in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java [258:370]
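/**
 * Moves each token in {@code messageTokens.supportingTokens} into the most specific
 * {@link MessageTokens} bucket it qualifies for, based on (a) what the token itself signs or
 * encrypts inside the wsse:Security header and (b) whether the token is in turn signed and/or
 * encrypted by other tokens.
 * <p>
 * The rules below form an ordered chain: the FIRST matching rule wins and the token is then
 * removed from {@code supportingTokens}. Rule order is therefore significant – reordering a
 * branch changes which bucket a token lands in, and these buckets are what the rest of the
 * inbound processing reasons about when deciding which tokens protect what. A token that
 * matches none of the rules stays in {@code supportingTokens} untouched.
 * <p>
 * Notes on the inputs (inferred from use, not from a visible contract):
 * {@code isSignedToken}/{@code isEncryptedToken} presumably return the tokens that sign /
 * encrypt the given token (empty list = not protected); {@code signsElement}/{@code encryptsElement}
 * presumably report whether the given token protects the element at the given path.
 *
 * @param messageTokens            accumulator whose {@code supportingTokens} are consumed and whose
 *                                 other buckets are appended to in place
 * @param httpsTokenSecurityEvent  the HTTPS token event, passed through to the signed/encrypted
 *                                 token lookups (may matter when transport security is active)
 * @param securityEventDeque       all security events seen so far, searched by the helper methods
 * @throws XMLSecurityException propagated from the helper lookups
 */
private void parseSupportingTokens(MessageTokens messageTokens, HttpsTokenSecurityEvent httpsTokenSecurityEvent,
                                   Deque<SecurityEvent> securityEventDeque) throws XMLSecurityException {
    // The element paths depend only on the SOAP version, so build them once per call
    // instead of once per token (they were rebuilt on every loop iteration before).
    final List<QName> signaturePath = securityHeaderChildPath(WSSConstants.TAG_dsig_Signature);
    final List<QName> signatureConfirmationPath = securityHeaderChildPath(WSSConstants.TAG_WSSE11_SIG_CONF);
    final List<QName> timestampPath = securityHeaderChildPath(WSSConstants.TAG_WSU_TIMESTAMP);
    final List<QName> usernameTokenPath = securityHeaderChildPath(WSSConstants.TAG_WSSE_USERNAME_TOKEN);

    Iterator<TokenSecurityEvent<? extends InboundSecurityToken>> supportingTokensIterator =
            messageTokens.supportingTokens.iterator();
    while (supportingTokensIterator.hasNext()) {
        TokenSecurityEvent<? extends InboundSecurityToken> tokenSecurityEvent = supportingTokensIterator.next();

        // Lookup order is kept identical to the original implementation.
        List<InboundSecurityToken> signingSecurityTokens =
                isSignedToken(tokenSecurityEvent, securityEventDeque, httpsTokenSecurityEvent);

        // What this token protects inside the security header.
        boolean signsSignature = signsElement(tokenSecurityEvent, signaturePath, securityEventDeque);
        boolean encryptsSignature = encryptsElement(tokenSecurityEvent, signaturePath, securityEventDeque);
        boolean signsSignatureConfirmation =
                signsElement(tokenSecurityEvent, signatureConfirmationPath, securityEventDeque);
        boolean encryptsSignatureConfirmation =
                encryptsElement(tokenSecurityEvent, signatureConfirmationPath, securityEventDeque);
        boolean signsTimestamp = signsElement(tokenSecurityEvent, timestampPath, securityEventDeque);
        boolean encryptsUsernameToken = encryptsElement(tokenSecurityEvent, usernameTokenPath, securityEventDeque);

        // Read per token (not hoisted) so any change to the context property mid-loop is observed
        // exactly as before.
        boolean transportSecurityActive = Boolean.TRUE.equals(get(WSSConstants.TRANSPORT_SECURITY_ACTIVE));

        List<InboundSecurityToken> encryptingSecurityTokens =
                isEncryptedToken(tokenSecurityEvent, securityEventDeque, httpsTokenSecurityEvent);

        boolean signatureUsage =
                tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Signature);
        boolean encryptionUsage =
                tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_Encryption);

        if (!transportSecurityActive && !signsSignature && (signsSignatureConfirmation || signsTimestamp)) {
            // Without transport security, a token that signs the Timestamp and/or the
            // SignatureConfirmation but NOT the main ds:Signature is the message signature
            // token itself rather than a supporting token. The original code had three
            // branches (both / SignatureConfirmation only / Timestamp only) with identical
            // bodies; they are equivalent to this single condition.
            supportingTokensIterator.remove();
            messageTokens.messageSignatureTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageSignatureTokens);
            if (encryptionUsage) {
                messageTokens.messageEncryptionTokens =
                        addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
            }
        } else if (!transportSecurityActive
                && (encryptsSignature || encryptsSignatureConfirmation || encryptsUsernameToken)) {
            // Without transport security, encrypting the Signature, SignatureConfirmation or a
            // UsernameToken makes this the message encryption token.
            supportingTokensIterator.remove();
            messageTokens.messageEncryptionTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.messageEncryptionTokens);
        } else if (signsSignature && !signingSecurityTokens.isEmpty() && !encryptingSecurityTokens.isEmpty()) {
            // Endorses the message signature and is itself both signed and encrypted.
            supportingTokensIterator.remove();
            messageTokens.signedEndorsingEncryptedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingEncryptedSupportingTokens);
        } else if (transportSecurityActive && signsTimestamp && !signingSecurityTokens.isEmpty()
                && !encryptingSecurityTokens.isEmpty()) {
            // With transport security there is no message signature to endorse; signing the
            // Timestamp plays the endorsing role instead.
            supportingTokensIterator.remove();
            messageTokens.signedEndorsingEncryptedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingEncryptedSupportingTokens);
        } else if (signsSignature && signingSecurityTokens.isEmpty() && !encryptingSecurityTokens.isEmpty()) {
            supportingTokensIterator.remove();
            messageTokens.endorsingEncryptedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingEncryptedSupportingTokens);
        } else if (signsSignature && !signingSecurityTokens.isEmpty()) {
            supportingTokensIterator.remove();
            messageTokens.signedEndorsingSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingSupportingTokens);
        } else if (signatureUsage && !signingSecurityTokens.isEmpty()) {
            // A token flagged for signature usage that is itself signed counts as
            // signed-endorsing even if no signature over ds:Signature was observed.
            supportingTokensIterator.remove();
            messageTokens.signedEndorsingSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEndorsingSupportingTokens);
        } else if (signsSignature) {
            supportingTokensIterator.remove();
            messageTokens.endorsingSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.endorsingSupportingTokens);
        } else if (!signingSecurityTokens.isEmpty() && !encryptingSecurityTokens.isEmpty()) {
            supportingTokensIterator.remove();
            messageTokens.signedEncryptedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedEncryptedSupportingTokens);
        } else if (!signingSecurityTokens.isEmpty()) {
            supportingTokensIterator.remove();
            messageTokens.signedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.signedSupportingTokens);
        } else if (!encryptingSecurityTokens.isEmpty()) {
            supportingTokensIterator.remove();
            messageTokens.encryptedSupportingTokens =
                    addTokenSecurityEvent(tokenSecurityEvent, messageTokens.encryptedSupportingTokens);
        }
        // Otherwise: plain supporting token, left in messageTokens.supportingTokens.
    }
}

/**
 * Builds the element path of a direct child of the wsse:Security header, choosing the SOAP 1.1
 * or SOAP 1.2 header path according to {@code soap12}.
 *
 * @param child the QName of the element directly under wsse:Security
 * @return a fresh, mutable list: the security-header path followed by {@code child}
 */
private List<QName> securityHeaderChildPath(QName child) {
    List<QName> securityHeader =
            soap12 ? WSSConstants.SOAP_12_WSSE_SECURITY_HEADER_PATH : WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH;
    List<QName> path = new ArrayList<>(securityHeader.size() + 1);
    path.addAll(securityHeader);
    path.add(child);
    return path;
}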