示例#1
0
  @Test
  public void testSaml1SignedSenderVouches() throws Exception {
    // Create + configure service
    Service service = createService();

    WSSSecurityProperties inProperties = new WSSSecurityProperties();
    Properties cryptoProperties =
        CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
    inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);
    WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
    service.getInInterceptors().add(inhandler);

    // Create + configure client
    Echo echo = createClientProxy();

    Client client = ClientProxy.getClient(echo);
    client.getInInterceptors().add(new LoggingInInterceptor());
    client.getOutInterceptors().add(new LoggingOutInterceptor());

    Map<String, Object> properties = new HashMap<String, Object>();
    properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
    properties.put(WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler());

    properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    properties.put(WSHandlerConstants.USER, "alice");
    properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
    properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");

    WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
    client.getOutInterceptors().add(ohandler);

    assertEquals("test", echo.echo("test"));
  }
示例#2
0
  @Test
  public void testSaml1() throws Exception {
    // Create + configure service
    Service service = createService();

    WSSSecurityProperties inProperties = new WSSSecurityProperties();
    inProperties.setValidateSamlSubjectConfirmation(false);
    WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
    service.getInInterceptors().add(inhandler);

    // Create + configure client
    Echo echo = createClientProxy();

    Client client = ClientProxy.getClient(echo);
    client.getInInterceptors().add(new LoggingInInterceptor());
    client.getOutInterceptors().add(new LoggingOutInterceptor());

    Map<String, Object> properties = new HashMap<String, Object>();
    properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_UNSIGNED);
    properties.put(WSHandlerConstants.SAML_CALLBACK_REF, new SAML1CallbackHandler());

    WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
    client.getOutInterceptors().add(ohandler);

    assertEquals("test", echo.echo("test"));
  }
示例#3
0
  @Test
  public void testSaml2TokenHOK() throws Exception {
    // Create + configure service
    Service service = createService();

    WSSSecurityProperties inProperties = new WSSSecurityProperties();
    Properties cryptoProperties =
        CryptoFactory.getProperties("insecurity.properties", this.getClass().getClassLoader());
    inProperties.setSignatureVerificationCryptoProperties(cryptoProperties);

    CustomStaxSamlValidator validator = new CustomStaxSamlValidator();
    inProperties.addValidator(WSConstants.SAML_TOKEN, validator);
    inProperties.addValidator(WSConstants.SAML2_TOKEN, validator);

    WSS4JStaxInInterceptor inhandler = new WSS4JStaxInInterceptor(inProperties);
    service.getInInterceptors().add(inhandler);

    // Create + configure client
    Echo echo = createClientProxy();

    Client client = ClientProxy.getClient(echo);
    client.getInInterceptors().add(new LoggingInInterceptor());
    client.getOutInterceptors().add(new LoggingOutInterceptor());

    Map<String, Object> properties = new HashMap<String, Object>();
    properties.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
    SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
    callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
    callbackHandler.setSignAssertion(true);
    properties.put(WSHandlerConstants.SAML_CALLBACK_REF, callbackHandler);

    properties.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
    properties.put(WSHandlerConstants.USER, "alice");
    properties.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordCallbackHandler());
    properties.put(WSHandlerConstants.SIG_PROP_FILE, "alice.properties");

    WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(properties);
    client.getOutInterceptors().add(ohandler);

    try {
      echo.echo("test");
      fail("Failure expected on receiving sender vouches instead of HOK");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
      // expected
    }
    validator.setRequireSenderVouches(false);

    try {
      echo.echo("test");
      fail("Failure expected on receiving a SAML 1.1 Token instead of SAML 2.0");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
      // expected
    }
    validator.setRequireSAML1Assertion(false);

    assertEquals("test", echo.echo("test"));
  }
示例#4
0
  public void handleBinding() {
    AssertionInfoMap aim = getMessage().get(AssertionInfoMap.class);
    configureTimestamp(aim);
    assertPolicy(sbinding.getName());

    String asymSignatureAlgorithm =
        (String)
            getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
    if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
      sbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
    }
    String symSignatureAlgorithm =
        (String)
            getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
    if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
      sbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
    }

    // Set up CallbackHandler which wraps the configured Handler
    WSSSecurityProperties properties = getProperties();
    TokenStoreCallbackHandler callbackHandler =
        new TokenStoreCallbackHandler(
            properties.getCallbackHandler(), TokenStoreUtils.getTokenStore(message));
    properties.setCallbackHandler(callbackHandler);

    if (sbinding.getProtectionOrder()
        == AbstractSymmetricAsymmetricBinding.ProtectionOrder.EncryptBeforeSigning) {
      doEncryptBeforeSign();
      assertPolicy(
          new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_BEFORE_SIGNING));
    } else {
      doSignBeforeEncrypt();
      assertPolicy(
          new QName(sbinding.getName().getNamespaceURI(), SPConstants.SIGN_BEFORE_ENCRYPTING));
    }

    if (!isRequestor()) {
      properties.setEncryptSymmetricEncryptionKey(false);
    }

    configureLayout(aim);
    assertAlgorithmSuite(sbinding.getAlgorithmSuite());
    assertWSSProperties(sbinding.getName().getNamespaceURI());
    assertTrustProperties(sbinding.getName().getNamespaceURI());
    assertPolicy(
        new QName(
            sbinding.getName().getNamespaceURI(), SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY));
    if (sbinding.isProtectTokens()) {
      assertPolicy(new QName(sbinding.getName().getNamespaceURI(), SPConstants.PROTECT_TOKENS));
    }
  }
示例#5
0
  private void doSignature(
      AbstractTokenWrapper wrapper,
      AbstractToken policyToken,
      SecurityToken tok,
      List<SecurePart> sigParts)
      throws WSSecurityException, SOAPException {

    // Action
    WSSSecurityProperties properties = getProperties();
    WSSConstants.Action actionToPerform = WSSConstants.SIGNATURE;
    if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
      actionToPerform = WSSConstants.SIGNATURE_WITH_DERIVED_KEY;
      if (MessageUtils.isRequestor(message) && policyToken instanceof X509Token) {
        properties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
      } else {
        properties.setDerivedKeyTokenReference(
            WSSConstants.DerivedKeyTokenReference.DirectReference);
      }
      AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
      properties.setDerivedSignatureKeyLength(algSuiteType.getSignatureDerivedKeyLength() / 8);
    }

    if (policyToken.getVersion() == SPConstants.SPVersion.SP12) {
      properties.setUse200512Namespace(true);
    }

    List<WSSConstants.Action> actionList = properties.getActions();
    // Add a Signature directly before Kerberos, otherwise just append it
    boolean actionAdded = false;
    for (int i = 0; i < actionList.size(); i++) {
      WSSConstants.Action action = actionList.get(i);
      if (action.equals(WSSConstants.KERBEROS_TOKEN)) {
        actionList.add(i, actionToPerform);
        actionAdded = true;
        break;
      }
    }
    if (!actionAdded) {
      actionList.add(actionToPerform);
    }

    properties.getSignatureSecureParts().addAll(sigParts);

    AbstractToken sigToken = wrapper.getToken();
    if (sbinding.isProtectTokens() && sigToken instanceof X509Token && isRequestor()) {
      SecurePart securePart =
          new SecurePart(new QName(WSSConstants.NS_XMLENC, "EncryptedKey"), Modifier.Element);
      properties.addSignaturePart(securePart);
    }

    configureSignature(sigToken, false);

    if (policyToken instanceof X509Token) {
      properties.setIncludeSignatureToken(false);
      if (isRequestor()) {
        properties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_EncryptedKey);
      } else {
        properties.setSignatureKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
        if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setDerivedKeyKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        }
      }
    } else if (policyToken instanceof KerberosToken) {
      if (isRequestor()) {
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else {
        if (wrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        } else {
          properties.setSignatureKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        }
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
      }
    } else if (policyToken instanceof IssuedToken
        || policyToken instanceof SecurityContextToken
        || policyToken instanceof SecureConversationToken
        || policyToken instanceof SpnegoContextToken) {
      if (!isRequestor()) {
        properties.setIncludeSignatureToken(false);
      } else {
        properties.setIncludeSignatureToken(true);
      }
      properties.setDerivedKeyKeyIdentifier(
          WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
    }

    if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
      properties.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
    }
  }
示例#6
0
  private void doEncryption(
      AbstractTokenWrapper recToken, List<SecurePart> encrParts, boolean externalRef)
      throws SOAPException {
    // Do encryption
    if (recToken != null && recToken.getToken() != null) {
      AbstractToken encrToken = recToken.getToken();
      AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();

      // Action
      WSSSecurityProperties properties = getProperties();
      WSSConstants.Action actionToPerform = WSSConstants.ENCRYPT;
      if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        actionToPerform = WSSConstants.ENCRYPT_WITH_DERIVED_KEY;
        if (MessageUtils.isRequestor(message) && recToken.getToken() instanceof X509Token) {
          properties.setDerivedKeyTokenReference(
              WSSConstants.DerivedKeyTokenReference.EncryptedKey);
        } else {
          properties.setDerivedKeyTokenReference(
              WSSConstants.DerivedKeyTokenReference.DirectReference);
        }
        AlgorithmSuiteType algSuiteType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
        properties.setDerivedEncryptionKeyLength(algSuiteType.getEncryptionDerivedKeyLength() / 8);
      }

      if (recToken.getVersion() == SPConstants.SPVersion.SP12) {
        properties.setUse200512Namespace(true);
      }

      properties.getEncryptionSecureParts().addAll(encrParts);
      properties.addAction(actionToPerform);

      if (isRequestor()) {
        properties.setEncryptionKeyIdentifier(getKeyIdentifierType(encrToken));
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else if (recToken.getToken() instanceof KerberosToken && !isRequestor()) {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        properties.setDerivedKeyKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_KERBEROS_SHA1_IDENTIFIER);
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setEncryptionKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
        }
      } else if ((recToken.getToken() instanceof IssuedToken
              || recToken.getToken() instanceof SecureConversationToken
              || recToken.getToken() instanceof SpnegoContextToken)
          && !isRequestor()) {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
      } else {
        properties.setEncryptionKeyIdentifier(
            WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
        if (recToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
          properties.setDerivedKeyKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_ENCRYPTED_KEY_SHA1_IDENTIFIER);
          properties.setEncryptionKeyIdentifier(
              WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
          properties.setEncryptSymmetricEncryptionKey(false);
        }
      }

      // Find out do we also need to include the token as per the Inclusion requirement
      WSSecurityTokenConstants.KeyIdentifier keyIdentifier =
          properties.getEncryptionKeyIdentifier();
      if (encrToken instanceof X509Token
          && isTokenRequired(encrToken.getIncludeTokenType())
          && (WSSecurityTokenConstants.KeyIdentifier_IssuerSerial.equals(keyIdentifier)
              || WSSecurityTokenConstants.KEYIDENTIFIER_THUMBPRINT_IDENTIFIER.equals(keyIdentifier)
              || WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE.equals(
                  keyIdentifier))) {
        properties.setIncludeEncryptionToken(true);
      } else {
        properties.setIncludeEncryptionToken(false);
      }

      properties.setEncryptionKeyTransportAlgorithm(
          algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap());
      properties.setEncryptionSymAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());

      String encUser =
          (String)
              SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message);
      if (encUser == null) {
        encUser =
            (String) SecurityUtils.getSecurityPropertyValue(SecurityConstants.USERNAME, message);
      }
      if (encUser != null && properties.getEncryptionUser() == null) {
        properties.setEncryptionUser(encUser);
      }
      if (ConfigurationConstants.USE_REQ_SIG_CERT.equals(encUser)) {
        properties.setUseReqSigCertForEncryption(true);
      }

      if (encrToken instanceof KerberosToken
          || encrToken instanceof IssuedToken
          || encrToken instanceof SpnegoContextToken
          || encrToken instanceof SecurityContextToken
          || encrToken instanceof SecureConversationToken) {
        properties.setEncryptSymmetricEncryptionKey(false);
      }
    }
  }
示例#7
0
  private void doSignBeforeEncrypt() {
    AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
    assertTokenWrapper(sigAbstractTokenWrapper);
    AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
    String sigTokId = null;

    try {
      SecurityToken sigTok = null;
      if (sigToken != null) {
        if (sigToken instanceof KerberosToken) {
          sigTok = getSecurityToken();
          if (isRequestor()) {
            addKerberosToken((KerberosToken) sigToken, false, true, true);
          }
        } else if (sigToken instanceof IssuedToken) {
          sigTok = getSecurityToken();
          addIssuedToken((IssuedToken) sigToken, sigTok, false, true);

          if (sigTok == null && !isRequestor()) {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof SecureConversationToken
            || sigToken instanceof SecurityContextToken
            || sigToken instanceof SpnegoContextToken) {
          sigTok = getSecurityToken();
          if (sigTok != null && isRequestor()) {
            WSSSecurityProperties properties = getProperties();
            WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
            properties.addAction(actionToPerform);
          } else if (sigTok == null && !isRequestor()) {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof X509Token) {
          if (isRequestor()) {
            sigTokId = setupEncryptedKey(sigAbstractTokenWrapper, sigToken);
          } else {
            org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
                findEncryptedKeyToken();
            sigTokId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
          }
        } else if (sigToken instanceof UsernameToken) {
          unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
          return;
        }
        assertToken(sigToken);
      } else {
        unassertPolicy(sbinding, "No signature token");
        return;
      }

      if (sigTok == null && StringUtils.isEmpty(sigTokId)) {
        unassertPolicy(sigAbstractTokenWrapper, "No signature token id");
        return;
      }
      if (sigTok == null) {
        sigTok = TokenStoreUtils.getTokenStore(message).getToken(sigTokId);
      }

      // Store key
      if (!(MessageUtils.isRequestor(message) && sigToken instanceof KerberosToken)) {
        storeSecurityToken(sigToken, sigTok);
      }

      // Add timestamp
      List<SecurePart> sigs = new ArrayList<>();
      if (timestampAdded) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
        sigs.add(part);
      }
      sigs.addAll(this.getSignedParts());

      if (!isRequestor()) {
        addSignatureConfirmation(sigs);
      }

      if (!sigs.isEmpty()) {
        doSignature(sigAbstractTokenWrapper, sigToken, sigTok, sigs);
      }

      addSupportingTokens();
      removeSignatureIfSignedSAML();
      prependSignatureToSC();

      // Encryption
      List<SecurePart> enc = getEncryptedParts();

      // Check for signature protection
      if (sbinding.isEncryptSignature()) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
        enc.add(part);
        if (signatureConfirmationAdded) {
          part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
          enc.add(part);
        }
        assertPolicy(
            new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
      }

      // Do encryption
      if (isRequestor()) {
        enc.addAll(encryptedTokensList);
      }
      AbstractTokenWrapper encrAbstractTokenWrapper = getEncryptionToken();
      doEncryption(encrAbstractTokenWrapper, enc, false);

      putCustomTokenAfterSignature();
    } catch (Exception e) {
      throw new Fault(e);
    }
  }
示例#8
0
  private void doEncryptBeforeSign() {
    try {
      AbstractTokenWrapper encryptionWrapper = getEncryptionToken();
      assertTokenWrapper(encryptionWrapper);
      AbstractToken encryptionToken = encryptionWrapper.getToken();

      String tokenId = null;
      SecurityToken tok = null;
      if (encryptionToken instanceof KerberosToken) {
        tok = getSecurityToken();
        if (MessageUtils.isRequestor(message)) {
          addKerberosToken((KerberosToken) encryptionToken, false, true, true);
        }
      } else if (encryptionToken instanceof IssuedToken) {
        tok = getSecurityToken();
        addIssuedToken((IssuedToken) encryptionToken, tok, false, true);

        if (tok == null && !isRequestor()) {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findInboundSecurityToken(WSSecurityEventConstants.SAML_TOKEN);
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof SecureConversationToken
          || encryptionToken instanceof SecurityContextToken
          || encryptionToken instanceof SpnegoContextToken) {
        tok = getSecurityToken();
        if (tok != null && isRequestor()) {
          WSSSecurityProperties properties = getProperties();
          WSSConstants.Action actionToPerform = WSSConstants.CUSTOM_TOKEN;
          properties.addAction(actionToPerform);
        } else if (tok == null && !isRequestor()) {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findInboundSecurityToken(WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN);
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof X509Token) {
        if (isRequestor()) {
          tokenId = setupEncryptedKey(encryptionWrapper, encryptionToken);
        } else {
          org.apache.xml.security.stax.securityToken.SecurityToken securityToken =
              findEncryptedKeyToken();
          tokenId = WSS4JUtils.parseAndStoreStreamingSecurityToken(securityToken, message);
        }
      } else if (encryptionToken instanceof UsernameToken) {
        unassertPolicy(sbinding, "UsernameTokens not supported with Symmetric binding");
        return;
      }
      assertToken(encryptionToken);
      if (tok == null) {
        tokenId = XMLUtils.getIDFromReference(tokenId);

        // Get hold of the token from the token storage
        tok = TokenStoreUtils.getTokenStore(message).getToken(tokenId);
      }

      // Store key
      if (!(MessageUtils.isRequestor(message) && encryptionToken instanceof KerberosToken)) {
        storeSecurityToken(encryptionToken, tok);
      }

      List<SecurePart> encrParts = null;
      List<SecurePart> sigParts = null;
      try {
        encrParts = getEncryptedParts();
        // Signed parts are determined before encryption because encrypted signed headers
        // will not be included otherwise
        sigParts = getSignedParts();
      } catch (SOAPException ex) {
        throw new Fault(ex);
      }

      addSupportingTokens();

      if (encryptionToken != null && encrParts.size() > 0) {
        if (isRequestor()) {
          encrParts.addAll(encryptedTokensList);
        }

        // Check for signature protection
        if (sbinding.isEncryptSignature()) {
          SecurePart part =
              new SecurePart(new QName(WSSConstants.NS_DSIG, "Signature"), Modifier.Element);
          encrParts.add(part);
          if (signatureConfirmationAdded) {
            part = new SecurePart(WSSConstants.TAG_WSSE11_SIG_CONF, Modifier.Element);
            encrParts.add(part);
          }
          assertPolicy(
              new QName(sbinding.getName().getNamespaceURI(), SPConstants.ENCRYPT_SIGNATURE));
        }

        doEncryption(encryptionWrapper, encrParts, true);
      }

      if (timestampAdded) {
        SecurePart part =
            new SecurePart(new QName(WSSConstants.NS_WSU10, "Timestamp"), Modifier.Element);
        sigParts.add(part);
      }
      sigParts.addAll(this.getSignedParts());

      if (sigParts.size() > 0) {
        AbstractTokenWrapper sigAbstractTokenWrapper = getSignatureToken();
        if (sigAbstractTokenWrapper != null) {
          AbstractToken sigToken = sigAbstractTokenWrapper.getToken();
          if (isRequestor()) {
            doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
          } else {
            addSignatureConfirmation(sigParts);
            doSignature(sigAbstractTokenWrapper, sigToken, tok, sigParts);
          }
        }
      }

      removeSignatureIfSignedSAML();
      enforceEncryptBeforeSigningWithSignedSAML();
      prependSignatureToSC();
      putCustomTokenAfterSignature();
    } catch (RuntimeException ex) {
      throw ex;
    } catch (Exception ex) {
      throw new Fault(ex);
    }
  }