in rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java [174:297]
private void doEncryptBeforeSign() {
try {
AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
assertTokenWrapper(encryptionWrapper);
AbstractToken encryptionToken = encryptionWrapper.getToken();
String tokenId = null;
SecurityToken tok = null;
if (encryptionToken instanceof KerberosToken) {
tok = getSecurityToken();
if (MessageUtils.isRequestor(message)) {
addKerberosToken((KerberosToken)encryptionToken, false, true, true);
}
} else if (encryptionToken instanceof IssuedToken) {
tok = getSecurityToken();
addIssuedToken(encryptionToken, tok, false, true);
if (tok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof SecureConversationToken
|| encryptionToken instanceof SecurityContextToken
|| encryptionToken instanceof SpnegoContextToken) {
tok = getSecurityToken();
if (tok != null && isRequestor()) {
WSSSecurityProperties properties = getProperties();
WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
properties.addAction(actionToPerform);
} else if (tok == null && !isRequestor()) {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof X509Token) {
if (isRequestor()) {
tokenId = setupEncryptedKey();
} else {
org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
findEncryptedKeyToken();
tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
}
} else if (encryptionToken instanceof UsernameToken) {
unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
return;
}
assertToken(encryptionToken);
if (tok == null) {
tokenId = XMLUtils.getIDFromReference(tokenId);
// Get hold of the token from the token storage
tok = TokenStoreUtils.getTokenStore(message).getToken(tokenId);
}
// Store key
if (!(MessageUtils.isRequestor(message) && encryptionToken instanceof KerberosToken)) {
storeSecurityToken(encryptionToken, tok);
}
final List<SecurePart> encrParts;
final List<SecurePart> sigParts;
try {
encrParts = getEncryptedParts();
//Signed parts are determined before encryption because encrypted signed headers
//will not be included otherwise
sigParts = getSignedParts();
} catch (SOAPException ex) {
throw new Fault(ex);
}
addSupportingTokens();
if (encryptionToken != null && !encrParts.isEmpty()) {
if (isRequestor()) {
encrParts.addAll(encryptedTokensList);
}
//Check for signature protection
if (sbinding.isEncryptSignature()) {
SecurePart part =
new SecurePart(new QName(XMLSecurityConstants.NS_DSIG, "Signature"), Modifier.Element);
encrParts.add(part);
if (signatureConfirmationAdded) {
part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
encrParts.add(part);
}
assertPolicy(
new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
}
doEncryption(encryptionWrapper, encrParts);
}
if (timestampAdded) {
SecurePart part =
new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
sigParts.add(part);
}
sigParts.addAll(this.getSignedParts());
if (!sigParts.isEmpty()) {
AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
if (sigAbstractTokenWrapper != null) {
AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
if (isRequestor()) {
doSignature(sigAbstractTokenWrapper, sigToken, sigParts);
} else {
addSignatureConfirmation(sigParts);
doSignature(sigAbstractTokenWrapper, sigToken, sigParts);
}
}
}
removeSignatureIfSignedSAML();
enforceEncryptBeforeSigningWithSignedSAML();
prependSignatureToSC();
putCustomTokenAfterSignature();
} catch (RuntimeException ex) {
throw ex;
} catch (Exception ex) {
throw new Fault(ex);
}
}