmd.getSecHeader());
+
+ return dkSign.getSignatureValue();
+
+ } catch (ConversationException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ }
+
+ } else {
+ try {
+ WSSecSignature sig = new WSSecSignature();
+ sig.setWsConfig(rmd.getConfig());
+ sig.setCustomTokenId(tok.getId().substring(1));
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS +
+ WSConstants.SAML_ASSERTION_ID);
+ sig.setSecretKey(tok.getSecret());
+ sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
+ sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()),
+ rmd.getSecHeader());
+
+ sig.setParts(sigParts);
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ sig.computeSignature();
+
+ //Add elements to header
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ sig.getSignatureElement()));
+
+ return sig.getSignatureValue();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithACustomToken", e);
+ }
+ }
+ }
+
+ private byte[] doSecureConversationSignature(RampartMessageData rmd, Token token, SignedEncryptedParts signdParts) throws RampartException {
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+ Document doc= rmd.getDocument();
+
+ //Get the issued token
+ String id = rmd.getSecConvTokenId();
+
+ int inclusion = token.getInclusion();
+ org.apache.rahas.Token tok = null;
+ try {
+ tok = rmd.getTokenStorage().getToken(id);
+ } catch (TrustException e) {
+ throw new RampartException("errorExtractingToken",
+ new String[]{id} ,e);
+ }
+
+ boolean tokenIncluded = false;
+
+ if(inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS ||
+ ((inclusion == SPConstants.INCLUDE_TOEKN_ALWAYS_TO_RECIPIENT
+ || inclusion == SPConstants.INCLUDE_TOKEN_ONCE)
+ && rmd.isInitiator())) {
+
+ //Add the token
+ rmd.getSecHeader().getSecurityHeader().appendChild(
+ doc.importNode((Element) tok.getToken(), true));
+
+ tokenIncluded = true;
+ }
+
+ Vector sigParts = new Vector();
+
+ if(this.timestampElement != null){
+ sigParts.add(new WSEncryptionPart(rmd.getTimestampId()));
+ }
+
+
+ if(rpd.isTokenProtection() && tokenIncluded) {
+ sigParts.add(new WSEncryptionPart(id));
+ }
+
+ if(signdParts != null) {
+ if(signdParts.isBody()) {
+ SOAPEnvelope env = rmd.getMsgContext().getEnvelope();
+ sigParts.add(new WSEncryptionPart(RampartUtil.addWsuIdToElement(env.getBody())));
+ }
+
+ ArrayList headers = signdParts.getHeaders();
+ for (Iterator iterator = headers.iterator(); iterator.hasNext();) {
+ Header header = (Header) iterator.next();
+ WSEncryptionPart wep = new WSEncryptionPart(header.getName(),
+ header.getNamespace(),
+ "Content");
+ sigParts.add(wep);
+ }
+ }
+
+ //check for derived keys
+ AlgorithmSuite algorithmSuite = rpd.getAlgorithmSuite();
+ if(token.isDerivedKeys()) {
+ //Create a derived key and add
+ try {
+
+ //Do Signature with derived keys
+ WSSecDKSign dkSign = new WSSecDKSign();
+
+ // Setting the AttachedReference or the UnattachedReference according to the flag
+ OMElement ref;
+ if (tokenIncluded == true) {
+ ref = tok.getAttachedReference();
+ } else {
+ ref = tok.getUnattachedReference();
+ }
+
+ if(ref != null) {
+ dkSign.setExternalKey(tok.getSecret(), (Element)
+ doc.importNode((Element) ref, true));
+ } else {
+ dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ }
+
+ //Set the algo info
+ dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+ dkSign.setDerivedKeyLength(algorithmSuite.getSignatureDerivedKeyLength());
+
+ dkSign.prepare(doc);
+
+ dkSign.appendDKElementToHeader(rmd.getSecHeader());
+
+ dkSign.setParts(sigParts);
+
+ dkSign.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ dkSign.computeSignature();
+
+ dkSign.appendSigToHeader(rmd.getSecHeader());
+
+ return dkSign.getSignatureValue();
+
+ } catch (ConversationException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ } catch (WSSecurityException e) {
+ throw new RampartException(
+ "errorInDerivedKeyTokenSignature", e);
+ }
+
+ } else {
+ try {
+ WSSecSignature sig = new WSSecSignature();
+ sig.setWsConfig(rmd.getConfig());
+ sig.setCustomTokenId(tok.getId().substring(1));
+ sig.setCustomTokenValueType(WSConstants.WSS_SAML_NS +
+ WSConstants.SAML_ASSERTION_ID);
+ sig.setSecretKey(tok.getSecret());
+ sig.setSignatureAlgorithm(algorithmSuite.getAsymmetricSignature());
+ sig.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+ sig.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sig.prepare(rmd.getDocument(), RampartUtil.getSignatureCrypto(rpd
+ .getRampartConfig(), rmd.getCustomClassLoader()),
+ rmd.getSecHeader());
+
+ sig.setParts(sigParts);
+ sig.addReferencesToSign(sigParts, rmd.getSecHeader());
+
+ //Do signature
+ sig.computeSignature();
+
+ //Add elements to header
+ this.setInsertionLocation(RampartUtil.insertSiblingAfter(
+ rmd,
+ this.getInsertionLocation(),
+ sig.getSignatureElement()));
+
+ return sig.getSignatureValue();
+
+ } catch (WSSecurityException e) {
+ throw new RampartException("errorInSignatureWithACustomToken", e);
+ }
+ }
+ }
+
+ private void handleSecureConversationTokens(RampartMessageData rmd,
+ SecureConversationToken secConvTok) throws RampartException {
+
+
+ MessageContext msgContext = rmd.getMsgContext();
+
+ String secConvTokenId = rmd.getSecConvTokenId();
+
+ //The RSTR has to be secured with the cancelled token
+ String action = msgContext.getOptions().getAction();
+ boolean cancelReqResp = action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RSTR_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT) ||
+ action.equals(RahasConstants.WST_NS_05_02 + RahasConstants.RST_ACTION_CANCEL_SCT);
+
+ //In the case of the cancel req or resp we should mark the token as cancelled
+ if(secConvTokenId != null && cancelReqResp) {
+ try {
+ rmd.getTokenStorage().getToken(secConvTokenId).setState(org.apache.rahas.Token.CANCELLED);
+ msgContext.setProperty(RampartMessageData.SCT_ID, secConvTokenId);
+
+ //remove from the local map of contexts
+ String contextIdentifierKey = RampartUtil.getContextIdentifierKey(msgContext);
+ RampartUtil.getContextMap(msgContext).remove(contextIdentifierKey);
+ } catch (TrustException e) {
+ throw new RampartException("errorExtractingToken",e);
+ }
+ }
+
+ if (secConvTokenId == null
+ || (secConvTokenId != null &&
+ (!RampartUtil.isTokenValid(rmd, secConvTokenId) && !cancelReqResp))) {
+
+ log.debug("No SecureConversationToken found, " +
+ "requesting a new token");
+
+ try {
+
+ secConvTokenId = RampartUtil.getSecConvToken(rmd, secConvTok);
+ rmd.setSecConvTokenId(secConvTokenId);
+
+ } catch (TrustException e) {
+ throw new RampartException("errorInObtainingSct", e);
+ }
+ }
+
+/* org.apache.rahas.Token token;
+ try {
+ token = rmd.getTokenStorage().getToken(secConvTokenId);
+ } catch (TrustException e) {
+ throw new RampartException("errorExtractingToken", e);
+ }
+
+
+ //Add the token to the header
+ Element siblingElem = RampartUtil
+ .insertSiblingAfter(rmd, this.getInsertionLocation(),
+ (Element) token.getToken());
+ this.setInsertionLocation(siblingElem);*/
+
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties b/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
new file mode 100644
index 0000000..f161313
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
@@ -0,0 +1,94 @@
+# -------------------------------------------------------------------
+# Copyright 2001-2004 The Apache Software Foundation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# -------------------------------------------------------------------
+
+
+missingConfiguration = Missing or malformed configuration: \"{0}\"
+expectedParameterMissing = Expected parameter missing : \"{0}\"
+missingScopeValue = Missing or incorrect scope value
+canotFindContextIdentifier = Cannot find context identifier
+missingWSAAction = wsa:Action value missing
+missingWSATo = wsa:To address value missing
+cannotCrateCryptoInstance = Cannot create Crypto instance
+noInfoForCBhandler = Cannot obtain a callback handler with available configuration information
+cannotLoadPolicyValidatorCbClass = Cannot load custom policy validator callback class : \"{0}\"
+cannotCreatePolicyValidatorCallbackInstance = Cannot create custom policy validator callback class instance : \"{0}\"
+missingEncryptionUser=Encryption user not specified (The context is created by the initiating party)
+
+missingSignatureCrypto=Signature crypto information not available
+missingEncryptionCrypto=Encryption crypto information not available
+missingCallbackHandler=Password callback handler cannot be located
+errorInObtainingSct=Error in obtaining SCT from \"{0}\"
+errorInObtainingToken=Error in obtaining a token
+errorInExtractingMsgProps = Error in extracting message properties
+userMissing = No user value in the rampart configuration policy
+cbHandlerMissing = Password CallbackHandler not specified in rampart configuration policy or the CallbackHandler instance not available in the MessageContext
+errorInGettingPasswordForUser = Error in getting password for user : \"{0}\"
+noPasswordForUser = No password supplied by the callback handler for the user : \"{0}\"
+unsupportedSignedSupportingToken = Unsupported SignedSupportingToken : \"{0}\"
+errorExtractingToken = Error extracting token : \"{0}\"
+errorInAddingTokenIntoStore = Error in adding token into store
+errorInDerivedKeyTokenSignature = Error in DerivedKeyToken signature
+errorInSignatureWithX509Token = Error in signature with X509Token
+errorInSignatureWithACustomToken = Error in signature with a custom token
+errorCreatingEncryptedKey = Error in creating an encrypted key
+errorGettingSignatureValuesForSigconf = Error in getting signature values for signature confirmation
+cannotLoadPWCBClass = Cannot load password callback class: {0}
+cannotCreatePWCBInstance = Cannot create instance of password callback : {0}
+pwcbFailed = password callback failed
+unknownKeyRefSpeficier = Unknown key reference specifier for X509Token
+errorInRetrievingTokenId = Error in retrieving token : {0}
+errorInEncryption = Error in encryption
+errorInDKEncr = Error in encryption with a derived key
+errorCreatingRahasToken = Error in creating a org.apache.rahas.Token instance
+UnsupportedTokenInSupportingToken = Unsupported token in supporting tokens
+encryptionTokenMissing = Encryption token missing
+signatureTokenMissing = Signature token missing
+errorInEncryption = Error during encryption
+sctIssuerPolicyMissing = sct-issuer-policy parameter missing
+errorInTokenCancellation = Error in canceling token
+tokenToBeCancelledInvalid = Token to be canceled is invalid or expired
+errorCreatingRSTTemplateForSCT=Error in creating RST template for SCT
+noSecurityToken = Missing security token
+noSecurityResults= No security processing results from the incoming message
+missingEncryptedKeyInRequest=There was no EncryptedKey in the request message
+rampartConigMissing = Please include configured RampartConfiguration assertion in policy
+missingSecurityHeader = Missing wsse:Security header in request
+missingSOAPHeader = SOAP header missing
+
+#Errors in processors
+errorProcessingUT = Error in processing UsernameToken
+
+cannotValidateTimestamp = The timestamp could not be validated
+trustVerificationError = The certificate used for the signature is not trusted
+cannotFindAliasForCert = Could not get alias for certificate with {0}
+noCertForAlias = Could not get certificates for alias {0}
+certPathVerificationFailed = Certificate path verification failed for certificate with subject
+
+#Rampart Results Validation Errors
+timestampMissing = Missing Timestamp
+encryptedPartMissing = Missing encryption result for id : {0}
+invalidNumberOfEncryptedParts = Invalid number of encrypted parts
+protectionOrderMismatch = Protection order mismatch
+samlTokenMissing = SAML Token missing in request
+binaryTokenMissing = Binary Security Token missing in request
+usernameTokenMissing = UsernameToken missing in request
+signatureMissing = Message is not signed
+unexprectedEncryptedPart = Unexpected encrypted data found, no encryption required
+encryptionMissing = Expected encrypted part missing
+signedPartHeaderNotSigned = Soap Header must be signed : {0}
+unexprectedSignature = Unexpected signature
+invalidTransport = Expected transport is "https" but incoming transport found : \"{0}\"
+requiredElementsMissing = Required Elements not found in the incoming message : {0}
\ No newline at end of file
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
new file mode 100644
index 0000000..7c919d9
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/PostDispatchVerificationHandler.java
@@ -0,0 +1,178 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.description.HandlerDescription;
+import org.apache.axis2.description.Parameter;
+import org.apache.axis2.engine.Handler;
+import org.apache.neethi.Assertion;
+import org.apache.neethi.Policy;
+import org.apache.neethi.PolicyEngine;
+import org.apache.rampart.RampartMessageData;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.HandlerParameterDecoder;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.model.Binding;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.security.handler.WSHandlerConstants;
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Vector;
+
+/**
+ * Handler to verify the message security after dispatch
+ *
+ */
+public class PostDispatchVerificationHandler implements Handler {
+
+ private HandlerDescription handlerDesc;
+
+ /**
+ * @see org.apache.axis2.engine.Handler#cleanup()
+ */
+ public void cleanup() {
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#flowComplete(org.apache.axis2.context.MessageContext)
+ */
+ public void flowComplete(MessageContext msgContext) {
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#getHandlerDesc()
+ */
+ public HandlerDescription getHandlerDesc() {
+ return this.handlerDesc;
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#getName()
+ */
+ public String getName() {
+ return "Post dispatch security verification handler";
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#getParameter(java.lang.String)
+ */
+ public Parameter getParameter(String name) {
+ return this.handlerDesc.getParameter(name);
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#init(org.apache.axis2.description.HandlerDescription)
+ */
+ public void init(HandlerDescription handlerDesc) {
+ this.handlerDesc = handlerDesc;
+ }
+
+ /**
+ * @see org.apache.axis2.engine.Handler#invoke(org.apache.axis2.context.MessageContext)
+ */
+ public InvocationResponse invoke(MessageContext msgContext)
+ throws AxisFault {
+ Policy policy = msgContext.getEffectivePolicy();
+
+
+ if(msgContext.getProperty(RampartMessageData.KEY_RAMPART_POLICY) != null) {
+ policy = (Policy)msgContext.getProperty(RampartMessageData.KEY_RAMPART_POLICY);
+ }
+
+
+ if(policy == null) {
+ policy = msgContext.getEffectivePolicy();
+ }
+
+ if(policy == null) {
+ Parameter param = msgContext.getParameter(RampartMessageData.KEY_RAMPART_POLICY);
+ if(param != null) {
+ OMElement policyElem = param.getParameterElement().getFirstElement();
+ policy = PolicyEngine.getPolicy(policyElem);
+ }
+ }
+
+ if(policy == null) {
+ return InvocationResponse.CONTINUE;
+ }
+
+ Iterator alternatives = policy.getAlternatives();
+
+ boolean securityPolicyPresent = false;
+ if(alternatives.hasNext()) {
+ List assertions = (List)alternatives.next();
+ for (Iterator iterator = assertions.iterator(); iterator.hasNext();) {
+ Assertion assertion = (Assertion) iterator.next();
+ //Check for any *Binding assertion
+ if (assertion instanceof Binding) {
+ securityPolicyPresent = true;
+ break;
+ // There can be security policies containing only supporting tokens
+ } else if (assertion instanceof SupportingToken) {
+ securityPolicyPresent = true;
+ break;
+ }
+ }
+ }
+
+
+
+ if (securityPolicyPresent) {
+ RampartPolicyData rpd = (RampartPolicyData)msgContext.
+ getProperty(RampartMessageData.RAMPART_POLICY_DATA);
+ // Security policy data has not been populated at the time of verification
+ if (rpd == null ) {
+ throw new AxisFault("InvalidSecurity");
+ }
+
+ boolean isInitiator = false;
+ Parameter clientSideParam = msgContext.getAxisService().
+ getParameter(RampartMessageData.PARAM_CLIENT_SIDE);
+ if(clientSideParam != null) {
+ isInitiator = true;
+ }
+
+ //Now check for security processing results if security policy is available
+ if(RampartUtil.isSecHeaderRequired(rpd,isInitiator,true) &&
+ msgContext.getProperty(WSHandlerConstants.RECV_RESULTS) == null) {
+ throw new AxisFault("InvalidSecurity");
+ }
+
+ }
+
+ //Check for an empty security processing results when parameter based
+ //configuration is used
+ if(msgContext.getParameter(WSSHandlerConstants.INFLOW_SECURITY) != null ||
+ msgContext.getProperty(WSSHandlerConstants.INFLOW_SECURITY) != null) {
+ if(msgContext.getProperty(WSHandlerConstants.RECV_RESULTS) == null) {
+ throw new AxisFault("InvalidSecurity");
+ } else {
+ if(((Vector)msgContext.getProperty(WSHandlerConstants.RECV_RESULTS)).size() == 0) {
+ throw new AxisFault("InvalidSecurity");
+ }
+ }
+ }
+
+ return InvocationResponse.CONTINUE;
+
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartReceiver.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartReceiver.java
new file mode 100644
index 0000000..0a53077
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartReceiver.java
@@ -0,0 +1,178 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axiom.om.OMException;
+import org.apache.axiom.soap.SOAP11Constants;
+import org.apache.axiom.soap.SOAP12Constants;
+import org.apache.axiom.soap.SOAPHeader;
+import org.apache.axiom.soap.SOAPHeaderBlock;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.description.HandlerDescription;
+import org.apache.axis2.description.Parameter;
+import org.apache.axis2.engine.Handler;
+import org.apache.axis2.namespace.Constants;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.RampartEngine;
+import org.apache.rampart.RampartException;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Vector;
+
+import javax.xml.namespace.QName;
+
+/**
+ * Rampart inflow handler.
+ * This processes the incoming message and validates it against the effective
+ * policy.
+ */
+public class RampartReceiver implements Handler {
+
+ private static Log mlog = LogFactory.getLog(RampartConstants.MESSAGE_LOG);
+
+ private static HandlerDescription EMPTY_HANDLER_METADATA =
+ new HandlerDescription("default Handler");
+
+ private HandlerDescription handlerDesc;
+
+ public RampartReceiver() {
+ this.handlerDesc = EMPTY_HANDLER_METADATA;
+ }
+
+ public void cleanup() {
+ }
+
+ public void init(HandlerDescription handlerdesc) {
+ this.handlerDesc = handlerdesc;
+ }
+
+ public void flowComplete(MessageContext msgContext)
+ {
+
+ }
+
+ public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
+
+ if (!msgContext.isEngaged(WSSHandlerConstants.SECURITY_MODULE_NAME)) {
+ return InvocationResponse.CONTINUE;
+ }
+
+ if(mlog.isDebugEnabled()){
+ mlog.debug("*********************** RampartReceiver received \n"
+ + msgContext.getEnvelope());
+ }
+
+ RampartEngine engine = new RampartEngine();
+ Vector wsResult = null;
+ try {
+ wsResult = engine.process(msgContext);
+
+ } catch (WSSecurityException e) {
+ setFaultCodeAndThrowAxisFault(msgContext, e);
+ } catch (WSSPolicyException e) {
+ setFaultCodeAndThrowAxisFault(msgContext, e);
+ } catch (RampartException e) {
+ setFaultCodeAndThrowAxisFault(msgContext, e);
+ }
+
+ if(wsResult == null) {
+ return InvocationResponse.CONTINUE;
+ }
+
+ Vector results = null;
+ if ((results = (Vector) msgContext
+ .getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
+ results = new Vector();
+ msgContext.setProperty(WSHandlerConstants.RECV_RESULTS, results);
+ }
+ WSHandlerResult rResult = new WSHandlerResult("", wsResult);
+ results.add(0, rResult);
+
+ SOAPHeader header = null;
+ try {
+ header = msgContext.getEnvelope().getHeader();
+ } catch (OMException ex) {
+ throw new AxisFault(
+ "RampartReceiver: cannot get SOAP header after security processing",
+ ex);
+ }
+
+ Iterator headers = header.getChildElements();
+
+ SOAPHeaderBlock headerBlock = null;
+
+ while (headers.hasNext()) { // Find the wsse header
+ SOAPHeaderBlock hb = (SOAPHeaderBlock) headers.next();
+ if (hb.getLocalName().equals(WSConstants.WSSE_LN)
+ && hb.getNamespace().getNamespaceURI().equals(WSConstants.WSSE_NS)) {
+ headerBlock = hb;
+ break;
+ }
+ }
+
+ if(headerBlock != null) {
+ headerBlock.setProcessed();
+ }
+
+ return InvocationResponse.CONTINUE;
+
+ }
+
+
+ public HandlerDescription getHandlerDesc() {
+ return this.handlerDesc;
+ }
+
+ public String getName() {
+ return "Apache Rampart inflow handler";
+ }
+
+ public Parameter getParameter(String name) {
+ return this.handlerDesc.getParameter(name);
+ }
+
+ private void setFaultCodeAndThrowAxisFault(MessageContext msgContext, Exception e) throws AxisFault {
+
+ msgContext.setProperty(RampartConstants.SEC_FAULT, Boolean.TRUE);
+ String soapVersionURI = msgContext.getEnvelope().getNamespace().getNamespaceURI();
+ QName invalidSecurity = new QName(WSConstants.INVALID_SECURITY.getNamespaceURI(),WSConstants.INVALID_SECURITY.getLocalPart(),"wsse");
+
+ if (soapVersionURI.equals(SOAP11Constants.SOAP_ENVELOPE_NAMESPACE_URI) ) {
+
+ throw new AxisFault(invalidSecurity,e.getMessage(),e);
+
+ } else if (soapVersionURI.equals(SOAP12Constants.SOAP_ENVELOPE_NAMESPACE_URI)) {
+
+ List subfaultCodes = new ArrayList();
+ subfaultCodes.add(invalidSecurity);
+ throw new AxisFault(Constants.FAULT_SOAP12_SENDER,subfaultCodes,e.getMessage(),e);
+
+ }
+
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartSender.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartSender.java
new file mode 100644
index 0000000..cdc0cc5
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/RampartSender.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.description.HandlerDescription;
+import org.apache.axis2.description.Parameter;
+import org.apache.axis2.engine.Handler;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.MessageBuilder;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.RampartException;
+import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.WSSecurityException;
+
+/**
+ * Rampart outflow handler.
+ * This constructs the secured message according to the effective policy.
+ */
+public class RampartSender implements Handler {
+
+ private static Log mlog = LogFactory.getLog(RampartConstants.MESSAGE_LOG);
+
+ private static HandlerDescription EMPTY_HANDLER_METADATA =
+ new HandlerDescription("default Handler");
+
+ private HandlerDescription handlerDesc;
+
+ public RampartSender() {
+ this.handlerDesc = EMPTY_HANDLER_METADATA;
+ }
+
+ public void cleanup() {
+ }
+
+ public void init(HandlerDescription handlerdesc) {
+ this.handlerDesc = handlerdesc;
+ }
+
+ public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
+
+ if (!msgContext.isEngaged(WSSHandlerConstants.SECURITY_MODULE_NAME)) {
+ return InvocationResponse.CONTINUE;
+ }
+
+ MessageBuilder builder = new MessageBuilder();
+ try {
+ builder.build(msgContext);
+ } catch (WSSecurityException e) {
+ throw new AxisFault(e.getMessage(), e);
+ } catch (WSSPolicyException e) {
+ throw new AxisFault(e.getMessage(), e);
+ } catch (RampartException e) {
+ throw new AxisFault(e.getMessage(), e);
+ }
+
+ if(mlog.isDebugEnabled()){
+ mlog.debug("*********************** RampartSender sent out \n" +
+ msgContext.getEnvelope());
+ }
+
+ return InvocationResponse.CONTINUE;
+ }
+
+ public void flowComplete(MessageContext msgContext)
+ {
+ }
+
+ public HandlerDescription getHandlerDesc() {
+ return this.handlerDesc;
+ }
+
+ public String getName() {
+ return "Apache Rampart outflow handler";
+ }
+
+ public Parameter getParameter(String name) {
+ return this.handlerDesc.getParameter(name);
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllHandler.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllHandler.java
new file mode 100644
index 0000000..1c80f50
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllHandler.java
@@ -0,0 +1,210 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.description.HandlerDescription;
+import org.apache.axis2.description.Parameter;
+import org.apache.axis2.engine.Handler;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.ws.security.handler.WSHandler;
+
+/**
+ * Class WSDoAllHandler
+ */
+public abstract class WSDoAllHandler extends WSHandler implements Handler {
+
+ /**
+ * Field EMPTY_HANDLER_METADATA
+ */
+ private static HandlerDescription EMPTY_HANDLER_METADATA =
+ new HandlerDescription("default Handler");
+
+ private final static String WSS_PASSWORD = "password";
+
+ private final static String WSS_USERNAME = "username";
+
+ /**
+ * Field handlerDesc
+ */
+ protected HandlerDescription handlerDesc;
+
+ /**
+ * In Axis2, the user cannot set inflow and outflow parameters.
+ * Therefore, we need to map the Axis2 specific inflow and outflow
+ * parameters to WSS4J params,
+ * <p/>
+ * Knowledge of inhandler and out handler is used to get the mapped value.
+ */
+ protected boolean inHandler;
+
+ /**
+ * Constructor AbstractHandler.
+ */
+ public WSDoAllHandler() {
+ handlerDesc = EMPTY_HANDLER_METADATA;
+ }
+
+ public abstract void processMessage(MessageContext msgContext) throws AxisFault;
+
+ /* (non-Javadoc)
+ * @see org.apache.axis2.engine.Handler#invoke(org.apache.axis2.context.MessageContext)
+ */
+ public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
+ //If the security module is not engaged for this service
+ //do not do any processing
+ if (msgContext.isEngaged(WSSHandlerConstants.SECURITY_MODULE_NAME)) {
+ this.processMessage(msgContext);
+ }
+ return InvocationResponse.CONTINUE;
+ }
+
+ public void flowComplete(MessageContext msgContext)
+ {
+ }
+
+ /**
+ * Method getName.
+ *
+ * @return Returns name.
+ */
+ public String getName() {
+ return handlerDesc.getName();
+ }
+
+ /**
+ * Method cleanup.
+ */
+ public void cleanup() {
+ }
+
+ /**
+ * Method getParameter.
+ *
+ * @param name
+ * @return Returns parameter.
+ */
+ public Parameter getParameter(String name) {
+ return handlerDesc.getParameter(name);
+ }
+
+ /**
+ * Method init.
+ *
+ * @param handlerdesc
+ */
+ public void init(HandlerDescription handlerdesc) {
+ this.handlerDesc = handlerdesc;
+ }
+
+ /**
+ * Gets the handler description.
+ *
+ * @return Returns handler description.
+ */
+ public HandlerDescription getHandlerDesc() {
+ return handlerDesc;
+ }
+
+ /* (non-Javadoc)
+ * @see java.lang.Object#toString()
+ */
+ public String toString() {
+ String name = this.getName();
+ return (name != null) ? name : "";
+ }
+
+
+ public Object getProperty(Object msgContext, String axisKey) {
+
+ int repetition = getCurrentRepetition(msgContext);
+
+ String key = Axis2Util.getKey(axisKey, inHandler, repetition);
+ Object property = ((MessageContext) msgContext).getProperty(key);
+ if (property == null) {
+ //Try the description hierarchy
+ Parameter parameter = ((MessageContext) msgContext).getParameter(key);
+ if (parameter != null) {
+ property = parameter.getValue();
+ }
+ }
+ return property;
+ }
+
+ /**
+ * Returns the repetition number from the message context
+ *
+ * @param msgContext
+ * @return Returns int.
+ */
+ protected int getCurrentRepetition(Object msgContext) {
+ //get the repetition from the message context
+ int repetition = 0;
+ if (!inHandler) {//We only need to repeat the out handler
+ Integer count = (Integer) ((MessageContext) msgContext).getProperty(WSSHandlerConstants.CURRENT_REPETITON);
+ if (count != null) { //When we are repeating the handler
+ repetition = count.intValue();
+ }
+ }
+ return repetition;
+ }
+
+ public String getPassword(Object msgContext) {
+ return (String) ((MessageContext) msgContext).getProperty(WSS_PASSWORD);
+ }
+
+ public void setPassword(Object msgContext, String password) {
+ ((MessageContext) msgContext).setProperty(WSS_PASSWORD, password);
+ }
+
+ public String getUsername(Object msgContext) {
+ return (String) ((MessageContext) msgContext).getProperty(WSS_USERNAME);
+ }
+
+ public void setUsername(Object msgContext, String username) {
+ ((MessageContext) msgContext).setProperty(WSS_USERNAME, username);
+ }
+
+ /**
+ * Gets option. Extracts the configuration values from the service.xml
+ * and/or axis2.xml. Values set in the service.xml takes priority over
+ * values of the axis2.xml
+ */
+ public Object getOption(String axisKey) {
+ Parameter parameter = this.handlerDesc.getParameter(axisKey);
+ return (parameter == null) ? null : parameter.getValue();
+ }
+
+ public void setProperty(Object msgContext, String key, Object value) {
+ ((MessageContext) msgContext).setProperty(key, value);
+ }
+
+ /**
+ * Overrides the class loader used to load the PW callback class.
+ *
+ * @param msgCtx MessageContext
+ * @return Returns class loader.
+ */
+ public java.lang.ClassLoader getClassLoader(Object msgCtx) {
+ try {
+ return ((MessageContext) msgCtx).getAxisService().getClassLoader();
+ } catch (Throwable t) {
+ return super.getClassLoader(msgCtx);
+ }
+ }
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllReceiver.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllReceiver.java
new file mode 100644
index 0000000..e0dbe00
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllReceiver.java
@@ -0,0 +1,383 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.OMException;
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axiom.soap.SOAPHeader;
+import org.apache.axiom.soap.SOAPHeaderBlock;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.Constants;
+import org.apache.axis2.addressing.AddressingConstants;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.context.OperationContext;
+import org.apache.axis2.wsdl.WSDLConstants;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.rampart.util.HandlerParameterDecoder;
+import org.apache.ws.security.SOAPConstants;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.handler.WSHandlerResult;
+import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.xml.namespace.QName;
+
+import java.security.cert.X509Certificate;
+import java.util.Iterator;
+import java.util.Vector;
+
+/**
+ * @deprecated
+ */
+public class WSDoAllReceiver extends WSDoAllHandler {
+
+ private static final Log log = LogFactory.getLog(WSDoAllReceiver.class);
+ private static Log mlog = LogFactory.getLog(RampartConstants.MESSAGE_LOG);
+
+ public WSDoAllReceiver() {
+ super();
+ inHandler = true;
+ }
+
+ public void processMessage(MessageContext msgContext) throws AxisFault {
+
+ if(mlog.isDebugEnabled()){
+ mlog.debug("*********************** WSDoAllReceiver recieved \n"+msgContext.getEnvelope());
+ }
+
+ boolean doDebug = log.isDebugEnabled();
+
+ if (doDebug) {
+ log.debug("WSDoAllReceiver: enter invoke() ");
+ }
+
+ String useDoomValue = (String) getProperty(msgContext,
+ WSSHandlerConstants.USE_DOOM);
+ boolean useDoom = useDoomValue != null
+ && Constants.VALUE_TRUE.equalsIgnoreCase(useDoomValue);
+
+ RequestData reqData = new RequestData();
+ try {
+
+ this.processBasic(msgContext, useDoom, reqData);
+ } catch (AxisFault axisFault) {
+ setAddressingInformationOnFault(msgContext);
+ throw axisFault;
+ } catch (Exception e) {
+ setAddressingInformationOnFault(msgContext);
+ throw new AxisFault(e.getMessage(), e);
+ } finally {
+
+ if (reqData != null) {
+ reqData.clear();
+ reqData = null;
+ }
+
+ if (doDebug) {
+ log.debug("WSDoAllReceiver: exit invoke()");
+ }
+ }
+
+ }
+
+ private void processBasic(MessageContext msgContext, boolean useDoom, RequestData reqData)
+ throws Exception {
+
+ // populate the properties
+ try {
+ HandlerParameterDecoder.processParameters(msgContext, true);
+ } catch (Exception e) {
+ throw new AxisFault("Configuration error", e);
+ }
+
+ reqData.setMsgContext(msgContext);
+
+ if (((getOption(WSSHandlerConstants.INFLOW_SECURITY)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.INFLOW_SECURITY)) == null)) {
+
+ if (msgContext.isServerSide() &&
+ ((getOption(WSSHandlerConstants.INFLOW_SECURITY_SERVER)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.INFLOW_SECURITY_SERVER)) == null)) {
+
+ return;
+ } else if (((getOption(WSSHandlerConstants.INFLOW_SECURITY_CLIENT)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.INFLOW_SECURITY_CLIENT)) == null)) {
+
+ return;
+ }
+ }
+
+ Vector actions = new Vector();
+ String action = null;
+ if ((action = (String) getOption(WSSHandlerConstants.ACTION_ITEMS)) == null) {
+ action = (String) getProperty(msgContext,
+ WSSHandlerConstants.ACTION_ITEMS);
+ }
+ if (action == null) {
+ throw new AxisFault("WSDoAllReceiver: No action items defined");
+ }
+ int doAction = WSSecurityUtil.decodeAction(action, actions);
+
+ if (doAction == WSConstants.NO_SECURITY) {
+ return;
+ }
+
+ String actor = (String) getOption(WSHandlerConstants.ACTOR);
+
+ Document doc = null;
+
+ try {
+ doc = Axis2Util.getDocumentFromSOAPEnvelope(msgContext
+ .getEnvelope(), useDoom);
+ } catch (WSSecurityException wssEx) {
+ throw new AxisFault(
+ "WSDoAllReceiver: Error in converting to Document", wssEx);
+ }
+
+ // Do not process faults
+ SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(doc
+ .getDocumentElement());
+ if (WSSecurityUtil.findElement(doc.getDocumentElement(), "Fault",
+ soapConstants.getEnvelopeURI()) != null) {
+ return;
+ }
+
+ /*
+ * To check a UsernameToken or to decrypt an encrypted message we need a
+ * password.
+ */
+ CallbackHandler cbHandler = null;
+ if ((doAction & (WSConstants.ENCR | WSConstants.UT)) != 0) {
+ cbHandler = getPasswordCB(reqData);
+ }
+
+ // Copy the WSHandlerConstants.SEND_SIGV over to the new message
+ // context - if it exists, if signatureConfirmation in the response msg
+ String sigConfEnabled = null;
+ if ((sigConfEnabled = (String) getOption(WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION)) == null) {
+ sigConfEnabled = (String) getProperty(msgContext,
+ WSHandlerConstants.ENABLE_SIGNATURE_CONFIRMATION);
+ }
+
+ // To handle sign confirmation of a sync response
+ // TODO Async response
+ if (!msgContext.isServerSide()
+ && !"false".equalsIgnoreCase(sigConfEnabled)) {
+ OperationContext opCtx = msgContext.getOperationContext();
+ MessageContext outMsgCtx = opCtx
+ .getMessageContext(WSDLConstants.MESSAGE_LABEL_OUT_VALUE);
+ if (outMsgCtx != null) {
+ msgContext.setProperty(WSHandlerConstants.SEND_SIGV, outMsgCtx
+ .getProperty(WSHandlerConstants.SEND_SIGV));
+ } else {
+ throw new WSSecurityException(
+ "Cannot obtain request message context");
+ }
+ }
+
+ /*
+ * Get and check the Signature specific parameters first because they
+ * may be used for encryption too.
+ */
+
+ doReceiverAction(doAction, reqData);
+
+ Vector wsResult = null;
+ try {
+ wsResult = secEngine.processSecurityHeader(doc, actor, cbHandler,
+ reqData.getSigCrypto(), reqData.getDecCrypto());
+ } catch (WSSecurityException ex) {
+ throw new AxisFault("WSDoAllReceiver: security processing failed",
+ ex);
+ }
+ if (wsResult == null) { // no security header found
+ if (doAction == WSConstants.NO_SECURITY) {
+ return;
+ } else {
+ throw new AxisFault(
+ "WSDoAllReceiver: Incoming message does not contain required Security header");
+ }
+ }
+
+ if (reqData.getWssConfig().isEnableSignatureConfirmation()
+ && !msgContext.isServerSide()) {
+ checkSignatureConfirmation(reqData, wsResult);
+ }
+
+ /**
+ * Set the new SOAPEnvelope
+ */
+
+ msgContext.setEnvelope(Axis2Util.getSOAPEnvelopeFromDOMDocument(doc, useDoom));
+
+ /*
+ * After setting the new current message, probably modified because of
+ * decryption, we need to locate the security header. That is, we force
+ * Axis (with getSOAPEnvelope()) to parse the string, build the new
+ * header. Then we examine, look up the security header and set the
+ * header as processed.
+ *
+ * Please note: find all header elements that contain the same actor
+ * that was given to processSecurityHeader(). Then check if there is a
+ * security header with this actor.
+ */
+ SOAPHeader header = null;
+ try {
+ header = msgContext.getEnvelope().getHeader();
+ } catch (OMException ex) {
+ throw new AxisFault(
+ "WSDoAllReceiver: cannot get SOAP header after security processing",
+ ex);
+ }
+
+ Iterator headers = header.examineHeaderBlocks(actor);
+
+ SOAPHeaderBlock headerBlock = null;
+
+ while (headers.hasNext()) { // Find the wsse header
+ SOAPHeaderBlock hb = (SOAPHeaderBlock) headers.next();
+ if (hb.getLocalName().equals(WSConstants.WSSE_LN)
+ && hb.getNamespace().getNamespaceURI().equals(WSConstants.WSSE_NS)) {
+ headerBlock = hb;
+ break;
+ }
+ }
+
+ if(headerBlock != null) {
+ headerBlock.setProcessed();
+ }
+
+ /*
+ * Now we can check the certificate used to sign the message. In the
+ * following implementation the certificate is only trusted if either it
+ * itself or the certificate of the issuer is installed in the keystore.
+ *
+ * Note: the method verifyTrust(X509Certificate) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the signature action result from the action vector
+ WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(
+ wsResult, WSConstants.SIGN);
+
+ if (actionResult != null) {
+ X509Certificate returnCert = actionResult.getCertificate();
+
+ if (returnCert != null) {
+ if (!verifyTrust(returnCert, reqData)) {
+ throw new AxisFault(
+ "WSDoAllReceiver: The certificate used for the signature is not trusted");
+ }
+ }
+ }
+
+ /*
+ * Perform further checks on the timestamp that was transmitted in the
+ * header. In the following implementation the timestamp is valid if it
+ * was created after (now-ttl), where ttl is set on server side, not by
+ * the client.
+ *
+ * Note: the method verifyTimestamp(Timestamp) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the timestamp action result from the action vector
+ actionResult = WSSecurityUtil.fetchActionResult(wsResult,
+ WSConstants.TS);
+
+ if (actionResult != null) {
+ Timestamp timestamp = actionResult.getTimestamp();
+
+ if (timestamp != null) {
+ String ttl = null;
+ if ((ttl = (String) getOption(WSHandlerConstants.TTL_TIMESTAMP)) == null) {
+ ttl = (String) getProperty(msgContext,
+ WSHandlerConstants.TTL_TIMESTAMP);
+ }
+ int ttl_i = 0;
+ if (ttl != null) {
+ try {
+ ttl_i = Integer.parseInt(ttl);
+ } catch (NumberFormatException e) {
+ ttl_i = reqData.getTimeToLive();
+ }
+ }
+ if (ttl_i <= 0) {
+ ttl_i = reqData.getTimeToLive();
+ }
+
+ if (!verifyTimestamp(timestamp, ttl_i)) {
+ throw new AxisFault(
+ "WSDoAllReceiver: The timestamp could not be validated");
+ }
+ }
+ }
+
+ /*
+ * now check the security actions: do they match, in right order?
+ */
+ if (!checkReceiverResults(wsResult, actions)) {
+ throw new AxisFault(
+ "WSDoAllReceiver: security processing failed (actions mismatch)");
+
+ }
+ /*
+ * All ok up to this point. Now construct and setup the security result
+ * structure. The service may fetch this and check it. Also the
+ * DoAllSender will use this in certain situations such as:
+ * USE_REQ_SIG_CERT to encrypt
+ */
+ Vector results = null;
+ if ((results = (Vector) getProperty(msgContext,
+ WSHandlerConstants.RECV_RESULTS)) == null) {
+ results = new Vector();
+ msgContext.setProperty(WSHandlerConstants.RECV_RESULTS, results);
+ }
+ WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
+ results.add(0, rResult);
+ }
+
+ private void setAddressingInformationOnFault(MessageContext msgContext) {
+ SOAPEnvelope env = msgContext.getEnvelope();
+ SOAPHeader header = env.getHeader();
+
+ if (header != null) {
+ OMElement msgIdElem = header.getFirstChildWithName(new QName(
+ AddressingConstants.Final.WSA_NAMESPACE,
+ AddressingConstants.WSA_MESSAGE_ID));
+ if (msgIdElem == null) {
+ msgIdElem = header.getFirstChildWithName(new QName(
+ AddressingConstants.Submission.WSA_NAMESPACE,
+ AddressingConstants.WSA_MESSAGE_ID));
+ }
+ if (msgIdElem != null && msgIdElem.getText() != null) {
+ msgContext.getOptions().setMessageId(msgIdElem.getText());
+ }
+ }
+ }
+
+}
diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllSender.java b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllSender.java
new file mode 100644
index 0000000..3a9bf0f
--- /dev/null
+++ b/modules/rampart-core/src/main/java/org/apache/rampart/handler/WSDoAllSender.java
@@ -0,0 +1,270 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart.handler;
+
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.Constants;
+import org.apache.axis2.context.MessageContext;
+import org.apache.axis2.context.OperationContext;
+import org.apache.axis2.wsdl.WSDLConstants;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.RampartConstants;
+import org.apache.rampart.util.Axis2Util;
+import org.apache.rampart.util.HandlerParameterDecoder;
+import org.apache.rampart.util.MessageOptimizer;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+
+import java.util.Vector;
+
+/**
+ * @deprecated
+ */
+public class WSDoAllSender extends WSDoAllHandler {
+
+ private static final Log log = LogFactory.getLog(WSDoAllSender.class);
+ private static Log mlog = LogFactory.getLog(RampartConstants.MESSAGE_LOG);
+
+
+ public WSDoAllSender() {
+ super();
+ inHandler = false;
+ }
+
+ public void processMessage(MessageContext msgContext) throws AxisFault {
+
+ String useDoomValue = (String) getProperty(msgContext,
+ WSSHandlerConstants.USE_DOOM);
+ boolean useDoom = useDoomValue != null
+ && Constants.VALUE_TRUE.equalsIgnoreCase(useDoomValue);
+
+ RequestData reqData = new RequestData();
+ try {
+ //If the msgs are msgs to an STS then use basic WS-Sec
+ processBasic(msgContext, useDoom, reqData);
+
+ } catch (Exception e) {
+ throw new AxisFault(e.getMessage(), e);
+ }
+ finally {
+ if(reqData != null) {
+ reqData.clear();
+ reqData = null;
+ }
+ }
+
+ if(mlog.isDebugEnabled()){
+ mlog.debug("*********************** WSDoAllSender sent out \n"+msgContext.getEnvelope());
+ }
+ }
+
+ /**
+ * This will carryout the WS-Security related operations.
+ *
+ * @param msgContext
+ * @param useDoom
+ * @throws WSSecurityException
+ * @throws AxisFault
+ */
+ private void processBasic(MessageContext msgContext, boolean useDoom,
+ RequestData reqData) throws WSSecurityException, AxisFault {
+ boolean doDebug = log.isDebugEnabled();
+
+ try {
+ HandlerParameterDecoder.processParameters(msgContext,false);
+ } catch (Exception e) {
+ throw new AxisFault("Configureation error", e);
+ }
+
+ if (doDebug) {
+ log.debug("WSDoAllSender: enter invoke()");
+ }
+
+ /*
+ * Copy the RECV_RESULTS over to the current message context
+ * - IF available
+ */
+ OperationContext opCtx = msgContext.getOperationContext();
+ MessageContext inMsgCtx;
+ if(opCtx != null &&
+ (inMsgCtx = opCtx.getMessageContext(WSDLConstants.MESSAGE_LABEL_IN_VALUE)) != null) {
+ msgContext.setProperty(WSHandlerConstants.RECV_RESULTS,
+ inMsgCtx.getProperty(WSHandlerConstants.RECV_RESULTS));
+ }
+
+
+
+ reqData.setNoSerialization(false);
+ reqData.setMsgContext(msgContext);
+
+ if (((getOption(WSSHandlerConstants.OUTFLOW_SECURITY)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.OUTFLOW_SECURITY)) == null)) {
+
+ if (msgContext.isServerSide() &&
+ ((getOption(WSSHandlerConstants.OUTFLOW_SECURITY_SERVER)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.OUTFLOW_SECURITY_SERVER)) == null)) {
+
+ return;
+ } else if (((getOption(WSSHandlerConstants.OUTFLOW_SECURITY_CLIENT)) == null) &&
+ ((getProperty(msgContext, WSSHandlerConstants.OUTFLOW_SECURITY_CLIENT)) == null)) {
+
+ return;
+ }
+ }
+
+ Vector actions = new Vector();
+ String action = null;
+ if ((action = (String) getOption(WSSHandlerConstants.ACTION_ITEMS)) == null) {
+ action = (String) getProperty(msgContext, WSSHandlerConstants.ACTION_ITEMS);
+ }
+ if (action == null) {
+ throw new AxisFault("WSDoAllReceiver: No action items defined");
+ }
+
+ int doAction = WSSecurityUtil.decodeAction(action, actions);
+ if (doAction == WSConstants.NO_SECURITY) {
+ return;
+ }
+
+ /*
+ * For every action we need a username, so get this now. The
+ * username defined in the deployment descriptor takes precedence.
+ */
+ reqData.setUsername((String) getOption(WSHandlerConstants.USER));
+ if (reqData.getUsername() == null || reqData.getUsername().length() == 0) {
+ String username = (String) getProperty(reqData.getMsgContext(), WSHandlerConstants.USER);
+ if (username != null) {
+ reqData.setUsername(username);
+ }
+ }
+
+ /*
+ * Now we perform some set-up for UsernameToken and Signature
+ * functions. No need to do it for encryption only. Check if
+ * username is available and then get a passowrd.
+ */
+ if ((doAction & (WSConstants.SIGN | WSConstants.UT | WSConstants.UT_SIGN)) != 0) {
+ /*
+ * We need a username - if none throw an AxisFault. For
+ * encryption there is a specific parameter to get a username.
+ */
+ if (reqData.getUsername() == null
+ || reqData.getUsername().length() == 0) {
+ throw new AxisFault(
+ "WSDoAllSender: Empty username for specified action");
+ }
+ }
+
+ /*
+ * Now get the SOAPEvelope from the message context and convert it
+ * into a Document
+ *
+ * Now we can perform our security operations on this request.
+ */
+
+
+ Document doc = null;
+ /*
+ * If the message context property conatins a document then this is
+ * a chained handler.
+ */
+ if ((doc = (Document) ((MessageContext)reqData.getMsgContext())
+ .getProperty(WSHandlerConstants.SND_SECURITY)) == null) {
+ try {
+ doc = Axis2Util.getDocumentFromSOAPEnvelope(msgContext.getEnvelope(), useDoom);
+ } catch (WSSecurityException wssEx) {
+ throw new AxisFault("WSDoAllReceiver: Error in converting to Document", wssEx);
+ }
+ }
+
+
+ doSenderAction(doAction, doc, reqData, actions, !msgContext.isServerSide());
+
+ /*
+ * If noSerialization is false, this handler shall be the last (or
+ * only) one in a handler chain. If noSerialization is true, just
+ * set the processed Document in the transfer property. The next
+ * Axis WSS4J handler takes it and performs additional security
+ * processing steps.
+ *
+ */
+ if (reqData.isNoSerialization()) {
+ ((MessageContext)reqData.getMsgContext()).setProperty(WSHandlerConstants.SND_SECURITY,
+ doc);
+ } else {
+ if(useDoom) {
+ msgContext.setEnvelope((SOAPEnvelope)doc.getDocumentElement());
+ } else {
+ msgContext.setEnvelope(Axis2Util.getSOAPEnvelopeFromDOMDocument(doc, useDoom));
+ }
+ ((MessageContext)reqData.getMsgContext()).setProperty(WSHandlerConstants.SND_SECURITY, null);
+ }
+
+
+ /**
+ * If the optimizeParts parts are set then optimize them
+ */
+ String optimizeParts;
+
+ if((optimizeParts = (String) getOption(WSSHandlerConstants.OPTIMIZE_PARTS)) == null) {
+ optimizeParts = (String)
+ getProperty(reqData.getMsgContext(), WSSHandlerConstants.OPTIMIZE_PARTS);
+ }
+ if(optimizeParts != null) {
+ // Optimize the Envelope
+ MessageOptimizer.optimize(msgContext.getEnvelope(),optimizeParts);
+ }
+
+ //Enable handler repetition
+ Integer repeat;
+ int repeatCount;
+ if ((repeat = (Integer)getOption(WSSHandlerConstants.SENDER_REPEAT_COUNT)) == null) {
+ repeat = (Integer)
+ getProperty(reqData.getMsgContext(), WSSHandlerConstants.SENDER_REPEAT_COUNT);
+ }
+
+ repeatCount = repeat.intValue();
+
+ //Get the current repetition from message context
+ int repetition = this.getCurrentRepetition(msgContext);
+
+ if(repeatCount > 0 && repetition < repeatCount) {
+
+ reqData.clear();
+ reqData = null;
+
+ // Increment the repetition to indicate the next repetition
+ // of the same handler
+ repetition++;
+ msgContext.setProperty(WSSHandlerConstants.CURRENT_REPETITON,
+ new Integer(repetition));
+
+ this.invoke(msgContext);
+ }
+
+ if (doDebug) {
... 54297 lines suppressed ...