ws-commits mailing list archives

From gi...@apache.org
Subject svn commit: r1484123 [1/2] - in /webservices/wss4j/trunk/ws-security-stax/src: main/java/org/apache/wss4j/stax/ext/ main/java/org/apache/wss4j/stax/impl/ main/java/org/apache/wss4j/stax/impl/processor/output/ test/java/org/apache/wss4j/stax/test/ test/...
Date Sat, 18 May 2013 14:08:00 GMT
Author: giger
Date: Sat May 18 14:08:00 2013
New Revision: 1484123

URL: http://svn.apache.org/r1484123
Log:
header ordering - WSS-436

Added:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java   (with props)
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java   (with props)
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/HeaderOrderingTest.java   (with props)
Removed:
    webservices/wss4j/trunk/ws-security-stax/src/test/resources/log4j-xmlsec.xml
Modified:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSUtils.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptEndingOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityContextTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SignatureConfirmationOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/TimestampOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/UsernameTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/WSSSignatureEndingOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/AbstractTestBase.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/UsernameTokenTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/resources/log4j-wss.xml

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java Sat May 18 14:08:00 2013
@@ -225,6 +225,10 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
                 }
             }
+            
+            final SecurityHeaderReorderProcessor securityHeaderReorderProcessor = new SecurityHeaderReorderProcessor();
+            initializeOutputProcessor(outputProcessorChain, securityHeaderReorderProcessor, null);
+            
             if (output instanceof OutputStream) {
                 final FinalOutputProcessor finalOutputProcessor = new FinalOutputProcessor((OutputStream) output, encoding);
                 initializeOutputProcessor(outputProcessorChain, finalOutputProcessor, null);
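Review bot: The new `SecurityHeaderReorderProcessor` is registered for every outbound message regardless of the configured actions, and nothing explains why it sits between the action processors and the `FinalOutputProcessor`. Its source is not in this part of the commit, so whether it buffers header events when there is nothing to reorder cannot be checked here. If the placement is an ordering constraint, record it above the new statement, for example `// must be initialised after all action processors and before the final output processor`. The enclosing method starts and ends outside the hunk.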

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSUtils.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSUtils.java Sat May 18 14:08:00 2013
@@ -19,6 +19,7 @@
 package org.apache.wss4j.stax.ext;
 
 import org.apache.commons.codec.binary.Base64;
+import org.apache.wss4j.stax.impl.SecurityHeaderOrder;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.wss4j.stax.securityEvent.*;
 import org.apache.xml.security.exceptions.XMLSecurityException;
@@ -48,10 +49,7 @@ import java.security.cert.CertificateEnc
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Iterator;
-import java.util.List;
+import java.util.*;
 
 public class WSSUtils extends XMLSecurityUtils {
 
@@ -184,6 +182,43 @@ public class WSSUtils extends XMLSecurit
         return false;
     }
 
+    public static boolean isSecurityHeaderElement(XMLSecEvent xmlSecEvent, String actorOrRole) {
+        if (!xmlSecEvent.isStartElement()) {
+            return false;
+        }
+
+        final List<QName> elementPath = xmlSecEvent.getElementPath();
+        if (elementPath.size() == 3) {
+            final QName secondLevelElementName = elementPath.get(1);
+            return WSSConstants.TAG_wsse_Security.equals(elementPath.get(2))
+                    && isResponsibleActorOrRole(xmlSecEvent.getStartElementAtLevel(3), actorOrRole)
+                    && WSSConstants.TAG_soap_Header_LocalName.equals(secondLevelElementName.getLocalPart())
+                    && elementPath.get(0).getNamespaceURI().equals(secondLevelElementName.getNamespaceURI());
+        }
+        return false;
+    }
+
+    public static void updateSecurityHeaderOrder(
+            OutputProcessorChain outputProcessorChain, QName headerElementName,
+            XMLSecurityConstants.Action action, boolean onTop) {
+
+        final OutboundSecurityContext securityContext = outputProcessorChain.getSecurityContext();
+
+        Map<Object, SecurePart> dynamicSecureParts = securityContext.getAsMap(WSSConstants.ENCRYPTION_PARTS);
+        boolean encrypted = dynamicSecureParts.containsKey(headerElementName);
+
+        List<SecurityHeaderOrder> securityHeaderOrderList = securityContext.getAsList(SecurityHeaderOrder.class);
+        if (securityHeaderOrderList == null) {
+            securityContext.putList(SecurityHeaderOrder.class, Collections.<SecurityHeaderOrder>emptyList());
+            securityHeaderOrderList = securityContext.getAsList(SecurityHeaderOrder.class);
+        }
+        if (onTop) {
+            securityHeaderOrderList.add(0, new SecurityHeaderOrder(headerElementName, action, encrypted));
+        } else {
+            securityHeaderOrderList.add(new SecurityHeaderOrder(headerElementName, action, encrypted));
+        }
+    }
+
     public static boolean isResponsibleActorOrRole(XMLSecStartElement xmlSecStartElement, String responsibleActor) {
         final QName actorRole;
         final String soapVersionNamespace = getSOAPMessageVersionNamespace(xmlSecStartElement);
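Review bot: In `updateSecurityHeaderOrder`, `dynamicSecureParts.containsKey(headerElementName)` is called without a null check, although the list fetched from the same context two lines later is null-checked. If `getAsMap(WSSConstants.ENCRYPTION_PARTS)` can also return null when no encryption parts were registered, this throws a NullPointerException; `boolean encrypted = dynamicSecureParts != null && dynamicSecureParts.containsKey(headerElementName);` would make the two lookups consistent. The lazy initialisation passes `Collections.<SecurityHeaderOrder>emptyList()` to `putList` and then calls `add` on the result of `getAsList`, which works only if `putList` copies into a mutable list; that is not visible here, so a one-line comment stating the assumption (or passing `new ArrayList<SecurityHeaderOrder>()`) would be safer. Both new public methods lack Javadoc, and `isResponsibleActorOrRole` at the end of the hunk continues outside it.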
@@ -477,5 +512,5 @@ public class WSSUtils extends XMLSecurit
             stringBuilder.append(qName.toString());
         }
         return stringBuilder.toString();
-    }
+    }    
 }

Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java?rev=1484123&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java Sat May 18 14:08:00 2013
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.stax.impl;
+
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+
+import javax.xml.namespace.QName;
+
+public class SecurityHeaderOrder {
+    
+    private QName securityHeaderElementName;
+    private XMLSecurityConstants.Action action;
+    private boolean encrypted;
+
+    public SecurityHeaderOrder(QName securityHeaderElementName, XMLSecurityConstants.Action action, boolean encrypted) {
+        this.securityHeaderElementName = securityHeaderElementName;
+        this.action = action;
+        this.encrypted = encrypted;
+    }
+
+    public QName getSecurityHeaderElementName() {
+        return securityHeaderElementName;
+    }
+
+    public XMLSecurityConstants.Action getAction() {
+        return action;
+    }
+
+    public boolean isEncrypted() {
+        return encrypted;
+    }
+}
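Review bot: The three fields of `SecurityHeaderOrder` are assigned only in the constructor and the class has no setters, so they can be declared `final`, e.g. `private final QName securityHeaderElementName;` and likewise for `action` and `encrypted`. Instances are kept in a list on the shared security context and that list is copied and re-filled elsewhere in this commit, so making the entries explicitly immutable removes one source of doubt. A class-level Javadoc is also missing; it should say that an instance records one child element of the security header, the action that produced it, and whether that element name was present in the encryption parts when the entry was created (as computed in `WSSUtils.updateSecurityHeaderOrder`).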

Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/SecurityHeaderOrder.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java Sat May 18 14:08:00 2013
@@ -30,7 +30,6 @@ import org.apache.xml.security.exception
 import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
 import org.apache.xml.security.stax.ext.*;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
@@ -39,7 +38,6 @@ import org.apache.xml.security.stax.secu
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
 import javax.crypto.spec.SecretKeySpec;
-import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import java.security.Key;
 import java.security.cert.X509Certificate;
@@ -142,7 +140,6 @@ public class BinarySecurityTokenOutputPr
                     || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
                 if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier())) {
-                    outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
                     FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
                     finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
                     finalBinarySecurityTokenOutputProcessor.setAction(getAction());
@@ -217,20 +214,25 @@ public class BinarySecurityTokenOutputPr
         }
 
         @Override
-        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+                throws XMLStreamException, XMLSecurityException {
+
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
 
-                    boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
-                    WSSUtils.createBinarySecurityTokenStructure(this, subOutputProcessorChain, securityToken.getId(), securityToken.getX509Certificates(), useSingleCertificate);
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
 
-                    outputProcessorChain.removeProcessor(this);
-                }
+                WSSUtils.updateSecurityHeaderOrder(
+                        outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, getAction(), false);
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
+                WSSUtils.createBinarySecurityTokenStructure(
+                        this, subOutputProcessorChain, securityToken.getId(),
+                        securityToken.getX509Certificates(), useSingleCertificate);
+
+                outputProcessorChain.removeProcessor(this);
             }
-        }
+        }        
     }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java Sat May 18 14:08:00 2013
@@ -33,14 +33,13 @@ import org.apache.xml.security.stax.conf
 import org.apache.xml.security.stax.ext.*;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
 import javax.crypto.spec.SecretKeySpec;
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.io.UnsupportedEncodingException;
 import java.security.Key;
@@ -164,7 +163,6 @@ public class DerivedKeyTokenOutputProces
 
             if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, wsuIdDKT);
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, wsuIdDKT);
             } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, wsuIdDKT);
             }
@@ -199,34 +197,37 @@ public class DerivedKeyTokenOutputProces
         }
 
         @Override
-        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+                throws XMLStreamException, XMLSecurityException {
+
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-
-                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
-                    attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_DerivedKeyToken, true, attributes);
-
-                    createSecurityTokenReferenceStructureForDerivedKey(subOutputProcessorChain, securityToken,
-                            ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyKeyIdentifier(),
-                            ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference(), getSecurityProperties().isUseSingleCert());
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Offset, false, null);
-                    createCharactersAndOutputAsEvent(subOutputProcessorChain, "" + offset);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Offset);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Length, false, null);
-                    createCharactersAndOutputAsEvent(subOutputProcessorChain, "" + length);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Length);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Nonce, false, null);
-                    createCharactersAndOutputAsEvent(subOutputProcessorChain, nonce);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Nonce);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_DerivedKeyToken);
 
-                    outputProcessorChain.removeProcessor(this);
-                }
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+                final QName headerElementName = WSSConstants.TAG_wsc0502_DerivedKeyToken;
+                WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
+                attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, attributes);
+
+                createSecurityTokenReferenceStructureForDerivedKey(subOutputProcessorChain, securityToken,
+                        ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyKeyIdentifier(),
+                        ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference(), getSecurityProperties().isUseSingleCert());
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Offset, false, null);
+                createCharactersAndOutputAsEvent(subOutputProcessorChain, "" + offset);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Offset);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Length, false, null);
+                createCharactersAndOutputAsEvent(subOutputProcessorChain, "" + length);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Length);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Nonce, false, null);
+                createCharactersAndOutputAsEvent(subOutputProcessorChain, nonce);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Nonce);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+
+                outputProcessorChain.removeProcessor(this);
             }
         }
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptEndingOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptEndingOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptEndingOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptEndingOutputProcessor.java Sat May 18 14:08:00 2013
@@ -18,16 +18,15 @@
  */
 package org.apache.wss4j.stax.impl.processor.output;
 
+import org.apache.wss4j.stax.impl.SecurityHeaderOrder;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.ext.OutputProcessorChain;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.processor.output.AbstractEncryptEndingOutputProcessor;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.ext.WSSUtils;
 
-import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import java.util.*;
@@ -37,17 +36,6 @@ import java.util.*;
  */
 public class EncryptEndingOutputProcessor extends AbstractEncryptEndingOutputProcessor {
 
-    private static final List<QName> appendAfterOneOfThisAttributes;
-
-    static {
-        List<QName> list = new ArrayList<QName>(5);
-        list.add(WSSConstants.ATT_wsu_Id);
-        list.add(WSSConstants.ATT_NULL_Id);
-        list.add(WSSConstants.ATT_NULL_AssertionID);
-        list.add(WSSConstants.ATT_NULL_ID);
-        appendAfterOneOfThisAttributes = Collections.unmodifiableList(list);
-    }
-
     public EncryptEndingOutputProcessor() throws XMLSecurityException {
         super();
         this.addAfterProcessor(EncryptOutputProcessor.class.getName());
@@ -63,12 +51,7 @@ public class EncryptEndingOutputProcesso
     }
 
     @Override
-    protected List<QName> getAppendAfterOneOfThisAttributes() {
-        return appendAfterOneOfThisAttributes;
-    }
-
-    @Override
-    public void flushBufferAndCallbackAfterTokenID(OutputProcessorChain outputProcessorChain,
+    public void flushBufferAndCallbackAfterHeader(OutputProcessorChain outputProcessorChain,
                                                    Deque<XMLSecEvent> xmlSecEventDeque)
             throws XMLStreamException, XMLSecurityException {
 
@@ -80,12 +63,26 @@ public class EncryptEndingOutputProcesso
             XMLSecEvent xmlSecEvent = xmlSecEventDeque.pop();
             switch (xmlSecEvent.getEventType()) {
                 case XMLStreamConstants.START_ELEMENT:
-                    XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                    if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                            && WSSUtils.isResponsibleActorOrRole(
-                            xmlSecStartElement, actor)) {
+                    if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, actor)) {
+
+                        if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(getAction())) {
+                            WSSUtils.updateSecurityHeaderOrder(
+                                    outputProcessorChain, WSSConstants.TAG_xenc_ReferenceList, getAction(), true);                            
+                        }
+                        List<SecurityHeaderOrder> securityHeaderOrderList = 
+                                outputProcessorChain.getSecurityContext().getAsList(SecurityHeaderOrder.class);
+                        List<SecurityHeaderOrder> tmpList = null;
+                        if (securityHeaderOrderList != null) {
+                            tmpList = new ArrayList<SecurityHeaderOrder>(securityHeaderOrderList);
+                            securityHeaderOrderList.clear();
+                        }
+                        
                         outputProcessorChain.reset();
                         outputProcessorChain.processEvent(xmlSecEvent);
+                        
+                        if (securityHeaderOrderList != null) {
+                            securityHeaderOrderList.addAll(tmpList);
+                        }
                         break loop;
                     }
                     break;
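Review bot: The save/clear/restore of `securityHeaderOrderList` around `outputProcessorChain.processEvent(xmlSecEvent)` is undocumented and its effect on ordering is easy to misread. Because the restore uses `addAll(tmpList)`, any entries added to the list while the buffered security header start element is replayed end up in front of the previously recorded ones. If that is intended, a comment such as `// entries registered during the replay go first; the previously recorded ones are re-appended after them` should say so; if not, the restore needs `addAll(0, tmpList)`. The restore is also skipped when `processEvent` throws, which presumably matters only if the security context outlives the failed message. The method body starts before this hunk and continues after it.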
@@ -93,6 +90,6 @@ public class EncryptEndingOutputProcesso
             outputProcessorChain.reset();
             outputProcessorChain.processEvent(xmlSecEvent);
         }
-        super.flushBufferAndCallbackAfterTokenID(outputProcessorChain, xmlSecEventDeque);
+        super.flushBufferAndCallbackAfterHeader(outputProcessorChain, xmlSecEventDeque);
     }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java Sat May 18 14:08:00 2013
@@ -29,7 +29,6 @@ import org.apache.xml.security.stax.conf
 import org.apache.xml.security.stax.ext.*;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
@@ -41,7 +40,7 @@ import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.spec.OAEPParameterSpec;
 import javax.crypto.spec.PSource;
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -180,130 +179,133 @@ public class EncryptedKeyOutputProcessor
         */
 
         @Override
-        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+                throws XMLStreamException, XMLSecurityException {
+
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-
-                    final X509Certificate x509Certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
-                    final String encryptionKeyTransportAlgorithm = getSecurityProperties().getEncryptionKeyTransportAlgorithm();
-
-                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
-                    attributes.add(createAttribute(WSSConstants.ATT_NULL_Id, securityToken.getId()));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptedKey, true, attributes);
-
-                    attributes = new ArrayList<XMLSecAttribute>(1);
-                    attributes.add(createAttribute(WSSConstants.ATT_NULL_Algorithm, encryptionKeyTransportAlgorithm));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod, false, attributes);
 
-                    final String encryptionKeyTransportMGFAlgorithm = getSecurityProperties().getEncryptionKeyTransportMGFAlgorithm();
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+                final QName headerElementName = WSSConstants.TAG_xenc_EncryptedKey;
+                WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                final X509Certificate x509Certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
+                final String encryptionKeyTransportAlgorithm = getSecurityProperties().getEncryptionKeyTransportAlgorithm();
+
+                List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
+                attributes.add(createAttribute(WSSConstants.ATT_NULL_Id, securityToken.getId()));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, attributes);
+
+                attributes = new ArrayList<XMLSecAttribute>(1);
+                attributes.add(createAttribute(WSSConstants.ATT_NULL_Algorithm, encryptionKeyTransportAlgorithm));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod, false, attributes);
+
+                final String encryptionKeyTransportMGFAlgorithm = getSecurityProperties().getEncryptionKeyTransportMGFAlgorithm();
+
+                if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm) ||
+                        XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(encryptionKeyTransportAlgorithm)) {
+
+                    byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
+                    if (oaepParams != null) {
+                        createStartElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams, false, null);
+                        createCharactersAndOutputAsEvent(subOutputProcessorChain, Base64.encodeBase64String(oaepParams));
+                        createEndElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams);
+                    }
+
+                    String encryptionKeyTransportDigestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
+                    if (encryptionKeyTransportDigestAlgorithm != null) {
+                        attributes = new ArrayList<XMLSecAttribute>(1);
+                        attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportDigestAlgorithm));
+                        createStartElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod, true, attributes);
+                        createEndElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod);
+                    }
+
+                    if (encryptionKeyTransportMGFAlgorithm != null) {
+                        attributes = new ArrayList<XMLSecAttribute>(1);
+                        attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportMGFAlgorithm));
+                        createStartElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF, true, attributes);
+                        createEndElementAndOutputAsEvent(subOutputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF);
+                    }
+                }
+
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_KeyInfo, true, null);
+                createSecurityTokenReferenceStructureForEncryptedKey(
+                        subOutputProcessorChain, securityToken,
+                        ((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier(),
+                        getSecurityProperties().isUseSingleCert()
+                );
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_KeyInfo);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherData, false, null);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherValue, false, null);
+
+                try {
+                    //encrypt the symmetric session key with the public key from the receiver:
+                    String jceid = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportAlgorithm);
+                    Cipher cipher = Cipher.getInstance(jceid);
 
+                    AlgorithmParameterSpec algorithmParameterSpec = null;
                     if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm) ||
                             XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(encryptionKeyTransportAlgorithm)) {
 
-                        byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
-                        if (oaepParams != null) {
-                            createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams, false, null);
-                            createCharactersAndOutputAsEvent(outputProcessorChain, Base64.encodeBase64String(oaepParams));
-                            createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams);
-                        }
-
+                        String jceDigestAlgorithm = "SHA-1";
                         String encryptionKeyTransportDigestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
                         if (encryptionKeyTransportDigestAlgorithm != null) {
-                            attributes = new ArrayList<XMLSecAttribute>(1);
-                            attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportDigestAlgorithm));
-                            createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod, true, attributes);
-                            createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod);
+                            jceDigestAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportDigestAlgorithm);
                         }
 
-                        if (encryptionKeyTransportMGFAlgorithm != null) {
-                            attributes = new ArrayList<XMLSecAttribute>(1);
-                            attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportMGFAlgorithm));
-                            createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF, true, attributes);
-                            createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF);
+                        PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
+                        byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
+                        if (oaepParams != null) {
+                            pSource = new PSource.PSpecified(oaepParams);
                         }
-                    }
 
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_KeyInfo, true, null);
-                    createSecurityTokenReferenceStructureForEncryptedKey(
-                            subOutputProcessorChain, securityToken,
-                            ((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier(),
-                            getSecurityProperties().isUseSingleCert()
-                    );
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_KeyInfo);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherData, false, null);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherValue, false, null);
-
-                    try {
-                        //encrypt the symmetric session key with the public key from the receiver:
-                        String jceid = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportAlgorithm);
-                        Cipher cipher = Cipher.getInstance(jceid);
-
-                        AlgorithmParameterSpec algorithmParameterSpec = null;
-                        if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm) ||
-                                XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(encryptionKeyTransportAlgorithm)) {
-
-                            String jceDigestAlgorithm = "SHA-1";
-                            String encryptionKeyTransportDigestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
-                            if (encryptionKeyTransportDigestAlgorithm != null) {
-                                jceDigestAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportDigestAlgorithm);
-                            }
-
-                            PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
-                            byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
-                            if (oaepParams != null) {
-                                pSource = new PSource.PSpecified(oaepParams);
-                            }
-
-                            MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
-                            if (encryptionKeyTransportMGFAlgorithm != null) {
-                                String jceMGFAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportMGFAlgorithm);
-                                mgfParameterSpec = new MGF1ParameterSpec(jceMGFAlgorithm);
-                            }
-                            algorithmParameterSpec = new OAEPParameterSpec(jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource);
+                        MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
+                        if (encryptionKeyTransportMGFAlgorithm != null) {
+                            String jceMGFAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportMGFAlgorithm);
+                            mgfParameterSpec = new MGF1ParameterSpec(jceMGFAlgorithm);
                         }
+                        algorithmParameterSpec = new OAEPParameterSpec(jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource);
+                    }
 
-                        cipher.init(Cipher.WRAP_MODE, x509Certificate.getPublicKey(), algorithmParameterSpec);
+                    cipher.init(Cipher.WRAP_MODE, x509Certificate.getPublicKey(), algorithmParameterSpec);
 
-                        Key secretKey = securityToken.getSecretKey("");
+                    Key secretKey = securityToken.getSecretKey("");
 
-                        int blockSize = cipher.getBlockSize();
-                        if (blockSize > 0 && blockSize < secretKey.getEncoded().length) {
-                            throw new WSSecurityException(
-                                    WSSecurityException.ErrorCode.FAILURE,
-                                    "unsupportedKeyTransp",
-                                    "public key algorithm too weak to encrypt symmetric key"
-                            );
-                        }
-                        byte[] encryptedEphemeralKey = cipher.wrap(secretKey);
+                    int blockSize = cipher.getBlockSize();
+                    if (blockSize > 0 && blockSize < secretKey.getEncoded().length) {
+                        throw new WSSecurityException(
+                                WSSecurityException.ErrorCode.FAILURE,
+                                "unsupportedKeyTransp",
+                                "public key algorithm too weak to encrypt symmetric key"
+                        );
+                    }
+                    byte[] encryptedEphemeralKey = cipher.wrap(secretKey);
 
-                        createCharactersAndOutputAsEvent(subOutputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(encryptedEphemeralKey));
+                    createCharactersAndOutputAsEvent(subOutputProcessorChain, new Base64(76, new byte[]{'\n'}).encodeToString(encryptedEphemeralKey));
 
-                    } catch (NoSuchPaddingException e) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                    } catch (NoSuchAlgorithmException e) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                    } catch (InvalidKeyException e) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                    } catch (IllegalBlockSizeException e) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                    } catch (InvalidAlgorithmParameterException e) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                    }
+                } catch (NoSuchPaddingException e) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                } catch (NoSuchAlgorithmException e) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                } catch (InvalidKeyException e) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                } catch (IllegalBlockSizeException e) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                } catch (InvalidAlgorithmParameterException e) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+                }
 
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherValue);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherData);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherValue);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherData);
 
-                    if (WSSConstants.ENCRYPT.equals(getAction())) {
-                        WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
-                    }
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptedKey);
-                    outputProcessorChain.removeProcessor(this);
+                if (WSSConstants.ENCRYPT.equals(getAction())) {
+                    WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
                 }
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+                outputProcessorChain.removeProcessor(this);
             }
         }
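Review bot: Both OAEP branches of processEvent (the `xenc11:MGF` output and the later `MGF1ParameterSpec` construction) apply a configured MGF algorithm for `NS_XENC_RSAOAEPMGF1P` as well as for `NS_XENC11_RSAOAEP`. As I read XML Encryption 1.1, the `rsa-oaep-mgf1p` identifier fixes the mask generation function to MGF1 with SHA-1 and only the xenc11 `rsa-oaep` identifier takes an `xenc11:MGF` child, so a receiver that goes by the identifier could derive different OAEP parameters from the ones used for `cipher.wrap` and fail to unwrap the key. Guarding both places with the same condition, e.g. `if (encryptionKeyTransportMGFAlgorithm != null && XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm)) {`, would keep the serialized EncryptionMethod and the cipher parameters in agreement. Separately, `getX509Certificates()[0]` is dereferenced without a null or length check, so it is worth confirming that the key-wrapping token always carries a certificate.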
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java Sat May 18 14:08:00 2013
@@ -30,12 +30,11 @@ import org.apache.xml.security.stax.ext.
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.util.ArrayList;
 import java.util.List;
@@ -76,7 +75,6 @@ public class KerberosSecurityTokenOutput
 
             if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, bstId);
                 FinalKerberosSecurityTokenOutputProcessor finalKerberosSecurityTokenOutputProcessor =
                         new FinalKerberosSecurityTokenOutputProcessor(kerberosClientSecurityToken);
                 finalKerberosSecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
@@ -114,28 +112,32 @@ public class KerberosSecurityTokenOutput
         }
 
         @Override
-        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+                throws XMLStreamException, XMLSecurityException {
+
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-
-                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
-                    attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
-                    attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
-                    attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, false, attributes);
-                    createCharactersAndOutputAsEvent(subOutputProcessorChain,
-                            new Base64(76, new byte[]{'\n'}).encodeToString(securityToken.getTicket())
-                    );
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken);
-                    if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())) {
-                        WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
-                    }
-                    outputProcessorChain.removeProcessor(this);
+
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+                final QName headerElementName = WSSConstants.TAG_wsse_BinarySecurityToken;
+                WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
+                attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
+                attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
+                attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, false, attributes);
+                createCharactersAndOutputAsEvent(subOutputProcessorChain,
+                        new Base64(76, new byte[]{'\n'}).encodeToString(securityToken.getTicket())
+                );
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+                if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())) {                    
+                    WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, WSSConstants.TAG_xenc_ReferenceList, getAction(), false);                    
+                    WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
                 }
+                outputProcessorChain.removeProcessor(this);
             }
         }
     }
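Review bot: The second `updateSecurityHeaderOrder` call, inside the `ENCRYPT_WITH_KERBEROS_TOKEN` branch, has no comment explaining why `TAG_xenc_ReferenceList` needs its own order entry here, while EncryptedKeyOutputProcessor's processEvent in this commit registers only its outer element. From the visible lines the ReferenceList is written after the BinarySecurityToken end element, so it presumably becomes a direct child of the security header. A one-line comment such as `// ReferenceList is a sibling of the BST in the header, so it is registered separately` would make that explicit. The two added lines in that branch also end in trailing whitespace.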

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java Sat May 18 14:08:00 2013
@@ -34,7 +34,6 @@ import org.apache.xml.security.stax.ext.
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
 import org.apache.xml.security.stax.ext.stax.XMLSecNamespace;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
@@ -44,7 +43,6 @@ import org.w3c.dom.*;
 
 import javax.crypto.spec.SecretKeySpec;
 import javax.xml.namespace.QName;
-import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import java.security.Key;
 import java.security.PrivateKey;
@@ -138,7 +136,6 @@ public class SAMLTokenOutputProcessor ex
 
                 outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenId, securityTokenProvider);
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, binarySecurityTokenId);
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, securityTokenReferenceId);
 
             } else {
                 final SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo();
@@ -231,7 +228,6 @@ public class SAMLTokenOutputProcessor ex
 
                 outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(tokenId, securityTokenProvider);
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, tokenId);
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_APPEND_SIGNATURE_ON_THIS_ID, tokenId);
             }
 
             XMLSecurityConstants.Action action = getAction();
@@ -277,26 +273,36 @@ public class SAMLTokenOutputProcessor ex
                 throws XMLStreamException, XMLSecurityException {
 
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement,
-                        ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-                    if (senderVouches && getSecurityProperties().getSignatureKeyIdentifier() ==
-                            WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference) {
 
-                        WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, securityToken.getId(),
-                                securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
-                    }
-                    outputSamlAssertion(samlAssertionWrapper.toDOM(null), subOutputProcessorChain);
-                    if (senderVouches && WSSConstants.SAML_TOKEN_SIGNED.equals(getAction())) {
-                        outputSecurityTokenReference(subOutputProcessorChain, samlAssertionWrapper,
-                                securityTokenReferenceId, samlAssertionWrapper.getId());
-                    }
-                    outputProcessorChain.removeProcessor(this);
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+                if (senderVouches && getSecurityProperties().getSignatureKeyIdentifier() ==
+                        WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference) {
+
+                    WSSUtils.updateSecurityHeaderOrder(
+                            outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, getAction(), false);
+
+                    WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, securityToken.getId(),
+                            securityToken.getX509Certificates(), getSecurityProperties().isUseSingleCert());
+                }
+
+                final QName headerElementName;
+                if (samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) {
+                    headerElementName = WSSConstants.TAG_saml_Assertion;
+                } else {
+                    headerElementName = WSSConstants.TAG_saml2_Assertion;
+                }
+                WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                outputSamlAssertion(samlAssertionWrapper.toDOM(null), subOutputProcessorChain);
+                if (senderVouches && WSSConstants.SAML_TOKEN_SIGNED.equals(getAction())) {                    
+                    WSSUtils.updateSecurityHeaderOrder(
+                            outputProcessorChain, WSSConstants.TAG_wsse_SecurityTokenReference, getAction(), false);                    
+                    outputSecurityTokenReference(subOutputProcessorChain, samlAssertionWrapper,
+                            securityTokenReferenceId, samlAssertionWrapper.getId());
                 }
+                outputProcessorChain.removeProcessor(this);
             }
         }
     }
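Review bot: `WSSUtils.createBinarySecurityTokenStructure(this, outputProcessorChain, ...)` in the sender-vouches branch still writes to `outputProcessorChain`, while every other element this method emits goes to `subOutputProcessorChain`. This commit changed the same pattern in EncryptedKeyOutputProcessor, where the OAEPparams, DigestMethod and MGF elements now go to the sub-chain, so this looks like a leftover. If events sent to the parent chain pass through a different set of processors, the BinarySecurityToken may not get the same signature or encryption processing as the assertion that follows it. Unless the parent chain is intended, pass the sub-chain: `WSSUtils.createBinarySecurityTokenStructure(this, subOutputProcessorChain, securityToken.getId(),`. The signature of processEvent lies above this hunk.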

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityContextTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityContextTokenOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityContextTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityContextTokenOutputProcessor.java Sat May 18 14:08:00 2013
@@ -27,13 +27,12 @@ import org.apache.xml.security.exception
 import org.apache.xml.security.stax.ext.*;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.security.Key;
 import java.security.PublicKey;
@@ -143,24 +142,27 @@ public class SecurityContextTokenOutputP
         }
 
         @Override
-        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+        public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+                throws XMLStreamException, XMLSecurityException {
+
             outputProcessorChain.processEvent(xmlSecEvent);
-            if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-                XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-                if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                        && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                    OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-
-                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
-                    attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_SecurityContextToken, true, attributes);
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier, false, null);
-                    createCharactersAndOutputAsEvent(subOutputProcessorChain, identifier);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_SecurityContextToken);
 
-                    outputProcessorChain.removeProcessor(this);
-                }
+            if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+                final QName headerElementName = WSSConstants.TAG_wsc0502_SecurityContextToken;
+                WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
+                attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, attributes);
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier, false, null);
+                createCharactersAndOutputAsEvent(subOutputProcessorChain, identifier);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsc0502_Identifier);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+
+                outputProcessorChain.removeProcessor(this);
             }
         }
     }
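Review bot: Nothing in the new processEvent says that `WSSUtils.updateSecurityHeaderOrder(...)` has to run before the SecurityContextToken element is emitted, yet SecurityHeaderReorderProcessor (added in this commit) checks each security header child against the recorded SecurityHeaderOrder entries by position and throws on a mismatch. A short comment above the call would make that contract visible, for example `// register the element before emitting it; SecurityHeaderReorderProcessor validates header children against this list`. The same comment fits the equivalent calls in SignatureConfirmationOutputProcessor and TimestampOutputProcessor. The enclosing class starts outside the hunk.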

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderOutputProcessor.java Sat May 18 14:08:00 2013
@@ -131,11 +131,9 @@ public class SecurityHeaderOutputProcess
                             }
                         }
                     }
-                } else if (level == 3 && WSSConstants.TAG_wsse_Security.equals(xmlSecStartElement.getName())) {
-                    if (WSSUtils.isResponsibleActorOrRole(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+                } else if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
                         //remove this processor. its no longer needed.
-                        outputProcessorChain.removeProcessor(this);
-                    }
+                        outputProcessorChain.removeProcessor(this);                    
                 } else if (level == 2
                         && WSSConstants.TAG_soap_Body_LocalName.equals(xmlSecStartElement.getName().getLocalPart())
                         && xmlSecStartElement.getName().getNamespaceURI().equals(soapMessageVersion)) {
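Review bot: The explicit `level == 3` test is dropped from this branch, so removing the processor now depends entirely on `WSSUtils.isSecurityHeaderElement` enforcing the start-element type, the document level and the actor match. That helper is not visible in this part of the diff, so this should be confirmed there. On style, the re-added `outputProcessorChain.removeProcessor(this);` keeps the indentation of the removed inner `if` and gains trailing whitespace; it should sit one level shallower. The enclosing method starts and ends outside the hunk.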

Added: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java?rev=1484123&view=auto
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java (added)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java Sat May 18 14:08:00 2013
@@ -0,0 +1,157 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.wss4j.stax.impl.processor.output;
+
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.stax.ext.WSSConstants;
+import org.apache.wss4j.stax.ext.WSSSecurityProperties;
+import org.apache.wss4j.stax.ext.WSSUtils;
+import org.apache.wss4j.stax.impl.SecurityHeaderOrder;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
+import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
+import org.apache.xml.security.stax.impl.processor.output.FinalOutputProcessor;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamConstants;
+import javax.xml.stream.XMLStreamException;
+import java.util.*;
+
+/**
+ * The basic ordering (token dependencies) is given through the processor order
+ * but we have more ordering criterias e.g. signed timestamp and strict header ordering ws-policy.
+ * To be able to sign a timestamp the processor must be inserted before the signature processor but that
+ * means that the timestamp is below the signature in the sec-header. Because of the highly dynamic nature
+ * of the processor chain (and encryption makes it far more worse) we have to order the headers afterwards.
+ * So that is what this processor does, the final header reordering...
+ */
+public class SecurityHeaderReorderProcessor extends AbstractOutputProcessor {
+
+    final private Map<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>> actionEventMap =
+            new LinkedHashMap<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>>();
+
+    private int securityHeaderIndex = 0;
+    private Deque<XMLSecEvent> currentDeque;
+
+    public SecurityHeaderReorderProcessor() throws XMLSecurityException {
+        super();
+        setPhase(XMLSecurityConstants.Phase.POSTPROCESSING);
+        addBeforeProcessor(FinalOutputProcessor.class.getName());
+    }
+
+    @Override
+    public void init(OutputProcessorChain outputProcessorChain) throws XMLSecurityException {
+        super.init(outputProcessorChain);
+
+        XMLSecurityConstants.Action[] outActions = getSecurityProperties().getOutAction();
+        for (int i = outActions.length - 1; i >= 0; i--) {
+            XMLSecurityConstants.Action outAction = outActions[i];
+            actionEventMap.put(outAction, new TreeMap<QName, Deque<XMLSecEvent>>(new Comparator<QName>() {
+                @Override
+                public int compare(QName o1, QName o2) {
+                    if (WSSConstants.TAG_dsig_Signature.equals(o1)) {
+                        return 1;
+                    } else if (WSSConstants.TAG_dsig_Signature.equals(o2)) {
+                        return -1;
+                    }
+                    return 1;
+                }
+            }));
+        }
+    }
+
+    @Override
+    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+
+        int documentLevel = xmlSecEvent.getDocumentLevel();
+        if (documentLevel < 3 ||
+                !WSSUtils.isInSecurityHeader(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+            outputProcessorChain.processEvent(xmlSecEvent);
+            return;
+        }
+
+        //now we are in our security header
+
+        if (documentLevel == 3) {
+            if (xmlSecEvent.isEndElement() && xmlSecEvent.asEndElement().getName().equals(WSSConstants.TAG_wsse_Security)) {
+                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+                Iterator<Map.Entry<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>>> iterator = actionEventMap.entrySet().iterator();
+                while (iterator.hasNext()) {
+                    Map.Entry<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>> next = iterator.next();
+                    Iterator<Map.Entry<QName, Deque<XMLSecEvent>>> entryIterator = next.getValue().entrySet().iterator();
+                    while (entryIterator.hasNext()) {
+                        Map.Entry<QName, Deque<XMLSecEvent>> entry = entryIterator.next();
+                        Deque<XMLSecEvent> xmlSecEvents = entry.getValue();
+                        while (!xmlSecEvents.isEmpty()) {
+                            XMLSecEvent event = xmlSecEvents.pop();
+                            subOutputProcessorChain.reset();
+                            subOutputProcessorChain.processEvent(event);
+                        }
+                    }
+                }
+                outputProcessorChain.removeProcessor(this);
+            }
+            outputProcessorChain.processEvent(xmlSecEvent);
+            return;
+        } else if (documentLevel == 4) {
+            switch (xmlSecEvent.getEventType()) {
+                case XMLStreamConstants.START_ELEMENT:
+                    XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
+
+                    List<SecurityHeaderOrder> securityHeaderOrderList = outputProcessorChain.getSecurityContext().getAsList(SecurityHeaderOrder.class);
+                    SecurityHeaderOrder securityHeaderOrder = securityHeaderOrderList.get(securityHeaderIndex);
+                    if (!xmlSecStartElement.getName().equals(WSSConstants.TAG_xenc_EncryptedData) &&
+                            !xmlSecStartElement.getName().equals(securityHeaderOrder.getSecurityHeaderElementName())) {
+                        throw new WSSecurityException(
+                                WSSecurityException.ErrorCode.FAILURE, "empty",
+                                "Invalid security header order. Expected " +
+                                        securityHeaderOrder.getSecurityHeaderElementName() +
+                                        " but got " + xmlSecStartElement.getName());
+                    }
+
+                    Map<QName, Deque<XMLSecEvent>> map = null;
+                    if (!securityHeaderOrder.isEncrypted()) {
+                        map = actionEventMap.get(securityHeaderOrder.getAction());
+                    } else {
+                        Iterator<Map.Entry<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>>> iterator = actionEventMap.entrySet().iterator();
+                        while (iterator.hasNext()) {
+                            Map.Entry<XMLSecurityConstants.Action, Map<QName, Deque<XMLSecEvent>>> next = iterator.next();
+                            if (next.getKey().getName().contains("Encrypt")) {
+                                map = next.getValue();
+                                break;
+                            }
+                        }
+                        if (map == null) {
+                            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty", "No encrypt action found");
+                        }
+                    }
+                    currentDeque = new ArrayDeque<XMLSecEvent>();
+                    map.put(securityHeaderOrder.getSecurityHeaderElementName(), currentDeque);
+
+                    securityHeaderIndex++;
+                    break;
+            }
+        }
+        currentDeque.offer(xmlSecEvent);
+    }
+}
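Review bot: In the START_ELEMENT case of processEvent, `securityHeaderOrderList.get(securityHeaderIndex)` and `actionEventMap.get(securityHeaderOrder.getAction())` are used unchecked, so a header child that no processor registered, or an action absent from getOutAction(), ends in an IndexOutOfBoundsException or NullPointerException rather than the WSSecurityException used for the other ordering failures. `currentDeque.offer(xmlSecEvent)` at the end of the method has the same problem if an event at level 4 or deeper can arrive before the first header child start element. The guards below turn the first two cases into WSSecurityException. Separately, the comparator in init() never returns 0, which breaks the Comparator contract and means key lookups on these TreeMaps never match; it only works because the maps are inserted into and iterated, which deserves a comment, and the `getName().contains("Encrypt")` match would be sturdier as a comparison against the action constants.

```java
// … unchanged: START_ELEMENT case entry, xmlSecStartElement …
List<SecurityHeaderOrder> securityHeaderOrderList = outputProcessorChain.getSecurityContext().getAsList(SecurityHeaderOrder.class);
if (securityHeaderOrderList == null || securityHeaderIndex >= securityHeaderOrderList.size()) {
    throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILURE, "empty",
            "Invalid security header order. Unexpected element " + xmlSecStartElement.getName());
}
SecurityHeaderOrder securityHeaderOrder = securityHeaderOrderList.get(securityHeaderIndex);
// … unchanged: element-name check …
Map<QName, Deque<XMLSecEvent>> map = null;
if (!securityHeaderOrder.isEncrypted()) {
    map = actionEventMap.get(securityHeaderOrder.getAction());
    if (map == null) {
        throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "empty",
                "No out action found for " + securityHeaderOrder.getSecurityHeaderElementName());
    }
} else {
    // … unchanged: lookup of the encrypt action's map …
}
// … unchanged: deque creation, map.put, securityHeaderIndex++ …
```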

Propchange: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SecurityHeaderReorderProcessor.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SignatureConfirmationOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SignatureConfirmationOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SignatureConfirmationOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SignatureConfirmationOutputProcessor.java Sat May 18 14:08:00 2013
@@ -27,13 +27,12 @@ import org.apache.xml.security.stax.ext.
 import org.apache.xml.security.stax.ext.OutputProcessorChain;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.xml.security.stax.securityEvent.SignatureValueSecurityEvent;
 
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
 import java.util.ArrayList;
 import java.util.List;
@@ -47,40 +46,44 @@ public class SignatureConfirmationOutput
     }
 
     @Override
-    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain)
+            throws XMLStreamException, XMLSecurityException {
+
         outputProcessorChain.processEvent(xmlSecEvent);
-        if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-            XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-            if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                    && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-
-                boolean aSignatureFound = false;
-
-                List<SecurityEvent> requestSecurityEvents = outputProcessorChain.getSecurityContext().getAsList(SecurityEvent.class);
-                for (int i = 0; i < requestSecurityEvents.size(); i++) {
-                    SecurityEvent securityEvent = requestSecurityEvents.get(i);
-                    if (SecurityEventConstants.SignatureValue.equals(securityEvent.getSecurityEventType())) {
-                        aSignatureFound = true;
-                        SignatureValueSecurityEvent signatureValueSecurityEvent = (SignatureValueSecurityEvent) securityEvent;
-
-                        List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(2);
-                        attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
-                        attributes.add(createAttribute(WSSConstants.ATT_NULL_Value, new Base64(76, new byte[]{'\n'}).encodeToString(signatureValueSecurityEvent.getSignatureValue())));
-                        createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation, true, attributes);
-                        createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation);
-                    }
-                }
 
-                if (!aSignatureFound) {
-                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
+        if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+
+            final QName headerElementName = WSSConstants.TAG_wsse11_SignatureConfirmation;
+
+            OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+
+            boolean aSignatureFound = false;
+
+            List<SecurityEvent> requestSecurityEvents = outputProcessorChain.getSecurityContext().getAsList(SecurityEvent.class);
+            for (int i = 0; i < requestSecurityEvents.size(); i++) {
+                SecurityEvent securityEvent = requestSecurityEvents.get(i);
+                if (SecurityEventConstants.SignatureValue.equals(securityEvent.getSecurityEventType())) {
+                    aSignatureFound = true;
+                    SignatureValueSecurityEvent signatureValueSecurityEvent = (SignatureValueSecurityEvent) securityEvent;
+
+                    WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(2);
                     attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
-                    createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation, true, attributes);
-                    createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsse11_SignatureConfirmation);
+                    attributes.add(createAttribute(WSSConstants.ATT_NULL_Value, new Base64(76, new byte[]{'\n'}).encodeToString(signatureValueSecurityEvent.getSignatureValue())));
+                    createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, attributes);
+                    createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
                 }
+            }
 
-                outputProcessorChain.removeProcessor(this);
+            if (!aSignatureFound) {
+                List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
+                attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, IDGenerator.generateID(null)));
+                createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, attributes);
+                createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
             }
+
+            outputProcessorChain.removeProcessor(this);
         }
     }
 }
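Review bot: The `!aSignatureFound` branch emits a SignatureConfirmation element without calling `WSSUtils.updateSecurityHeaderOrder`, which is only invoked inside the loop for signatures that were found. SecurityHeaderReorderProcessor, added in this commit, compares every security header child with the recorded SecurityHeaderOrder entries, so the unregistered element would presumably fail with "Invalid security header order" or run past the end of the list. Adding `WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);` as the first statement of that branch keeps the two paths consistent.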

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/TimestampOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/TimestampOutputProcessor.java?rev=1484123&r1=1484122&r2=1484123&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/TimestampOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/TimestampOutputProcessor.java Sat May 18 14:08:00 2013
@@ -25,20 +25,21 @@ import org.apache.xml.security.exception
 import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
 import org.apache.xml.security.stax.ext.OutputProcessorChain;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
-import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
 
 import javax.xml.datatype.XMLGregorianCalendar;
-import javax.xml.stream.XMLStreamConstants;
+import javax.xml.namespace.QName;
 import javax.xml.stream.XMLStreamException;
-import java.util.Calendar;
-import java.util.GregorianCalendar;
+import java.util.*;
 
 public class TimestampOutputProcessor extends AbstractOutputProcessor {
 
     public TimestampOutputProcessor() throws XMLSecurityException {
         super();
+        addAfterProcessor(UsernameTokenOutputProcessor.class.getName());
+        addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+        addBeforeProcessor(EncryptOutputProcessor.class.getName());
     }
-
+    
     /*
     <wsu:Timestamp wsu:Id="Timestamp-1247751600"
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
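Review bot: The three ordering constraints added to the constructor carry no comment saying why the timestamp processor must sit there. The class comment of SecurityHeaderReorderProcessor explains that the timestamp processor has to precede the signature processor so the timestamp can be signed; a one-line comment here such as `// must run before signature (and presumably encryption) so the Timestamp can be secured` would save the next reader the search. Also, `import java.util.*;` replaces two explicit imports although the visible code only uses Calendar and GregorianCalendar; keeping the explicit imports avoids accidental name clashes.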
@@ -52,31 +53,34 @@ public class TimestampOutputProcessor ex
      */
 
     @Override
-    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
+    public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) 
+            throws XMLStreamException, XMLSecurityException {
+        
         outputProcessorChain.processEvent(xmlSecEvent);
-        if (xmlSecEvent.getEventType() == XMLStreamConstants.START_ELEMENT) {
-            XMLSecStartElement xmlSecStartElement = xmlSecEvent.asStartElement();
-            if (xmlSecStartElement.getName().equals(WSSConstants.TAG_wsse_Security)
-                    && WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
-                XMLGregorianCalendar created = WSSConstants.datatypeFactory.newXMLGregorianCalendar(new GregorianCalendar());
-
-                GregorianCalendar expiresCalendar = new GregorianCalendar();
-                expiresCalendar.add(Calendar.SECOND, ((WSSSecurityProperties) getSecurityProperties()).getTimestampTTL());
-                XMLGregorianCalendar expires = WSSConstants.datatypeFactory.newXMLGregorianCalendar(expiresCalendar);
-
-                OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
-                //wsu:id is optional and will be added when signing...
-                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Timestamp, true, null);
-                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Created, false, null);
-                createCharactersAndOutputAsEvent(subOutputProcessorChain, created.toXMLFormat());
-                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Created);
-                createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Expires, false, null);
-                createCharactersAndOutputAsEvent(subOutputProcessorChain, expires.toXMLFormat());
-                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Expires);
-                createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Timestamp);
 
-                outputProcessorChain.removeProcessor(this);
-            }
+        if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
+            
+            final QName headerElementName = WSSConstants.TAG_wsu_Timestamp;
+            WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, headerElementName, getAction(), false);
+
+            XMLGregorianCalendar created = WSSConstants.datatypeFactory.newXMLGregorianCalendar(new GregorianCalendar());
+
+            GregorianCalendar expiresCalendar = new GregorianCalendar();
+            expiresCalendar.add(Calendar.SECOND, ((WSSSecurityProperties) getSecurityProperties()).getTimestampTTL());
+            XMLGregorianCalendar expires = WSSConstants.datatypeFactory.newXMLGregorianCalendar(expiresCalendar);
+
+            OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
+            //wsu:id is optional and will be added when signing...
+            createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, true, null);
+            createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Created, false, null);
+            createCharactersAndOutputAsEvent(subOutputProcessorChain, created.toXMLFormat());
+            createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Created);
+            createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Expires, false, null);
+            createCharactersAndOutputAsEvent(subOutputProcessorChain, expires.toXMLFormat());
+            createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_wsu_Expires);
+            createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+
+            outputProcessorChain.removeProcessor(this);
         }
     }
 }
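Review bot: `created` and `expiresCalendar` come from two separate `new GregorianCalendar()` calls, so Expires minus Created is not guaranteed to equal the configured TTL exactly. Taking one instant and deriving both values from it removes the skew, e.g. `GregorianCalendar createdCalendar = new GregorianCalendar();` followed by `GregorianCalendar expiresCalendar = (GregorianCalendar) createdCalendar.clone();`. The logic is carried over from the removed lines, but the hunk rewrites the whole block, so it is a convenient place to fix it.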


