in modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java [593:680]
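/**
 * Verifies that every part the security policy requires to be signed was in fact
 * covered by a signature in the received message.
 * <p>
 * The set of "actually signed" elements is derived from the data references of the
 * {@code WSConstants.SIGN} action results. For a signed {@code EncryptedHeader} the
 * element recorded is the first child element (the header that was encrypted before
 * it was signed), not the wrapper itself.
 * <p>
 * A header or element named by the policy but absent from the envelope is tolerated
 * (the policy only requires it to be signed <em>if present</em>). An absent SOAP Body
 * signature is tolerated only when {@code isSignBodyOptional()} is set on the policy.
 * <p>
 * NOTE(review): presence in the signature is established by QName only, not by node
 * identity. If the envelope carried a second, unsigned element with the same QName as
 * a signed one, this check would still pass and a consumer could read the unsigned
 * copy (XML signature wrapping). Whether that is mitigated elsewhere in the pipeline
 * cannot be told from this method; confirm before relying on it.
 *
 * @param data           validation context; supplies the message document and policy data
 * @param signatureParts parts/elements the policy requires to be signed
 * @param results        WSS4J engine results for the processed security header
 * @throws RampartException {@code bodyNotSigned} when the Body is required, present in the
 *                          policy parts, not signed and not optional;
 *                          {@code signedPartHeaderNotSigned} / {@code signedElementNotSigned}
 *                          when a required header/element is present but unsigned
 */
protected void validateSignedPartsHeaders(ValidatorData data, List<WSEncryptionPart> signatureParts,
                                          List<WSSecurityEngineResult> results)
        throws RampartException {
    RampartMessageData rmd = data.getRampartMessageData();
    Node envelope = rmd.getDocument().getFirstChild();

    // QNames of every element the SIGN action results report as covered.
    List<QName> actuallySigned = collectSignedQNames(results);

    // Loop-invariant: the Body QName depends only on the envelope's SOAP version.
    QName bodyQName = bodyQNameFor(envelope);

    for (WSEncryptionPart wsep : signatureParts) {
        if (wsep.getName().equals(WSConstants.ELEM_BODY)) {
            if (!actuallySigned.contains(bodyQName) && !rmd.getPolicyData().isSignBodyOptional()) {
                // SOAP Body is required to be signed but no signature covered it.
                throw new RampartException("bodyNotSigned");
            }
        } else if (wsep.getName().equals(WSConstants.ELEM_HEADER) ||
                wsep.getXpath() != null) {
            // TODO earlier this was wsep.getType() == WSConstants.PART_TYPE_ELEMENT
            // This means that encrypted element of an XPath expression type. Therefore we are checking
            // now whether an XPath expression exists. - Verify
            // NOTE(review): the first test matches only a part literally named "Header";
            // confirm how policy-declared signed headers (e.g. by local name) are represented
            // in WSEncryptionPart, otherwise such parts are never validated here.
            Element element = XMLUtils.findElement(
                    envelope, wsep.getName(), wsep.getNamespace());
            if (element == null) {
                // Not present in the envelope: the policy only demands a signature if present.
                continue;
            }
            // Present: it must be one of the elements the signature covered (by QName, see class note).
            if (actuallySigned.contains(new QName(element.getNamespaceURI(), element.getLocalName()))) {
                continue;
            }
            // NOTE(review): per the TODO above an xpath-bearing part is the *element* case,
            // yet it selects the header message key; this looks inverted — confirm against
            // the resource bundle before changing the keys.
            String msg = wsep.getXpath() != null ?
                    "signedPartHeaderNotSigned" : "signedElementNotSigned";
            // Present in the envelope but not covered by any signature: fail closed.
            throw new RampartException(msg, new String[]{wsep.getNamespace() + ":" + wsep.getName()});
        }
    }
}

/**
 * Collects the QNames of all elements covered by the SIGN action results.
 * Action results without data references (a {@code null} list) contribute nothing
 * instead of raising a NullPointerException; the caller then reports the missing
 * coverage with the proper policy error.
 *
 * @param results WSS4J engine results for the processed security header
 * @return mutable list of signed element QNames (possibly empty, never {@code null})
 */
private List<QName> collectSignedQNames(List<WSSecurityEngineResult> results) {
    List<QName> signed = new ArrayList<QName>();
    WSSecurityEngineResult[] signResults = fetchActionResults(results, WSConstants.SIGN);
    if (signResults == null) {
        return signed;
    }
    for (WSSecurityEngineResult signResult : signResults) {
        List dataRefs = (List) signResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
        if (dataRefs == null) {
            continue;
        }
        for (Object ref : dataRefs) {
            Element protectedElement = ((WSDataRef) ref).getProtectedElement();
            if (protectedElement == null) {
                continue;
            }
            // If the header was encrypted before it was signed, the protected element is
            // the EncryptedHeader wrapper and the real header is its first child element.
            // NOTE(review): matched on local name only; the wsse11 namespace is not checked.
            Element covered = "EncryptedHeader".equals(protectedElement.getLocalName())
                    ? firstChildElement(protectedElement)
                    : protectedElement;
            if (covered != null) {
                signed.add(new QName(covered.getNamespaceURI(), covered.getLocalName()));
            }
        }
    }
    return signed;
}

/**
 * Returns the first child of {@code parent} that is an element node, or {@code null}
 * if it has none.
 */
private Element firstChildElement(Element parent) {
    NodeList children = parent.getChildNodes();
    for (int i = 0; i < children.getLength(); i++) {
        Node child = children.item(i);
        if (child.getNodeType() == Node.ELEMENT_NODE) {
            return (Element) child;
        }
    }
    return null;
}

/**
 * Resolves the Body QName for the envelope's SOAP version: SOAP 1.1 when the envelope
 * namespace is {@code WSConstants.URI_SOAP11_ENV}, SOAP 1.2 otherwise.
 */
private QName bodyQNameFor(Node envelope) {
    if (WSConstants.URI_SOAP11_ENV.equals(envelope.getNamespaceURI())) {
        return new SOAP11Constants().getBodyQName();
    }
    return new SOAP12Constants().getBodyQName();
}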