cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf git commit: Fixes relating to WSS4J changes
Date Fri, 25 Nov 2016 12:56:33 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 8a605be6d -> 970080fb9


Fixes relating to WSS4J changes


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/970080fb
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/970080fb
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/970080fb

Branch: refs/heads/master
Commit: 970080fb9d7208c99ad2bde8e3c6c63a5211b448
Parents: 8a605be
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Nov 25 12:49:14 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Nov 25 12:49:14 2016 +0000

----------------------------------------------------------------------
 .../saml/sso/AbstractSAMLCallbackHandler.java   |   4 +-
 .../wss4j/UsernameTokenInterceptor.java         |  15 ++-
 .../policyhandlers/AbstractBindingBuilder.java  | 111 +++++++++----------
 .../AsymmetricBindingHandler.java               |  39 ++++---
 .../policyhandlers/SymmetricBindingHandler.java |  33 +++---
 .../policyhandlers/TransportBindingHandler.java |  35 +++---
 .../policyhandlers/WSSecurityTokenHolder.java   |   5 +-
 .../security/wss4j/WSS4JOutInterceptorTest.java |   4 +-
 .../wss4j/saml/AbstractSAMLCallbackHandler.java |   4 +-
 .../cxf/sts/operation/AbstractOperation.java    |   8 +-
 .../token/provider/DefaultSubjectProvider.java  |   4 +-
 .../sts/token/provider/TokenProviderUtils.java  |  10 +-
 .../cxf/sts/operation/IssueSamlUnitTest.java    |   6 +-
 13 files changed, 137 insertions(+), 141 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index 9772967..ee801f7 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -207,10 +207,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             Document doc = docBuilder.newDocument();
                   
             // Create an Encrypted Key
-            WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+            WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(doc, null);
+            encrKey.prepare(null);
             ephemeralKey = encrKey.getEphemeralKey();
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
index 0660109..890cbf1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java
@@ -29,6 +29,7 @@ import java.util.Set;
 
 import javax.security.auth.Subject;
 
+import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.common.util.StringUtils;
@@ -369,8 +370,11 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         UsernameToken tok = assertTokens(message);
 
         Header h = findSecurityHeader(message, true);
+        Element el = (Element)h.getObject();
+        Document doc = el.getOwnerDocument();
+        
         WSSecUsernameToken utBuilder = 
-            addUsernameToken(message, tok);
+            addUsernameToken(message, doc, tok);
         if (utBuilder == null) {
             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
             Collection<AssertionInfo> ais = 
@@ -382,13 +386,12 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
             }
             return;
         }
-        Element el = (Element)h.getObject();
-        utBuilder.prepare(el.getOwnerDocument());
+        utBuilder.prepare();
         el.appendChild(utBuilder.getUsernameTokenElement());
     }
 
 
-    protected WSSecUsernameToken addUsernameToken(SoapMessage message, UsernameToken token) {
+    protected WSSecUsernameToken addUsernameToken(SoapMessage message, Document doc, UsernameToken token) {
         String userName = 
             (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
         WSSConfig wssConfig = (WSSConfig)message.getContextualProperty(WSSConfig.class.getName());
@@ -399,7 +402,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
         if (!StringUtils.isEmpty(userName)) {
             // If NoPassword property is set we don't need to set the password
             if (token.getPasswordType() == UsernameToken.PasswordType.NoPassword) {
-                WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+                WSSecUsernameToken utBuilder = new WSSecUsernameToken(doc);
                 utBuilder.setIdAllocator(wssConfig.getIdAllocator());
                 utBuilder.setWsTimeSource(wssConfig.getCurrentTime());
                 utBuilder.setUserInfo(userName, null);
@@ -415,7 +418,7 @@ public class UsernameTokenInterceptor extends AbstractTokenInterceptor {
             
             if (!StringUtils.isEmpty(password)) {
                 //If the password is available then build the token
-                WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+                WSSecUsernameToken utBuilder = new WSSecUsernameToken(doc);
                 utBuilder.setIdAllocator(wssConfig.getIdAllocator());
                 utBuilder.setWsTimeSource(wssConfig.getCurrentTime());
                 if (token.getPasswordType() == UsernameToken.PasswordType.HashPassword) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index c59d16c..cf4333d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -222,9 +222,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     
     protected void insertAfter(Element child, Element sib) {
         if (sib.getNextSibling() == null) {
-            secHeader.getSecurityHeader().appendChild(child);
+            secHeader.getSecurityHeaderElement().appendChild(child);
         } else {
-            secHeader.getSecurityHeader().insertBefore(child, sib.getNextSibling());
+            secHeader.getSecurityHeaderElement().insertBefore(child, sib.getNextSibling());
         }
     }
     
@@ -235,12 +235,12 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             insertAfter(el, lastEncryptedKeyElement);
         } else if (topDownElement != null) {
             insertAfter(el, topDownElement);
-        } else if (secHeader.getSecurityHeader().getFirstChild() != null) {
-            secHeader.getSecurityHeader().insertBefore(
-                el, secHeader.getSecurityHeader().getFirstChild()
+        } else if (secHeader.getSecurityHeaderElement().getFirstChild() != null) {
+            secHeader.getSecurityHeaderElement().insertBefore(
+                el, secHeader.getSecurityHeaderElement().getFirstChild()
             );
         } else {
-            secHeader.getSecurityHeader().appendChild(el);
+            secHeader.getSecurityHeaderElement().appendChild(el);
         }
         lastEncryptedKeyElement = el;
     }
@@ -249,15 +249,15 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         if (lastEncryptedKeyElement != null) {
             insertAfter(el, lastEncryptedKeyElement);
         } else if (lastDerivedKeyElement != null) {
-            secHeader.getSecurityHeader().insertBefore(el, lastDerivedKeyElement);
+            secHeader.getSecurityHeaderElement().insertBefore(el, lastDerivedKeyElement);
         } else if (topDownElement != null) {
             insertAfter(el, topDownElement);
-        } else if (secHeader.getSecurityHeader().getFirstChild() != null) {
-            secHeader.getSecurityHeader().insertBefore(
-                el, secHeader.getSecurityHeader().getFirstChild()
+        } else if (secHeader.getSecurityHeaderElement().getFirstChild() != null) {
+            secHeader.getSecurityHeaderElement().insertBefore(
+                el, secHeader.getSecurityHeaderElement().getFirstChild()
             );
         } else {
-            secHeader.getSecurityHeader().appendChild(el);
+            secHeader.getSecurityHeaderElement().appendChild(el);
         }
         lastEncryptedKeyElement = el;
     }
@@ -272,29 +272,29 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         } else if (topDownElement != null) {
             insertAfter(el, topDownElement);
         } else if (bottomUpElement != null) {
-            secHeader.getSecurityHeader().insertBefore(el, bottomUpElement);
+            secHeader.getSecurityHeaderElement().insertBefore(el, bottomUpElement);
         } else {
-            secHeader.getSecurityHeader().appendChild(el);
+            secHeader.getSecurityHeaderElement().appendChild(el);
         }
         lastSupportingTokenElement = el;
     }
     
     protected void insertBeforeBottomUp(Element el) {
         if (bottomUpElement == null) {
-            secHeader.getSecurityHeader().appendChild(el);
+            secHeader.getSecurityHeaderElement().appendChild(el);
         } else {
-            secHeader.getSecurityHeader().insertBefore(el, bottomUpElement);
+            secHeader.getSecurityHeaderElement().insertBefore(el, bottomUpElement);
         }
         bottomUpElement = el;
     }
     
     protected void addTopDownElement(Element el) {
         if (topDownElement == null) {
-            if (secHeader.getSecurityHeader().getFirstChild() == null) {
-                secHeader.getSecurityHeader().appendChild(el);
+            if (secHeader.getSecurityHeaderElement().getFirstChild() == null) {
+                secHeader.getSecurityHeaderElement().appendChild(el);
             } else {
-                secHeader.getSecurityHeader().insertBefore(
-                    el, secHeader.getSecurityHeader().getFirstChild()
+                secHeader.getSecurityHeaderElement().insertBefore(
+                    el, secHeader.getSecurityHeaderElement().getFirstChild()
                 );
             }
         } else {
@@ -335,11 +335,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             if (ttl <= 0) {
                 ttl = 300;
             }
-            timestampEl = new WSSecTimestamp();
+            timestampEl = new WSSecTimestamp(secHeader);
             timestampEl.setIdAllocator(wssConfig.getIdAllocator());
             timestampEl.setWsTimeSource(wssConfig.getCurrentTime());
             timestampEl.setTimeToLive(ttl);
-            timestampEl.prepare(saaj.getSOAPPart());
+            timestampEl.prepare();
             
             String namespace = binding.getName().getNamespaceURI();
             PolicyUtils.assertPolicy(aim, new QName(namespace, SPConstants.INCLUDE_TIMESTAMP));
@@ -360,7 +360,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                         new QName(binding.getLayout().getName().getNamespaceURI(), 
                                   SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
                     Element el = timestamp.getElement();
-                    secHeader.getSecurityHeader().appendChild(el);
+                    secHeader.getSecurityHeaderElement().appendChild(el);
                     if (bottomUpElement == null) {
                         bottomUpElement = el;
                     }
@@ -398,17 +398,17 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         // Make sure that the Timestamp is in first place, if that is what the policy requires
         if (binding.getLayout() != null && timestampEl != null) {
             if (binding.getLayout().getLayoutType() == LayoutType.LaxTsFirst
-                && secHeader.getSecurityHeader().getFirstChild() != timestampEl.getElement()) {
-                Node firstChild = secHeader.getSecurityHeader().getFirstChild();
+                && secHeader.getSecurityHeaderElement().getFirstChild() != timestampEl.getElement()) {
+                Node firstChild = secHeader.getSecurityHeaderElement().getFirstChild();
                 while (firstChild != null && firstChild.getNodeType() != Node.ELEMENT_NODE) {
                     firstChild = firstChild.getNextSibling();
                 }
                 if (firstChild != null && firstChild != timestampEl.getElement()) {
-                    secHeader.getSecurityHeader().insertBefore(timestampEl.getElement(), firstChild);
+                    secHeader.getSecurityHeaderElement().insertBefore(timestampEl.getElement(), firstChild);
                 }
             } else if (binding.getLayout().getLayoutType() == LayoutType.LaxTsLast
-                && secHeader.getSecurityHeader().getLastChild() != timestampEl.getElement()) {
-                secHeader.getSecurityHeader().appendChild(timestampEl.getElement());
+                && secHeader.getSecurityHeaderElement().getLastChild() != timestampEl.getElement()) {
+                secHeader.getSecurityHeaderElement().appendChild(timestampEl.getElement());
             } 
         }
     }
@@ -476,11 +476,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
                 if (secToken.getX509Certificate() == null) {  
                     ret.add(
-                        new SupportingToken(token, new WSSecurityTokenHolder(secToken),
+                        new SupportingToken(token, new WSSecurityTokenHolder(secToken, secHeader),
                                             getSignedParts(suppTokens))
                     );
                 } else {
-                    WSSecSignature sig = new WSSecSignature();
+                    WSSecSignature sig = new WSSecSignature(secHeader);
                     sig.setIdAllocator(wssConfig.getIdAllocator());
                     sig.setCallbackLookup(callbackLookup);
                     sig.setX509Certificate(secToken.getX509Certificate());
@@ -513,7 +513,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                     String password = getPassword(uname, token, WSPasswordCallback.SIGNATURE);
                     sig.setUserInfo(uname, password);
                     try {
-                        sig.prepare(saaj.getSOAPPart(), secToken.getCrypto(), secHeader);
+                        sig.prepare(secToken.getCrypto());
                     } catch (WSSecurityException e) {
                         LOG.log(Level.FINE, e.getMessage(), e);
                         throw new Fault(e);
@@ -530,13 +530,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 if (bstElem != null) {
                     if (lastEncryptedKeyElement != null) {
                         if (lastEncryptedKeyElement.getNextSibling() != null) {
-                            secHeader.getSecurityHeader().insertBefore(bstElem, 
+                            secHeader.getSecurityHeaderElement().insertBefore(bstElem, 
                                 lastEncryptedKeyElement.getNextSibling());
                         } else {
-                            secHeader.getSecurityHeader().appendChild(bstElem);
+                            secHeader.getSecurityHeaderElement().appendChild(bstElem);
                         }
                     } else {
-                        sig.prependBSTElementToHeader(secHeader);
+                        sig.prependBSTElementToHeader();
                     }
                     if (suppTokens.isEncryptedToken()) {
                         WSEncryptionPart part = new WSEncryptionPart(sig.getBSTTokenId(), "Element");
@@ -577,7 +577,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         if (endorse) {
             WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
             if (utBuilder != null) {
-                utBuilder.prepare(saaj.getSOAPPart());
+                utBuilder.prepare();
                 addSupportingElement(utBuilder.getUsernameTokenElement());
                 ret.add(new SupportingToken(token, utBuilder, null));
                 if (encryptedToken) {
@@ -589,7 +589,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         } else {
             WSSecUsernameToken utBuilder = addUsernameToken(token);
             if (utBuilder != null) {
-                utBuilder.prepare(saaj.getSOAPPart());
+                utBuilder.prepare();
                 addSupportingElement(utBuilder.getUsernameTokenElement());
                 ret.add(new SupportingToken(token, utBuilder, null));
                 //WebLogic and WCF always encrypt these
@@ -608,8 +608,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     }
     
     protected Element cloneElement(Element el) {
-        if (!secHeader.getSecurityHeader().getOwnerDocument().equals(el.getOwnerDocument())) {
-            return (Element)secHeader.getSecurityHeader().getOwnerDocument().importNode(el, true);
+        if (!secHeader.getSecurityHeaderElement().getOwnerDocument().equals(el.getOwnerDocument())) {
+            return (Element)secHeader.getSecurityHeaderElement().getOwnerDocument().importNode(el, true);
         }
         return el;
     }
@@ -774,7 +774,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
         String userName = (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
         if (!StringUtils.isEmpty(userName)) {
-            WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+            WSSecUsernameToken utBuilder = new WSSecUsernameToken(secHeader);
             utBuilder.setIdAllocator(wssConfig.getIdAllocator());
             utBuilder.setWsTimeSource(wssConfig.getCurrentTime());
             
@@ -825,7 +825,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
         String userName = (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
         if (!StringUtils.isEmpty(userName)) {
-            WSSecUsernameToken utBuilder = new WSSecUsernameToken();
+            WSSecUsernameToken utBuilder = new WSSecUsernameToken(secHeader);
             utBuilder.setIdAllocator(wssConfig.getIdAllocator());
             utBuilder.setWsTimeSource(wssConfig.getCurrentTime());
             
@@ -839,7 +839,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 // If the password is available then build the token
                 utBuilder.setUserInfo(userName, password);
                 utBuilder.addDerivedKey(useMac, null, 1000);
-                utBuilder.prepare(saaj.getSOAPPart());
+                utBuilder.prepare();
             } else {
                 unassertPolicy(token, "No password available");
                 return null;
@@ -1425,7 +1425,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     }
     
     protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
-        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
         encrKey.setIdAllocator(wssConfig.getIdAllocator());
         encrKey.setCallbackLookup(callbackLookup);
         encrKey.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
@@ -1449,7 +1449,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
         encrKey.setMGFAlgorithm(algType.getMGFAlgo());
         
-        encrKey.prepare(saaj.getSOAPPart(), crypto);
+        encrKey.prepare(crypto);
         
         if (alsoIncludeToken) {
             X509Certificate encCert = getEncryptCert(crypto, encrUser);
@@ -1458,7 +1458,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             bstToken.addWSUNamespace();
             bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", encCert));
             WSSecurityUtil.prependChildElement(
-                secHeader.getSecurityHeader(), bstToken.getElement()
+                secHeader.getSecurityHeaderElement(), bstToken.getElement()
             );
             bstElement = bstToken.getElement();
         }
@@ -1705,7 +1705,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     protected WSSecSignature getSignatureBuilder(
         AbstractToken token, boolean attached, boolean endorse
     ) throws WSSecurityException {
-        WSSecSignature sig = new WSSecSignature();
+        WSSecSignature sig = new WSSecSignature(secHeader);
         sig.setIdAllocator(wssConfig.getIdAllocator());
         sig.setCallbackLookup(callbackLookup);
         sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
@@ -1825,7 +1825,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sig.setAddInclusivePrefixes(includePrefixes);
         
         try {
-            sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
+            sig.prepare(crypto);
         } catch (WSSecurityException e) {
             LOG.log(Level.FINE, e.getMessage(), e);
             unassertPolicy(token, e);
@@ -1861,7 +1861,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                     sigParts.add(bstPart);
                 }
                 try {
-                    List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
+                    List<Reference> referenceList = sig.addReferencesToSign(sigParts);
                     sig.computeSignature(referenceList, false, null);
                     
                     addSig(sig.getSignatureValue());
@@ -1929,7 +1929,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         throws WSSecurityException {
         
         Document doc = saaj.getSOAPPart();
-        WSSecDKSign dkSign = new WSSecDKSign();
+        WSSecDKSign dkSign = new WSSecDKSign(secHeader);
         dkSign.setIdAllocator(wssConfig.getIdAllocator());
         dkSign.setCallbackLookup(callbackLookup);
         
@@ -1984,7 +1984,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             dkSign.setCustomValueType(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
         } 
         
-        dkSign.prepare(doc, secHeader);
+        dkSign.prepare();
         
         if (isTokenProtection) {
             String sigTokId = XMLUtils.getIDFromReference(tok.getId());
@@ -1993,7 +1993,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
         dkSign.getParts().addAll(sigParts);
         
-        List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
+        List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
         
         //Add elements to header
         addSupportingElement(dkSign.getdktElement());
@@ -2014,8 +2014,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                                          boolean isSigProtect)
         throws WSSecurityException {
         
-        Document doc = saaj.getSOAPPart();
-        WSSecSignature sig = new WSSecSignature();
+        WSSecSignature sig = new WSSecSignature(secHeader);
         sig.setIdAllocator(wssConfig.getIdAllocator());
         sig.setCallbackLookup(callbackLookup);
         
@@ -2064,10 +2063,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         sig.setDigestAlgo(algType.getDigest());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-        sig.prepare(doc, getSignatureCrypto(), secHeader);
+        sig.prepare(getSignatureCrypto());
 
         sig.getParts().addAll(sigParts);
-        List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
+        List<Reference> referenceList = sig.addReferencesToSign(sigParts);
 
         //Do signature
         sig.computeSignature(referenceList, false, null);
@@ -2166,13 +2165,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         
         sigConfList = new ArrayList<>();
         // prepare a SignatureConfirmation token
-        WSSecSignatureConfirmation wsc = new WSSecSignatureConfirmation();
+        WSSecSignatureConfirmation wsc = new WSSecSignatureConfirmation(secHeader);
         wsc.setIdAllocator(wssConfig.getIdAllocator());
         if (signatureActions.size() > 0) {
             for (WSSecurityEngineResult wsr : signatureActions) {
                 byte[] sigVal = (byte[]) wsr.get(WSSecurityEngineResult.TAG_SIGNATURE_VALUE);
                 wsc.setSignatureValue(sigVal);
-                wsc.prepare(saaj.getSOAPPart());
+                wsc.prepare();
                 addSupportingElement(wsc.getSignatureConfirmationElement());
                 if (sigParts != null) {
                     WSEncryptionPart part = new WSEncryptionPart(wsc.getId(), "Element");
@@ -2183,7 +2182,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             }
         } else {
             //No Sig value
-            wsc.prepare(saaj.getSOAPPart());
+            wsc.prepare();
             addSupportingElement(wsc.getSignatureConfirmationElement());
             if (sigParts != null) {
                 WSEncryptionPart part = new WSEncryptionPart(wsc.getId(), "Element");

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 28c33d8..bea5631 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -404,9 +404,9 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             && encrBase instanceof WSSecDKEncrypt) {
             try {
                 Element secondRefList = 
-                    ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts, secHeader);
+                    ((WSSecDKEncrypt)encrBase).encryptForExternalRef(null, secondEncrParts);
                 if (secondRefList != null) {
-                    ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList, secHeader);
+                    ((WSSecDKEncrypt)encrBase).addExternalRefElement(secondRefList);
                 }
 
             } catch (WSSecurityException ex) {
@@ -424,7 +424,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 } else {
                     this.insertBeforeBottomUp(secondRefList);
                 }
-                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, secHeader);
+                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
 
             } catch (WSSecurityException ex) {
                 LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -446,14 +446,13 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
             } else {
                 try {
-                    WSSecEncrypt encr = new WSSecEncrypt();
+                    WSSecEncrypt encr = new WSSecEncrypt(secHeader);
                     encr.setEncryptionSerializer(new StaxSerializer());
                     encr.setIdAllocator(wssConfig.getIdAllocator());
                     encr.setCallbackLookup(callbackLookup);
                     encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
                     encr.setStoreBytesInAttachment(storeBytesInAttachment);
                     
-                    encr.setDocument(saaj.getSOAPPart());
                     Crypto crypto = getEncryptionCrypto();
                     
                     SecurityToken securityToken = getSecurityToken();
@@ -499,13 +498,13 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
                     encr.setMGFAlgorithm(algType.getMGFAlgo());
                     encr.setDigestAlgorithm(algType.getEncryptionDigest());
-                    encr.prepare(saaj.getSOAPPart(), crypto);
+                    encr.prepare(crypto);
                     
                     Element encryptedKeyElement = encr.getEncryptedKeyElement();
                     List<Element> attachments = encr.getAttachmentEncryptedDataElements();
                     //Encrypt, get hold of the ref list and add it
                     if (externalRef) {
-                        Element refList = encr.encryptForRef(null, encrParts, secHeader);
+                        Element refList = encr.encryptForRef(null, encrParts);
                         if (refList != null) {
                             insertBeforeBottomUp(refList);
                         }
@@ -518,7 +517,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                             this.addEncryptedKeyElement(encryptedKeyElement);
                         }
                     } else {
-                        Element refList = encr.encryptForRef(null, encrParts, secHeader);
+                        Element refList = encr.encryptForRef(null, encrParts);
                         if (refList != null || (attachments != null && !attachments.isEmpty())) {
                             this.addEncryptedKeyElement(encryptedKeyElement);
                         }
@@ -536,7 +535,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
                     // Put BST before EncryptedKey element
                     if (encr.getBSTTokenId() != null) {
-                        encr.prependBSTElementToHeader(secHeader);
+                        encr.prependBSTElementToHeader();
                     }
 
                     return encr;
@@ -554,7 +553,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                                      List<WSEncryptionPart> encrParts,
                                      AlgorithmSuite algorithmSuite) {
         try {
-            WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
+            WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
             dkEncr.setIdAllocator(wssConfig.getIdAllocator());
             dkEncr.setCallbackLookup(callbackLookup);
@@ -575,10 +574,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
             dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
             dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
-            dkEncr.prepare(saaj.getSOAPPart());
+            dkEncr.prepare();
 
             addDerivedKeyElement(dkEncr.getdktElement());
-            Element refList = dkEncr.encryptForExternalRef(null, encrParts, secHeader);
+            Element refList = dkEncr.encryptForExternalRef(null, encrParts);
             if (refList != null) {
                 insertBeforeBottomUp(refList);
             }
@@ -631,7 +630,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             // Add the BST to the security header if required
             if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
                 WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
-                sig.appendBSTElementToHeader(secHeader);
+                sig.appendBSTElementToHeader();
             } 
             return;
         }
@@ -639,7 +638,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             // Set up the encrypted key to use
             setupEncryptedKey(wrapper, sigToken);
             
-            WSSecDKSign dkSign = new WSSecDKSign();
+            WSSecDKSign dkSign = new WSSecDKSign(secHeader);
             dkSign.setIdAllocator(wssConfig.getIdAllocator());
             dkSign.setCallbackLookup(callbackLookup);
             dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
@@ -666,7 +665,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             dkSign.setAddInclusivePrefixes(includePrefixes);
             
             try {
-                dkSign.prepare(saaj.getSOAPPart(), secHeader);
+                dkSign.prepare();
 
                 if (abinding.isProtectTokens()) {
                     assertPolicy(
@@ -686,7 +685,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
                 dkSign.getParts().addAll(sigParts);
 
-                List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
+                List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
                 if (!referenceList.isEmpty()) {
                     // Add elements to header
                     addDerivedKeyElement(dkSign.getdktElement());
@@ -719,10 +718,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     bstPart.setElement(sig.getBinarySecurityTokenElement());
                     sigParts.add(bstPart);
                 }
-                sig.prependBSTElementToHeader(secHeader);
+                sig.prependBSTElementToHeader();
             }
 
-            List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
+            List<Reference> referenceList = sig.addReferencesToSign(sigParts);
             if (!referenceList.isEmpty()) {
                 //Do signature
                 if (bottomUpElement == null) {
@@ -735,7 +734,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 if (!abinding.isProtectTokens()) {
                     Element bstElement = sig.getBinarySecurityTokenElement();
                     if (bstElement != null) {
-                        secHeader.getSecurityHeader().insertBefore(bstElement, bottomUpElement);
+                        secHeader.getSecurityHeaderElement().insertBefore(bstElement, bottomUpElement);
                     }
                 }
                 
@@ -787,7 +786,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         Element bstElem = encrKey.getBinarySecurityTokenElement();
         if (bstElem != null) {
             // If a BST is available then use it
-            encrKey.prependBSTElementToHeader(secHeader);
+            encrKey.prependBSTElementToHeader();
         }
         
         // Add the EncryptedKey

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 2534048..473cd2a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -251,10 +251,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys 
                         && !secondEncrParts.isEmpty()) {
                         secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, 
-                                secondEncrParts, secHeader);
+                                secondEncrParts);
                     } else if (!secondEncrParts.isEmpty()) {
                         //Encrypt, get hold of the ref list and add it
-                        secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, secHeader);
+                        secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
                     }
                     if (secondRefList != null) {
                         this.addDerivedKeyElement(secondRefList);
@@ -402,7 +402,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                                           List<WSEncryptionPart> encrParts,
                                           boolean atEnd) {
         try {
-            WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
+            WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
             dkEncr.setIdAllocator(wssConfig.getIdAllocator());
             dkEncr.setCallbackLookup(callbackLookup);
@@ -486,12 +486,12 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
             dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
-            dkEncr.prepare(saaj.getSOAPPart());
+            dkEncr.prepare();
             Element encrDKTokenElem = null;
             encrDKTokenElem = dkEncr.getdktElement();
             addDerivedKeyElement(encrDKTokenElem);
             
-            Element refList = dkEncr.encryptForExternalRef(null, encrParts, secHeader);
+            Element refList = dkEncr.encryptForExternalRef(null, encrParts);
             List<Element> attachments = dkEncr.getAttachmentEncryptedDataElements();
             addAttachmentsForEncryption(atEnd, refList, attachments);
 
@@ -519,7 +519,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                                            attached, encrParts, atEnd);
             } else {
                 try {
-                    WSSecEncrypt encr = new WSSecEncrypt();
+                    WSSecEncrypt encr = new WSSecEncrypt(secHeader);
                     encr.setEncryptionSerializer(new StaxSerializer());
                     encr.setIdAllocator(wssConfig.getIdAllocator());
                     encr.setCallbackLookup(callbackLookup);
@@ -552,7 +552,6 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                         setEncryptionUser(encr, encrToken, false, crypto);
                     }
                     
-                    encr.setDocument(saaj.getSOAPPart());
                     encr.setEncryptSymmKey(false);
                     encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
                     encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
@@ -595,13 +594,13 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                         encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
                     }
 
-                    encr.prepare(saaj.getSOAPPart(), crypto);
+                    encr.prepare(crypto);
                    
                     if (encr.getBSTTokenId() != null) {
-                        encr.prependBSTElementToHeader(secHeader);
+                        encr.prependBSTElementToHeader();
                     }
                    
-                    Element refList = encr.encryptForRef(null, encrParts, secHeader);
+                    Element refList = encr.encryptForRef(null, encrParts);
                     List<Element> attachments = encr.getAttachmentEncryptedDataElements();
                     addAttachmentsForEncryption(atEnd, refList, attachments);
                     
@@ -643,7 +642,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                                SecurityToken tok,
                                boolean included) throws WSSecurityException {
         Document doc = saaj.getSOAPPart();
-        WSSecDKSign dkSign = new WSSecDKSign();
+        WSSecDKSign dkSign = new WSSecDKSign(secHeader);
         dkSign.setIdAllocator(wssConfig.getIdAllocator());
         dkSign.setCallbackLookup(callbackLookup);
         dkSign.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
@@ -735,7 +734,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             }
         }
         
-        dkSign.prepare(doc, secHeader);
+        dkSign.prepare();
         
         if (sbinding.isProtectTokens()) {
             String sigTokId = tok.getId();
@@ -754,7 +753,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         }
         
         dkSign.getParts().addAll(sigs);
-        List<Reference> referenceList = dkSign.addReferencesToSign(sigs, secHeader);
+        List<Reference> referenceList = dkSign.addReferencesToSign(sigs);
         if (!referenceList.isEmpty()) {
             //Add elements to header
             Element el = dkSign.getdktElement();
@@ -783,7 +782,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         if (policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             return doSignatureDK(sigs, policyAbstractTokenWrapper, policyToken, tok, included);
         } else {
-            WSSecSignature sig = new WSSecSignature();
+            WSSecSignature sig = new WSSecSignature(secHeader);
             sig.setIdAllocator(wssConfig.getIdAllocator());
             sig.setCallbackLookup(callbackLookup);
             sig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
@@ -888,9 +887,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                 crypto = getSignatureCrypto();
             }
             this.message.getExchange().put(SecurityConstants.SIGNATURE_CRYPTO, crypto);
-            sig.prepare(saaj.getSOAPPart(), crypto, secHeader);
+            sig.prepare(crypto);
             sig.getParts().addAll(sigs);
-            List<Reference> referenceList = sig.addReferencesToSign(sigs, secHeader);
+            List<Reference> referenceList = sig.addReferencesToSign(sigs);
             if (!referenceList.isEmpty()) {
                 //Do signature
                 if (bottomUpElement == null) {
@@ -937,7 +936,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         //If direct ref is used to refer to the cert
         //then add the cert to the sec header now
         if (bstTokenId != null && bstTokenId.length() > 0) {
-            encrKey.prependBSTElementToHeader(secHeader);
+            encrKey.prependBSTElementToHeader();
         }
         return id;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 4e092d7..b0495e6 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -29,7 +29,6 @@ import javax.xml.crypto.dsig.Reference;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
 
-import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.interceptor.Fault;
@@ -105,8 +104,8 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             if (token instanceof UsernameToken) {
                 WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken)token);
                 if (utBuilder != null) {
-                    utBuilder.prepare(saaj.getSOAPPart());
-                    utBuilder.appendToHeader(secHeader);
+                    utBuilder.prepare();
+                    utBuilder.appendToHeader();
                 }
             } else if (token instanceof IssuedToken || token instanceof KerberosToken
                 || token instanceof SpnegoContextToken) {
@@ -345,8 +344,6 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
     private byte[] doX509TokenSignature(AbstractToken token, SupportingTokens wrapper) 
         throws Exception {
         
-        Document doc = saaj.getSOAPPart();
-        
         List<WSEncryptionPart> sigParts = 
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
         
@@ -358,9 +355,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             if (bstElem != null) {
                 addTopDownElement(bstElem);
             }
-            encrKey.appendToHeader(secHeader);
+            encrKey.appendToHeader();
             
-            WSSecDKSign dkSig = new WSSecDKSign();
+            WSSecDKSign dkSig = new WSSecDKSign(secHeader);
             dkSig.setIdAllocator(wssConfig.getIdAllocator());
             dkSig.setCallbackLookup(callbackLookup);
             if (token.getVersion() == SPConstants.SPVersion.SP11) {
@@ -374,13 +371,13 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             
             dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
             
-            dkSig.prepare(doc, secHeader);
+            dkSig.prepare();
             
             dkSig.getParts().addAll(sigParts);
-            List<Reference> referenceList = dkSig.addReferencesToSign(sigParts, secHeader);
+            List<Reference> referenceList = dkSig.addReferencesToSign(sigParts);
             
             //Do signature
-            dkSig.appendDKElementToHeader(secHeader);
+            dkSig.appendDKElementToHeader();
             dkSig.computeSignature(referenceList, false, null);
             
             return dkSig.getSignatureValue();
@@ -388,9 +385,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             WSSecSignature sig = getSignatureBuilder(token, false, false);
             assertPolicy(wrapper);
             if (sig != null) {
-                sig.prependBSTElementToHeader(secHeader);
+                sig.prependBSTElementToHeader();
             
-                List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
+                List<Reference> referenceList = sig.addReferencesToSign(sigParts);
                 
                 if (bottomUpElement == null) {
                     sig.computeSignature(referenceList, false, null);
@@ -451,7 +448,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         List<WSEncryptionPart> sigParts
     ) throws Exception {
         //Do Signature with derived keys
-        WSSecDKSign dkSign = new WSSecDKSign();
+        WSSecDKSign dkSign = new WSSecDKSign(secHeader);
         dkSign.setIdAllocator(wssConfig.getIdAllocator());
         dkSign.setCallbackLookup(callbackLookup);
         AlgorithmSuite algorithmSuite = tbinding.getAlgorithmSuite();
@@ -481,13 +478,12 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         if (token.getVersion() == SPConstants.SPVersion.SP11) {
             dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
         }
-        Document doc = saaj.getSOAPPart();
-        dkSign.prepare(doc, secHeader);
+        dkSign.prepare();
 
         addDerivedKeyElement(dkSign.getdktElement());
 
         dkSign.getParts().addAll(sigParts);
-        List<Reference> referenceList = dkSign.addReferencesToSign(sigParts, secHeader);
+        List<Reference> referenceList = dkSign.addReferencesToSign(sigParts);
 
         //Do signature
         dkSign.computeSignature(referenceList, false, null);
@@ -502,7 +498,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         SupportingTokens wrapper,
         List<WSEncryptionPart> sigParts
     ) throws Exception {
-        WSSecSignature sig = new WSSecSignature();
+        WSSecSignature sig = new WSSecSignature(secHeader);
         sig.setIdAllocator(wssConfig.getIdAllocator());
         sig.setCallbackLookup(callbackLookup);
         
@@ -583,11 +579,10 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         sig.setDigestAlgo(algType.getDigest());
 
-        Document doc = saaj.getSOAPPart();
-        sig.prepare(doc, crypto, secHeader);
+        sig.prepare(crypto);
 
         sig.getParts().addAll(sigParts);
-        List<Reference> referenceList = sig.addReferencesToSign(sigParts, secHeader);
+        List<Reference> referenceList = sig.addReferencesToSign(sigParts);
 
         //Do signature
         if (bottomUpElement == null) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
index 14d35b4..3791d1a 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/WSSecurityTokenHolder.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import org.apache.cxf.ws.security.tokenstore.SecurityToken;
 import org.apache.wss4j.dom.message.WSSecBase;
+import org.apache.wss4j.dom.message.WSSecHeader;
 
 /**
  * 
@@ -28,8 +29,8 @@ import org.apache.wss4j.dom.message.WSSecBase;
 public class WSSecurityTokenHolder extends WSSecBase {
     SecurityToken token;
     
-    public WSSecurityTokenHolder(SecurityToken t) {
-        super();
+    public WSSecurityTokenHolder(SecurityToken t, WSSecHeader securityHeader) {
+        super(securityHeader);
         token = t;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java
index bcb0d95..35c76f9 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JOutInterceptorTest.java
@@ -224,12 +224,12 @@ public class WSS4JOutInterceptorTest extends AbstractSecurityTest {
         private int executions;
         
         @Override
-        public void execute(WSHandler handler, SecurityActionToken actionToken, Document doc,
+        public void execute(WSHandler handler, SecurityActionToken actionToken,
                 RequestData reqData) throws WSSecurityException {
             
             this.executions++;
             reqData.setPwType(WSConstants.PW_TEXT);
-            super.execute(handler, actionToken, doc, reqData);
+            super.execute(handler, actionToken, reqData);
         }
 
         public int getExecutions() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
index 0b03e57..2026ec2 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
@@ -171,10 +171,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             Document doc = docBuilder.newDocument();
                   
             // Create an Encrypted Key
-            WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+            WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(doc, null);
+            encrKey.prepare(null);
             ephemeralKey = encrKey.getEphemeralKey();
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
             

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index 82f739c..b1360b8 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -341,15 +341,15 @@ public abstract class AbstractOperation {
             }
         }
         
-        WSSecEncryptedKey builder = new WSSecEncryptedKey();
+        Document doc = DOMUtils.createDocument();
+        
+        WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
         builder.setUserInfo(name);
         builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
         builder.setEphemeralKey(secret);
         builder.setKeyEncAlgo(keyWrapAlgorithm);
         
-        Document doc = DOMUtils.createDocument();
-                                 
-        builder.prepare(doc, stsProperties.getEncryptionCrypto());
+        builder.prepare(stsProperties.getEncryptionCrypto());
         
         return builder.getEncryptedKeyElement();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index 9433039..5feb707 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -334,13 +334,13 @@ public class DefaultSubjectProvider implements SubjectProvider {
         KeyInfoBean keyInfo = new KeyInfoBean();
 
         // Create an EncryptedKey
-        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
         encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
         encrKey.setEphemeralKey(secret);
         encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
         encrKey.setUseThisCert(certificate);
         encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
-        encrKey.prepare(doc, encryptionCrypto);
+        encrKey.prepare(encryptionCrypto);
         Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
         // Append the EncryptedKey to a KeyInfo element

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index c0794a1..5d0ed4e 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -149,7 +149,10 @@ public final class TokenProviderUtils {
             }
         }
         
-        WSSecEncrypt builder = new WSSecEncrypt();
+        Document doc = element.getOwnerDocument();
+        doc.appendChild(element);
+        
+        WSSecEncrypt builder = new WSSecEncrypt(doc);
         if (WSHandlerConstants.USE_REQ_SIG_CERT.equals(name)) {
             X509Certificate cert = getReqSigCert(messageContext);
             builder.setUseThisCert(cert);
@@ -164,10 +167,7 @@ public final class TokenProviderUtils {
         WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
         encryptionPart.setElement(element);
         
-        Document doc = element.getOwnerDocument();
-        doc.appendChild(element);
-                                 
-        builder.prepare(element.getOwnerDocument(), stsProperties.getEncryptionCrypto());
+        builder.prepare(stsProperties.getEncryptionCrypto());
         builder.encryptForRef(null, Collections.singletonList(encryptionPart));
         
         return doc.getDocumentElement();

http://git-wip-us.apache.org/repos/asf/cxf/blob/970080fb/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index c7326d1..1db76c6 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -825,13 +825,13 @@ public class IssueSamlUnitTest extends org.junit.Assert {
         );
         
         // Now add Entropy
-        WSSecEncryptedKey builder = new WSSecEncryptedKey();
+        Document doc = DOMUtils.createDocument();
+        WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
         builder.setUserInfo("mystskey");
         builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         builder.setKeyEncAlgo(WSConstants.KEYTRANSPORT_RSAOAEP);
         
-        Document doc = DOMUtils.createDocument();
-        builder.prepare(doc, stsProperties.getSignatureCrypto());
+        builder.prepare(stsProperties.getSignatureCrypto());
         Element encryptedKeyElement = builder.getEncryptedKeyElement();
         byte[] secret = builder.getEphemeralKey();
         


Mime
View raw message