private UsernameToken assertTokens(
      SoapMessage message, UsernameTokenPrincipal princ, boolean signed) {
    AssertionInfoMap aim = message.get(AssertionInfoMap.class);
    Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
    UsernameToken tok = null;
    for (AssertionInfo ai : ais) {
      tok = (UsernameToken) ai.getAssertion();
      ai.setAsserted(true);
      if ((tok.getPasswordType() == UsernameToken.PasswordType.HashPassword)
          && (princ == null || !princ.isPasswordDigest())) {
        ai.setNotAsserted("Password hashing policy not enforced");
      } else {
        assertPolicy(aim, SPConstants.HASH_PASSWORD);
      }

      if ((tok.getPasswordType() != UsernameToken.PasswordType.NoPassword)
          && isNonEndorsingSupportingToken(tok)
          && (princ == null || princ.getPassword() == null)) {
        ai.setNotAsserted("Username Token No Password supplied");
      } else {
        assertPolicy(aim, SPConstants.NO_PASSWORD);
      }

      if (tok.isCreated() && princ.getCreatedTime() == null) {
        ai.setNotAsserted("No Created Time");
      } else {
        assertPolicy(aim, SP13Constants.CREATED);
      }

      if (tok.isNonce() && princ.getNonce() == null) {
        ai.setNotAsserted("No Nonce");
      } else {
        assertPolicy(aim, SP13Constants.NONCE);
      }
    }

    assertPolicy(aim, SPConstants.USERNAME_TOKEN10);
    assertPolicy(aim, SPConstants.USERNAME_TOKEN11);
    assertPolicy(aim, SPConstants.SUPPORTING_TOKENS);

    if (signed || isTLSInUse(message)) {
      assertPolicy(aim, SPConstants.SIGNED_SUPPORTING_TOKENS);
    }
    return tok;
  }
  protected void processToken(SoapMessage message) {
    Header h = findSecurityHeader(message, false);
    if (h == null) {
      return;
    }
    boolean utWithCallbacks =
        MessageUtils.getContextualBoolean(message, SecurityConstants.VALIDATE_TOKEN, true);

    Element el = (Element) h.getObject();
    Element child = DOMUtils.getFirstElement(el);
    while (child != null) {
      if (SPConstants.USERNAME_TOKEN.equals(child.getLocalName())
          && WSConstants.WSSE_NS.equals(child.getNamespaceURI())) {
        try {
          Principal principal = null;
          Subject subject = null;
          if (utWithCallbacks) {
            final WSSecurityEngineResult result = validateToken(child, message);
            principal = (Principal) result.get(WSSecurityEngineResult.TAG_PRINCIPAL);
            subject = (Subject) result.get(WSSecurityEngineResult.TAG_SUBJECT);
          } else {
            boolean bspCompliant = isWsiBSPCompliant(message);
            principal = parseTokenAndCreatePrincipal(child, bspCompliant);
            WSS4JTokenConverter.convertToken(message, principal);
          }

          SecurityContext sc = message.get(SecurityContext.class);
          if (sc == null || sc.getUserPrincipal() == null) {
            if (subject != null && principal != null) {
              message.put(SecurityContext.class, createSecurityContext(principal, subject));
            } else if (principal instanceof UsernameTokenPrincipal) {
              UsernameTokenPrincipal utPrincipal = (UsernameTokenPrincipal) principal;
              String nonce = null;
              if (utPrincipal.getNonce() != null) {
                nonce = Base64.encode(utPrincipal.getNonce());
              }
              subject =
                  createSubject(
                      utPrincipal.getName(),
                      utPrincipal.getPassword(),
                      utPrincipal.isPasswordDigest(),
                      nonce,
                      utPrincipal.getCreatedTime());
              message.put(SecurityContext.class, createSecurityContext(utPrincipal, subject));
            }
          }

          if (principal instanceof UsernameTokenPrincipal) {
            storeResults((UsernameTokenPrincipal) principal, message);
          }
        } catch (WSSecurityException ex) {
          throw new Fault(ex);
        } catch (Base64DecodingException ex) {
          throw new Fault(ex);
        }
      }
      child = DOMUtils.getNextElement(child);
    }
  }
  private void storeResults(UsernameTokenPrincipal principal, SoapMessage message) {
    List<WSSecurityEngineResult> v = new ArrayList<WSSecurityEngineResult>();
    int action = WSConstants.UT;
    if (principal.getPassword() == null) {
      action = WSConstants.UT_NOPASSWORD;
    }
    v.add(0, new WSSecurityEngineResult(action, principal, null, null, null));
    List<WSHandlerResult> results =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (results == null) {
      results = new ArrayList<WSHandlerResult>();
      message.put(WSHandlerConstants.RECV_RESULTS, results);
    }
    WSHandlerResult rResult = new WSHandlerResult(null, v);
    results.add(0, rResult);

    assertTokens(message, principal, false);
    message.put(WSS4JInInterceptor.PRINCIPAL_RESULT, principal);
  }