//initialized with asserted=true because it could be that parent elements are signed and therefore these element are also signed
//the test if it is really signed is done via the PolicyInputProcessor which emits SignedElementEvents for unsigned elements with the unsigned flag
assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount));
} else if (abstractSecurityAssertion instanceof SignedElements) {
//initialized with asserted=true with the same reason as by the SignedParts above
assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof RequiredElements) {
assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, policyAsserter, false));
} else if (abstractSecurityAssertion instanceof RequiredParts) {
assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, policyAsserter, false));
} else if (abstractSecurityAssertion instanceof UsernameToken) {
assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof IssuedToken) {
assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof X509Token) {
assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KerberosToken) {
assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SpnegoContextToken) {
assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecureConversationToken) {
assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecurityContextToken) {
assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SamlToken) {
assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof RelToken) {
assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof HttpsToken && !initiator) {
assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KeyValueToken) {
assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof AlgorithmSuite) {
//initialized with asserted=true because we do negative matching
assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, policyAsserter, true));
} /*else if (abstractSecurityAssertion instanceof AsymmetricBinding) {
} else if (abstractSecurityAssertion instanceof SymmetricBinding) {
} else if (abstractSecurityAssertion instanceof TransportBinding) {
} */ else if (abstractSecurityAssertion instanceof Layout) {
//assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
String namespace = abstractSecurityAssertion.getName().getNamespaceURI();
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_STRICT));
policyAsserter.assertPolicy(abstractSecurityAssertion);
}
else if (abstractSecurityAssertion instanceof AbstractBinding) {
policyAsserter.assertPolicy(abstractSecurityAssertion);
AbstractBinding abstractBinding = (AbstractBinding) abstractSecurityAssertion;
if (abstractBinding instanceof AbstractSymmetricAsymmetricBinding) {
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding) abstractSecurityAssertion;
assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
//initialized with asserted=true because we do negative matching
assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, policyAsserter, true, actorOrRole));
}
assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, policyAsserter, true));
}
//WSP1.3, 6.2 Timestamp Property
assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, policyAsserter, true));
if (abstractBinding.isIncludeTimestamp()) {
List<QName> timestampElementPath = new LinkedList<QName>();
timestampElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
timestampElementPath.add(WSSConstants.TAG_wsu_Timestamp);
RequiredElementsAssertionState requiredElementsAssertionState =
new RequiredElementsAssertionState(abstractBinding, policyAsserter, false);
requiredElementsAssertionState.addElement(timestampElementPath);
assertableList.add(requiredElementsAssertionState);
SignedElementsAssertionState signedElementsAssertionState =
new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true);
signedElementsAssertionState.addElement(timestampElementPath);
assertableList.add(signedElementsAssertionState);
}
} else if (abstractSecurityAssertion instanceof Wss10) {
Wss10 wss10 = (Wss10)abstractSecurityAssertion;
String namespace = wss10.getName().getNamespaceURI();
policyAsserter.assertPolicy(abstractSecurityAssertion);
if (wss10.isMustSupportRefEmbeddedToken()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
}
if (wss10.isMustSupportRefExternalURI()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
}
if (wss10.isMustSupportRefIssuerSerial()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
}
if (wss10.isMustSupportRefKeyIdentifier()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
}
if (abstractSecurityAssertion instanceof Wss11) {
Wss11 wss11 = (Wss11)abstractSecurityAssertion;
if (wss11.isMustSupportRefEncryptedKey()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
}
if (wss11.isMustSupportRefThumbprint()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
}
if (wss11.isRequireSignatureConfirmation()) {
assertableList.add(new SignatureConfirmationAssertionState(wss11, policyAsserter, true));
if (initiator) {
//9 WSS: SOAP Message Security Options [Signature Confirmation]
List<QName> signatureConfirmationElementPath = new LinkedList<QName>();
signatureConfirmationElementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
signatureConfirmationElementPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
RequiredElementsAssertionState requiredElementsAssertionState =
new RequiredElementsAssertionState(wss11, policyAsserter, false);
requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
assertableList.add(requiredElementsAssertionState);
SignedElementsAssertionState signedElementsAssertionState =
new SignedElementsAssertionState(wss11, policyAsserter, true);
signedElementsAssertionState.addElement(signatureConfirmationElementPath);
assertableList.add(signedElementsAssertionState);
}
}
}
} else {