Return-Path: Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: (qmail 94991 invoked from network); 9 Mar 2011 12:38:57 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 9 Mar 2011 12:38:57 -0000 Received: (qmail 68927 invoked by uid 500); 9 Mar 2011 12:38:57 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 68806 invoked by uid 500); 9 Mar 2011 12:38:56 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 68796 invoked by uid 99); 9 Mar 2011 12:38:56 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Mar 2011 12:38:56 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 09 Mar 2011 12:38:54 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 0E6E523889EB; Wed, 9 Mar 2011 12:38:34 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1079778 - in /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j: CryptoCoverageChecker.java CryptoCoverageUtil.java PolicyBasedWSS4JInInterceptor.java WSS4JInInterceptor.java Date: Wed, 09 Mar 2011 12:38:33 -0000 To: commits@cxf.apache.org 
From: coheigea@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20110309123834.0E6E523889EB@eris.apache.org> Author: coheigea Date: Wed Mar 9 12:38:33 2011 New Revision: 1079778 URL: http://svn.apache.org/viewvc?rev=1079778&view=rev Log: [CXF-3366] - Removed SAAJ stuff from crypto policy checkers Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=1079778&r1=1079777&r2=1079778&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java Wed Mar 9 12:38:33 2011 @@ -28,8 +28,11 @@ import java.util.Map; import java.util.Vector; import javax.xml.namespace.QName; +import javax.xml.soap.SOAPException; import javax.xml.soap.SOAPMessage; +import org.w3c.dom.Element; + import org.apache.cxf.binding.soap.SoapFault; import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor; @@ -46,7 +49,6 @@ import org.apache.ws.security.handler.WS import org.apache.ws.security.handler.WSHandlerResult; import org.apache.ws.security.util.WSSecurityUtil; - /** * Utility to enable the checking of WS-Security signature/encryption * coverage based on the results of the WSS4J processors. This interceptor 
@@ -178,8 +180,13 @@ public class CryptoCoverageChecker exten } try { + SOAPMessage saajDoc = message.getContent(SOAPMessage.class); + Element documentElement = null; + if (saajDoc != null && saajDoc.getSOAPPart() != null) { + documentElement = saajDoc.getSOAPPart().getEnvelope(); + } CryptoCoverageUtil.checkCoverage( - message.getContent(SOAPMessage.class), + documentElement, refsToCheck, this.prefixMap, xPathExpression.getXPath(), @@ -189,6 +196,10 @@ public class CryptoCoverageChecker exten throw new SoapFault("No " + xPathExpression.getType() + " element found matching XPath " + xPathExpression.getXPath(), Fault.FAULT_CODE_CLIENT); + } catch (SOAPException e) { + throw new SoapFault("No " + xPathExpression.getType() + + " element found matching XPath " + + xPathExpression.getXPath(), Fault.FAULT_CODE_CLIENT); } } } Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=1079778&r1=1079777&r2=1079778&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java Wed Mar 9 12:38:33 2011 @@ -28,8 +28,6 @@ import java.util.List; import java.util.Map; import javax.xml.namespace.QName; -import javax.xml.soap.SOAPException; -import javax.xml.soap.SOAPMessage; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathExpressionException; 
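Review bot: When `message.getContent(SOAPMessage.class)` or its SOAP part is null, `documentElement` stays null and is still passed to `CryptoCoverageUtil.checkCoverage`. JAXP evaluates an XPath with a null context item against an empty document, and the context comment in the `@@ -285,14 +264,11` hunk ("If we found nodes then we need to do the check") suggests that zero matches skips the comparison, so the coverage check would pass without inspecting anything. Before this change the same situation would have ended in a NullPointerException at `message.getSOAPPart()`. Fail closed before the call, for example `if (documentElement == null) { throw new SoapFault("SOAP envelope is not available for the coverage check", Fault.FAULT_CODE_SERVER); }`, and consider the same guard on `soapEnvelope` inside `checkCoverage`. The enclosing method starts outside the hunk.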
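Review bot: The new `catch (SOAPException e)` reuses the "No ... element found matching XPath" text and `Fault.FAULT_CODE_CLIENT` from the `WSSecurityException` handler above it, although the failure here is that the envelope could not be read, and `e` is dropped. In logs and fault responses this makes an envelope-access error indistinguishable from a genuine coverage failure. Report it as what it is and keep the cause, for example `throw new SoapFault("Unable to read the SOAP envelope for the coverage check", e, Fault.FAULT_CODE_SERVER);`.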
@@ -109,8 +107,8 @@ public final class CryptoCoverageUtil { * Checks that the references provided refer to the * signed/encrypted SOAP body element. * - * @param message - * the soap message containing the signature/encryption and content + * @param soapBody + * the SOAP body element * @param refs * the refs to the data extracted from the signature/encryption * @param type @@ -124,21 +122,12 @@ public final class CryptoCoverageUtil { * covered by the signature/encryption. */ public static void checkBodyCoverage( - SOAPMessage message, + Element soapBody, final Collection refs, CoverageType type, - CoverageScope scope) throws WSSecurityException { - - final Element body; - - try { - body = message.getSOAPBody(); - } catch (SOAPException e1) { - // Can't get the SAAJ parts out of the document. - throw new WSSecurityException(WSSecurityException.FAILURE); - } - - if (!CryptoCoverageUtil.matchElement(refs, type, scope, body)) { + CoverageScope scope + ) throws WSSecurityException { + if (!CryptoCoverageUtil.matchElement(refs, type, scope, soapBody)) { throw new WSSecurityException("The " + getCoverageTypeString(type) + " does not cover the required elements (soap:Body)."); } @@ -151,8 +140,8 @@ public final class CryptoCoverageUtil { * namespace. If {@code name} is null, all headers from {@code namespace} * are inspected for coverage. * - * @param message - * the soap message containing the signature/encryption and content + * @param soapHeader + * the SOAP header element * @param refs * the refs to the data extracted from the signature/encryption * @param namespaces @@ -170,7 +159,7 @@ public final class CryptoCoverageUtil { * covered by the signature/encryption. */ public static void checkHeaderCoverage( - SOAPMessage message, + Element soapHeader, final Collection refs, String namespace, String name, 
@@ -178,20 +167,10 @@ public final class CryptoCoverageUtil { CoverageScope scope) throws WSSecurityException { final List elements; - final Element parent; - - try { - parent = message.getSOAPHeader(); - } catch (SOAPException e1) { - // Can't get the SAAJ parts out of the document. - throw new WSSecurityException(WSSecurityException.FAILURE); - } - if (name == null) { - elements = DOMUtils.getChildrenWithNamespace(parent, namespace); + elements = DOMUtils.getChildrenWithNamespace(soapHeader, namespace); } else { - elements = DOMUtils.getChildrenWithName( - parent, namespace, name); + elements = DOMUtils.getChildrenWithName(soapHeader, namespace, name); } for (Element el : elements) { @@ -208,8 +187,8 @@ public final class CryptoCoverageUtil { * signed/encrypted elements as defined by the XPath expression in {@code * xPath}. * - * @param message - * the soap message containing the signature/encryption and content + * @param soapEnvelope + * the SOAP Envelope element * @param refs * the refs to the data extracted from the signature/encryption * @param namespaces @@ -227,14 +206,14 @@ public final class CryptoCoverageUtil { * covered by the signature/encryption. */ public static void checkCoverage( - SOAPMessage message, + Element soapEnvelope, final Collection refs, Map namespaces, String xPath, CoverageType type, CoverageScope scope) throws WSSecurityException { - CryptoCoverageUtil.checkCoverage(message, refs, namespaces, Arrays + CryptoCoverageUtil.checkCoverage(soapEnvelope, refs, namespaces, Arrays .asList(xPath), type, scope); } @@ -243,8 +222,8 @@ public final class CryptoCoverageUtil { * signed/encrypted elements as defined by the XPath expressions in {@code * xPaths}. * - * @param message - * the soap message containing the signature/encryption and content + * @param soapEnvelope + * the SOAP Envelope element * @param refs * the refs to the data extracted from the signature/encryption * @param namespaces 
@@ -262,7 +241,7 @@ public final class CryptoCoverageUtil { * covered by the signature/encryption. */ public static void checkCoverage( - SOAPMessage message, + Element soapEnvelope, final Collection refs, Map namespaces, Collection xPaths, @@ -285,14 +264,11 @@ public final class CryptoCoverageUtil { try { list = (NodeList)xpath.evaluate( xpathString, - message.getSOAPPart().getEnvelope(), + soapEnvelope, XPathConstants.NODESET); } catch (XPathExpressionException e) { // The xpath's are not valid in the config. throw new WSSecurityException(WSSecurityException.FAILURE); - } catch (SOAPException e) { - // Can't get the SAAJ parts out of the document. - throw new WSSecurityException(WSSecurityException.FAILURE); } // If we found nodes then we need to do the check. Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1079778&r1=1079777&r2=1079778&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java Wed Mar 9 12:38:33 2011 @@ -31,14 +31,14 @@ import java.util.concurrent.ConcurrentHa import javax.xml.namespace.QName; import javax.xml.soap.SOAPException; -import javax.xml.soap.SOAPHeader; -import javax.xml.soap.SOAPMessage; import javax.xml.stream.XMLStreamException; import javax.xml.xpath.XPath; import javax.xml.xpath.XPathConstants; import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; +import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.apache.cxf.Bus; 
@@ -351,7 +351,7 @@ public class PolicyBasedWSS4JInIntercept QName name, Collection refs, SoapMessage msg, - SOAPMessage doc, + Element soapEnvelope, CoverageType type, CoverageScope scope) throws SOAPException { Collection ais = aim.get(name); @@ -373,7 +373,7 @@ public class PolicyBasedWSS4JInIntercept if (xpaths != null) { for (String xPath : xpaths) { try { - CryptoCoverageUtil.checkCoverage(doc, refs, + CryptoCoverageUtil.checkCoverage(soapEnvelope, refs, namespaces, xPath, type, scope); } catch (WSSecurityException e) { ai.setNotAsserted("No " + type @@ -390,7 +390,8 @@ public class PolicyBasedWSS4JInIntercept QName name, Collection signed, SoapMessage msg, - SOAPMessage doc, + Element soapHeader, + Element soapBody, CoverageType type) throws SOAPException { Collection ais = aim.get(name); if (ais != null) { @@ -401,9 +402,13 @@ public class PolicyBasedWSS4JInIntercept if (p.isBody()) { try { if (CoverageType.SIGNED.equals(type)) { - CryptoCoverageUtil.checkBodyCoverage(doc, signed, type, CoverageScope.ELEMENT); + CryptoCoverageUtil.checkBodyCoverage( + soapBody, signed, type, CoverageScope.ELEMENT + ); } else { - CryptoCoverageUtil.checkBodyCoverage(doc, signed, type, CoverageScope.CONTENT); + CryptoCoverageUtil.checkBodyCoverage( + soapBody, signed, type, CoverageScope.CONTENT + ); } } catch (WSSecurityException e) { ai.setNotAsserted(msg.getVersion().getBody() + " not " + type); @@ -412,7 +417,7 @@ public class PolicyBasedWSS4JInIntercept for (Header h : p.getHeaders()) { try { - CryptoCoverageUtil.checkHeaderCoverage(doc, signed, h + CryptoCoverageUtil.checkHeaderCoverage(soapHeader, signed, h .getNamespace(), h.getName(), type, CoverageScope.ELEMENT); } catch (WSSecurityException e) { 
@@ -493,11 +498,15 @@ public class PolicyBasedWSS4JInIntercept return prots; } - protected void doResults(SoapMessage msg, String actor, - SOAPMessage doc, List results, - boolean utWithCallbacks) - throws SOAPException, XMLStreamException, WSSecurityException { - + @Override + protected void doResults( + SoapMessage msg, + String actor, + Element soapHeader, + Element soapBody, + List results, + boolean utWithCallbacks + ) throws SOAPException, XMLStreamException, WSSecurityException { AssertionInfoMap aim = msg.get(AssertionInfoMap.class); Collection signed = new HashSet(); Collection encrypted = new HashSet(); 
@@ -576,19 +585,22 @@ public class PolicyBasedWSS4JInIntercept CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted); - assertTokens(aim, SP12Constants.SIGNED_PARTS, signed, msg, doc, CoverageType.SIGNED); - assertTokens(aim, SP12Constants.ENCRYPTED_PARTS, encrypted, msg, doc, CoverageType.ENCRYPTED); - assertXPathTokens(aim, SP12Constants.SIGNED_ELEMENTS, signed, msg, doc, + assertTokens(aim, SP12Constants.SIGNED_PARTS, signed, msg, soapHeader, soapBody, CoverageType.SIGNED); + assertTokens( + aim, SP12Constants.ENCRYPTED_PARTS, encrypted, msg, soapHeader, soapBody, CoverageType.ENCRYPTED + ); + Element soapEnvelope = soapHeader.getOwnerDocument().getDocumentElement(); + assertXPathTokens(aim, SP12Constants.SIGNED_ELEMENTS, signed, msg, soapEnvelope, CoverageType.SIGNED, CoverageScope.ELEMENT); - assertXPathTokens(aim, SP12Constants.ENCRYPTED_ELEMENTS, encrypted, msg, doc, + assertXPathTokens(aim, SP12Constants.ENCRYPTED_ELEMENTS, encrypted, msg, soapEnvelope, CoverageType.ENCRYPTED, CoverageScope.ELEMENT); - assertXPathTokens(aim, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, encrypted, msg, doc, + assertXPathTokens(aim, SP12Constants.CONTENT_ENCRYPTED_ELEMENTS, encrypted, msg, soapEnvelope, CoverageType.ENCRYPTED, CoverageScope.CONTENT); - assertHeadersExists(aim, msg, doc); - - assertAsymetricBinding(aim, msg, doc, prots, hasDerivedKeys); - assertSymetricBinding(aim, msg, doc, prots, hasDerivedKeys); + assertHeadersExists(aim, msg, soapHeader); + + assertAsymetricBinding(aim, msg, prots, hasDerivedKeys); + assertSymetricBinding(aim, msg, prots, hasDerivedKeys); assertTransportBinding(aim); 
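Review bot: `soapHeader.getOwnerDocument()` is dereferenced without a null check, while `assertHeadersExists` in this same commit explicitly handles `header == null`. A message that carries no SOAP Header would therefore presumably end in a NullPointerException here instead of a policy assertion failure. The Body is mandatory in a SOAP envelope, so deriving the envelope from it is the safer choice: `Element soapEnvelope = soapBody.getOwnerDocument().getDocumentElement();`. The `assertTokens` calls above also hand `soapHeader` on to `checkHeaderCoverage`; whether `DOMUtils.getChildrenWithName` tolerates a null parent is not visible here and should be confirmed. `doResults` begins and ends outside this hunk.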
@@ -604,19 +616,19 @@ public class PolicyBasedWSS4JInIntercept assertPolicy(aim, SP12Constants.SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS); } - super.doResults(msg, actor, doc, results, utWithCallbacks); + super.doResults(msg, actor, soapHeader, soapBody, results, utWithCallbacks); } - private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, SOAPMessage doc) + private void assertHeadersExists(AssertionInfoMap aim, SoapMessage msg, Node header) throws SOAPException { - SOAPHeader header = doc.getSOAPHeader(); Collection ais = aim.get(SP12Constants.REQUIRED_PARTS); if (ais != null) { for (AssertionInfo ai : ais) { RequiredParts rp = (RequiredParts)ai.getAssertion(); ai.setAsserted(true); for (Header h : rp.getHeaders()) { - if (header == null || DOMUtils.getFirstChildWithName(header, h.getQName()) == null) { + if (header == null + || DOMUtils.getFirstChildWithName((Element)header, h.getQName()) == null) { ai.setNotAsserted("No header element of name " + h.getQName() + " found."); } } @@ -653,7 +665,6 @@ public class PolicyBasedWSS4JInIntercept private boolean assertSymetricBinding(AssertionInfoMap aim, SoapMessage message, - SOAPMessage doc, Protections prots, Boolean derived) { Collection ais = aim.get(SP12Constants.SYMMETRIC_BINDING); 
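Review bot: `assertHeadersExists` now declares `Node header` and then casts with `(Element)header`, although its only visible caller passes the `Element soapHeader`. Declaring the parameter as `Element header` removes the cast and the ClassCastException it could raise for a non-element node. The `org.w3c.dom.Node` import added to this file could then go if nothing else uses it.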
@@ -694,7 +705,6 @@ public class PolicyBasedWSS4JInIntercept } private boolean assertAsymetricBinding(AssertionInfoMap aim, SoapMessage message, - SOAPMessage doc, Protections prots, Boolean derived) { Collection ais = aim.get(SP12Constants.ASYMMETRIC_BINDING); Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1079778&r1=1079777&r2=1079778&view=diff ============================================================================== --- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Wed Mar 9 12:38:33 2011 @@ -31,7 +31,6 @@ import javax.security.auth.callback.Call import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.UnsupportedCallbackException; import javax.xml.namespace.QName; -import javax.xml.soap.SOAPBody; import javax.xml.soap.SOAPException; import javax.xml.soap.SOAPMessage; import javax.xml.stream.XMLStreamConstants; @@ -40,6 +39,7 @@ import javax.xml.stream.XMLStreamReader; import javax.xml.transform.dom.DOMSource; import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.apache.cxf.binding.soap.SoapFault; import org.apache.cxf.binding.soap.SoapMessage; @@ -239,7 +239,7 @@ public class WSS4JInInterceptor extends t2 = System.currentTimeMillis(); } - if (wsResult != null) { // security header found + if (wsResult != null && !wsResult.isEmpty()) { // security header found if (reqData.getWssConfig().isEnableSignatureConfirmation()) { checkSignatureConfirmation(reqData, wsResult); } 
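Review bot: With `!wsResult.isEmpty()` added in the `@@ -239,7` hunk, an empty result list now takes the `else` branch, whose comments still read "no security header found" although a Security header may have been present and simply produced no results. In that branch the fault case (visible in the `@@ -266,12` hunk) has `checkActions` commented out, so a fault-bodied message with an empty result list is no longer checked against the configured actions, where previously it went through `checkActions` in the first branch. If that is intended, say so in the comment, e.g. `// no security header found, or it yielded no results`; otherwise keep `checkActions` for the case where results are empty but not null. The surrounding method starts and ends outside the hunk.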
@@ -247,12 +247,13 @@ public class WSS4JInInterceptor extends storeSignature(msg, reqData, wsResult); storeTimestamp(msg, reqData, wsResult); checkActions(msg, reqData, wsResult, actions); - doResults(msg, actor, doc, wsResult, utWithCallbacks); + doResults( + msg, actor, doc.getSOAPHeader(), doc.getSOAPBody(), wsResult, utWithCallbacks + ); } else { // no security header found // Create an empty result list to pass into the required validation // methods. wsResult = new ArrayList(); - if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) { LOG.warning("Request does not contain Security header, " + "but it's a fault."); @@ -266,12 +267,13 @@ public class WSS4JInInterceptor extends // the unasserted assertions will provide confirmation that // security was not sufficient. // checkActions(msg, reqData, wsResult, actions); - doResults(msg, actor, doc, wsResult); + doResults(msg, actor, doc.getSOAPHeader(), doc.getSOAPBody(), wsResult); } else { checkActions(msg, reqData, wsResult, actions); - doResults(msg, actor, doc, wsResult); + doResults(msg, actor, doc.getSOAPHeader(), doc.getSOAPBody(), wsResult); } } + advanceBody(msg, doc.getSOAPBody()); if (doTimeLog) { t3 = System.currentTimeMillis(); @@ -353,13 +355,21 @@ public class WSS4JInInterceptor extends } protected void doResults( - SoapMessage msg, String actor, SOAPMessage doc, List wsResult + SoapMessage msg, + String actor, + Element soapHeader, + Element soapBody, + List wsResult ) throws SOAPException, XMLStreamException, WSSecurityException { - doResults(msg, actor, doc, wsResult, false); + doResults(msg, actor, soapHeader, soapBody, wsResult, false); } protected void doResults( - SoapMessage msg, String actor, SOAPMessage doc, List wsResult, + SoapMessage msg, + String actor, + Element soapHeader, + Element soapBody, + List wsResult, boolean utWithCallbacks ) throws SOAPException, XMLStreamException, WSSecurityException { /* 
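Review bot: Both `protected doResults` overloads in the `@@ -353,13` hunk change their parameter list from `SOAPMessage doc` to `Element soapHeader, Element soapBody` with no Javadoc and no compatibility path. A subclass outside this commit that overrode the old signature without `@Override` (and without calling `super`) would still compile but would no longer be invoked, so any result validation it added would be skipped silently. Document the new parameters, including whether `soapHeader` may be null when the message carries no Header, and flag the signature change in the upgrade notes. The affected call sites are in the `@@ -247,12` and `@@ -266,12` hunks on this line.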
@@ -374,18 +384,6 @@ public class WSS4JInInterceptor extends WSHandlerResult rResult = new WSHandlerResult(actor, wsResult); results.add(0, rResult); - SOAPBody body = doc.getSOAPBody(); - - XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body)); - // advance just past body - int evt = reader.next(); - int i = 0; - while (reader.hasNext() && i < 1 - && (evt != XMLStreamConstants.END_ELEMENT || evt != XMLStreamConstants.START_ELEMENT)) { - reader.next(); - i++; - } - msg.setContent(XMLStreamReader.class, reader); for (WSSecurityEngineResult o : wsResult) { final Principal p = (Principal)o.get(WSSecurityEngineResult.TAG_PRINCIPAL); if (p != null) { @@ -402,6 +400,20 @@ public class WSS4JInInterceptor extends } } + protected void advanceBody( + SoapMessage msg, Node body + ) throws SOAPException, XMLStreamException, WSSecurityException { + XMLStreamReader reader = StaxUtils.createXMLStreamReader(new DOMSource(body)); + // advance just past body + int evt = reader.next(); + int i = 0; + while (reader.hasNext() && i < 1 + && (evt != XMLStreamConstants.END_ELEMENT || evt != XMLStreamConstants.START_ELEMENT)) { + reader.next(); + i++; + } + msg.setContent(XMLStreamReader.class, reader); + } protected SecurityContext createSecurityContext(final Principal p) { return new SecurityContext() {
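Review bot: In the new `advanceBody` the loop condition `(evt != XMLStreamConstants.END_ELEMENT || evt != XMLStreamConstants.START_ELEMENT)` is always true, and `evt` is never updated inside the loop. The `while` therefore runs at most once, only because of `i < 1`. The code was moved unchanged from `doResults`, but as a new `protected` method it should state its intent directly, e.g. `reader.next(); if (reader.hasNext()) { reader.next(); }`, with a Javadoc line describing where the reader is left relative to the Body. The `throws` clause also looks broader than the body needs: nothing visible in the method throws `SOAPException` or `WSSecurityException`.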