From: coheigea@apache.org To: commits@cxf.apache.org Message-Id: <0439bf00e97941eb949620d03c31f690@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: Allow tokens that are encrypted before being signed Date: Tue, 25 Feb 2014 11:07:48 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master 98347e4ee -> 2d9257621 Allow tokens that are encrypted before being signed Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2d925762 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2d925762 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2d925762 Branch: refs/heads/master Commit: 2d92576212e60146e57c1050fa9a63342fe05bee Parents: 98347e4 Author: Colm O hEigeartaigh Authored: Tue Feb 25 10:59:22 2014 +0000 Committer: Colm O hEigeartaigh Committed: Tue Feb 25 11:00:40 2014 +0000 ---------------------------------------------------------------------- .../AbstractSupportingTokenPolicyValidator.java | 30 ++++++++++++++++++-- 1 file changed, 27 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2d925762/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java ----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
index 0fe5766..93cb1f6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AbstractSupportingTokenPolicyValidator.java
@@ -794,7 +794,8 @@ public abstract class AbstractSupportingTokenPolicyValidator
 List dataRefs =
 CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
 for (WSDataRef dataRef : dataRefs) {
- if (token == dataRef.getProtectedElement()) {
+ if (token == dataRef.getProtectedElement()
+ || isEncryptedTokenSigned(token, dataRef)) {
 return true;
 }
 }
@@ -802,13 +803,36 @@ public abstract class AbstractSupportingTokenPolicyValidator
 return false;
 }
 
+ private boolean isEncryptedTokenSigned(Element token, WSDataRef signedRef) {
+ if (signedRef.getProtectedElement() != null
+ && "EncryptedData".equals(signedRef.getProtectedElement().getLocalName())
+ && WSConstants.ENC_NS.equals(signedRef.getProtectedElement().getNamespaceURI())) {
+ String encryptedDataId =
+ signedRef.getProtectedElement().getAttributeNS(null, "Id");
+ for (WSSecurityEngineResult result : encryptedResults) {
+ List encryptedDataRefs =
+ CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ if (encryptedDataRefs != null) {
+ for (WSDataRef encryptedDataRef : encryptedDataRefs) {
+ if (token == encryptedDataRef.getProtectedElement()
+ && (encryptedDataRef.getWsuId() != null
+ && encryptedDataRef.getWsuId().equals(encryptedDataId))) {
+ return true;
+ }
+ }
+ }
+ }
+ }
+ return false;
+ }
+
 /**
 * Return true if a token was encrypted, false otherwise.
 */
 private boolean isTokenEncrypted(Element token) {
- for (WSSecurityEngineResult signedResult : encryptedResults) {
+ for (WSSecurityEngineResult result : encryptedResults) {
 List dataRefs =
- CastUtils.cast((List)signedResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+ CastUtils.cast((List)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
 if (dataRefs == null) {
 return false;
 }
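Review bot: In `isEncryptedTokenSigned` the link between the signed EncryptedData element and the decrypted token rests solely on comparing its `Id` attribute with `getWsuId()`, and DOM's `getAttributeNS(null, "Id")` yields an empty string rather than null when the attribute is absent, so an Id-less signed EncryptedData is compared as `""`; guard that before the loop with `if (encryptedDataId == null || encryptedDataId.isEmpty()) { return false; }` so a match can never be established on an empty identifier (whether WSS4J can ever produce a WSDataRef with an empty wsu:Id is not visible here, but the guard makes the intent explicit). The new method also lacks the Javadoc its neighbour `isTokenEncrypted` carries; add `/** Return true if the token was encrypted and the resulting EncryptedData element was then signed, false otherwise. */` above it. As a point of style, `signedRef.getProtectedElement()` is evaluated four times and the inner condition has a redundant pair of parentheses; hoisting it into `Element protectedElement = signedRef.getProtectedElement();` reads more clearly. Note the asymmetry with `isTokenEncrypted`, which returns false at the first result whose data refs are null while the new method skips such results and keeps searching; if that is unintentional it is worth aligning. The method containing the first hunk begins outside the hunk, and the body of `isTokenEncrypted` continues past the end of the second.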