ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1295267 [2/11] - in /webservices/wss4j/branches/swssf: rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/ streaming-ws-policy/src/main/java/org/swssf/policy/ streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ s...
Date Wed, 29 Feb 2012 20:54:56 GMT
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ContentEncryptedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.ContentEncryptedElements;
 import org.apache.ws.secpolicy.model.XPath;
 import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.ContentEncryptedElementSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 
 /**
@@ -37,7 +40,7 @@ import java.util.List;
  */
 public class ContentEncryptedElementsAssertionState extends AssertionState implements Assertable {
 
-    private List<QName> elements = new ArrayList<QName>();
+    private List<List<QName>> pathElements = new ArrayList<List<QName>>();
 
     public ContentEncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
@@ -45,17 +48,8 @@ public class ContentEncryptedElementsAss
         ContentEncryptedElements contentEncryptedElements = (ContentEncryptedElements) assertion;
         for (int i = 0; i < contentEncryptedElements.getXPaths().size(); i++) {
             XPath xPath = contentEncryptedElements.getXPaths().get(i);
-            String[] xPathElements = xPath.getXPath().split("/");
-            String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
-            if (xPathElement.length == 2) {
-                String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
-                if (ns == null) {
-                    throw new IllegalArgumentException("Namespace not declared");
-                }
-                elements.add(new QName(ns, xPathElement[1]));
-            } else {
-                elements.add(new QName(xPathElement[1]));
-            }
+            List<QName> elements = PolicyUtils.getElementPath(xPath);
+            pathElements.add(elements);
         }
     }
 
@@ -69,23 +63,23 @@ public class ContentEncryptedElementsAss
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
-        //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
-        for (int i = 0; i < elements.size(); i++) {
-            QName qName = elements.get(i);
-            if (qName.equals(contentEncryptedElementSecurityEvent.getElement())) {
+        Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+        while (pathElementIterator.hasNext()) {
+            List<QName> pathElements = pathElementIterator.next();
+            if (WSSUtils.pathMatches(pathElements, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
                 if (contentEncryptedElementSecurityEvent.isEncrypted()) {
                     setAsserted(true);
                     return true;
                 } else {
-                    //an element must be signed but isn't
+                    //an element must be encrypted but isn't
                     setAsserted(false);
-                    setErrorMessage("content of element " + contentEncryptedElementSecurityEvent.getElement() + " must be encrypted");
+                    setErrorMessage("content of element " + WSSUtils.pathAsString(contentEncryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
                     return false;
                 }
             }
         }
-        //if we return false here other signed elements will trigger a PolicyViolationException
+        //if we return false here other encrypted elements will trigger a PolicyViolationException
         return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.EncryptedElements;
 import org.apache.ws.secpolicy.model.XPath;
 import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 
 /**
@@ -37,7 +40,7 @@ import java.util.List;
  */
 public class EncryptedElementsAssertionState extends AssertionState implements Assertable {
 
-    private List<QName> elements = new ArrayList<QName>();
+    private List<List<QName>> pathElements = new ArrayList<List<QName>>();
 
     public EncryptedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
@@ -45,17 +48,8 @@ public class EncryptedElementsAssertionS
         EncryptedElements encryptedElements = (EncryptedElements) assertion;
         for (int i = 0; i < encryptedElements.getXPaths().size(); i++) {
             XPath xPath = encryptedElements.getXPaths().get(i);
-            String[] xPathElements = xPath.getXPath().split("/");
-            String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
-            if (xPathElement.length == 2) {
-                String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
-                if (ns == null) {
-                    throw new IllegalArgumentException("Namespace not declared");
-                }
-                elements.add(new QName(ns, xPathElement[1]));
-            } else {
-                elements.add(new QName(xPathElement[1]));
-            }
+            List<QName> elements = PolicyUtils.getElementPath(xPath);
+            pathElements.add(elements);
         }
     }
 
@@ -69,23 +63,23 @@ public class EncryptedElementsAssertionS
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
-        //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
-        for (int i = 0; i < elements.size(); i++) {
-            QName qName = elements.get(i);
-            if (qName.equals(encryptedElementSecurityEvent.getElement())) {
+        Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+        while (pathElementIterator.hasNext()) {
+            List<QName> pathElements = pathElementIterator.next();
+            if (WSSUtils.pathMatches(pathElements, encryptedElementSecurityEvent.getElementPath(), true, false)) {
                 if (encryptedElementSecurityEvent.isEncrypted()) {
                     setAsserted(true);
                     return true;
                 } else {
-                    //an element must be signed but isn't
+                    //an element must be encrypted but isn't
                     setAsserted(false);
-                    setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must be encrypted");
+                    setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
                     return false;
                 }
             }
         }
-        //if we return false here other signed elements will trigger a PolicyViolationException
+        //if we return false here other encrypted elements will trigger a PolicyViolationException
         return true;
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/EncryptedPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,10 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.EncryptedParts;
 import org.apache.ws.secpolicy.model.Header;
 import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.EncryptedPartSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
+import javax.xml.namespace.QName;
+import java.util.LinkedList;
+import java.util.List;
+
 /**
  * @author $Author$
  * @version $Revision$ $Date$
@@ -53,28 +58,33 @@ public class EncryptedPartsAssertionStat
         EncryptedPartSecurityEvent encryptedPartSecurityEvent = (EncryptedPartSecurityEvent) securityEvent;
         EncryptedParts encryptedParts = (EncryptedParts) getAssertion();
 
-        if (encryptedParts.isBody() && (encryptedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
-                || encryptedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+        if (encryptedParts.isBody()
+                && (WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, encryptedPartSecurityEvent.getElementPath(), true, false))) {
             if (encryptedPartSecurityEvent.isEncrypted()) {
                 setAsserted(true);
                 return true;
             } else {
                 setAsserted(false);
-                setErrorMessage("Element " + encryptedPartSecurityEvent.getElement() + " must be encrypted");
+                setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
                 return false;
             }
         }
         //body processed above. so this must be a header element
         for (int i = 0; i < encryptedParts.getHeaders().size(); i++) {
             Header header = encryptedParts.getHeaders().get(i);
-            if (header.getNamespace().equals(encryptedPartSecurityEvent.getElement().getNamespaceURI())
-                    && (header.getName() == null //== wildcard
-                    || header.getName().equals(encryptedPartSecurityEvent.getElement().getLocalPart()))) {
+            QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+            List<QName> header11Path = new LinkedList<QName>();
+            header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+            header11Path.add(headerQName);
+
+            if (WSSUtils.pathMatches(header11Path, encryptedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
                 if (encryptedPartSecurityEvent.isEncrypted()) {
                     setAsserted(true);
                     return true;
                 } else {
-                    setErrorMessage("Element " + encryptedPartSecurityEvent.getElement() + " must be encrypted");
+                    setAsserted(false);
+                    setErrorMessage("Element " + WSSUtils.pathAsString(encryptedPartSecurityEvent.getElementPath()) + " must be encrypted");
                     return false;
                 }
             }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java Wed Feb 29 20:54:51 2012
@@ -23,8 +23,8 @@ import org.apache.ws.secpolicy.WSSPolicy
 import org.apache.ws.secpolicy.model.AbstractSecurityAssertion;
 import org.apache.ws.secpolicy.model.AbstractSymmetricAsymmetricBinding;
 import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
 import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
 
@@ -54,14 +54,13 @@ public class OnlySignEntireHeadersAndBod
             return true;
         }
         if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()
-                && (signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
-                || signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+                && WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.SOAP_11_BODY_PATH, true, false)) {
             if (signedPartSecurityEvent.isSigned()) {
                 setAsserted(true);
                 return true;
             } else {
                 setAsserted(false);
-                setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
                 return false;
             }
         }
@@ -72,12 +71,12 @@ public class OnlySignEntireHeadersAndBod
                     //for a rewriting attack! If the Security Header is not signed then all child
                     //elements must be signed!
                     // @see http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617840
-                    || signedPartSecurityEvent.getElement().equals(WSSConstants.TAG_wsse_Security)) {
+                    || WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.WSSE_SECURITY_HEADER_PATH, true, false)) {
                 setAsserted(true);
                 return true;
             } else {
                 setAsserted(false);
-                setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
                 return false;
             }
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ProtectionOrderAssertionState.java Wed Feb 29 20:54:51 2012
@@ -18,21 +18,15 @@
  */
 package org.swssf.policy.assertionStates;
 
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.namespace.QName;
-
 import org.apache.ws.secpolicy.AssertionState;
 import org.apache.ws.secpolicy.WSSPolicyException;
 import org.apache.ws.secpolicy.model.AbstractSecurityAssertion;
 import org.swssf.policy.Assertable;
-import org.swssf.wss.securityEvent.ContentEncryptedElementSecurityEvent;
-import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
-import org.swssf.wss.securityEvent.EncryptedPartSecurityEvent;
-import org.swssf.wss.securityEvent.SecurityEvent;
-import org.swssf.wss.securityEvent.SignedElementSecurityEvent;
-import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
+import org.swssf.wss.securityEvent.*;
+
+import javax.xml.namespace.QName;
+import java.util.ArrayList;
+import java.util.List;
 
 /**
  * @author $Author$
@@ -41,8 +35,8 @@ import org.swssf.wss.securityEvent.Signe
 
 public class ProtectionOrderAssertionState extends AssertionState implements Assertable {
 
-    private List<QName> signedElements = new ArrayList<QName>();
-    private List<QName> encryptedElements = new ArrayList<QName>();
+    private List<List<QName>> signedElements = new ArrayList<List<QName>>();
+    private List<List<QName>> encryptedElements = new ArrayList<List<QName>>();
 
     public ProtectionOrderAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
@@ -69,40 +63,35 @@ public class ProtectionOrderAssertionSta
                 if (!signedElementSecurityEvent.isSigned()) {
                     return true;
                 }
-                if (!encryptedElements.contains(signedElementSecurityEvent.getElement())) {
-                    signedElements.add(signedElementSecurityEvent.getElement());
+                if (!encryptedElements.contains(signedElementSecurityEvent.getElementPath())) {
+                    signedElements.add(signedElementSecurityEvent.getElementPath());
                 } else {
 
                 }
-                System.out.println("Sig: " + signedElementSecurityEvent.getElement());
                 break;
             case SignedPart:
                 SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
                 if (!signedPartSecurityEvent.isSigned()) {
                     return true;
                 }
-                System.out.println("Sig: " + signedPartSecurityEvent.getElement());
                 break;
             case EncryptedElement:
                 EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
                 if (!encryptedElementSecurityEvent.isEncrypted()) {
                     return true;
                 }
-                System.out.println("Enc: " + encryptedElementSecurityEvent.getElement() + " signed: " + encryptedElementSecurityEvent.isSignedContent());
                 break;
             case EncryptedPart:
                 EncryptedPartSecurityEvent encryptedPartSecurityEvent = (EncryptedPartSecurityEvent) securityEvent;
                 if (!encryptedPartSecurityEvent.isEncrypted()) {
                     return true;
                 }
-                System.out.println("Enc: " + encryptedPartSecurityEvent.getElement() + " signed: " + encryptedPartSecurityEvent.isSignedContent());
                 break;
             case ContentEncrypted:
                 ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
                 if (!contentEncryptedElementSecurityEvent.isEncrypted()) {
                     return true;
                 }
-                System.out.println("Enc: " + contentEncryptedElementSecurityEvent.getElement() + " signed: " + contentEncryptedElementSecurityEvent.isSignedContent());
                 break;
         }
 

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,12 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.RequiredElements;
 import org.apache.ws.secpolicy.model.XPath;
 import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.RequiredElementSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
 import javax.xml.namespace.QName;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Map;
 
 /**
@@ -38,7 +41,7 @@ import java.util.Map;
  */
 public class RequiredElementsAssertionState extends AssertionState implements Assertable {
 
-    private Map<QName, Boolean> elements = new HashMap<QName, Boolean>();
+    private Map<List<QName>, Boolean> pathElements = new HashMap<List<QName>, Boolean>();
 
     public RequiredElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
@@ -47,23 +50,14 @@ public class RequiredElementsAssertionSt
             RequiredElements requiredElements = (RequiredElements) assertion;
             for (int i = 0; i < requiredElements.getXPaths().size(); i++) {
                 XPath xPath = requiredElements.getXPaths().get(i);
-                String[] xPathElements = xPath.getXPath().split("/");
-                String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
-                if (xPathElement.length == 2) {
-                    String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
-                    if (ns == null) {
-                        throw new IllegalArgumentException("Namespace not declared");
-                    }
-                    elements.put(new QName(ns, xPathElement[1]), Boolean.FALSE);
-                } else {
-                    elements.put(new QName(xPathElement[1]), Boolean.FALSE);
-                }
+                List<QName> elements = PolicyUtils.getElementPath(xPath);
+                pathElements.put(elements, Boolean.FALSE);
             }
         }
     }
 
-    public void addElement(QName element) {
-        this.elements.put(element, Boolean.FALSE);
+    public void addElement(List<QName> pathElement) {
+        this.pathElements.put(pathElement, Boolean.FALSE);
     }
 
     @Override
@@ -76,13 +70,12 @@ public class RequiredElementsAssertionSt
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         RequiredElementSecurityEvent requiredElementSecurityEvent = (RequiredElementSecurityEvent) securityEvent;
-        //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
-        Iterator<Map.Entry<QName, Boolean>> elementMapIterator = elements.entrySet().iterator();
+        Iterator<Map.Entry<List<QName>, Boolean>> elementMapIterator = pathElements.entrySet().iterator();
         while (elementMapIterator.hasNext()) {
-            Map.Entry<QName, Boolean> next = elementMapIterator.next();
-            QName qName = next.getKey();
-            if (qName.equals(requiredElementSecurityEvent.getElement())) {
+            Map.Entry<List<QName>, Boolean> next = elementMapIterator.next();
+            List<QName> qNameList = next.getKey();
+            if (WSSUtils.pathMatches(qNameList, requiredElementSecurityEvent.getElementPath(), true, false)) {
                 next.setValue(Boolean.TRUE);
                 break;
             }
@@ -93,11 +86,11 @@ public class RequiredElementsAssertionSt
 
     @Override
     public boolean isAsserted() {
-        Iterator<Map.Entry<QName, Boolean>> elementMapIterator = elements.entrySet().iterator();
+        Iterator<Map.Entry<List<QName>, Boolean>> elementMapIterator = pathElements.entrySet().iterator();
         while (elementMapIterator.hasNext()) {
-            Map.Entry<QName, Boolean> next = elementMapIterator.next();
+            Map.Entry<List<QName>, Boolean> next = elementMapIterator.next();
             if (Boolean.FALSE.equals(next.getValue())) {
-                setErrorMessage("Element " + next.getKey().toString() + " must be present");
+                setErrorMessage("Element " + WSSUtils.pathAsString(next.getKey()) + " must be present");
                 return false;
             }
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/RequiredPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,12 +24,13 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.Header;
 import org.apache.ws.secpolicy.model.RequiredParts;
 import org.swssf.policy.Assertable;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.RequiredPartSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
-import java.util.HashMap;
-import java.util.Iterator;
-import java.util.Map;
+import javax.xml.namespace.QName;
+import java.util.*;
 
 /**
  * @author $Author$
@@ -59,15 +60,18 @@ public class RequiredPartsAssertionState
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         RequiredPartSecurityEvent requiredPartSecurityEvent = (RequiredPartSecurityEvent) securityEvent;
-        //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
         Iterator<Map.Entry<Header, Boolean>> elementMapIterator = headers.entrySet().iterator();
         while (elementMapIterator.hasNext()) {
             Map.Entry<Header, Boolean> next = elementMapIterator.next();
             Header header = next.getKey();
-            if (header.getNamespace().equals(requiredPartSecurityEvent.getElement().getNamespaceURI())
-                    && (header.getName() == null //== wildcard
-                    || header.getName().equals(requiredPartSecurityEvent.getElement().getLocalPart()))) {
+            QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+            List<QName> header11Path = new LinkedList<QName>();
+            header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+            header11Path.add(headerQName);
+
+            if (WSSUtils.pathMatches(header11Path, requiredPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
                 next.setValue(Boolean.TRUE);
                 break;
             }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SamlTokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -28,6 +28,7 @@ import org.swssf.wss.impl.securityToken.
 import org.swssf.wss.securityEvent.SamlTokenSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.TokenSecurityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
 
 /**
  * @author $Author$
@@ -48,7 +49,7 @@ public class SamlTokenAssertionState ext
     }
 
     @Override
-    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
         if (!(tokenSecurityEvent instanceof SamlTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a SamlTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }
@@ -64,30 +65,32 @@ public class SamlTokenAssertionState ext
             setAsserted(false);
             setErrorMessage("Policy enforces KeyIdentifierReference but we got " + samlTokenSecurityEvent.getSecurityToken().getTokenType());
         }
-        switch (samlToken.getSamlTokenType()) {
-            case WssSamlV11Token10:
-                if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_10) {
+        if (samlToken.getSamlTokenType() != null) {
+            switch (samlToken.getSamlTokenType()) {
+                case WssSamlV11Token10:
+                    if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_10) {
+                        setAsserted(false);
+                        setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                    }
+                    break;
+                case WssSamlV11Token11:
+                    if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_11) {
+                        setAsserted(false);
+                        setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                    }
+                    break;
+                case WssSamlV20Token11:
+                    if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_20) {
+                        setAsserted(false);
+                        setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
+                    }
+                    break;
+                case WssSamlV10Token10:
+                case WssSamlV10Token11:
                     setAsserted(false);
-                    setErrorMessage("Policy enforces SamlVersion11Profile10 but we got " + samlTokenSecurityEvent.getSamlVersion());
-                }
-                break;
-            case WssSamlV11Token11:
-                if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_11) {
-                    setAsserted(false);
-                    setErrorMessage("Policy enforces SamlVersion11Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
-                }
-                break;
-            case WssSamlV20Token11:
-                if (samlTokenSecurityEvent.getSamlVersion() != SAMLVersion.VERSION_20) {
-                    setAsserted(false);
-                    setErrorMessage("Policy enforces SamlVersion20Profile11 but we got " + samlTokenSecurityEvent.getSamlVersion());
-                }
-                break;
-            case WssSamlV10Token10:
-            case WssSamlV10Token11:
-                setAsserted(false);
-                setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
-                break;
+                    setErrorMessage("Unsupported token type: " + samlToken.getSamlTokenType());
+                    break;
+            }
         }
         return isAsserted();
     }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignatureProtectionAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.AbstractSymmetricAsymmetricBinding;
 import org.swssf.policy.Assertable;
 import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.EncryptedElementSecurityEvent;
 import org.swssf.wss.securityEvent.SecurityEvent;
 
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.List;
 
 /**
@@ -37,13 +40,21 @@ import java.util.List;
  */
 public class SignatureProtectionAssertionState extends AssertionState implements Assertable {
 
-    private List<QName> elements = new ArrayList<QName>();
+    private List<List<QName>> elementPaths = new ArrayList<List<QName>>();
 
     public SignatureProtectionAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
-
-        elements.add(WSSConstants.TAG_dsig_Signature);
-        elements.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+        List<QName> signature11Path = new LinkedList<QName>();
+        signature11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+        signature11Path.add(WSSConstants.TAG_wsse_Security);
+        signature11Path.add(WSSConstants.TAG_dsig_Signature);
+        elementPaths.add(signature11Path);
+
+        List<QName> signatureConfirmation11Path = new LinkedList<QName>();
+        signatureConfirmation11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+        signatureConfirmation11Path.add(WSSConstants.TAG_wsse_Security);
+        signatureConfirmation11Path.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+        elementPaths.add(signatureConfirmation11Path);
     }
 
     @Override
@@ -59,22 +70,23 @@ public class SignatureProtectionAssertio
         AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) getAssertion();
         //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
-        for (int i = 0; i < elements.size(); i++) {
-            QName qName = elements.get(i);
-            if (qName.equals(encryptedElementSecurityEvent.getElement())) {
+        Iterator<List<QName>> pathElementsIterator = elementPaths.iterator();
+        while (pathElementsIterator.hasNext()) {
+            List<QName> qNameList = pathElementsIterator.next();
+            if (WSSUtils.pathMatches(qNameList, encryptedElementSecurityEvent.getElementPath(), true, false)) {
                 if (encryptedElementSecurityEvent.isEncrypted()) {
                     if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
                         setAsserted(true);
                         return true;
                     } else {
                         setAsserted(false);
-                        setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must not be encrypted");
+                        setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must not be encrypted");
                         return false;
                     }
                 } else {
                     if (abstractSymmetricAsymmetricBinding.isEncryptSignature()) {
                         setAsserted(false);
-                        setErrorMessage("Element " + encryptedElementSecurityEvent.getElement() + " must be encrypted");
+                        setErrorMessage("Element " + WSSUtils.pathAsString(encryptedElementSecurityEvent.getElementPath()) + " must be encrypted");
                         return false;
                     } else {
                         setAsserted(true);

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedElementsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,11 +24,14 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.SignedElements;
 import org.apache.ws.secpolicy.model.XPath;
 import org.swssf.policy.Assertable;
+import org.swssf.policy.PolicyUtils;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.SignedElementSecurityEvent;
 
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.List;
 
 /**
@@ -37,7 +40,7 @@ import java.util.List;
  */
 public class SignedElementsAssertionState extends AssertionState implements Assertable {
 
-    private List<QName> elements = new ArrayList<QName>();
+    private List<List<QName>> pathElements = new ArrayList<List<QName>>();
 
     public SignedElementsAssertionState(AbstractSecurityAssertion assertion, boolean asserted) {
         super(assertion, asserted);
@@ -46,17 +49,8 @@ public class SignedElementsAssertionStat
             SignedElements signedElements = (SignedElements) assertion;
             for (int i = 0; i < signedElements.getXPaths().size(); i++) {
                 XPath xPath = signedElements.getXPaths().get(i);
-                String[] xPathElements = xPath.getXPath().split("/");
-                String[] xPathElement = xPathElements[xPathElements.length - 1].split(":");
-                if (xPathElement.length == 2) {
-                    String ns = xPath.getPrefixNamespaceMap().get(xPathElement[0]);
-                    if (ns == null) {
-                        throw new IllegalArgumentException("Namespace not declared");
-                    }
-                    elements.add(new QName(ns, xPathElement[1]));
-                } else {
-                    elements.add(new QName(xPathElement[1]));
-                }
+                List<QName> elements = PolicyUtils.getElementPath(xPath);
+                pathElements.add(elements);
             }
         }
     }
@@ -68,25 +62,25 @@ public class SignedElementsAssertionStat
         };
     }
 
-    public void addElement(QName element) {
-        this.elements.add(element);
+    public void addElement(List<QName> pathElement) {
+        this.pathElements.add(pathElement);
     }
 
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
         SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
-        //todo better matching until we have a streaming xpath evaluation engine (work in progress)
 
-        for (int i = 0; i < elements.size(); i++) {
-            QName qName = elements.get(i);
-            if (qName.equals(signedElementSecurityEvent.getElement())) {
+        Iterator<List<QName>> pathElementIterator = pathElements.iterator();
+        while (pathElementIterator.hasNext()) {
+            List<QName> pathElements = pathElementIterator.next();
+            if (WSSUtils.pathMatches(pathElements, signedElementSecurityEvent.getElementPath(), true, false)) {
                 if (signedElementSecurityEvent.isSigned()) {
                     setAsserted(true);
                     return true;
                 } else {
                     //an element must be signed but isn't
                     setAsserted(false);
-                    setErrorMessage("Element " + signedElementSecurityEvent.getElement() + " must be signed");
+                    setErrorMessage("Element " + WSSUtils.pathAsString(signedElementSecurityEvent.getElementPath()) + " must be signed");
                     return false;
                 }
             }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/SignedPartsAssertionState.java Wed Feb 29 20:54:51 2012
@@ -24,10 +24,15 @@ import org.apache.ws.secpolicy.model.Abs
 import org.apache.ws.secpolicy.model.Header;
 import org.apache.ws.secpolicy.model.SignedParts;
 import org.swssf.policy.Assertable;
-import org.swssf.policy.PolicyConstants;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
 
+import javax.xml.namespace.QName;
+import java.util.LinkedList;
+import java.util.List;
+
 /**
  * @author $Author$
  * @version $Revision$ $Date$
@@ -53,14 +58,14 @@ public class SignedPartsAssertionState e
         SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
         SignedParts signedParts = (SignedParts) getAssertion();
 
-        if (signedParts.isBody() && (signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap11_Body)
-                || signedPartSecurityEvent.getElement().equals(PolicyConstants.TAG_soap12_Body))) {
+        if (signedParts.isBody()
+                && (WSSUtils.pathMatches(WSSConstants.SOAP_11_BODY_PATH, signedPartSecurityEvent.getElementPath(), true, false))) {
             if (signedPartSecurityEvent.isSigned()) {
                 setAsserted(true);
                 return true;
             } else {
                 setAsserted(false);
-                setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
                 return false;
             }
         }
@@ -71,21 +76,25 @@ public class SignedPartsAssertionState e
                 return true;
             } else {
                 setAsserted(false);
-                setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
                 return false;
             }
         } else {
             for (int i = 0; i < signedParts.getHeaders().size(); i++) {
                 Header header = signedParts.getHeaders().get(i);
-                if (header.getNamespace().equals(signedPartSecurityEvent.getElement().getNamespaceURI())
-                        && (header.getName() == null //== wildcard
-                        || header.getName().equals(signedPartSecurityEvent.getElement().getLocalPart()))) {
+                QName headerQName = new QName(header.getNamespace(), header.getName() == null ? "" : header.getName());
+
+                List<QName> header11Path = new LinkedList<QName>();
+                header11Path.addAll(WSSConstants.SOAP_11_HEADER_PATH);
+                header11Path.add(headerQName);
+
+                if (WSSUtils.pathMatches(header11Path, signedPartSecurityEvent.getElementPath(), true, header.getName() == null)) {
                     if (signedPartSecurityEvent.isSigned()) {
                         setAsserted(true);
                         return true;
                     } else {
                         setAsserted(false);
-                        setErrorMessage("Element " + signedPartSecurityEvent.getElement() + " must be signed");
+                        setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath()) + " must be signed");
                         return false;
                     }
                 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/TokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -23,8 +23,11 @@ import org.apache.ws.secpolicy.SPConstan
 import org.apache.ws.secpolicy.WSSPolicyException;
 import org.apache.ws.secpolicy.model.*;
 import org.swssf.policy.Assertable;
+import org.swssf.wss.ext.WSSConstants;
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.TokenSecurityEvent;
+import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.xmlsec.ext.XMLSecurityException;
 
 /**
  * @author $Author$
@@ -44,13 +47,15 @@ public abstract class TokenAssertionStat
     }
 
     @Override
-    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
+    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
 
         TokenSecurityEvent tokenSecurityEvent = (TokenSecurityEvent) securityEvent;
         AbstractToken abstractToken = (AbstractToken) getAssertion();
 
         final AbstractSecurityAssertion parentAssertion = abstractToken.getParentAssertion();
-        switch (tokenSecurityEvent.getTokenUsage()) {
+        //todo what todo with the other usages if there are any? What when a sig and enc derives from the same source token?
+        SecurityToken.TokenUsage tokenUsage = tokenSecurityEvent.getSecurityToken().getTokenUsages().get(0);
+        switch (tokenUsage) {
             case MainSignature:
                 if (!(parentAssertion instanceof InitiatorToken)
                         && !(parentAssertion instanceof InitiatorSignatureToken)
@@ -81,6 +86,12 @@ public abstract class TokenAssertionStat
                 if (!(parentAssertion instanceof SupportingTokens)) {
                     return true;
                 }
+                SupportingTokens supportingTokens = (SupportingTokens) parentAssertion;
+                if (supportingTokens.getSupportingTokenType().getName().getLocalPart().equals(SPConstants.SIGNED_SUPPORTING_TOKENS)
+                        && !tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.SignedSupportingTokens)) {
+                    return true;
+                }
+                //todo the supporting token types...
                 break;
         }
 
@@ -91,8 +102,48 @@ public abstract class TokenAssertionStat
             return false;
         }
 
+        boolean hasDerivedKeys = false;
+        hasDerivedKeys = hasDerivedKeys(tokenSecurityEvent.getSecurityToken());
+        if (abstractToken.getDerivedKeys() != null) {
+            AbstractToken.DerivedKeys derivedKeys = abstractToken.getDerivedKeys();
+            switch (derivedKeys) {
+                case RequireDerivedKeys:
+                case RequireExplicitDerivedKeys:
+                case RequireImpliedDerivedKeys:
+                    if (!hasDerivedKeys) {
+                        setAsserted(false);
+                        setErrorMessage("Derived key must be used");
+                    }
+            }
+        } else {
+            if (hasDerivedKeys) {
+                setAsserted(false);
+                setErrorMessage("Derived key must not be used");
+            }
+        }
+
         return assertToken(tokenSecurityEvent, abstractToken);
     }
 
-    public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException;
+    public abstract boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException;
+
+    protected boolean hasDerivedKeys(SecurityToken securityToken) throws XMLSecurityException {
+        if (securityToken == null) {
+            return false;
+        } else if (securityToken.getTokenType() == WSSConstants.DerivedKeyToken) {
+            return true;
+        }
+
+        if (securityToken.getWrappedTokens().size() == 0) {
+            return false;
+        }
+
+        //all wrapped tokens must be derived!:
+        boolean hasDerivedKeys = true;
+        for (int i = 0; i < securityToken.getWrappedTokens().size(); i++) {
+            SecurityToken wrappedSecurityToken = securityToken.getWrappedTokens().get(i);
+            hasDerivedKeys &= hasDerivedKeys(wrappedSecurityToken);
+        }
+        return hasDerivedKeys;
+    }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/UsernameTokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -27,6 +27,7 @@ import org.swssf.wss.impl.securityToken.
 import org.swssf.wss.securityEvent.SecurityEvent;
 import org.swssf.wss.securityEvent.TokenSecurityEvent;
 import org.swssf.wss.securityEvent.UsernameTokenSecurityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
 
 /**
  * @author $Author$
@@ -47,7 +48,7 @@ public class UsernameTokenAssertionState
     }
 
     @Override
-    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
         if (!(tokenSecurityEvent instanceof UsernameTokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a UsernameSecurityTokenEvent but got " + tokenSecurityEvent.getClass().getName());
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/X509TokenAssertionState.java Wed Feb 29 20:54:51 2012
@@ -51,7 +51,7 @@ public class X509TokenAssertionState ext
     }
 
     @Override
-    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException {
+    public boolean assertToken(TokenSecurityEvent tokenSecurityEvent, AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
         if (!(tokenSecurityEvent instanceof X509TokenSecurityEvent)) {
             throw new WSSPolicyException("Expected a X509TokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java Wed Feb 29 20:54:51 2012
@@ -22,7 +22,11 @@ import org.apache.ws.secpolicy.SPConstan
 import org.apache.ws.secpolicy.WSSPolicyException;
 import org.swssf.policy.PolicyEnforcer;
 import org.swssf.policy.PolicyEnforcerFactory;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.impl.securityToken.X509SecurityToken;
 import org.swssf.wss.test.AbstractTestBase;
+import org.swssf.xmlsec.ext.XMLSecurityConstants;
+import org.swssf.xmlsec.ext.XMLSecurityException;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -34,6 +38,11 @@ import javax.xml.parsers.DocumentBuilder
 import javax.xml.parsers.ParserConfigurationException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 
 /**
  * @author $Author$
@@ -58,4 +67,52 @@ public class AbstractPolicyTestBase exte
 
         return policyEnforcer;
     }
+
+    public X509SecurityToken getX509Token(WSSConstants.TokenType tokenType) throws Exception {
+
+        final KeyStore keyStore = KeyStore.getInstance("jks");
+        keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray());
+
+        return new X509SecurityToken(tokenType, null, null, null, "", WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
+            @Override
+            protected String getAlias() throws XMLSecurityException {
+                return "transmitter";
+            }
+
+            @Override
+            public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
+                try {
+                    return keyStore.getKey("transmitter", "default".toCharArray());
+                } catch (Exception e) {
+                    throw new XMLSecurityException(e.getMessage(), e);
+                }
+            }
+
+            @Override
+            public PublicKey getPublicKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
+                try {
+                    return keyStore.getCertificate("transmitter").getPublicKey();
+                } catch (Exception e) {
+                    throw new XMLSecurityException(e.getMessage(), e);
+                }
+            }
+
+            @Override
+            public X509Certificate[] getX509Certificates() throws XMLSecurityException {
+                Certificate[] certificates;
+                try {
+                    certificates = keyStore.getCertificateChain("transmitter");
+                } catch (Exception e) {
+                    throw new XMLSecurityException(e.getMessage(), e);
+                }
+
+                X509Certificate[] x509Certificates = new X509Certificate[certificates.length];
+                for (int i = 0; i < certificates.length; i++) {
+                    Certificate certificate = certificates[i];
+                    x509Certificates[i] = (X509Certificate) certificate;
+                }
+                return x509Certificates;
+            }
+        };
+    }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AsymmetricBindingIntegrationTest.java Wed Feb 29 20:54:51 2012
@@ -1711,7 +1711,11 @@ public class AsymmetricBindingIntegratio
                         "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                         "                </sp:SignedParts>\n" +
                         "                <sp:SignedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:SignedElements>\n" +
                         "                <sp:EncryptedParts>\n" +
                         "                    <sp:Body/>\n" +
@@ -1719,10 +1723,18 @@ public class AsymmetricBindingIntegratio
                         "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                         "                </sp:EncryptedParts>\n" +
                         "                <sp:EncryptedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:EncryptedElements>\n" +
                         "                <sp:ContentEncryptedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:ContentEncryptedElements>\n" +
                         "            </wsp:All>\n" +
                         "        </wsp:ExactlyOne>";
@@ -1992,7 +2004,7 @@ public class AsymmetricBindingIntegratio
     }
 
     @Test
-    public void testSamlToken() throws Exception {
+    public void testTokenScenario() throws Exception {
 
         String policyString =
                 "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
@@ -2002,7 +2014,7 @@ public class AsymmetricBindingIntegratio
                         "                    <wsp:Policy>\n" +
                         "                        <sp:InitiatorToken>\n" +
                         "                            <wsp:Policy>\n" +
-                        "                               <sp:SamlToken>\n" +
+                        "                               <sp:SamlToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
                         "                                  <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
                         "                                    <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
                         "                                        <sp:WssSamlV20Token11/>\n" +
@@ -2015,6 +2027,7 @@ public class AsymmetricBindingIntegratio
                         "                              <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
                         "                                  <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
                         "                                  <wsp:Policy>\n" +
+                        "                                      <sp:RequireDerivedKeys/>\n" +
                         "                                      <sp:WssX509V3Token11/>\n" +
                         "                                  </wsp:Policy>\n" +
                         "                              </sp:X509Token>\n" +
@@ -2028,13 +2041,22 @@ public class AsymmetricBindingIntegratio
                         "                        <sp:IncludeTimestamp/>\n" +
                         "                    </wsp:Policy>\n" +
                         "                </sp:AsymmetricBinding>\n" +
+                        "                <sp:SignedSupportingTokens>\n" +
+                        "                   <wsp:Policy>\n" +
+                        "                     <sp:UsernameToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\"/>\n" +
+                        "                   </wsp:Policy>\n" +
+                        "                </sp:SignedSupportingTokens>\n" +
                         "                <sp:SignedParts>\n" +
                         "                    <sp:Body/>\n" +
                         "                    <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
                         "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                         "                </sp:SignedParts>\n" +
                         "                <sp:SignedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:SignedElements>\n" +
                         "                <sp:EncryptedParts>\n" +
                         "                    <sp:Body/>\n" +
@@ -2042,16 +2064,24 @@ public class AsymmetricBindingIntegratio
                         "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
                         "                </sp:EncryptedParts>\n" +
                         "                <sp:EncryptedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:EncryptedElements>\n" +
                         "                <sp:ContentEncryptedElements>\n" +
-                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Expires" +
+                        "                    </sp:XPath>\n" +
                         "                </sp:ContentEncryptedElements>\n" +
                         "            </wsp:All>\n" +
                         "        </wsp:ExactlyOne>";
 
         WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
-        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
+        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.USERNAMETOKEN, WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
         outSecurityProperties.setOutAction(actions);
         CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
         callbackHandler.setSamlVersion(SAMLVersion.VERSION_20);
@@ -2069,12 +2099,18 @@ public class AsymmetricBindingIntegratio
         cryptoType.setAlias("transmitter");
         callbackHandler.setCerts(crypto.getX509Certificates(cryptoType));
         outSecurityProperties.setCallbackHandler(callbackHandler);
+        outSecurityProperties.setTokenUser("tester");
         outSecurityProperties.setSignatureKeyIdentifierType(WSSConstants.KeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
         outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
         outSecurityProperties.setSignatureUser("transmitter");
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsse_UsernameToken.getLocalPart(), WSSConstants.TAG_wsse_UsernameToken.getNamespaceURI(), SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp.getLocalPart(), WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(), SecurePart.Modifier.Element));
         outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
         outSecurityProperties.setEncryptionUser("receiver");
         outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Content));
+        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created.getLocalPart(), WSSConstants.TAG_wsu_Created.getNamespaceURI(), SecurePart.Modifier.Element));
+        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires.getLocalPart(), WSSConstants.TAG_wsu_Expires.getNamespaceURI(), SecurePart.Modifier.Content));
 
         InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
         ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
@@ -2085,8 +2121,126 @@ public class AsymmetricBindingIntegratio
         inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
 
         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
-        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, null));
+        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+        Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
+
+        //read the whole stream:
+        Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        transformer.transform(new DOMSource(document), new StreamResult(
+                new OutputStream() {
+                    @Override
+                    public void write(int b) throws IOException {
+                        // > /dev/null
+                    }
+                }
+        ));
+    }
+
+    @Test
+    public void testTokenScenarioLateEncryption() throws Exception {
+
+        String policyString =
+                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+                        "            <wsp:All>\n" +
+                        "                <sp:AsymmetricBinding>\n" +
+                        "                    <wsp:Policy>\n" +
+                        "                        <sp:InitiatorToken>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                               <sp:SamlToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always\">\n" +
+                        "                                  <sp:IssuerName>www.example.com</sp:IssuerName>\n" +
+                        "                                    <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+                        "                                        <sp:WssSamlV20Token11/>\n" +
+                        "                                    </wsp:Policy>\n" +
+                        "                                </sp:SamlToken>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                        </sp:InitiatorToken>\n" +
+                        "                        <sp:RecipientToken>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                              <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+                        "                                  <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
+                        "                                  <wsp:Policy>\n" +
+                        "                                      <sp:RequireDerivedKeys/>\n" +
+                        "                                      <sp:WssX509V3Token11/>\n" +
+                        "                                  </wsp:Policy>\n" +
+                        "                              </sp:X509Token>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                         </sp:RecipientToken>\n" +
+                        "                        <sp:AlgorithmSuite>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                                <sp:Basic256/>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                        </sp:AlgorithmSuite>\n" +
+                        "                        <sp:IncludeTimestamp/>\n" +
+                        "                    </wsp:Policy>\n" +
+                        "                </sp:AsymmetricBinding>\n" +
+                        "                <sp:SignedSupportingTokens>\n" +
+                        "                   <wsp:Policy>\n" +
+                        "                     <sp:UsernameToken IncludeToken=\" http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\"/>\n" +
+                        "                   </wsp:Policy>\n" +
+                        "                </sp:SignedSupportingTokens>\n" +
+                        "                <sp:SignedParts>\n" +
+                        "                    <sp:Body/>\n" +
+                        "                    <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
+                        "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
+                        "                </sp:SignedParts>\n" +
+                        "                <sp:SignedElements>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
+                        "                       xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
+                        "                       /soap:Envelope/soap:Header/wsse:Security/wsu:Timestamp/wsu:Created" +
+                        "                    </sp:XPath>\n" +
+                        "                </sp:SignedElements>\n" +
+                        "                <sp:EncryptedElements>\n" +
+                        "                    <sp:XPath xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
+                        "                       xmlns:wsdl=\"http://schemas.xmlsoap.org/wsdl/\" " +
+                        "                       xmlns:xsd=\"http://www.w3.org/1999/XMLSchema\">" +
+                        "                       /soap:Envelope/soap:Body/wsdl:definitions/wsdl:types/xsd:schema/xsd:simpleType" +
+                        "                    </sp:XPath>\n" +
+                        "                </sp:EncryptedElements>\n" +
+                        "            </wsp:All>\n" +
+                        "        </wsp:ExactlyOne>";
 
+        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
+        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.USERNAMETOKEN, WSSConstants.SAML_TOKEN_SIGNED, WSSConstants.ENCRYPT_WITH_DERIVED_KEY};
+        outSecurityProperties.setOutAction(actions);
+        CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
+        callbackHandler.setSamlVersion(SAMLVersion.VERSION_20);
+        callbackHandler.setStatement(CallbackHandlerImpl.Statement.AUTHN);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setIssuer("www.example.com");
+        byte[] secret = new byte[128 / 8];
+        WSSConstants.secureRandom.nextBytes(secret);
+        callbackHandler.setSecret(secret);
+        KeyStore keyStore = KeyStore.getInstance("jks");
+        keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray());
+        Merlin crypto = new Merlin();
+        crypto.setKeyStore(keyStore);
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("transmitter");
+        callbackHandler.setCerts(crypto.getX509Certificates(cryptoType));
+        outSecurityProperties.setCallbackHandler(callbackHandler);
+        outSecurityProperties.setTokenUser("tester");
+        outSecurityProperties.setSignatureKeyIdentifierType(WSSConstants.KeyIdentifierType.EMBEDDED_KEYIDENTIFIER_REF);
+        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+        outSecurityProperties.setSignatureUser("transmitter");
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap_Body_LocalName, WSSConstants.NS_SOAP11, SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsse_UsernameToken.getLocalPart(), WSSConstants.TAG_wsse_UsernameToken.getNamespaceURI(), SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp.getLocalPart(), WSSConstants.TAG_wsu_Timestamp.getNamespaceURI(), SecurePart.Modifier.Element));
+        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+        outSecurityProperties.setEncryptionUser("receiver");
+        outSecurityProperties.addEncryptionPart(new SecurePart("simpleType", "http://www.w3.org/1999/XMLSchema", SecurePart.Modifier.Element));
+
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+        ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
+
+        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
+        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
         Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
 
         //read the whole stream:



Mime
View raw message