org.apache.ws.security.WSConstants Java Examples
The following examples show how to use
org.apache.ws.security.WSConstants.
Example #1
Source File: IssuedTokenInterceptorProvider.java From steady with Apache License 2.0 | 6 votes |
/**
 * Wrap a received SAML assertion in a {@link SecurityToken} so it can be cached
 * and later referenced by its assertion id.
 *
 * The token carries whatever subject key material the assertion exposes (the
 * shared secret and/or the first certificate of the subject KeyInfo) plus the
 * WS-Security token-type URI for SAML 1.1 or SAML 2.0. The token type is left
 * unset when the wrapper reports neither version.
 *
 * NOTE(review): nothing in this method validates the assertion's signature or
 * issuer; that is presumably done before it is called — confirm at the call site.
 *
 * @param assertionWrapper the parsed assertion (non-null)
 * @return a token holding the assertion element, its id and subject key material
 */
private SecurityToken createSecurityToken(AssertionWrapper assertionWrapper) {
    final SecurityToken token = new SecurityToken(assertionWrapper.getId());

    // Copy the subject's proof-of-possession key material, when present.
    final SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        token.setSecret(keyInfo.getSecret());
        final X509Certificate[] subjectCerts = keyInfo.getCerts();
        if (subjectCerts != null && subjectCerts.length > 0) {
            // Only the leaf certificate is retained; any further chain elements are dropped here.
            token.setX509Certificate(subjectCerts[0], null);
        }
    }

    // Tag the token with the SAML version's WS-Security token-type URI.
    if (assertionWrapper.getSaml1() != null) {
        token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
    }

    token.setToken(assertionWrapper.getElement());
    return token;
}
Example #2
Source File: AbstractBindingPolicyValidator.java From steady with Apache License 2.0 | 6 votes |
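/**
 * Return true if an element carrying the given id was encrypted, i.e. it is
 * among the data references of some ENCR result.
 *
 * The id is compared with both the unqualified {@code Id} attribute and the
 * namespace-qualified {@code wsu:Id} attribute of every protected element.
 *
 * Fix: DOM's {@code getAttribute}/{@code getAttributeNS} return "" (not null)
 * for an absent attribute, so an empty {@code sigId} previously matched every
 * protected element that lacked the attribute and was reported as encrypted.
 * Attribute presence is now checked before comparing, and a null id is never
 * treated as encrypted.
 *
 * @param sigId   the id referenced by a signature (reference URI without '#')
 * @param results security engine results to scan
 * @return true if some ENCR result protects an element whose Id/wsu:Id equals {@code sigId}
 */
private boolean isIdEncrypted(String sigId, List<WSSecurityEngineResult> results) {
    if (sigId == null) {
        return false;
    }
    for (WSSecurityEngineResult wser : results) {
        Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
        if (actInt.intValue() != WSConstants.ENCR) {
            continue;
        }
        List<WSDataRef> refs = CastUtils.cast((List<?>) wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue;
        }
        for (WSDataRef ref : refs) {
            Element protectedElement = ref.getProtectedElement();
            if (protectedElement == null) {
                continue;
            }
            // Only a real attribute value may match; an absent attribute is not "".
            if (protectedElement.hasAttribute("Id")
                && sigId.equals(protectedElement.getAttribute("Id"))) {
                return true;
            }
            if (protectedElement.hasAttributeNS(WSConstants.WSU_NS, "Id")
                && sigId.equals(protectedElement.getAttributeNS(WSConstants.WSU_NS, "Id"))) {
                return true;
            }
        }
    }
    return false;
}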
Example #3
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 6 votes |
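/**
 * Extract the token identifier from a SecurityTokenReference-style element.
 *
 * Only the first child element of {@code el} is inspected:
 *  - ds:KeyInfo or wsse:KeyIdentifier: the element's text content;
 *  - wsse:Reference: the value of its URI attribute;
 *  - an SCT Identifier (either WS-SecureConversation namespace): the text content.
 *
 * Fix: DOM's {@code getAttribute} returns "" for a missing URI attribute, so a
 * wsse:Reference without a URI used to yield "" instead of null; callers that
 * test for null to fall back to another element then stopped at an empty id.
 * A missing URI now yields null like every other "not found" case.
 *
 * @param el the element whose first child is inspected
 * @return the identifier, or null when none can be determined
 */
protected String getIDFromSTR(Element el) {
    Element child = DOMUtils.getFirstElement(el);
    if (child == null) {
        return null;
    }
    QName elName = DOMUtils.getElementQName(child);

    boolean keyReference = elName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || elName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"));
    boolean sctIdentifier = elName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || elName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));

    if (keyReference || sctIdentifier) {
        return DOMUtils.getContent(child);
    }
    if (elName.equals(Reference.TOKEN)) {
        // An absent URI is "no id", not the empty string.
        return child.hasAttribute("URI") ? child.getAttribute("URI") : null;
    }
    return null;
}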
Example #4
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 6 votes |
/**
 * Write a wst:Lifetime element with wsu:Created = now and
 * wsu:Expires = now + {@code ttl} seconds.
 *
 * Both timestamps derive from a single reading of the local clock; {@code ttl}
 * is widened to long before the multiplication so large values cannot overflow.
 * Values are formatted with XmlSchemaDateFormat (xsd:dateTime).
 *
 * NOTE(review): this is only the requested lifetime; whether the STS honours
 * it, and whether the issued lifetime is validated on the response, is decided
 * elsewhere — confirm.
 *
 * @param writer destination stream
 * @throws XMLStreamException on write failure
 */
protected void addLifetime(XMLStreamWriter writer) throws XMLStreamException {
    final long nowMillis = System.currentTimeMillis();
    final Date created = new Date(nowMillis);
    final Date expires = new Date(nowMillis + ((long) ttl * 1000L));
    final XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();

    writer.writeStartElement("wst", "Lifetime", namespace);
    writer.writeNamespace("wsu", WSConstants.WSU_NS);

    writer.writeStartElement("wsu", "Created", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(created));
    writer.writeEndElement();

    writer.writeStartElement("wsu", "Expires", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(expires));
    writer.writeEndElement();

    writer.writeEndElement(); // wst:Lifetime
}
Example #5
Source File: KerberosTokenInterceptorProvider.java From steady with Apache License 2.0 | 6 votes |
/**
 * Select the results that correspond to a Kerberos BinarySecurityToken.
 *
 * A result qualifies when its action is BST and the object stored under
 * TAG_BINARY_SECURITY_TOKEN is a KerberosSecurity; other BST types are
 * ignored. Input order is preserved in the returned list.
 *
 * @param wsSecEngineResults all results produced by the security engine
 * @return a new list holding only the Kerberos BST results (possibly empty)
 */
private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> wsSecEngineResults) {
    final List<WSSecurityEngineResult> kerberosResults = new ArrayList<WSSecurityEngineResult>();
    for (WSSecurityEngineResult candidate : wsSecEngineResults) {
        final int action = (Integer) candidate.get(WSSecurityEngineResult.TAG_ACTION);
        if (action != WSConstants.BST) {
            continue;
        }
        final BinarySecurity bst =
            (BinarySecurity) candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(candidate);
        }
    }
    return kerberosResults;
}
Example #6
Source File: AbstractBindingBuilder.java From steady with Apache License 2.0 | 6 votes |
/**
 * Cache a SAML assertion in the token store as a SecurityToken keyed by the
 * assertion's id, and publish that id on the message under
 * SecurityConstants.TOKEN_ID.
 *
 * Nothing is stored when no id can be found on the assertion element. The
 * token type is SAML 2.0 when the wrapper holds a SAML 2 object; otherwise the
 * SAML 1.1 type is assumed.
 *
 * @param assertion the assertion to cache
 */
protected void storeAssertionAsSecurityToken(AssertionWrapper assertion) {
    final Element assertionElement = assertion.getElement();
    final String assertionId = findIDFromSamlToken(assertionElement);
    if (assertionId == null) {
        return; // without an id the token could never be looked up again
    }

    final String tokenType = assertion.getSaml2() != null
        ? WSConstants.WSS_SAML2_TOKEN_TYPE
        : WSConstants.WSS_SAML_TOKEN_TYPE;

    final SecurityToken cached = new SecurityToken(assertionId);
    cached.setTokenType(tokenType);
    cached.setToken(assertionElement);

    getTokenStore().add(cached);
    message.setContextualProperty(SecurityConstants.TOKEN_ID, cached.getId());
}
Example #7
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 6 votes |
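/**
 * Extract the token identifier from a SecurityTokenReference-style element.
 *
 * Only the first child element of {@code el} is inspected:
 *  - ds:KeyInfo or wsse:KeyIdentifier: the element's text content;
 *  - wsse:Reference: the value of its URI attribute;
 *  - an SCT Identifier (either WS-SecureConversation namespace): the text content.
 *
 * Fix: DOM's {@code getAttribute} returns "" for a missing URI attribute, so a
 * wsse:Reference without a URI used to yield "" instead of null; callers that
 * test for null to fall back to another element then stopped at an empty id.
 * A missing URI now yields null like every other "not found" case.
 *
 * @param el the element whose first child is inspected
 * @return the identifier, or null when none can be determined
 */
protected String getIDFromSTR(Element el) {
    Element child = DOMUtils.getFirstElement(el);
    if (child == null) {
        return null;
    }
    QName elName = DOMUtils.getElementQName(child);

    boolean keyReference = elName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || elName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"));
    boolean sctIdentifier = elName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || elName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));

    if (keyReference || sctIdentifier) {
        return DOMUtils.getContent(child);
    }
    if (elName.equals(Reference.TOKEN)) {
        // An absent URI is "no id", not the empty string.
        return child.hasAttribute("URI") ? child.getAttribute("URI") : null;
    }
    return null;
}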
Example #8
Source File: STSInvoker.java From steady with Apache License 2.0 | 6 votes |
/**
 * Write a Lifetime element (in the caller's WS-Trust prefix/namespace) with
 * wsu:Created and wsu:Expires children formatted as xsd:dateTime.
 *
 * The two instants are written exactly as given: this method does not check
 * that {@code expires} lies after {@code created}, nor that either is in the
 * future — the caller is responsible for choosing a sane lifetime.
 *
 * @param writer    destination DOM stream writer
 * @param created   issue instant
 * @param expires   expiry instant
 * @param prefix    prefix for the Lifetime element
 * @param namespace WS-Trust namespace for the Lifetime element
 * @throws Exception on write failure
 */
void writeLifetime(W3CDOMStreamWriter writer, Date created, Date expires, String prefix, String namespace) throws Exception {
    final XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();

    writer.writeStartElement(prefix, "Lifetime", namespace);
    writer.writeNamespace("wsu", WSConstants.WSU_NS);

    writer.writeStartElement("wsu", "Created", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(created.getTime()));
    writer.writeEndElement(); // wsu:Created

    writer.writeStartElement("wsu", "Expires", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(expires.getTime()));
    writer.writeEndElement(); // wsu:Expires

    writer.writeEndElement(); // Lifetime
}
Example #9
Source File: AsymmetricBindingHandler.java From steady with Apache License 2.0 | 6 votes |
/**
 * Find the id of the first ENCR (EncryptedKey) result among the received
 * handler results, scanning handler results and their engine results in order.
 *
 * Note: despite the wording of the previous inline comment, this looks for an
 * encryption action, not a signature. A result only counts when its TAG_ID is
 * non-null; that id lets a response refer back to the request's EncryptedKey.
 *
 * @param results received WSHandlerResults (one per actor/role)
 * @return the first ENCR result's id, or null when there is none
 */
public static String getRequestEncryptedKeyId(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            final Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            final String encryptedKeyId = (String) engineResult.get(WSSecurityEngineResult.TAG_ID);
            if (action.intValue() == WSConstants.ENCR && encryptedKeyId != null) {
                return encryptedKeyId;
            }
        }
    }
    return null;
}
Example #10
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 6 votes |
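/**
 * Determine the id of an issued token from the STS response elements.
 *
 * Lookup order:
 *  1. a SAML 1.1 Assertion in {@code rst}: its AssertionID attribute;
 *     a SAML 2.0 Assertion: its ID attribute;
 *  2. the reference inside {@code rst} (see getIDFromSTR);
 *  3. the RequestedAttachedReference {@code rar};
 *  4. the RequestedUnattachedReference {@code rur};
 *  5. the wsu:Id attribute of {@code rst}.
 *
 * Fix: step 5 used getAttributeNS, which returns "" for an absent attribute,
 * so a response with no recognisable id produced an empty string rather than
 * null. The attribute is now checked for presence first, so "no id" is null.
 *
 * @param rar RequestedAttachedReference element, or null
 * @param rur RequestedUnattachedReference element, or null
 * @param rst RequestedSecurityToken content element, or null
 * @return the token id, or null if none was found
 */
protected String findID(Element rar, Element rur, Element rst) {
    String id = null;
    if (rst != null) {
        id = getSamlAssertionId(rst);
        if (id == null) {
            id = this.getIDFromSTR(rst);
        }
    }
    if (id == null && rar != null) {
        id = this.getIDFromSTR(rar);
    }
    if (id == null && rur != null) {
        id = this.getIDFromSTR(rur);
    }
    if (id == null && rst != null && rst.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
        id = rst.getAttributeNS(WSConstants.WSU_NS, "Id");
    }
    return id;
}

/** Id of a SAML 1.1 (AssertionID) or SAML 2.0 (ID) Assertion element, else null. */
private static String getSamlAssertionId(Element el) {
    QName name = DOMUtils.getElementQName(el);
    if (name.equals(new QName(WSConstants.SAML_NS, "Assertion"))
        && el.hasAttributeNS(null, "AssertionID")) {
        return el.getAttributeNS(null, "AssertionID");
    }
    if (name.equals(new QName(WSConstants.SAML2_NS, "Assertion"))
        && el.hasAttributeNS(null, "ID")) {
        return el.getAttributeNS(null, "ID");
    }
    return null;
}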
Example #11
Source File: STSInvoker.java From steady with Apache License 2.0 | 6 votes |
/**
 * Write a Lifetime element (in the caller's WS-Trust prefix/namespace) with
 * wsu:Created and wsu:Expires children formatted as xsd:dateTime.
 *
 * The two instants are written exactly as given: this method does not check
 * that {@code expires} lies after {@code created}, nor that either is in the
 * future — the caller is responsible for choosing a sane lifetime.
 *
 * @param writer    destination DOM stream writer
 * @param created   issue instant
 * @param expires   expiry instant
 * @param prefix    prefix for the Lifetime element
 * @param namespace WS-Trust namespace for the Lifetime element
 * @throws Exception on write failure
 */
void writeLifetime(W3CDOMStreamWriter writer, Date created, Date expires, String prefix, String namespace) throws Exception {
    final XmlSchemaDateFormat dateFormat = new XmlSchemaDateFormat();

    writer.writeStartElement(prefix, "Lifetime", namespace);
    writer.writeNamespace("wsu", WSConstants.WSU_NS);

    writer.writeStartElement("wsu", "Created", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(created.getTime()));
    writer.writeEndElement(); // wsu:Created

    writer.writeStartElement("wsu", "Expires", WSConstants.WSU_NS);
    writer.writeCharacters(dateFormat.format(expires.getTime()));
    writer.writeEndElement(); // wsu:Expires

    writer.writeEndElement(); // Lifetime
}
Example #12
Source File: AbstractPolicySecurityTest.java From steady with Apache License 2.0 | 6 votes |
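/**
 * Assert that WSS4J recorded exactly one handler result on the inbound message
 * and that it holds an ENCR (decryption) result referencing decrypted elements.
 *
 * Fixes: the result count was checked with assertSame on boxed Integers
 * (identity, not equality — it only passed thanks to the small-Integer cache);
 * and assertNotNull on a locally created list could never fail, after which
 * get(0) was called with no guarantee the list was non-empty. The count is now
 * compared with assertEquals and the ENCR list is asserted non-empty before it
 * is indexed.
 *
 * @param inmsg the inbound SOAP message processed by the WSS4J in-interceptor
 */
protected void verifyWss4jEncResults(SoapMessage inmsg) {
    // There should be exactly 1 (WSS4J) HandlerResult.
    final List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) inmsg.get(WSHandlerConstants.RECV_RESULTS));
    assertNotNull(handlerResults);
    assertEquals(1, handlerResults.size());

    // Collect every ENCR action result; there must be at least one to inspect.
    final List<WSSecurityEngineResult> protectionResults = new Vector<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(handlerResults.get(0).getResults(), WSConstants.ENCR, protectionResults);
    assertFalse(protectionResults.isEmpty());

    // The first ENCR result should carry references to the decrypted element(s).
    final Map<String, Object> result = protectionResults.get(0);
    final List<WSDataRef> protectedElements =
        CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
    assertNotNull(protectedElements);
}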
Example #13
Source File: IssuedTokenInterceptorProvider.java From steady with Apache License 2.0 | 6 votes |
/**
 * Wrap a received SAML assertion in a {@link SecurityToken} so it can be cached
 * and later referenced by its assertion id.
 *
 * The token carries whatever subject key material the assertion exposes (the
 * shared secret and/or the first certificate of the subject KeyInfo) plus the
 * WS-Security token-type URI for SAML 1.1 or SAML 2.0. The token type is left
 * unset when the wrapper reports neither version.
 *
 * NOTE(review): nothing in this method validates the assertion's signature or
 * issuer; that is presumably done before it is called — confirm at the call site.
 *
 * @param assertionWrapper the parsed assertion (non-null)
 * @return a token holding the assertion element, its id and subject key material
 */
private SecurityToken createSecurityToken(AssertionWrapper assertionWrapper) {
    final SecurityToken token = new SecurityToken(assertionWrapper.getId());

    // Copy the subject's proof-of-possession key material, when present.
    final SAMLKeyInfo keyInfo = assertionWrapper.getSubjectKeyInfo();
    if (keyInfo != null) {
        token.setSecret(keyInfo.getSecret());
        final X509Certificate[] subjectCerts = keyInfo.getCerts();
        if (subjectCerts != null && subjectCerts.length > 0) {
            // Only the leaf certificate is retained; any further chain elements are dropped here.
            token.setX509Certificate(subjectCerts[0], null);
        }
    }

    // Tag the token with the SAML version's WS-Security token-type URI.
    if (assertionWrapper.getSaml1() != null) {
        token.setTokenType(WSConstants.WSS_SAML_TOKEN_TYPE);
    } else if (assertionWrapper.getSaml2() != null) {
        token.setTokenType(WSConstants.WSS_SAML2_TOKEN_TYPE);
    }

    token.setToken(assertionWrapper.getElement());
    return token;
}
Example #14
Source File: KerberosTokenInterceptorProvider.java From steady with Apache License 2.0 | 6 votes |
/**
 * Select the results that correspond to a Kerberos BinarySecurityToken.
 *
 * A result qualifies when its action is BST and the object stored under
 * TAG_BINARY_SECURITY_TOKEN is a KerberosSecurity; other BST types are
 * ignored. Input order is preserved in the returned list.
 *
 * @param wsSecEngineResults all results produced by the security engine
 * @return a new list holding only the Kerberos BST results (possibly empty)
 */
private List<WSSecurityEngineResult> findKerberosResults(List<WSSecurityEngineResult> wsSecEngineResults) {
    final List<WSSecurityEngineResult> kerberosResults = new ArrayList<WSSecurityEngineResult>();
    for (WSSecurityEngineResult candidate : wsSecEngineResults) {
        final int action = (Integer) candidate.get(WSSecurityEngineResult.TAG_ACTION);
        if (action != WSConstants.BST) {
            continue;
        }
        final BinarySecurity bst =
            (BinarySecurity) candidate.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        if (bst instanceof KerberosSecurity) {
            kerberosResults.add(candidate);
        }
    }
    return kerberosResults;
}
Example #15
Source File: AbstractBindingBuilder.java From steady with Apache License 2.0 | 6 votes |
/**
 * Return the username carried by the first UsernameToken (UT action) in the
 * handler results, or null when no UsernameToken was processed.
 *
 * Handler results are scanned in list order and their engine results in order;
 * the first match wins. No actor/role filtering happens here — every
 * WSHandlerResult supplied is considered, whatever its actor. Results whose
 * action is UT_NOPASSWORD (a distinct action constant) do not match.
 *
 * @param results received WSHandlerResults
 * @return the UsernameToken principal's name, or null
 */
public static String getUsername(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            final Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() != WSConstants.UT) {
                continue;
            }
            final WSUsernameTokenPrincipal principal =
                (WSUsernameTokenPrincipal) engineResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            return principal.getName();
        }
    }
    return null;
}
Example #16
Source File: AbstractBindingBuilder.java From steady with Apache License 2.0 | 6 votes |
/**
 * Return the X.509 certificate recorded on the first SIGN result in the
 * received handler results, or null if no signature result is present.
 *
 * All supplied WSHandlerResults are scanned in order; no actor/role filtering
 * is done here. The certificate is read from TAG_X509_CERTIFICATE, i.e. the one
 * the security engine attached to that signature — any trust validation of it
 * presumably happened when the result was produced, not in this method.
 *
 * @param results received WSHandlerResults
 * @return the signing certificate, or null
 */
private static X509Certificate getReqSigCert(List<WSHandlerResult> results) {
    for (WSHandlerResult handlerResult : results) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            final Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() == WSConstants.SIGN) {
                return (X509Certificate) engineResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
            }
        }
    }
    return null;
}
Example #17
Source File: AbstractBindingPolicyValidator.java From steady with Apache License 2.0 | 6 votes |
/**
 * Check whether encryption was applied before the signature.
 *
 * Walks the results in list order (which, per the original author's note, is
 * the reverse of processing order) and answers for the first SIGN result that
 * has data references and is not merely an endorsing signature (one whose only
 * reference is the ds:Signature element itself): true if an ENCR result with
 * data references was seen earlier in the list, false otherwise. With no such
 * signature the answer is false.
 *
 * @param results security engine results
 * @return true if an ENCR result precedes the first non-endorsing SIGN result
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean sawEncryption = false;
    for (WSSecurityEngineResult result : results) {
        final int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        final List<WSDataRef> refs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue; // results without data references are ignored for both actions
        }
        if (action == WSConstants.ENCR) {
            sawEncryption = true;
            continue;
        }
        if (action == WSConstants.SIGN) {
            // An endorsing signature only references the ds:Signature element; skip it.
            final boolean endorsingOnly = refs.size() == 1 && refs.get(0).getName().equals(SIG_QNAME);
            if (!endorsingOnly) {
                return sawEncryption;
            }
        }
    }
    return false;
}
Example #18
Source File: AbstractBindingPolicyValidator.java From steady with Apache License 2.0 | 6 votes |
/**
 * Check whether encryption was applied before the signature.
 *
 * Walks the results in list order (which, per the original author's note, is
 * the reverse of processing order) and answers for the first SIGN result that
 * has data references and is not merely an endorsing signature (one whose only
 * reference is the ds:Signature element itself): true if an ENCR result with
 * data references was seen earlier in the list, false otherwise. With no such
 * signature the answer is false.
 *
 * @param results security engine results
 * @return true if an ENCR result precedes the first non-endorsing SIGN result
 */
private boolean isEncryptedBeforeSigned(List<WSSecurityEngineResult> results) {
    boolean sawEncryption = false;
    for (WSSecurityEngineResult result : results) {
        final int action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
        final List<WSDataRef> refs =
            CastUtils.cast((List<?>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue; // results without data references are ignored for both actions
        }
        if (action == WSConstants.ENCR) {
            sawEncryption = true;
            continue;
        }
        if (action == WSConstants.SIGN) {
            // An endorsing signature only references the ds:Signature element; skip it.
            final boolean endorsingOnly = refs.size() == 1 && refs.get(0).getName().equals(SIG_QNAME);
            if (!endorsingOnly) {
                return sawEncryption;
            }
        }
    }
    return false;
}
Example #19
Source File: UsernameTokenInterceptor.java From steady with Apache License 2.0 | 6 votes |
/**
 * Locate the wsse:Security header of the message, optionally creating one.
 *
 * A header matches when its local name is "Security" and its namespace is the
 * WS-Security 1.0 or 1.1 namespace. If none exists and {@code create} is true,
 * an empty wsse:Security element (WS-Security 1.0 namespace) is built in a
 * fresh document, marked mustUnderstand, appended to the message headers and
 * returned.
 *
 * @param message the SOAP message
 * @param create  whether to add a header when none is present
 * @return the existing or newly created header, or null if absent and not created
 */
private Header findSecurityHeader(SoapMessage message, boolean create) {
    final List<Header> headers = message.getHeaders();
    for (Header header : headers) {
        final QName name = header.getName();
        if (!"Security".equals(name.getLocalPart())) {
            continue;
        }
        final String ns = name.getNamespaceURI();
        if (WSConstants.WSSE_NS.equals(ns) || WSConstants.WSSE11_NS.equals(ns)) {
            return header;
        }
    }
    if (!create) {
        return null;
    }

    // Build a detached wsse:Security element carrying its own namespace declaration.
    final Document doc = DOMUtils.createDocument();
    final Element securityEl = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Security");
    securityEl.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:wsse", WSConstants.WSSE_NS);

    // mustUnderstand: a receiver that cannot process WS-Security must fault rather than ignore it.
    final SoapHeader securityHeader = new SoapHeader(new QName(WSConstants.WSSE_NS, "Security"), securityEl);
    securityHeader.setMustUnderstand(true);
    headers.add(securityHeader);
    return securityHeader;
}
Example #20
Source File: SpnegoContextTokenInInterceptor.java From steady with Apache License 2.0 | 6 votes |
/**
 * Write a RequestedProofToken whose xenc:EncryptedKey carries {@code key} as a
 * base64 CipherValue, with EncryptionMethod/@Algorithm set to
 * "&lt;namespace&gt;/spnego#GSS_Wrap".
 *
 * The bytes are emitted verbatim; no wrapping or encryption is done here.
 * NOTE(review): the algorithm URI advertises GSS_Wrap protection, so the caller
 * is presumably expected to pass the already-wrapped bytes — confirm a raw
 * session key is never passed in.
 *
 * @param writer    destination writer
 * @param prefix    WS-Trust prefix for RequestedProofToken
 * @param namespace WS-Trust namespace (also the base of the algorithm URI)
 * @param key       bytes to emit as the CipherValue
 * @throws Exception on write failure
 */
private void writeProofToken(W3CDOMStreamWriter writer, String prefix, String namespace, byte[] key) throws Exception {
    final String encPrefix = WSConstants.ENC_PREFIX;
    final String encNs = WSConstants.ENC_NS;

    writer.writeStartElement(prefix, "RequestedProofToken", namespace);
    writer.writeStartElement(encPrefix, "EncryptedKey", encNs);

    writer.writeStartElement(encPrefix, "EncryptionMethod", encNs);
    writer.writeAttribute("Algorithm", namespace + "/spnego#GSS_Wrap");
    writer.writeEndElement(); // EncryptionMethod

    writer.writeStartElement(encPrefix, "CipherData", encNs);
    writer.writeStartElement(encPrefix, "CipherValue", encNs);
    writer.writeCharacters(Base64.encode(key));
    writer.writeEndElement(); // CipherValue
    writer.writeEndElement(); // CipherData

    writer.writeEndElement(); // EncryptedKey
    writer.writeEndElement(); // RequestedProofToken
}
Example #21
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 6 votes |
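/**
 * Extract the token identifier from a SecurityTokenReference-style element.
 *
 * Only the first child element of {@code el} is inspected:
 *  - ds:KeyInfo or wsse:KeyIdentifier: the element's text content;
 *  - wsse:Reference: the value of its URI attribute;
 *  - an SCT Identifier (either WS-SecureConversation namespace): the text content.
 *
 * Fix: DOM's {@code getAttribute} returns "" for a missing URI attribute, so a
 * wsse:Reference without a URI used to yield "" instead of null; callers that
 * test for null to fall back to another element then stopped at an empty id.
 * A missing URI now yields null like every other "not found" case.
 *
 * @param el the element whose first child is inspected
 * @return the identifier, or null when none can be determined
 */
protected String getIDFromSTR(Element el) {
    Element child = DOMUtils.getFirstElement(el);
    if (child == null) {
        return null;
    }
    QName elName = DOMUtils.getElementQName(child);

    boolean keyReference = elName.equals(new QName(WSConstants.SIG_NS, "KeyInfo"))
        || elName.equals(new QName(WSConstants.WSSE_NS, "KeyIdentifier"));
    boolean sctIdentifier = elName.equals(new QName(STSUtils.SCT_NS_05_02, "Identifier"))
        || elName.equals(new QName(STSUtils.SCT_NS_05_12, "Identifier"));

    if (keyReference || sctIdentifier) {
        return DOMUtils.getContent(child);
    }
    if (elName.equals(Reference.TOKEN)) {
        // An absent URI is "no id", not the empty string.
        return child.hasAttribute("URI") ? child.getAttribute("URI") : null;
    }
    return null;
}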
Example #22
Source File: AbstractBindingPolicyValidator.java From steady with Apache License 2.0 | 6 votes |
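/**
 * Return true if an element carrying the given id was encrypted, i.e. it is
 * among the data references of some ENCR result.
 *
 * The id is compared with both the unqualified {@code Id} attribute and the
 * namespace-qualified {@code wsu:Id} attribute of every protected element.
 *
 * Fix: DOM's {@code getAttribute}/{@code getAttributeNS} return "" (not null)
 * for an absent attribute, so an empty {@code sigId} previously matched every
 * protected element that lacked the attribute and was reported as encrypted.
 * Attribute presence is now checked before comparing, and a null id is never
 * treated as encrypted.
 *
 * @param sigId   the id referenced by a signature (reference URI without '#')
 * @param results security engine results to scan
 * @return true if some ENCR result protects an element whose Id/wsu:Id equals {@code sigId}
 */
private boolean isIdEncrypted(String sigId, List<WSSecurityEngineResult> results) {
    if (sigId == null) {
        return false;
    }
    for (WSSecurityEngineResult wser : results) {
        Integer actInt = (Integer) wser.get(WSSecurityEngineResult.TAG_ACTION);
        if (actInt.intValue() != WSConstants.ENCR) {
            continue;
        }
        List<WSDataRef> refs = CastUtils.cast((List<?>) wser.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
        if (refs == null) {
            continue;
        }
        for (WSDataRef ref : refs) {
            Element protectedElement = ref.getProtectedElement();
            if (protectedElement == null) {
                continue;
            }
            // Only a real attribute value may match; an absent attribute is not "".
            if (protectedElement.hasAttribute("Id")
                && sigId.equals(protectedElement.getAttribute("Id"))) {
                return true;
            }
            if (protectedElement.hasAttributeNS(WSConstants.WSU_NS, "Id")
                && sigId.equals(protectedElement.getAttributeNS(WSConstants.WSU_NS, "Id"))) {
                return true;
            }
        }
    }
    return false;
}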
Example #23
Source File: WSS4JInOutTest.java From steady with Apache License 2.0 | 5 votes |
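/**
 * Sign outbound with a PKIPath token (USE_SINGLE_CERTIFICATE=false, so the full
 * chain is sent) referenced directly, verify inbound against cxfca.properties,
 * and check that the SIGN result carries the two-certificate chain.
 *
 * Fix: the final assertEquals had its arguments reversed (actual, expected),
 * which yields a misleading failure message; it is now (expected, actual).
 */
@Test
public void testPKIPath() throws Exception {
    // Outbound: signature with alice's key, sending the whole chain as a PKIPath.
    final Map<String, String> outProperties = new HashMap<String, String>();
    outProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
    outProperties.put(WSHandlerConstants.USER, "alice");
    outProperties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");
    outProperties.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName());
    outProperties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    outProperties.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");

    // Inbound: verify the signature using the properties in cxfca.properties.
    final Map<String, String> inProperties = new HashMap<String, String>();
    inProperties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
    inProperties.put(WSHandlerConstants.SIG_PROP_FILE, "cxfca.properties");

    // The outbound message must contain a Security header with a Signature.
    final List<String> xpaths = new ArrayList<String>();
    xpaths.add("//wsse:Security");
    xpaths.add("//wsse:Security/ds:Signature");

    final List<WSHandlerResult> handlerResults = getResults(makeInvocation(outProperties, xpaths, inProperties));
    final WSSecurityEngineResult actionResult =
        WSSecurityUtil.fetchActionResult(handlerResults.get(0).getResults(), WSConstants.SIGN);
    final X509Certificate[] certificates =
        (X509Certificate[]) actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
    assertNotNull(certificates);
    assertEquals(2, certificates.length);
}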
Example #24
Source File: SAMLUtils.java From steady with Apache License 2.0 | 5 votes |
/**
 * Enforce subject-confirmation requirements on every SAML assertion found in
 * the security results.
 *
 * Assertions are gathered from ST_SIGNED and ST_UNSIGNED results. The evidence
 * handed to checkHolderOfKey and checkSenderVouches is the set of signed
 * results (SIGN and UT_SIGN actions) and the TLS peer certificates of the
 * message, if a TLSSessionInfo is present. Returns silently when no SAML
 * assertion was received; both checks run for every assertion.
 *
 * @param results engine results for the message
 * @param message the inbound message (source of TLSSessionInfo)
 * @param body    the SOAP Body element, used by the sender-vouches check
 * @throws WSSecurityException INVALID_SECURITY when an assertion fails either check
 */
public static void validateSAMLResults(List<WSSecurityEngineResult> results, Message message, Element body) throws WSSecurityException {
    final List<WSSecurityEngineResult> samlResults = new ArrayList<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_SIGNED, samlResults);
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.ST_UNSIGNED, samlResults);
    if (samlResults.isEmpty()) {
        return;
    }

    final List<WSSecurityEngineResult> signedResults = new ArrayList<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, signedResults);
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_SIGN, signedResults);

    // Peer certificates from the TLS session, if any; null when no session info is attached.
    final TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    final Certificate[] tlsCerts = tlsInfo == null ? null : tlsInfo.getPeerCertificates();

    for (WSSecurityEngineResult samlResult : samlResults) {
        final AssertionWrapper assertion =
            (AssertionWrapper) samlResult.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
        if (!SAMLUtils.checkHolderOfKey(assertion, signedResults, tlsCerts)) {
            LOG.warning("Assertion fails holder-of-key requirements");
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }
        if (!SAMLUtils.checkSenderVouches(assertion, tlsCerts, body, signedResults)) {
            LOG.warning("Assertion fails sender-vouches requirements");
            throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
        }
    }
}
Example #25
Source File: IssuedTokenInterceptorProvider.java From steady with Apache License 2.0 | 5 votes |
/**
 * Read the identifier attribute of a token element, trying in order:
 * wsu:Id, then an unqualified ID (SAML 2.0 style), then AssertionID (SAML 1.1 style).
 *
 * Returns "" (not null) when the token is null or carries none of these
 * attributes, so callers must treat the empty string as "no id".
 *
 * @param token the token element, may be null
 * @return the id, or "" when none is found
 */
private String getIdFromToken(Element token) {
    if (token == null) {
        return "";
    }
    if (token.hasAttributeNS(WSConstants.WSU_NS, "Id")) {
        return token.getAttributeNS(WSConstants.WSU_NS, "Id");
    }
    for (String localName : new String[] {"ID", "AssertionID"}) {
        if (token.hasAttributeNS(null, localName)) {
            return token.getAttributeNS(null, localName);
        }
    }
    return "";
}
Example #26
Source File: AbstractSTSClient.java From steady with Apache License 2.0 | 5 votes |
/**
 * Recover the key bytes carried by an EncryptedKey element of an STS response.
 *
 * Two cases:
 *  - SPNEGO (EncryptionMethod/@Algorithm ending in "spnego#GSS_Wrap"): the
 *    base64-decoded CipherValue is returned as-is, still GSS-wrapped, for the
 *    caller to unwrap with its security context later;
 *  - otherwise: the element is handed to WSS4J's EncryptedKeyProcessor, which
 *    decrypts it with this client's decryption Crypto and password callback,
 *    and the secret of the first result is returned.
 *
 * The SPNEGO match is a suffix check only; the namespace part of the URI is not
 * verified here. The returned bytes are key material: do not log them.
 *
 * @param child the xenc:EncryptedKey element
 * @return the decoded (SPNEGO) or decrypted key bytes
 * @throws WSSecurityException if the SPNEGO CipherValue is missing, or WSS4J processing fails
 * @throws TrustException      if decryption setup fails with an IOException
 */
protected byte[] decryptKey(Element child) throws TrustException, WSSecurityException {
    final String algorithm = X509Util.getEncAlgo(child);
    final boolean spnegoWrapped = algorithm != null && algorithm.endsWith("spnego#GSS_Wrap");
    if (spnegoWrapped) {
        return readSpnegoCipherValue(child);
    }
    try {
        final RequestData data = new RequestData();
        data.setWssConfig(WSSConfig.getNewInstance());
        data.setDecCrypto(createCrypto(true));
        data.setCallbackHandler(createHandler());

        final WSDocInfo docInfo = new WSDocInfo(child.getOwnerDocument());
        final List<WSSecurityEngineResult> processed =
            new EncryptedKeyProcessor().handleToken(child, data, docInfo);
        return (byte[]) processed.get(0).get(WSSecurityEngineResult.TAG_SECRET);
    } catch (IOException e) {
        throw new TrustException("ENCRYPTED_KEY_ERROR", LOG, e);
    }
}

/**
 * Base64-decode the CipherData/CipherValue child of an EncryptedKey without
 * decrypting it; fails with "noCipher" when either element is absent.
 */
private static byte[] readSpnegoCipherValue(Element encryptedKey) throws WSSecurityException {
    final Element cipherData =
        WSSecurityUtil.getDirectChildElement(encryptedKey, "CipherData", WSConstants.ENC_NS);
    final Element cipherValue = cipherData == null
        ? null
        : WSSecurityUtil.getDirectChildElement(cipherData, "CipherValue", WSConstants.ENC_NS);
    final byte[] decoded = cipherValue == null ? null : Base64.decode(DOMUtils.getContent(cipherValue));
    if (decoded == null) {
        throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noCipher");
    }
    return decoded;
}
Example #27
Source File: AbstractSupportingTokenPolicyValidator.java From steady with Apache License 2.0 | 5 votes |
/**
 * Find the ENCR result whose recorded X.509 certificate equals {@code cert}.
 *
 * Scans the validator's {@code results} in order and compares the certificate
 * stored under TAG_X509_CERTIFICATE with {@code cert} using equals(); the first
 * match is returned. {@code cert} must be non-null.
 *
 * @param cert the certificate the EncryptedKey should have been encrypted for
 * @return the matching ENCR result, or null if none matches
 */
private WSSecurityEngineResult getMatchingEncryptedKey(X509Certificate cert) {
    for (WSSecurityEngineResult candidate : results) {
        final int action = (Integer) candidate.get(WSSecurityEngineResult.TAG_ACTION);
        if (action != WSConstants.ENCR) {
            continue;
        }
        final X509Certificate encryptionCert =
            (X509Certificate) candidate.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
        if (cert.equals(encryptionCert)) {
            return candidate;
        }
    }
    return null;
}
Example #28
Source File: WSS4JOutInterceptorTest.java From steady with Apache License 2.0 | 5 votes |
/**
 * Outbound UsernameToken with PasswordText: the password must appear verbatim
 * in wsse:Password.
 *
 * This exercises WSS4JOutInterceptor's output only. Outside tests, PW_TEXT puts
 * the password in the clear inside the message, so it is only acceptable over a
 * confidential transport such as TLS.
 */
@Test
public void testUsernameTokenText() throws Exception {
    final SOAPMessage saaj = readSAAJDocument("wsse-request-clean.xml");

    final SoapMessage msg = new SoapMessage(new MessageImpl());
    final Exchange exchange = new ExchangeImpl();
    exchange.setInMessage(msg);
    msg.setContent(SOAPMessage.class, saaj);

    // Configure a plaintext UsernameToken for user "username".
    msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
    msg.put(WSHandlerConstants.SIG_PROP_FILE, "outsecurity.properties");
    msg.put(WSHandlerConstants.USER, "username");
    msg.put("password", "myAliasPassword");
    msg.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);

    final WSS4JOutInterceptor outInterceptor = new WSS4JOutInterceptor();
    final PhaseInterceptor<SoapMessage> ending = outInterceptor.createEndingInterceptor();
    ending.handleMessage(msg);

    final SOAPPart doc = saaj.getSOAPPart();
    assertValid("//wsse:Security", doc);
    assertValid("//wsse:Security/wsse:UsernameToken", doc);
    assertValid("//wsse:Security/wsse:UsernameToken/wsse:Username[text()='username']", doc);
    // The plaintext password must be present verbatim in the header.
    assertValid("//wsse:Security/wsse:UsernameToken/wsse:Password[text()='myAliasPassword']", doc);
}
Example #29
Source File: CustomProcessor.java From steady with Apache License 2.0 | 5 votes |
/**
 * Test-only processor: reports a SIGN action for whatever element it is given,
 * without inspecting or verifying the element at all, and stores this processor
 * under the key "foo" so a test can observe that it ran.
 *
 * Never register a processor like this outside tests: a SIGN result produced
 * without verification would let downstream policy checks believe the message
 * was signed.
 *
 * @param elem      the element being processed (ignored)
 * @param data      request data (ignored)
 * @param wsDocInfo document info (ignored)
 * @return a single-element list holding the fake SIGN result
 */
public final java.util.List<WSSecurityEngineResult> handleToken(final org.w3c.dom.Element elem, final RequestData data, final WSDocInfo wsDocInfo) throws WSSecurityException {
    final WSSecurityEngineResult fakeSignResult = new WSSecurityEngineResult(WSConstants.SIGN);
    fakeSignResult.put("foo", this);
    return java.util.Collections.singletonList(fakeSignResult);
}
Example #30
Source File: UsernameTokenPolicyValidator.java From steady with Apache License 2.0 | 5 votes |
/**
 * Validate the received UsernameTokens against every UsernameToken policy
 * assertion in the map.
 *
 * Both UT and UT_NOPASSWORD results are collected, so tokens without a
 * password are candidates here; whether the policy accepts them is presumably
 * decided inside checkTokens. Each assertion is first marked asserted, then
 * un-asserted when a token is required but none was received; checkTokens
 * records any further outcome on the AssertionInfo. The method itself always
 * returns true — the per-assertion state is the real result.
 *
 * @param aim           assertion info map for the message
 * @param message       the inbound message
 * @param soapBody      the SOAP Body element (unused here)
 * @param results       all security engine results
 * @param signedResults the signature results (unused here)
 * @return always true
 */
public boolean validatePolicy(AssertionInfoMap aim, Message message, Element soapBody, List<WSSecurityEngineResult> results, List<WSSecurityEngineResult> signedResults) {
    final Collection<AssertionInfo> ais = aim.get(SP12Constants.USERNAME_TOKEN);
    if (ais == null || ais.isEmpty()) {
        return true;
    }

    final List<WSSecurityEngineResult> utResults = new ArrayList<WSSecurityEngineResult>();
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT, utResults);
    WSSecurityUtil.fetchAllActionResults(results, WSConstants.UT_NOPASSWORD, utResults);

    for (AssertionInfo ai : ais) {
        final org.apache.cxf.ws.security.policy.model.UsernameToken tokenPolicy =
            (org.apache.cxf.ws.security.policy.model.UsernameToken) ai.getAssertion();
        ai.setAsserted(true);
        if (!isTokenRequired(tokenPolicy, message)) {
            continue;
        }
        if (utResults.isEmpty()) {
            ai.setNotAsserted("The received token does not match the token inclusion requirement");
            continue;
        }
        // checkTokens records its verdict on the AssertionInfo; the return value needs no handling here.
        checkTokens(tokenPolicy, ai, utResults);
    }
    return true;
}