ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1295267 [5/11] - in /webservices/wss4j/branches/swssf: rampart-policy/src/main/java/org/apache/ws/secpolicy/builders/ streaming-ws-policy/src/main/java/org/swssf/policy/ streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/ s...
Date Wed, 29 Feb 2012 20:54:56 GMT
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSConstants.java Wed Feb 29 20:54:51 2012
@@ -23,9 +23,7 @@ import org.swssf.xmlsec.ext.XMLSecurityC
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.namespace.QName;
-import java.util.EnumSet;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
 
 /**
  * WSSConstants for global use
@@ -47,6 +45,8 @@ public class WSSConstants extends XMLSec
     protected WSSConstants() {
     }
 
+    public static final String TRANSPORT_SECURITY_ACTIVE = "transportSecurityActive";
+
     public static final String TIMESTAMP_PROCESSED = "TimestampProcessed";
 
     public static final String NS_WSSE10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
@@ -295,6 +295,192 @@ public class WSSConstants extends XMLSec
         }
     }
 
+    public static final List<QName> SOAP_11_BODY_PATH = new LinkedList<QName>();
+    public static final List<QName> SOAP_11_HEADER_PATH = new LinkedList<QName>();
+    public static final List<QName> WSSE_SECURITY_HEADER_PATH = new LinkedList<QName>();
+
+    static {
+        SOAP_11_BODY_PATH.add(WSSConstants.TAG_soap11_Envelope);
+        SOAP_11_BODY_PATH.add(WSSConstants.TAG_soap11_Body);
+
+        SOAP_11_HEADER_PATH.add(WSSConstants.TAG_soap11_Envelope);
+        SOAP_11_HEADER_PATH.add(WSSConstants.TAG_soap11_Header);
+
+        WSSE_SECURITY_HEADER_PATH.addAll(SOAP_11_HEADER_PATH);
+        WSSE_SECURITY_HEADER_PATH.add(WSSConstants.TAG_wsse_Security);
+
+    }
+
+    public enum BSPRule {
+        R3203("A TIMESTAMP MUST contain exactly one CREATED"),
+        R3224("Any TIMESTAMP MUST NOT contain more than one EXPIRES"),
+        R3221("Any TIMESTAMP containing an EXPIRES MUST contain a CREATED that precedes its sibling EXPIRES"),
+        R3222("Any TIMESTAMP MUST NOT contain anything other than CREATED or EXPIRES elements"),
+        R3220("Any CREATED SHOULD NOT contain a seconds value with more than three digits to the right of the decimal (milliseconds)"),
+        R3229("Any EXPIRES SHOULD NOT contain a seconds value with more than three digits to the right of the decimal (milliseconds)"),
+        R3213("Any CREATED containing second values MUST specify seconds values less than 60"),
+        R3215("Any EXPIRES containing second values MUST specify seconds values less than 60"),
+        R3225("Any CREATED MUST NOT include a ValueType attribute"),
+        R3226("Any EXPIRES MUST NOT include a ValueType attribute"),
+        R3217("Any CREATED MUST contain time values in UTC format as specified by the XML Schema type (dateTime)"),
+        R3223("Any EXPIRES MUST contain time values in UTC format as specified by the XML Schema type (dateTime)"),
+
+        R3061("A SECURITY_TOKEN_REFERENCE MUST provide exactly one token reference"),
+        R3074("Any wsse:11:TokenType Attribute in a SECURITY_TOKEN_REFERENCE MUST specify a value that a TokenType specified by a security token profile for the referenced SECURITY_TOKEN"),
+        R3057("Any STR_REFERENCE MUST NOT reference a SECURITY_TOKEN_REFERENCE"),
+        R3064("Any STR_REFERENCE MUST NOT reference an STR_EMBEDDED"),
+        R3059("Any STR_REFERENCE MUST specify a ValueType attribute with the exception of STR_REFERENCE pointing to a SAML_V2_0_TOKEN or a KERBEROS_TOKEN or an ENCRYPTED_KEY_TOKEN"),
+        R3058("Any STR_REFERENCE ValueType attribute MUST contain a value for the referenced SECURITY_TOKEN specified by the corresponding security token profile"),
+        R3062("Any STR_REFERENCE MUST specify a URI attribute"),
+        R3027("Any SECURITY_TOKEN_REFERENCE MUST NOT contain an STR_KEY_NAME"),
+        R3054("Any STR_KEY_IDENTIFIER MUST specify a ValueType attribute"),
+        R3063("Any STR_KEY_IDENTIFIER ValueType attribute MUST contain a value specified within the security token profile associated with the referenced SECURITY_TOKEN"),
+        R3070("Any STR_KEY_IDENTIFIER that refers to a SECURITY_TOKEN other than a SAML_TOKEN MUST specify an EncodingType attribute"),
+        R3071("Any STR_KEY_IDENTIFIER EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+        R3060("Any STR_EMBEDDED MUST contain only a single child element which is an INTERNAL_SECURITY_TOKEN"),
+        R3025("Any INTERNAL_SECURITY_TOKEN contained in an STR_EMBEDDED MUST be in the same format as if it were a child of a SECURITY_HEADER"),
+        R3056("Any STR_EMBEDDED MUST NOT contain a wsse:SecurityTokenReference child element"),
+        R3022("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SECURITY_TOKEN which has a wsu:Id attribute MUST contain an STR_REFERENCE or STR_EMBEDDED"),
+        R3023("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SECURITY_TOKEN that is referenced several times SHOULD contain an STR_REFERENCE rather than an STR_EMBEDDED"),
+        R5204("Any STR_REFERENCE to an INTERNAL_SECURITY_TOKEN having an ID attribute MUST contain a URI attribute with a Shorthand XPointer value"),
+        R5205("Any INTERNAL_SECURITY_TOKEN that is not contained in an STR_EMBEDDED MUST precede all SECURITY_TOKEN_REFERENCE elements that reference it in the SOAP_ENVELOPE"),
+        R3066("Any STR_REFERENCE that is a descendant of a SECURITY_HEADER MUST NOT use a Shorthand XPointer to refer to an INTERNAL_SECURITY_TOKEN located in a SECURITY_HEADER other than the SECURITY_HEADER that contains the STR_REFERENCE"),
+        R3067("Any STR_REFERENCE that is a descendant of an ENCRYPTED_DATA MUST NOT use a Shorthand XPointer to refer to an INTERNAL_SECURITY_TOKEN located in a SECURITY_HEADER other than the SECURITY_HEADER containing a reference (EK_REFERENCE_LIST or an ENC_REFERENCE_LIST) to the ENCRYPTED_DATA"),
+        R3024("Any EXTERNAL_TOKEN_REFERENCE that can use an STR_REFERENCE MUST contain an STR_REFERENCE"),
+        R3211("Any SECURITY_TOKEN_REFERENCE MUST NOT reference a ds:KeyInfo element"),
+
+        R3102("A SIGNATURE MUST NOT be an Enveloping Signature as defined by the XML Signature specification"),
+        R3104("A SIGNATURE SHOULD NOT be an Enveloped Signature as defined by the XML Signature specification"),
+        R3103("A SIGNATURE SHOULD be a Detached Signature as defined by the XML Signature specification"),
+        R3001("Any SIG_REFERENCE SHOULD contain a URI attribute containing a Shorthand XPointer"),
+        R3003("Any SIG_REFERENCE to a SIGNATURE or descendant of a SIGNATURE MUST contain a URI attribute with a reference value that is a Shorthand XPointer to Local ID attribute defined by XML Signature"),
+        R3004("Any SIG_REFERENCE to an element defined in XML Encryption MUST contain a URI attribute with a reference value that is a Shorthand XPointer to Local ID attribute defined by XML Encryption"),
+        R3005("Any SIG_REFERENCE to an element that is not defined in XML Encryption, a SIGNATURE, or a descendant of a SIGNATURE SHOULD contain a URI attribute with a reference value that is a Shorthand XPointer to a wsu:Id attribute"),
+        R3002("Any SIG_REFERENCE to an element that does not have an ID attribute MUST contain a TRANSFORM with an Algorithm attribute value of \"http://www.w3.org/2002/06/xmldsig-filter2\""),
+        R5416("Any SIG_REFERENCE MUST contain a SIG_TRANSFORMS child element"),
+        R5411("Any SIG_TRANSFORMS MUST contain at least one SIG_TRANSFORM child element"),
+        R5423("Any SIG_TRANSFORM Algorithm attribute MUST have a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" or \"http://www.w3.org/2002/06/xmldsig-filter2\" or \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" or \"http://www.w3.org/2000/09/xmldsig#enveloped-signature\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform\""),
+        R5412("Any SIG_TRANSFORMS MUST contain as its last child a SIG_TRANSFORM with an Algorithm attribute with a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" or \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform\" or \"http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Complete-Signature-Transform\""),
+        R5407("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" MUST contain an INCLUSIVE_NAMESPACES with an PrefixList attribute unless the PrefixList is empty"),
+        R5413("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" MUST have an INCLUSIVE_NAMESPACES with an PrefixList attribute unless the PrefixList is empty"),
+        R3065("Any SIG_TRANSFORM with an Algorithm attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\" MUST contain a child wsse:TransformationParameters element containing a child ds:CanonicalizationMethod element"),
+        R5404("Any CANONICALIZATION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/10/xml-exc-c14n#\" indicating that it uses Exclusive C14N without comments for canonicalization"),
+        R5406("Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty"),
+        R5414("A RECEIVER MUST be capable of accepting and processing an INCLUSIVE_NAMESPACES PrefixList attribute containing prefixes in any order within the string"),
+        R5415("A RECEIVER MUST be capable of accepting and processing an INCLUSIVE_NAMESPACES PrefixList attribute containing arbitrary whitespace before, after and between the prefixes within the string"),
+        R5405("Any INCLUSIVE_NAMESPACES MUST contain the prefix of all namespaces that are in-scope and desired to be protected, but not visibly utilized, for the element being signed and its descendants, per Exclusive XML Canonicalization Version 1.0"),
+        R5408("Any INCLUSIVE_NAMESPACES MUST contain the string \"#default\" if a default namespace is in-scope and desired to be protected, but not visibly utilized, for the element being signed and its descendants, per Exclusive XML Canonicalization Version 1.0"),
+        R5420("Any DIGEST_METHOD Algorithm attribute SHOULD have the value \"http://www.w3.org/2000/09/xmldsig#sha1\""),
+        R5421("Any SIGNATURE_METHOD Algorithm attribute SHOULD have a value of \"http://www.w3.org/2000/09/xmldsig#hmac-sha1\" or \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\""),
+        R5401("Any SIGNATURE_METHOD MUST NOT contain a ds:HMACOutputLength child element"),
+        R5402("Any SIG_KEY_INFO MUST contain exactly one child element"),
+        R5417("Any SIG_KEY_INFO MUST contain a SECURITY_TOKEN_REFERENCE child element"),
+        R5403("A SIGNATURE MUST NOT contain a ds:Manifest descendant element"),
+        R5440("A SIGNATURE MUST NOT have any xenc:EncryptedData elements amongst its descendants"),
+        R5441("A SIGNATURE_CONFIRMATION MUST contain a wsu:Id attribute"),
+
+        R3228("A soap:Header element in a SECURE_ENVELOPE MUST NOT contain any child ENCRYPTED_DATA"),
+        R3299("A soap:Header element in a SECURE_ENVELOPE MAY contain ENCRYPTED_HEADER children"),
+        R3230("An ENCRYPTED_HEADER MUST NOT contain any children other than a single required ENCRYPTED_DATA"),
+        R3232("In cases where a wsu:Id does exist on the ENCRYPTED_HEADER, the child ENCRYPTED_DATA MAY contain an Id attribute"),
+        R3205("Any ENC_REFERENCE_LIST produced as part of an encryption step MUST use a single key"),
+        R3231("Any ENC_REFERENCE_LIST MUST contain an xenc:DataReference element for each ENCRYPTED_DATA produced in the associated encryption step"),
+        R3214("Any EK_REFERENCE_LIST MUST contain a xenc:DataReference for each ENCRYPTED_DATA produced in the associated encryption step"),
+        R3208("Any ENCRYPTED_KEY MUST precede any ENCRYPTED_DATA in the same SECURITY_HEADER referenced by the associated EK_REFERENCE_LIST"),
+        R3209("Any ENCRYPTED_KEY MUST NOT specify a Type attribute"),
+        R5622("Any ENCRYPTED_KEY MUST NOT specify a MimeType attribute"),
+        R5623("Any ENCRYPTED_KEY MUST NOT specify a Encoding attribute"),
+        R5602("Any ENCRYPTED_KEY MUST NOT contain a Recipient attribute"),
+        R5603("Any ENCRYPTED_KEY MUST contain an xenc:EncryptionMethod child element"),
+        R5629("An ENCRYPTED_DATA which is not referenced from an ENCRYPTED_KEY MUST contain a ds:KeyInfo"),
+        R5624("In cases where a wsu:Id does not exist on the ENCRYPTED_HEADER, the child ENCRYPTED_DATA MUST contain an ID attribute"),
+        R5627("In cases where an ID does not exist on the ENCRYPTED_DATA, the parent ENCRYPTED_HEADER MUST contain a wsu:Id attribute"),
+        R5601("Any ENCRYPTED_DATA MUST contain an xenc:EncryptionMethod child element"),
+        R5424("Any ENC_KEY_INFO MUST have exactly one child element"),
+        R5426("Any ENC_KEY_INFO MUST contain a child SECURITY_TOKEN_REFERENCE"),
+        R5608("Any ENC_DATA_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on either the Id attribute of the referenced ENCRYPTED_DATA or the wsu:Id attribute of the referenced ENCRYPTED_HEADER"),
+        R3006("Any EK_DATA_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on either the Id attribute of the referenced ENCRYPTED_DATA or the wsu:Id attribute of the referenced ENCRYPTED_HEADER"),
+        R5613("Any ENC_KEY_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on the Id attribute of the referred to ENCRYPTED_KEY"),
+        R3007("Any EK_KEY_REFERENCE MUST contain a URI attribute containing a Shorthand XPointer reference value based on the Id attribute of the referred to ENCRYPTED_KEY"),
+        R5620("Any ED_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#tripledes-cbc\", \"http://www.w3.org/2001/04/xmlenc#aes128-cbc\" or \"http://www.w3.org/2001/04/xmlenc#aes256-cbc\""),
+        R5621("When used for Key Transport, any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" or \"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\""),
+        R5625("When used for Key Wrap, any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#kw-tripledes\", \"http://www.w3.org/2001/04/xmlenc#kw-aes128\", or \"http://www.w3.org/2001/04/xmlenc#kw-aes256\""),
+        R5626("Any EK_ENCRYPTION_METHOD Algorithm attribute MUST have a value of \"http://www.w3.org/2001/04/xmlenc#rsa-1_5\" or \"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\" or \"http://www.w3.org/2001/04/xmlenc#kw-tripledes\" or \"http://www.w3.org/2001/04/xmlenc#kw-aes128\" or \"http://www.w3.org/2001/04/xmlenc#kw-aes256\""),
+        R5614("A HEADER encrypted as a result of an encryption step MUST be replaced by a corresponding ENCRYPTED_HEADER"),
+        R5606("Any encrypted element or element content within a SECURE_ENVELOPE, encrypted as a result of an encryption step, MUST be replaced by a corresponding ENCRYPTED_DATA, unless the element is a HEADER_ELEMENT"),
+
+        R3029("Any BINARY_SECURITY_TOKEN MUST specify an EncodingType attribute"),
+        R3030("Any BINARY_SECURITY_TOKEN EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+        R3031("Any BINARY_SECURITY_TOKEN MUST specify an ValueType attribute"),
+        R3032("Any BINARY_SECURITY_TOKEN ValueType attribute MUST have a value specified by the related security token profile"),
+
+        R4222("Any USERNAME_TOKEN MUST NOT have more than one PASSWORD"),
+        R4201("Any PASSWORD MUST specify a Type attribute"),
+        R4212("Any PASSWORD with a Type attribute value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest\" MUST have its value computed using the following formula, where \"+\" indicates concatenation: Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ). That is, concatenate the text forms of the nonce, creation time, and the password (or shared secret or password equivalent), digest the combination using the SHA-1 hash algorithm, then include the Base64 encoding of that result as the password (digest). Any elements that are not present are simply omitted from the concatenation"),
+        R4216("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the key MUST be derived using the algorithm specified in Section 4 of Web Services Security: UsernameToken Profile 1.1"),
+        R4217("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the SECURITY_TOKEN MUST contain a wsse11:Salt child element"),
+        R4218("When a SECURITY_TOKEN_REFERENCE, within a SIGNATURE or ENCRYPTED_KEY, refers to a SECURITY_TOKEN named wsse:UsernameToken to derive a key, the SECURITY_TOKEN MUST contain a wsse11:Iteration child element with a value greater than or equal to 1000"),
+        R4223("Any USERNAME_TOKEN MUST NOT have more than one CREATED"),
+        R4225("Any USERNAME_TOKEN MUST NOT have more than one NONCE"),
+        R4220("Any NONCE MUST specify an EncodingType attribute"),
+        R4221("Any NONCE EncodingType attribute MUST have a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\""),
+        R4214("Any STR_REFERENCE to a USERNAME_TOKEN MUST have a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken\""),
+        R4215("Any SECURITY_TOKEN_REFERENCE to a USERNAME_TOKEN MUST NOT contain an STR_KEY_IDENTIFIER"),
+
+        R3033("Any X509_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\""),
+        R5201("Any BINARY_SECURITY_TOKEN containing an X.509 Certificate Path MUST be either a PKCS7_TOKEN or a PKIPATH_TOKEN"),
+        R5202("Any BINARY_SECURITY_TOKEN containing an X.509 Certificate Path SHOULD be a PKIPATH_TOKEN"),
+        R5211("Any PKCS7_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+        R5218("Any STR_REFERENCE to a X509_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3\""),
+        R5212("Any SECURITY_TOKEN_REFERENCE to a PKCS7_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+        R5213("Any STR_REFERENCE to a PKCS7_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#PKCS7\""),
+        R5214("Any PKIPATH_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+        R5215("Any SECURITY_TOKEN_REFERENCE to a PKIPATH_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+        R5216("Any STR_REFERENCE to a PKIPATH_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1\""),
+        R5209("When a SECURITY_TOKEN_REFERENCE references an EXTERNAL_SECURITY_TOKEN that cannot be referred to using an STR_REFERENCE but can be referred to using an STR_KEY_IDENTIFIER or STR_ISSUER_SERIAL, an STR_KEY_IDENTIFIER or STR_ISSUER_SERIAL MUST be used"),
+        R5206("Any STR_KEY_IDENTIFIER that references an X509_TOKEN MUST have a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier\" or \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\""),
+        R5208("Any STR_KEY_IDENTIFIER that references an X509_TOKEN and has a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier\" MUST contain the value of the token's SubjectKeyIdentifier extension"),
+        R5210("Any STR_KEY_IDENTIFIER that references an X509_TOKEN which does not contain a SubjectKeyIdentifier extension MUST have a ValueType attribute with the value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1\" and MUST contain the value of the SHA1 of the raw octets of the X509_TOKEN that is referenced"),
+        R5409("Any STR_ISSUER_SERIAL MUST contain a value following the encoding rules specified in the XML Signature specification for DNames"),
+
+        R6304("Any STR_REFERENCE to a REL_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license\""),
+        R6301("Any STR_REFERENCE to a INTERNAL_SECURITY_TOKEN that is an REL_TOKEN containing a wsu:Id attribute, MUST NOT use a licenseId reference"),
+        R6302("Any SECURITY_HEADER child elements MUST be ordered so that any SIGNATURE necessary to verify the issuance of an REL_TOKEN precedes the first SECURITY_TOKEN_REFERENCE that refers to that REL_TOKEN"),
+
+        R6902("Any KERBEROS_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ\""),
+        R6903("Any KERBEROS_TOKEN MUST be an INTERNAL_SECURITY_TOKEN in the initial SECURE_ENVELOPE of an authenticated message exchange between a SENDER and RECEIVER"),
+        R6904("Any KERBEROS_TOKEN MUST be an EXTERNAL_SECURITY_TOKEN in each SECURE_ENVELOPE after the initial SECURE_ENVELOPE of an authenticated message exchange between a SENDER and RECEIVER"),
+        R6907("Any SECURITY_TOKEN_REFERENCE to a KERBEROS_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ\""),
+        R6906("Any STR_KEY_IDENTIFIER to a KERBEROS_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1\""),
+        R6905("Any SECURITY_TOKEN_REFERENCE to an EXTERNAL_SECURITY_TOKEN which is a KERBEROS_TOKEN MUST contain an STR_KEY_IDENTIFIER"),
+
+        R6601("Any SAML_SC_KEY_INFO MUST NOT contain a reference to a SAML_TOKEN"),
+        R6611("Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1\""),
+        R6617("Any SECURITY_TOKEN_REFERENCE to a SAML_V2_0_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0\""),
+        R6614("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_V2_0_TOKEN using a STR_REFERENCE MUST NOT contain a ValueType attribute"),
+        R6602("Any STR_KEY_IDENTIFIER that references a INTERNAL_SAML_TOKEN MUST include a ValueType attribute"),
+        R6609("Any STR_KEY_IDENTIFIER that references a EXTERNAL_SAML_TOKEN MUST include a ValueType attribute"),
+        R6603("Any STR_KEY_IDENTIFIER ValueType attribute that references a SAML_V1_1_TOKEN MUST have a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID\""),
+        R6616("Any STR_KEY_IDENTIFIER ValueType attribute that references a SAML_V2_0_TOKEN MUST have a value of \"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID\""),
+        R6604("Any STR_KEY_IDENTIFIER that references a SAML_TOKEN MUST NOT include an EncodingType attribute"),
+        R6605("Any STR_KEY_IDENTIFIER that references a SAML_TOKEN MUST have a value encoded as an xs:string"),
+        R6610("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_TOKEN that has an ID attribute, the reference MUST contain an STR_REFERENCE or an STR_EMBEDDED"),
+        R6612("Any SIG_REFERENCE to a SECURITY_TOKEN_REFERENCE which contains an STR_EMBEDDED which contains an INTERNAL_SAML_V2_0_TOKEN MUST NOT include a SIG_TRANSFORM with an Algorithm attribute value of \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform\""),
+        R6606("Any SECURITY_TOKEN_REFERENCE that references an EXTERNAL_SAML_TOKEN MUST contain a SAML_AUTHORITY_BINDING"),
+        R6607("Any AuthorityKind attribute of a SAML_AUTHORITY_BINDING MUST have a value of saml:AssertionIDReference"),
+        R6608("Any SECURITY_TOKEN_REFERENCE that references an INTERNAL_SAML_TOKEN MUST NOT contain a SAML_AUTHORITY_BINDING"),
+        R6613("Any SECURITY_TOKEN_REFERENCE to an EXTERNAL_SAML_V2_0_TOKEN MUST contain an STR_REFERENCE"),
+
+        R3069("Any SECURITY_TOKEN_REFERENCE to a ENCRYPTED_KEY_TOKEN MUST contain a wsse11:TokenType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\""),
+        R3072("Any STR_KEY_IDENTIFIER element in a SECURITY_TOKEN_REFERENCE that refers to an ENCRYPTED_KEY_TOKEN MUST contain a ValueType attribute with a value of \"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1\"");
+
+        private String msg;
+
+        private BSPRule(String msg) {
+            this.msg = msg;
+        }
+    }
+
 
     /****************************************************************************
      * Fault codes defined in the WSS 1.1 spec under section 12, Error handling

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java Wed Feb 29 20:54:51 2012
@@ -337,7 +337,7 @@ public class WSSUtils extends XMLSecurit
         abstractOutputProcessor.createEndElementAndOutputAsEvent(outputProcessorChain, WSSConstants.TAG_wsse_Reference);
     }
 
-    public static TokenSecurityEvent createTokenSecurityEvent(SecurityToken securityToken) throws WSSecurityException {
+    public static TokenSecurityEvent createTokenSecurityEvent(final SecurityToken securityToken) throws WSSecurityException {
         WSSConstants.TokenType tokenType = (WSSConstants.TokenType) securityToken.getTokenType();
 
         TokenSecurityEvent tokenSecurityEvent;
@@ -378,4 +378,43 @@ public class WSSUtils extends XMLSecurit
         tokenSecurityEvent.setSecurityToken(securityToken);
         return tokenSecurityEvent;
     }
+
+    public static boolean pathMatches(List<QName> path1, List<QName> path2, boolean matchAnySoapNS, boolean lastElementWildCard) {
+        //todo remove these null checks! paths must not be null!
+        if (path1 == null || path2 == null || path1.size() != path2.size()) {
+            return false;
+        }
+        Iterator<QName> path1Iterator = path1.iterator();
+        Iterator<QName> path2Iterator = path2.iterator();
+        while (path1Iterator.hasNext()) {
+            QName qName1 = path1Iterator.next();
+            QName qName2 = path2Iterator.next();
+            if (matchAnySoapNS && (WSSConstants.NS_SOAP11.equals(qName1.getNamespaceURI())
+                    || WSSConstants.NS_SOAP12.equals(qName1.getNamespaceURI()))) {
+                if (!qName1.getLocalPart().equals(qName2.getLocalPart())) {
+                    return false;
+                }
+            } else if (!qName1.equals(qName2)) {
+                if (!path1Iterator.hasNext() && lastElementWildCard) {
+                    if (!qName1.getNamespaceURI().equals(qName2.getNamespaceURI())) {
+                        return false;
+                    }
+                } else {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    public static String pathAsString(List<QName> path) {
+        StringBuilder stringBuilder = new StringBuilder();
+        Iterator<QName> pathIterator = path.iterator();
+        while (pathIterator.hasNext()) {
+            QName qName = pathIterator.next();
+            stringBuilder.append('/');
+            stringBuilder.append(qName.toString());
+        }
+        return stringBuilder.toString();
+    }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityContext.java Wed Feb 29 20:54:51 2012
@@ -36,7 +36,7 @@ public interface WSSecurityContext exten
      *
      * @param securityEventListener The SecurityEventListener
      */
-    public void setSecurityEventListener(SecurityEventListener securityEventListener);
+    public void addSecurityEventListener(SecurityEventListener securityEventListener);
 
     /**
      * Registers a SecurityEvent which will be forwarded to the registered SecurityEventListener

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java?rev=1295267&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSecurityToken.java Wed Feb 29 20:54:51 2012
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.wss.ext;
+
+import org.swssf.xmlsec.ext.SecurityToken;
+
+import javax.xml.namespace.QName;
+import java.util.List;
+
+/**
+ * @author $Author: giger $
+ * @version $Revision: 1228829 $ $Date: 2012-01-08 12:44:13 +0100 (Sun, 08 Jan 2012) $
+ */
+public interface WSSecurityToken extends SecurityToken {
+
+    List<QName> getElementPath();
+
+    void setElementPath(List<QName> elementPath);
+}

Copied: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java (from r1235883, webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java)
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java?p2=webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java&p1=webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java&r1=1235883&r2=1295267&rev=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java Wed Feb 29 20:54:51 2012
@@ -19,11 +19,18 @@
 package org.swssf.wss.impl;
 
 
-import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSUtils;
 import org.swssf.wss.ext.WSSecurityException;
-import org.swssf.wss.securityEvent.SecurityEvent;
-import org.swssf.wss.securityEvent.SecurityEventListener;
-import org.swssf.xmlsec.impl.SecurityContextImpl;
+import org.swssf.wss.securityEvent.*;
+import org.swssf.xmlsec.ext.SecurityToken;
+import org.swssf.xmlsec.ext.XMLSecurityException;
+
+import javax.xml.namespace.QName;
+import java.util.Deque;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
 
 /**
  * Concrete security context implementation
@@ -31,18 +38,389 @@ import org.swssf.xmlsec.impl.SecurityCon
  * @author $Author$
  * @version $Revision$ $Date$
  */
-public class WSSecurityContextImpl extends SecurityContextImpl implements WSSecurityContext {
-
-    private SecurityEventListener securityEventListener;
+public class InboundWSSecurityContextImpl extends WSSecurityContextImpl {
 
-    public void setSecurityEventListener(SecurityEventListener securityEventListener) {
-        this.securityEventListener = securityEventListener;
-    }
+    private Deque<SecurityEvent> securityEventQueue = new LinkedList<SecurityEvent>();
+    private boolean operationSecurityEventOccured = false;
+    private boolean messageEncryptionTokenOccured = false;
 
     public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
-        if (securityEventListener == null) {
+
+        if (operationSecurityEventOccured) {
+            if (!this.messageEncryptionTokenOccured) {
+                if (securityEvent instanceof TokenSecurityEvent) {
+                    TokenSecurityEvent tokenSecurityEvent = ((TokenSecurityEvent) securityEvent);
+                    if (tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Encryption)) {
+                        SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
+
+                        try {
+                            while (securityToken.getKeyWrappingToken() != null) {
+                                securityToken = securityToken.getKeyWrappingToken();
+                            }
+                            TokenSecurityEvent newTokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
+                            setTokenUsage(newTokenSecurityEvent, SecurityToken.TokenUsage.MainEncryption);
+                            forwardSecurityEvent(newTokenSecurityEvent);
+                        } catch (XMLSecurityException e) {
+                            throw new WSSecurityException(e.getMessage(), e);
+                        }
+                        this.messageEncryptionTokenOccured = true;
+                    }
+                }
+            }
+
+            forwardSecurityEvent(securityEvent);
             return;
         }
-        securityEventListener.registerSecurityEvent(securityEvent);
+
+        if (securityEvent.getSecurityEventType() == SecurityEvent.Event.Operation) {
+            operationSecurityEventOccured = true;
+
+            try {
+                identifySecurityTokenDepenedenciesAndUsage(securityEventQueue);
+            } catch (XMLSecurityException e) {
+                throw new WSSecurityException(e.getMessage(), e);
+            }
+
+            //forward operation security event
+            forwardSecurityEvent(securityEvent);
+
+            Iterator<SecurityEvent> securityEventIterator = securityEventQueue.descendingIterator();
+            while (securityEventIterator.hasNext()) {
+                SecurityEvent prevSecurityEvent = securityEventIterator.next();
+                forwardSecurityEvent(prevSecurityEvent);
+            }
+            securityEventQueue.clear();
+            return;
+        }
+
+        securityEventQueue.push(securityEvent);
+    }
+
+    private void identifySecurityTokenDepenedenciesAndUsage(
+            Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+
+        List<TokenSecurityEvent> messageSignatureTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> messageEncryptionTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> supportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> signedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> endorsingSupportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> signedEndorsingSupportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> signedEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> endorsingEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+        List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens = new LinkedList<TokenSecurityEvent>();
+
+        HttpsTokenSecurityEvent httpsTokenSecurityEvent = null;
+
+        List<TokenSecurityEvent> tokenSecurityEvents = new LinkedList<TokenSecurityEvent>();
+        Iterator<SecurityEvent> securityEventIterator = securityEventDeque.iterator();
+        while (securityEventIterator.hasNext()) {
+            SecurityEvent securityEvent = securityEventIterator.next();
+            if (securityEvent instanceof TokenSecurityEvent) {
+                if (securityEvent.getSecurityEventType() == SecurityEvent.Event.HttpsToken) {
+                    HttpsTokenSecurityEvent actHttpsTokenSecurityEvent = (HttpsTokenSecurityEvent) securityEvent;
+                    actHttpsTokenSecurityEvent.getSecurityToken().getTokenUsages().clear();
+                    actHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(SecurityToken.TokenUsage.MainSignature);
+                    messageSignatureTokens.add(actHttpsTokenSecurityEvent);
+                    HttpsTokenSecurityEvent clonedHttpsTokenSecurityEvent = new HttpsTokenSecurityEvent();
+                    clonedHttpsTokenSecurityEvent.setAuthenticationType(actHttpsTokenSecurityEvent.getAuthenticationType());
+                    clonedHttpsTokenSecurityEvent.setIssuerName(actHttpsTokenSecurityEvent.getIssuerName());
+                    clonedHttpsTokenSecurityEvent.setSecurityToken(actHttpsTokenSecurityEvent.getSecurityToken());
+                    clonedHttpsTokenSecurityEvent.getSecurityToken().addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
+                    messageEncryptionTokens.add(clonedHttpsTokenSecurityEvent);
+                    httpsTokenSecurityEvent = clonedHttpsTokenSecurityEvent;
+                    continue;
+                }
+                tokenSecurityEvents.add((TokenSecurityEvent) securityEvent);
+            }
+        }
+
+        Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
+        while (tokenSecurityEventIterator.hasNext()) {
+            TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
+            SecurityToken securityToken = tokenSecurityEvent.getSecurityToken();
+            if (securityToken.getKeyWrappingToken() == null) {
+                supportingTokens.add(tokenSecurityEvent);
+            } else {
+                while (securityToken.getKeyWrappingToken() != null) {
+                    securityToken = securityToken.getKeyWrappingToken();
+                }
+                if (!containsSecurityToken(supportingTokens, securityToken)) {
+                    TokenSecurityEvent newTokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
+                    supportingTokens.add(newTokenSecurityEvent);
+                    securityEventDeque.offer(newTokenSecurityEvent);
+                }
+            }
+        }
+
+        Iterator<TokenSecurityEvent> supportingTokensIterator = supportingTokens.iterator();
+        while (supportingTokensIterator.hasNext()) {
+            TokenSecurityEvent tokenSecurityEvent = supportingTokensIterator.next();
+            List<SecurityToken> signingSecurityTokens = isSignedToken(tokenSecurityEvent, securityEventDeque, httpsTokenSecurityEvent);
+
+            List<QName> signatureElementPath = new LinkedList<QName>();
+            signatureElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+            signatureElementPath.add(WSSConstants.TAG_dsig_Signature);
+            boolean signsSignature = signsElement(tokenSecurityEvent, signatureElementPath, securityEventDeque);
+            boolean encryptsSignature = encryptsElement(tokenSecurityEvent, signatureElementPath, securityEventDeque);
+
+            List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
+            signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+            signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+            boolean signsSignatureConfirmation = signsElement(tokenSecurityEvent, signatureConfirmationElementPath, securityEventDeque);
+            boolean encryptsSignatureConfirmation = encryptsElement(tokenSecurityEvent, signatureConfirmationElementPath, securityEventDeque);
+
+            List<QName> timestampElementPath = new LinkedList<QName>();
+            timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+            timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
+            boolean signsTimestamp = signsElement(tokenSecurityEvent, timestampElementPath, securityEventDeque);
+
+            List<QName> usernameTokenElementPath = new LinkedList<QName>();
+            timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+            timestampElementPath.add(WSSConstants.TAG_wsse_UsernameToken);
+            boolean encryptsUsernameToken = encryptsElement(tokenSecurityEvent, usernameTokenElementPath, securityEventDeque);
+
+            boolean transportSecurityActive = Boolean.TRUE == get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+
+            if (!transportSecurityActive && signsSignatureConfirmation && signsTimestamp) {
+                supportingTokensIterator.remove();
+                messageSignatureTokens.add(tokenSecurityEvent);
+            } else if (!transportSecurityActive && signsSignatureConfirmation) {
+                supportingTokensIterator.remove();
+                messageSignatureTokens.add(tokenSecurityEvent);
+            } else if (!transportSecurityActive && signsTimestamp) {
+                supportingTokensIterator.remove();
+                messageSignatureTokens.add(tokenSecurityEvent);
+            } else if (signsSignature && signingSecurityTokens.size() > 0) {
+                supportingTokensIterator.remove();
+                signedEndorsingSupportingTokens.add(tokenSecurityEvent);
+            } else if (signsSignature) {
+                supportingTokensIterator.remove();
+                endorsingSupportingTokens.add(tokenSecurityEvent);
+            } else if (signingSecurityTokens.size() > 0) {
+                supportingTokensIterator.remove();
+                signedSupportingTokens.add(tokenSecurityEvent);
+            } else if (!transportSecurityActive &&
+                    (encryptsSignature || encryptsSignatureConfirmation || encryptsUsernameToken)) {
+                messageEncryptionTokens.add(tokenSecurityEvent);
+            }
+        }
+
+        if (messageSignatureTokens.size() == 0) {
+            SecurityToken messageSignatureToken = getSupportingTokenSigningToken(
+                    signedSupportingTokens,
+                    signedEndorsingSupportingTokens,
+                    signedEncryptedSupportingTokens,
+                    signedEndorsingEncryptedSupportingTokens,
+                    securityEventDeque);
+
+            TokenSecurityEvent tokenSecurityEvent = getTokenSecurityEvent(messageSignatureToken, tokenSecurityEvents);
+            if (tokenSecurityEvent != null) {
+                supportingTokens.remove(tokenSecurityEvent);
+                signedSupportingTokens.remove(tokenSecurityEvent);
+                endorsingSupportingTokens.remove(tokenSecurityEvent);
+                signedEndorsingSupportingTokens.remove(tokenSecurityEvent);
+                signedEncryptedSupportingTokens.remove(tokenSecurityEvent);
+                endorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
+                signedEndorsingEncryptedSupportingTokens.remove(tokenSecurityEvent);
+                messageSignatureTokens.add(tokenSecurityEvent);
+            }
+        }
+
+        if (messageSignatureTokens.size() == 0) {
+            for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
+                TokenSecurityEvent supportingToken = iterator.next();
+                if (supportingToken.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Signature)) {
+                    iterator.remove();
+                    messageSignatureTokens.add(supportingToken);
+                    break;
+                }
+            }
+        }
+
+        if (messageEncryptionTokens.size() == 0) {
+            for (Iterator<TokenSecurityEvent> iterator = supportingTokens.iterator(); iterator.hasNext(); ) {
+                TokenSecurityEvent supportingToken = iterator.next();
+                if (supportingToken.getSecurityToken().getTokenUsages().contains(SecurityToken.TokenUsage.Encryption)) {
+                    iterator.remove();
+                    messageEncryptionTokens.add(supportingToken);
+                    break;
+                }
+            }
+        }
+
+        if (messageEncryptionTokens.size() > 0) {
+            this.messageEncryptionTokenOccured = true;
+        }
+
+        setTokenUsage(messageSignatureTokens, SecurityToken.TokenUsage.MainSignature);
+        setTokenUsage(messageEncryptionTokens, SecurityToken.TokenUsage.MainEncryption);
+        setTokenUsage(supportingTokens, SecurityToken.TokenUsage.SupportingToken);
+        setTokenUsage(signedSupportingTokens, SecurityToken.TokenUsage.SignedSupportingTokens);
+        setTokenUsage(endorsingSupportingTokens, SecurityToken.TokenUsage.EndorsingSupportingTokens);
+        setTokenUsage(signedEndorsingSupportingTokens, SecurityToken.TokenUsage.SignedEndorsingSupportingTokens);
+        setTokenUsage(signedEncryptedSupportingTokens, SecurityToken.TokenUsage.SignedEncryptedSupportingTokens);
+        setTokenUsage(endorsingEncryptedSupportingTokens, SecurityToken.TokenUsage.EndorsingEncryptedSupportingTokens);
+        setTokenUsage(signedEndorsingEncryptedSupportingTokens, SecurityToken.TokenUsage.SignedEndorsingEncryptedSupportingTokens);
+    }
+
+    private boolean containsSecurityToken(List<TokenSecurityEvent> supportingTokens, SecurityToken securityToken) {
+        for (int i = 0; i < supportingTokens.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = supportingTokens.get(i);
+            if (tokenSecurityEvent.getSecurityToken() == securityToken) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private TokenSecurityEvent getTokenSecurityEvent(SecurityToken securityToken, List<TokenSecurityEvent> tokenSecurityEvents) throws XMLSecurityException {
+        for (int i = 0; i < tokenSecurityEvents.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = tokenSecurityEvents.get(i);
+            if (tokenSecurityEvent.getSecurityToken() == securityToken) {
+                return tokenSecurityEvent;
+            }
+        }
+        return null;
+    }
+
+    private SecurityToken getSupportingTokenSigningToken(
+            List<TokenSecurityEvent> signedSupportingTokens,
+            List<TokenSecurityEvent> signedEndorsingSupportingTokens,
+            List<TokenSecurityEvent> signedEncryptedSupportingTokens,
+            List<TokenSecurityEvent> signedEndorsingEncryptedSupportingTokens,
+            Deque<SecurityEvent> securityEventDeque
+    ) throws XMLSecurityException {
+
+        //todo we have to check if the signingTokens also cover the other supporting tokens!
+        for (int i = 0; i < signedSupportingTokens.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = signedSupportingTokens.get(i);
+            List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+            if (signingSecurityTokens.size() == 1) {
+                return signingSecurityTokens.get(0);
+            }
+        }
+        for (int i = 0; i < signedEndorsingSupportingTokens.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = signedEndorsingSupportingTokens.get(i);
+            List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+            if (signingSecurityTokens.size() == 1) {
+                return signingSecurityTokens.get(0);
+            }
+        }
+        for (int i = 0; i < signedEncryptedSupportingTokens.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = signedEncryptedSupportingTokens.get(i);
+            List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+            if (signingSecurityTokens.size() == 1) {
+                return signingSecurityTokens.get(0);
+            }
+        }
+        for (int i = 0; i < signedEndorsingEncryptedSupportingTokens.size(); i++) {
+            TokenSecurityEvent tokenSecurityEvent = signedEndorsingEncryptedSupportingTokens.get(i);
+            List<SecurityToken> signingSecurityTokens = getSigningToken(tokenSecurityEvent, securityEventDeque);
+            if (signingSecurityTokens.size() == 1) {
+                return signingSecurityTokens.get(0);
+            }
+        }
+        return null;
+    }
+
+    private List<SecurityToken> getSigningToken(TokenSecurityEvent tokenSecurityEvent, Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+        List<SecurityToken> signingSecurityTokens = new LinkedList<SecurityToken>();
+
+        for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+            SecurityEvent securityEvent = iterator.next();
+            if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+                SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+                if (signedElementSecurityEvent.isSigned()
+                        && WSSUtils.pathMatches(signedElementSecurityEvent.getElementPath(), tokenSecurityEvent.getSecurityToken().getElementPath(), true, false)) {
+                    signingSecurityTokens.add(signedElementSecurityEvent.getSecurityToken());
+                }
+            }
+        }
+        return signingSecurityTokens;
+    }
+
+    private void setTokenUsage(List<TokenSecurityEvent> tokenSecurityEvents, SecurityToken.TokenUsage tokenUsage) throws XMLSecurityException {
+        Iterator<TokenSecurityEvent> tokenSecurityEventIterator = tokenSecurityEvents.iterator();
+        while (tokenSecurityEventIterator.hasNext()) {
+            TokenSecurityEvent tokenSecurityEvent = tokenSecurityEventIterator.next();
+            setTokenUsage(tokenSecurityEvent, tokenUsage);
+        }
+    }
+
+    private void setTokenUsage(TokenSecurityEvent tokenSecurityEvent, SecurityToken.TokenUsage tokenUsage) throws XMLSecurityException {
+        if (tokenUsage == SecurityToken.TokenUsage.MainSignature) {
+            tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.SupportingToken);
+            tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.Signature);
+        } else if (tokenUsage == SecurityToken.TokenUsage.MainEncryption) {
+            tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.SupportingToken);
+            tokenSecurityEvent.getSecurityToken().getTokenUsages().remove(SecurityToken.TokenUsage.Encryption);
+        }
+        tokenSecurityEvent.getSecurityToken().addTokenUsage(tokenUsage);
+    }
+
+    private List<SecurityToken> isSignedToken(TokenSecurityEvent tokenSecurityEvent,
+                                              Deque<SecurityEvent> securityEventDeque,
+                                              HttpsTokenSecurityEvent httpsTokenSecurityEvent) throws XMLSecurityException {
+        List<SecurityToken> securityTokenList = new LinkedList<SecurityToken>();
+        if (httpsTokenSecurityEvent != null) {
+            securityTokenList.add(httpsTokenSecurityEvent.getSecurityToken());
+            return securityTokenList;
+        }
+        for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+            SecurityEvent securityEvent = iterator.next();
+            if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+                SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+                if (signedElementSecurityEvent.isSigned()
+                        && tokenSecurityEvent.getSecurityToken() != null
+                        && WSSUtils.pathMatches(
+                        tokenSecurityEvent.getSecurityToken().getElementPath(),
+                        signedElementSecurityEvent.getElementPath(), true, false)) {
+
+                    if (!securityTokenList.contains(signedElementSecurityEvent.getSecurityToken())) {
+                        securityTokenList.add(signedElementSecurityEvent.getSecurityToken());
+                    }
+                }
+            }
+        }
+        return securityTokenList;
+    }
+
+    private boolean signsElement(TokenSecurityEvent tokenSecurityEvent, List<QName> elementPath,
+                                 Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+        for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+            SecurityEvent securityEvent = iterator.next();
+            if (securityEvent.getSecurityEventType() == SecurityEvent.Event.SignedElement) {
+                SignedElementSecurityEvent signedElementSecurityEvent = (SignedElementSecurityEvent) securityEvent;
+                if (signedElementSecurityEvent.isSigned()
+                        && signedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+                        && WSSUtils.pathMatches(elementPath, signedElementSecurityEvent.getElementPath(), true, false)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    private boolean encryptsElement(TokenSecurityEvent tokenSecurityEvent, List<QName> elementPath,
+                                    Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
+        for (Iterator<SecurityEvent> iterator = securityEventDeque.iterator(); iterator.hasNext(); ) {
+            SecurityEvent securityEvent = iterator.next();
+            if (securityEvent.getSecurityEventType() == SecurityEvent.Event.EncryptedElement) {
+                EncryptedElementSecurityEvent encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
+                if (encryptedElementSecurityEvent.isEncrypted()
+                        && encryptedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+                        && WSSUtils.pathMatches(elementPath, encryptedElementSecurityEvent.getElementPath(), true, false)) {
+                    return true;
+                }
+            } else if (securityEvent.getSecurityEventType() == SecurityEvent.Event.ContentEncrypted) {
+                ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent) securityEvent;
+                if (contentEncryptedElementSecurityEvent.isEncrypted()
+                        && contentEncryptedElementSecurityEvent.getSecurityToken() == tokenSecurityEvent.getSecurityToken()
+                        && WSSUtils.pathMatches(elementPath, contentEncryptedElementSecurityEvent.getElementPath(), true, false)) {
+                    return true;
+                }
+            }
+        }
+        return false;
     }
 }

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/InboundWSSecurityContextImpl.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSDocumentContextImpl.java Wed Feb 29 20:54:51 2012
@@ -20,6 +20,7 @@ package org.swssf.wss.impl;
 
 import org.swssf.wss.ext.WSSConstants;
 import org.swssf.wss.ext.WSSDocumentContext;
+import org.swssf.xmlsec.impl.DocumentContextImpl;
 
 import javax.xml.namespace.QName;
 import java.util.ArrayList;
@@ -31,7 +32,7 @@ import java.util.List;
  * @author $Author$
  * @version $Revision$ $Date$
  */
-public class WSSDocumentContextImpl extends org.swssf.xmlsec.impl.DocumentContextImpl implements WSSDocumentContext {
+public class WSSDocumentContextImpl extends DocumentContextImpl implements WSSDocumentContext {
 
     public String getSOAPMessageVersionNamespace() {
         if (getPath().size() >= 1 && getPath().get(0).equals(WSSConstants.TAG_soap11_Envelope)) {

Added: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java?rev=1295267&view=auto
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java (added)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java Wed Feb 29 20:54:51 2012
@@ -0,0 +1,56 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.swssf.wss.impl;
+
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSecurityException;
+import org.swssf.wss.securityEvent.SecurityEvent;
+import org.swssf.wss.securityEvent.SecurityEventListener;
+import org.swssf.xmlsec.impl.SecurityContextImpl;
+
+import java.util.LinkedList;
+import java.util.List;
+
+/**
+ * Concrete security context implementation
+ *
+ * @author $Author$
+ * @version $Revision$ $Date$
+ */
+public class WSSecurityContextImpl extends SecurityContextImpl implements WSSecurityContext {
+
+    private List<SecurityEventListener> securityEventListeners = new LinkedList<SecurityEventListener>();
+
+    public void addSecurityEventListener(SecurityEventListener securityEventListener) {
+        if (securityEventListener != null) {
+            this.securityEventListeners.add(securityEventListener);
+        }
+    }
+
+    public synchronized void registerSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+        forwardSecurityEvent(securityEvent);
+    }
+
+    protected void forwardSecurityEvent(SecurityEvent securityEvent) throws WSSecurityException {
+        for (int i = 0; i < securityEventListeners.size(); i++) {
+            SecurityEventListener securityEventListener = securityEventListeners.get(i);
+            securityEventListener.registerSecurityEvent(securityEvent);
+        }
+    }
+}

Propchange: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/WSSecurityContextImpl.java
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/BinarySecurityTokenInputHandler.java Wed Feb 29 20:54:51 2012
@@ -19,15 +19,18 @@
 package org.swssf.wss.impl.processor.input;
 
 import org.swssf.binding.wss10.BinarySecurityTokenType;
+import org.swssf.wss.ext.WSSecurityContext;
+import org.swssf.wss.ext.WSSecurityToken;
 import org.swssf.wss.impl.securityToken.SecurityTokenFactoryImpl;
+import org.swssf.wss.securityEvent.X509TokenSecurityEvent;
 import org.swssf.xmlsec.crypto.Crypto;
 import org.swssf.xmlsec.ext.*;
 
 import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
 import javax.xml.stream.events.XMLEvent;
 import java.util.Deque;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;
 import java.util.UUID;
 
 /**
@@ -49,23 +52,32 @@ public class BinarySecurityTokenInputHan
             binarySecurityTokenType.setId(UUID.randomUUID().toString());
         }
 
+        final List<QName> elementPath = getElementPath(inputProcessorChain.getDocumentContext(), eventQueue);
+
         SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
 
-            private Map<Crypto, SecurityToken> securityTokens = new HashMap<Crypto, SecurityToken>();
+            private WSSecurityToken binarySecurityToken = null;
 
-            public SecurityToken getSecurityToken(Crypto crypto) throws XMLSecurityException {
-                SecurityToken securityToken = securityTokens.get(crypto);
-                if (securityToken != null) {
-                    return securityToken;
+            public SecurityToken getSecurityToken() throws XMLSecurityException {
+                if (this.binarySecurityToken != null) {
+                    return this.binarySecurityToken;
+                }
+                Crypto crypto = null;
+                try {
+                    crypto = securityProperties.getSignatureVerificationCrypto();
+                } catch (XMLSecurityConfigurationException e) {
+                    //ignore
                 }
-                securityToken = SecurityTokenFactoryImpl.getSecurityToken(
+                if (crypto == null) {
+                    crypto = securityProperties.getDecryptionCrypto();
+                }
+                this.binarySecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
                         binarySecurityTokenType,
                         inputProcessorChain.getSecurityContext(),
                         crypto,
-                        securityProperties.getCallbackHandler(),
-                        null);
-                securityTokens.put(crypto, securityToken);
-                return securityToken;
+                        securityProperties.getCallbackHandler());
+                this.binarySecurityToken.setElementPath(elementPath);
+                return this.binarySecurityToken;
             }
 
             public String getId() {
@@ -74,5 +86,10 @@ public class BinarySecurityTokenInputHan
         };
 
         inputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenType.getId(), securityTokenProvider);
+
+        //fire a tokenSecurityEvent
+        X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
+        x509TokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken());
+        ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(x509TokenSecurityEvent);
     }
 }

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DecryptInputProcessor.java Wed Feb 29 20:54:51 2012
@@ -56,18 +56,18 @@ public class DecryptInputProcessor exten
     protected void handleEncryptedContent(
             InputProcessorChain inputProcessorChain, XMLEvent xmlEvent, SecurityToken securityToken) throws XMLSecurityException {
 
-        QName parentElement = inputProcessorChain.getDocumentContext().getParentElement(xmlEvent.getEventType());
+        List<QName> parentElementPath = inputProcessorChain.getDocumentContext().getParentElementPath(xmlEvent.getEventType());
         if (inputProcessorChain.getDocumentContext().getDocumentLevel() == 3
                 && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPBody()) {
             //soap:body content encryption counts as EncryptedPart
             EncryptedPartSecurityEvent encryptedPartSecurityEvent =
                     new EncryptedPartSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
-            encryptedPartSecurityEvent.setElement(parentElement);
+            encryptedPartSecurityEvent.setElementPath(parentElementPath);
             ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedPartSecurityEvent);
         } else {
             ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
                     new ContentEncryptedElementSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
-            contentEncryptedElementSecurityEvent.setElement(parentElement);
+            contentEncryptedElementSecurityEvent.setElementPath(parentElementPath);
             ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(contentEncryptedElementSecurityEvent);
         }
     }
@@ -83,21 +83,13 @@ public class DecryptInputProcessor exten
                 securityToken);
     }
 
+    //todo remove me?
     @Override
-    protected void handleSecurityToken(
-            SecurityToken securityToken, SecurityContext securityContext, EncryptedDataType encryptedDataType) throws XMLSecurityException {
+    protected void handleSecurityToken(SecurityToken securityToken, SecurityContext securityContext,
+                                       EncryptedDataType encryptedDataType) throws XMLSecurityException {
+        securityToken.addTokenUsage(SecurityToken.TokenUsage.Encryption);
         TokenSecurityEvent tokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken);
-        tokenSecurityEvent.setTokenUsage(TokenSecurityEvent.TokenUsage.Encryption);
         ((WSSecurityContext) securityContext).registerSecurityEvent(tokenSecurityEvent);
-
-        /*AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = new AlgorithmSuiteSecurityEvent();
-       algorithmSuiteSecurityEvent.setAlgorithmURI(encryptedDataType.getEncryptionMethod().getAlgorithm());
-       if (securityToken.isAsymmetric()) {
-           algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.Asym_Key_Wrap);
-       } else {
-           algorithmSuiteSecurityEvent.setKeyUsage(WSSConstants.Sym_Key_Wrap);
-       }
-       ((WSSecurityContext) securityContext).registerSecurityEvent(algorithmSuiteSecurityEvent);*/
     }
 
     /*
@@ -138,12 +130,12 @@ public class DecryptInputProcessor exten
                     && ((WSSDocumentContext) inputProcessorChain.getDocumentContext()).isInSOAPHeader()) {
                 EncryptedPartSecurityEvent encryptedPartSecurityEvent =
                         new EncryptedPartSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
-                encryptedPartSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+                encryptedPartSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
                 ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedPartSecurityEvent);
             } else {
                 EncryptedElementSecurityEvent encryptedElementSecurityEvent =
                         new EncryptedElementSecurityEvent(securityToken, true, isInSignedContent(inputProcessorChain));
-                encryptedElementSecurityEvent.setElement(xmlEvent.asStartElement().getName());
+                encryptedElementSecurityEvent.setElementPath(inputProcessorChain.getDocumentContext().getPath());
                 ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(encryptedElementSecurityEvent);
             }
         }

Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java?rev=1295267&r1=1295266&r2=1295267&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/impl/processor/input/DerivedKeyTokenInputHandler.java Wed Feb 29 20:54:51 2012
@@ -27,18 +27,18 @@ import org.swssf.wss.impl.securityToken.
 import org.swssf.wss.impl.securityToken.SAMLSecurityToken;
 import org.swssf.wss.impl.securityToken.SecurityTokenFactoryImpl;
 import org.swssf.wss.impl.securityToken.UsernameSecurityToken;
+import org.swssf.wss.securityEvent.DerivedKeyTokenSecurityEvent;
 import org.swssf.xmlsec.config.JCEAlgorithmMapper;
-import org.swssf.xmlsec.crypto.Crypto;
 import org.swssf.xmlsec.ext.*;
 
 import javax.crypto.spec.SecretKeySpec;
 import javax.xml.bind.JAXBElement;
+import javax.xml.namespace.QName;
 import javax.xml.stream.events.XMLEvent;
 import java.security.Key;
 import java.security.PublicKey;
 import java.util.Deque;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.List;
 import java.util.UUID;
 
 /**
@@ -63,28 +63,38 @@ public class DerivedKeyTokenInputHandler
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, "noReference");
         }
 
+        final List<QName> elementPath = getElementPath(inputProcessorChain.getDocumentContext(), eventQueue);
+
         SecurityTokenProvider securityTokenProvider = new SecurityTokenProvider() {
 
-            private Map<Crypto, SecurityToken> securityTokens = new HashMap<Crypto, SecurityToken>();
+            private AbstractSecurityToken derivedKeySecurityToken = null;
 
-            public SecurityToken getSecurityToken(Crypto crypto) throws XMLSecurityException {
+            public SecurityToken getSecurityToken() throws XMLSecurityException {
 
-                SecurityToken securityToken = securityTokens.get(crypto);
-                if (securityToken != null) {
-                    return securityToken;
+                if (this.derivedKeySecurityToken != null) {
+                    return this.derivedKeySecurityToken;
                 }
 
-                final SecurityToken referencedSecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
-                        derivedKeyTokenType.getSecurityTokenReference(),
-                        securityProperties.getDecryptionCrypto(),
-                        securityProperties.getCallbackHandler(),
-                        inputProcessorChain.getSecurityContext(),
-                        null
-                );
-
-                securityToken = new AbstractSecurityToken(
+                this.derivedKeySecurityToken = new AbstractSecurityToken(
                         (WSSecurityContext) inputProcessorChain.getSecurityContext(), null, null,
-                        derivedKeyTokenType.getId(), null, null) {
+                        derivedKeyTokenType.getId(), null) {
+
+                    private SecurityToken referencedSecurityToken = null;
+
+                    private SecurityToken getReferencedSecurityToken() throws XMLSecurityException {
+                        if (this.referencedSecurityToken != null) {
+                            return referencedSecurityToken;
+                        }
+
+                        this.referencedSecurityToken = SecurityTokenFactoryImpl.getSecurityToken(
+                                derivedKeyTokenType.getSecurityTokenReference(),
+                                securityProperties.getDecryptionCrypto(),
+                                securityProperties.getCallbackHandler(),
+                                inputProcessorChain.getSecurityContext()
+                        );
+                        this.referencedSecurityToken.addWrappedToken(this);
+                        return this.referencedSecurityToken;
+                    }
 
                     public boolean isAsymmetric() {
                         return false;
@@ -92,6 +102,7 @@ public class DerivedKeyTokenInputHandler
 
                     protected Key getKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
                         byte[] secret;
+                        SecurityToken referencedSecurityToken = getReferencedSecurityToken();
                         if (referencedSecurityToken != null) {
                             if (referencedSecurityToken instanceof UsernameSecurityToken) {
                                 UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) referencedSecurityToken;
@@ -104,13 +115,6 @@ public class DerivedKeyTokenInputHandler
                                 SAMLSecurityToken samlSecurityToken = (SAMLSecurityToken) referencedSecurityToken;
                                 secret = samlSecurityToken.getSamlKeyInfo().getSecret();
                             } else {
-                                //todo is this the correct algo and KeyUsage?
-                                WSSConstants.KeyUsage newKeyUsage;
-                                if (keyUsage == WSSConstants.Sym_Sig || keyUsage == WSSConstants.Asym_Sig || keyUsage == WSSConstants.Sig_KD) {
-                                    newKeyUsage = WSSConstants.Sig_KD;
-                                } else {
-                                    newKeyUsage = WSSConstants.Enc_KD;
-                                }
                                 secret = referencedSecurityToken.getSecretKey(algorithmURI, keyUsage).getEncoded();
                             }
                         } else {
@@ -128,6 +132,7 @@ public class DerivedKeyTokenInputHandler
                                 nonce,
                                 derivedKeyTokenType.getOffset().intValue()
                         );
+                        //todo algo sec event here!
                         String algo = JCEAlgorithmMapper.translateURItoJCEID(algorithmURI);
                         return new SecretKeySpec(keyBytes, algo);
                     }
@@ -137,21 +142,16 @@ public class DerivedKeyTokenInputHandler
                         return null;
                     }
 
-                    public SecurityToken getKeyWrappingToken() {
-                        return referencedSecurityToken;
-                    }
-
-                    public String getKeyWrappingTokenAlgorithm() {
-                        //todo?
-                        return null;
+                    public SecurityToken getKeyWrappingToken() throws XMLSecurityException {
+                        return getReferencedSecurityToken();
                     }
 
                     public WSSConstants.TokenType getTokenType() {
                         return WSSConstants.DerivedKeyToken;
                     }
                 };
-                securityTokens.put(crypto, securityToken);
-                return securityToken;
+                this.derivedKeySecurityToken.setElementPath(elementPath);
+                return this.derivedKeySecurityToken;
             }
 
             public String getId() {
@@ -159,5 +159,10 @@ public class DerivedKeyTokenInputHandler
             }
         };
         inputProcessorChain.getSecurityContext().registerSecurityTokenProvider(derivedKeyTokenType.getId(), securityTokenProvider);
+
+        //fire a tokenSecurityEvent
+        DerivedKeyTokenSecurityEvent derivedKeyTokenSecurityEvent = new DerivedKeyTokenSecurityEvent();
+        derivedKeyTokenSecurityEvent.setSecurityToken(securityTokenProvider.getSecurityToken());
+        ((WSSecurityContext) inputProcessorChain.getSecurityContext()).registerSecurityEvent(derivedKeyTokenSecurityEvent);
     }
 }



Mime
View raw message