IssuedTokenKeyBinding itk = (IssuedTokenKeyBinding)originalKeyBinding;
IssuedTokenContext issuedTokenContext = context.getTrustContext();
//Get the IssuedToken and insert it into the message
GenericToken issuedToken = (GenericToken)issuedTokenContext.getSecurityToken();
SOAPElement tokenElem = null;
SecurityTokenReference str = null;
Element strElem = null;
// check if the token is already present
IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)originalKeyBinding;
//String ikbPolicyId = ikb.getPolicyToken().getTokenId();
String ikbPolicyId = ikb.getUUID();
//Look for TrustToken in TokenCache
HashMap tokCache = context.getTokenCache();
Object tok = tokCache.get(ikbPolicyId);
SOAPElement issuedTokenElementFromMsg = null;
String iTokenType = ikb.getIncludeToken();
boolean includeIST = (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
);
if (includeIST && (issuedToken == null)) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1343_NULL_ISSUED_TOKEN());
throw new XWSSecurityException("Issued Token to be inserted into the Message was Null");
}
if (issuedToken != null) {
// treat the token as an Opaque entity and just insert the token into message
Element elem = (Element)issuedToken.getTokenValue();
if (tok == null) {
//TODO: remove these expensive conversions DOM Imports
tokenElem = XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
//FIX for Issue 26: We need an Id to cache and MS is not setting in some cases
String tokId = tokenElem.getAttribute("Id");
if ("".equals(tokId) &&
MessageConstants.ENCRYPTED_DATA_LNAME.equals(tokenElem.getLocalName())) {
tokenElem.setAttribute("Id", secureMessage.generateId());
}
tokCache.put(ikbPolicyId, tokenElem);
} else {
// it will be SOAPElement retrieve its wsuId attr
String wsuId = SecurityUtil.getWsuIdOrId((Element)tok);
issuedTokenElementFromMsg = (SOAPElement)secureMessage.getElementById(wsuId);
if (issuedTokenElementFromMsg == null) {
logger.log(Level.SEVERE,LogStringsMessages.WSS_1344_ERROR_LOCATE_ISSUE_TOKEN_MESSAGE());
throw new XWSSecurityException("Could not locate Issued Token in Message");
}
}
}
if (includeIST) {
strElem = (Element)issuedTokenContext.getAttachedSecurityTokenReference().getTokenValue();
} else {
strElem = (Element)issuedTokenContext.getUnAttachedSecurityTokenReference().getTokenValue();
}
//TODO: remove these expensive conversions
Element imported = (Element)secureMessage.getSOAPPart().importNode(strElem,true);
str = new SecurityTokenReference(XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), imported), false);
if (originalKey != null) {
SecurityUtil.updateSamlVsKeyCache(str, context, originalKey);
}
String dktId = keyBinding.getUUID();
if (dktId == null) {
dktId = secureMessage.generateId();
}
DerivedKeyTokenHeaderBlock derivedKeyTokenHeaderBlock =
new DerivedKeyTokenHeaderBlock(
secureMessage.getSOAPPart(),
str,
Base64.encode(dkt.getNonce()),
dkt.getOffset(),
dkt.getLength(),
dktId);
if (issuedTokenElementFromMsg != null) {
SecurityHeader _secHeader = secureMessage.findOrCreateSecurityHeader();
_secHeader.insertBefore(derivedKeyTokenHeaderBlock, issuedTokenElementFromMsg.getNextSibling());
} else {
Node reflist = context.getCurrentRefList();
if (reflist != null) {
secureMessage.findOrCreateSecurityHeader().insertBefore(derivedKeyTokenHeaderBlock, reflist);
context.setCurrentReferenceList(null);
} else {
secureMessage.findOrCreateSecurityHeader().insertHeaderBlock(derivedKeyTokenHeaderBlock);
}
}
// insert the Issued Token after the DKT
if (tokenElem != null) {
if (includeIST) {
secureMessage.findOrCreateSecurityHeader().insertHeaderBlockElement(tokenElem);
}
// also store the token in Packet.invocationProperties to be used by
// client side response processing
context.setIssuedSAMLToken(tokenElem);
}
//Construct the STR for signature
DirectReference refSig = new DirectReference();
refSig.setURI("#"+dktId);
SecurityTokenReference sigTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
sigTokenRef.setReference(refSig);
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,sigTokenRef);
// set the next sibling to next sibling of derived key token
nextSibling = derivedKeyTokenHeaderBlock.getAsSoapElement().getNextSibling();
nxtSiblingContainer[0] = nextSibling;
return keyInfo;
} else if ( PolicyTypeUtil.samlTokenPolicy(originalKeyBinding)) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1345_UNSUPPORTED_DERIVEDKEYS_SAML_TOKEN());
throw new UnsupportedOperationException("DerivedKeys with SAMLToken not yet supported");
} else if (PolicyTypeUtil.secureConversationTokenKeyBinding(originalKeyBinding)) {
SecureConversationTokenKeyBinding sctBinding = (SecureConversationTokenKeyBinding)originalKeyBinding;
//STR for DerivedKeyToken
SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
SOAPElement sctElement = insertSCT(context, sctBinding, tokenRef);
String dktId = keyBinding.getUUID();
if (dktId == null) {
dktId = secureMessage.generateId();
}
String nonce = Base64.encode(dkt.getNonce());
DerivedKeyTokenHeaderBlock dktHeaderBlock =
new DerivedKeyTokenHeaderBlock(
securityHeader.getOwnerDocument(), tokenRef, nonce, dkt.getOffset(), dkt.getLength() ,dktId);
Node next = (sctElement != null) ? sctElement.getNextSibling() : null;
if (next == null) {
Node reflist = context.getCurrentRefList();
if (reflist != null) {
next = reflist;
context.setCurrentReferenceList(null);
}
}
SOAPElement dktElem = (SOAPElement)securityHeader.insertBefore(
dktHeaderBlock.getAsSoapElement(), next);
//Construct the STR for signature
DirectReference refSig = new DirectReference();
refSig.setURI("#"+dktId);
SecurityTokenReference sigTokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
sigTokenRef.setReference(refSig);
// signature should be below DKT
nextSibling = dktElem.getNextSibling();
nxtSiblingContainer[0] = nextSibling;
keyInfo = dsigHelper.constructKeyInfo(signaturePolicy,sigTokenRef);
return keyInfo;
}
} else if ( PolicyTypeUtil.issuedTokenKeyBinding(keyBinding)) {
//Get the IssuedToken and insert it into the message
IssuedTokenContext issuedTokenContext = context.getTrustContext();
GenericToken issuedToken = (GenericToken)issuedTokenContext.getSecurityToken();
SOAPElement tokenElem = null;
SecurityTokenReference str = null;
Element strElem = null;
SOAPElement issuedTokenElementFromMsg = null;
// check if the token is already present
IssuedTokenKeyBinding ikb = (IssuedTokenKeyBinding)keyBinding;
//String ikbPolicyId = ikb.getPolicyToken().getTokenId();
String ikbPolicyId = ikb.getUUID();
//Look for TrustToken in TokenCache
HashMap tokCache = context.getTokenCache();
Object tok = tokCache.get(ikbPolicyId);
String iTokenType = ikb.getIncludeToken();
boolean includeIST = (ikb.INCLUDE_ALWAYS_TO_RECIPIENT.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_VER2.equals(iTokenType) ||
ikb.INCLUDE_ALWAYS_TO_RECIPIENT_VER2.equals(iTokenType)
);
if (includeIST && (issuedToken == null)) {
logger.log(Level.SEVERE, LogStringsMessages.WSS_1343_NULL_ISSUED_TOKEN());
throw new XWSSecurityException("Issued Token to be inserted into the Message was Null");
}
if (issuedToken != null) {
// treat the token as an Opaque entity and just insert the token into message
Element elem = (Element)issuedToken.getTokenValue();
if (tok == null) {
//TODO: remove these expensive conversions DOM Imports
tokenElem = XMLUtil.convertToSoapElement(secureMessage.getSOAPPart(), elem);
//FIX for Issue 26: We need an Id to cache and MS is not setting in some cases
String tokId = tokenElem.getAttribute("Id");