org.apache.cxf.ws.security.tokenstore.SecurityToken Java Examples

Example #1
Source File: IdpTokenExpiredAction.java — from cxf-fediz, Apache License 2.0
/**
 * Reports whether the IdP token cached for {@code homeRealm} is absent or expired.
 *
 * @param homeRealm realm whose cached IdP token is looked up in the external context
 * @param context   the current request context
 * @return {@code true} when no token is cached under the realm, or when expiry checking
 *         ({@code tokenExpirationValidation}) is enabled and the token reports itself expired
 * @throws Exception propagated from the external-context lookup
 */
public boolean isTokenExpired(String homeRealm, RequestContext context)
    throws Exception {

    Object cachedAttribute = WebUtils.getAttributeFromExternalContext(context, homeRealm);
    SecurityToken idpToken = (SecurityToken) cachedAttribute;
    if (idpToken == null) {
        // Nothing cached for this realm counts as expired
        return true;
    }

    // Expiry is only enforced when the validation flag is on
    boolean expired = tokenExpirationValidation && idpToken.isExpired();
    if (expired) {
        LOG.info("[IDP_TOKEN=" + idpToken.getId() + "] is expired.");
    }
    return expired;
}
 
Example #2
Source File: SymmetricBindingHandler.java — from cxf, Apache License 2.0
/**
 * Wraps the message's EncryptedKey result in a cacheable {@link SecurityToken}.
 *
 * @return a token carrying the EncryptedKey id, its secret and the SHA-1 of the encrypted
 *         ephemeral key, valid from now for the lifetime reported by
 *         {@code WSS4JUtils.getSecurityTokenLifetime}; {@code null} when the message has no
 *         EncryptedKey result
 */
private SecurityToken getEncryptedKey() {
    WSSecurityEngineResult ekResult = getEncryptedKeyResult();
    if (ekResult == null) {
        return null;
    }

    // Store it in the cache. The lifetime is divided by 1000 (presumably ms -> s; SecurityToken
    // takes seconds here).
    Instant issuedAt = Instant.now();
    long lifetimeSeconds = WSS4JUtils.getSecurityTokenLifetime(message) / 1000L;
    Instant validUntil = issuedAt.plusSeconds(lifetimeSeconds);

    String tokenId = (String) ekResult.get(WSSecurityEngineResult.TAG_ID);
    byte[] secret = (byte[]) ekResult.get(WSSecurityEngineResult.TAG_SECRET);
    byte[] ephemeralKey = (byte[]) ekResult.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY);

    SecurityToken token = new SecurityToken(tokenId, issuedAt, validUntil);
    token.setSecret(secret);
    token.setSHA1(getSHA1(ephemeralKey));
    return token;
}
 
Example #3
Source File: STSInvoker.java — from cxf, Apache License 2.0
/**
 * Writes the WS-Trust Cancel response for {@code cancelToken} and removes the token from the
 * endpoint's {@link TokenStore}.
 *
 * @param exchange    the current exchange; its endpoint's TokenStore is used for the removal
 * @param cancelToken the token being cancelled; it is also placed on the exchange under
 *                    {@code SecurityConstants.TOKEN} so the response can be signed
 * @param writer      DOM stream writer the response elements are written to
 * @param prefix      namespace prefix for the WS-Trust elements
 * @param namespace   WS-Trust namespace; {@code WST_NS_05_12} additionally wraps the response
 *                    in a RequestSecurityTokenResponseCollection
 * @throws Exception propagated from the writer
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    boolean collectionWrapper = STSUtils.WST_NS_05_12.equals(namespace);
    if (collectionWrapper) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    TokenStore tokenStore = (TokenStore) exchange.getEndpoint().getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    tokenStore.remove(cancelToken.getId());
    // Put the token on the out message so that we can sign the response
    exchange.put(SecurityConstants.TOKEN, cancelToken);
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (collectionWrapper) {
        writer.writeEndElement();
    }
}
 
Example #4
Source File: DefaultSTSTokenCacher.java — from cxf, Apache License 2.0
/**
 * Looks up the issued token previously cached against {@code delegationToken}.
 *
 * The delegation token's id is resolved in the message's TokenStore; if that cached entry
 * has a property named {@code cacheKey}, the property's value is taken as the id of the
 * issued token, which is then fetched from the same store.
 *
 * @param message         current message, used to locate the TokenStore
 * @param delegationToken DOM element of the delegation token; {@code null} yields {@code null}
 * @param cacheKey        property name under which the issued token's id was recorded
 * @return the cached issued token, or {@code null} when any step of the lookup misses
 * @throws TokenStoreException propagated from the TokenStore
 */
public SecurityToken retrieveToken(Message message, Element delegationToken, String cacheKey)
        throws TokenStoreException {
    if (delegationToken == null) {
        return null;
    }
    TokenStore tokenStore = TokenStoreUtils.getTokenStore(message);

    // See if the token corresponding to the delegation Token is stored in the cache
    // and if it points to an issued token
    SecurityToken delegationEntry = tokenStore.getToken(getIdFromToken(delegationToken));
    if (delegationEntry == null) {
        return null;
    }
    Map<String, Object> props = delegationEntry.getProperties();
    if (props == null || !props.containsKey(cacheKey)) {
        return null;
    }
    String issuedTokenId = (String) props.get(cacheKey);
    return tokenStore.getToken(issuedTokenId);
}
 
Example #5
Source File: AbstractBindingBuilder.java — from steady, Apache License 2.0
/**
 * Store a SAML Assertion as a SecurityToken.
 *
 * The token is keyed by the assertion's id and typed as SAML 2.0 when the wrapper exposes a
 * SAML2 object, otherwise as SAML 1.1; its id is then published on the message under
 * {@code SecurityConstants.TOKEN_ID}. Assertions whose id cannot be found are ignored.
 *
 * @param assertion the wrapped assertion to cache
 */
protected void storeAssertionAsSecurityToken(AssertionWrapper assertion) {
    String assertionId = findIDFromSamlToken(assertion.getElement());
    if (assertionId == null) {
        return;
    }
    String tokenType = assertion.getSaml2() != null
        ? WSConstants.WSS_SAML2_TOKEN_TYPE
        : WSConstants.WSS_SAML_TOKEN_TYPE;

    SecurityToken cached = new SecurityToken(assertionId);
    cached.setTokenType(tokenType);
    cached.setToken(assertion.getElement());
    getTokenStore().add(cached);
    message.setContextualProperty(SecurityConstants.TOKEN_ID, cached.getId());
}
 
Example #6
Source File: AbstractBindingBuilder.java — from cxf, Apache License 2.0
/**
 * Store a SAML Assertion as a SecurityToken.
 *
 * The token is keyed by the assertion's id and typed as SAML 2.0 when the wrapper exposes a
 * SAML2 object, otherwise as SAML 1.1; its id is then put on the message under
 * {@code SecurityConstants.TOKEN_ID}. Assertions whose id cannot be found are ignored.
 *
 * @param assertion the wrapped assertion to cache
 * @throws TokenStoreException propagated from the TokenStore
 */
protected void storeAssertionAsSecurityToken(SamlAssertionWrapper assertion) throws TokenStoreException {
    String assertionId = findIDFromSamlToken(assertion.getElement());
    if (assertionId == null) {
        return;
    }
    String tokenType = assertion.getSaml2() != null
        ? WSS4JConstants.WSS_SAML2_TOKEN_TYPE
        : WSS4JConstants.WSS_SAML_TOKEN_TYPE;

    SecurityToken cached = new SecurityToken(assertionId);
    cached.setTokenType(tokenType);
    cached.setToken(assertion.getElement());
    getTokenStore().add(cached);
    message.put(SecurityConstants.TOKEN_ID, cached.getId());
}
 
Example #7
Source File: STSClient.java — from steady, Apache License 2.0
/**
 * Issues a token from the STS and converts the response into a {@link SecurityToken}.
 *
 * When the response carries a certificate it is attached to the token. If the resulting
 * token has no TokenType, the type is taken from the request template, and failing that
 * from this client's configured {@code tokenType}.
 *
 * @param appliesTo      AppliesTo address sent in the request
 * @param action         WS-Addressing action of the request
 * @param requestType    WS-Trust RequestType
 * @param binaryExchange BinaryExchange payload, if any
 * @return the issued token
 * @throws Exception propagated from the issue call or response parsing
 */
public SecurityToken requestSecurityToken(
    String appliesTo, String action, String requestType, String binaryExchange
) throws Exception {
    STSResponse response = issue(appliesTo, action, requestType, binaryExchange);

    SecurityToken token = createSecurityToken(
        getDocumentElement(response.getResponse()), response.getEntropy());

    if (response.getCert() != null) {
        token.setX509Certificate(response.getCert(), response.getCrypto());
    }
    if (token.getTokenType() == null) {
        // Template wins over the client-level default
        String fromTemplate = getTokenTypeFromTemplate();
        String fallbackType = fromTemplate != null ? fromTemplate : tokenType;
        if (fallbackType != null) {
            token.setTokenType(fallbackType);
        }
    }
    return token;
}
 
Example #8
Source File: SecurityContextTokenCancelTest.java — from cxf, Apache License 2.0
/**
 * Requests a SecurityContextToken from the Transport STS endpoint as user "alice".
 *
 * @param bus           bus the STS client is created on
 * @param wsdlLocation  WSDL of the STS
 * @param enableEntropy whether the client contributes entropy to the key
 * @return the issued token (secure-conversation, 128-bit key)
 * @throws Exception propagated from the STS call
 */
private SecurityToken requestSecurityToken(
    Bus bus, String wsdlLocation, boolean enableEntropy
) throws Exception {
    STSClient client = new STSClient(bus);
    client.setWsdlLocation(wsdlLocation);
    client.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
    client.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");

    Map<String, Object> clientProps = new HashMap<>();
    clientProps.put(SecurityConstants.USERNAME, "alice");
    clientProps.put(SecurityConstants.CALLBACK_HANDLER,
                    "org.apache.cxf.systest.sts.common.CommonCallbackHandler");
    clientProps.put("ws-security.sts.token.properties", "serviceKeystore.properties");
    client.setProperties(clientProps);

    // Secure conversation with a 128-bit key; entropy contribution is up to the caller
    client.setSecureConv(true);
    client.setRequiresEntropy(enableEntropy);
    client.setKeySize(128);
    client.setAddressingNamespace("http://www.w3.org/2005/08/addressing");

    return client.requestSecurityToken(null);
}
 
Example #9
Source File: SAMLRenewUnitTest.java — from cxf, Apache License 2.0
/**
 * Sends {@code securityToken} to the Transport STS endpoint for validation as user "alice".
 *
 * @param bus           bus the STS client is created on
 * @param wsdlLocation  WSDL of the STS
 * @param securityToken the token to validate
 * @return the tokens returned by the STS validate operation
 * @throws Exception propagated from the STS call
 */
private List<SecurityToken> validateSecurityToken(
    Bus bus, String wsdlLocation, SecurityToken securityToken
) throws Exception {
    STSClient client = new STSClient(bus);
    client.setWsdlLocation(wsdlLocation);
    client.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
    client.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");

    Map<String, Object> clientProps = new HashMap<>();
    clientProps.put(SecurityConstants.USERNAME, "alice");
    clientProps.put(SecurityConstants.CALLBACK_HANDLER,
                    "org.apache.cxf.systest.sts.common.CommonCallbackHandler");
    clientProps.put(SecurityConstants.STS_TOKEN_PROPERTIES, "serviceKeystore.properties");
    client.setProperties(clientProps);

    client.setAddressingNamespace("http://www.w3.org/2005/08/addressing");

    return client.validateSecurityToken(securityToken);
}
 
Example #10
Source File: SymmetricBindingHandler.java — from steady, Apache License 2.0
/**
 * Builds a UsernameToken with a derived key, caches it as a {@link SecurityToken}, and
 * returns its id.
 *
 * The cached token carries the UsernameToken element and the derived secret and is valid
 * for five minutes from creation.
 *
 * @param sigToken the policy UsernameToken to derive the key from
 * @return the id of the generated UsernameToken, which is also the cache key
 * @throws WSSecurityException propagated from UsernameToken construction
 */
private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
    boolean macRequired = hasSignedPartsOrElements();
    WSSecUsernameToken utBuilder = addDKUsernameToken(sigToken, macRequired);
    String utId = utBuilder.getId();
    byte[] derivedSecret = utBuilder.getDerivedKey();

    Date issuedAt = new Date();
    // 300000 ms = 5 minutes
    Date validUntil = new Date(issuedAt.getTime() + 300000);

    SecurityToken cached =
        new SecurityToken(utId, utBuilder.getUsernameTokenElement(), issuedAt, validUntil);
    cached.setSecret(derivedSecret);
    tokenStore.add(cached);

    return utId;
}
 
Example #11
Source File: AbstractBindingBuilder.java — from steady, Apache License 2.0
/**
 * Store a SAML Assertion as a SecurityToken.
 *
 * The token is keyed by the assertion's id and typed as SAML 2.0 when the wrapper exposes a
 * SAML2 object, otherwise as SAML 1.1; its id is then published on the message under
 * {@code SecurityConstants.TOKEN_ID}. Assertions whose id cannot be found are ignored.
 *
 * @param assertion the wrapped assertion to cache
 */
protected void storeAssertionAsSecurityToken(AssertionWrapper assertion) {
    String assertionId = findIDFromSamlToken(assertion.getElement());
    if (assertionId == null) {
        return;
    }
    String tokenType = assertion.getSaml2() != null
        ? WSConstants.WSS_SAML2_TOKEN_TYPE
        : WSConstants.WSS_SAML_TOKEN_TYPE;

    SecurityToken cached = new SecurityToken(assertionId);
    cached.setTokenType(tokenType);
    cached.setToken(assertion.getElement());
    getTokenStore().add(cached);
    message.setContextualProperty(SecurityConstants.TOKEN_ID, cached.getId());
}
 
Example #12
Source File: KerberosTokenInterceptorProvider.java — from steady, Apache License 2.0
/**
 * Caches the first Kerberos token in the handler results that satisfies the policy.
 *
 * The token's secret is stored with it and its id is put on the exchange under
 * {@code SecurityConstants.TOKEN_ID}. Results failing policy validation are skipped;
 * nothing happens when none passes.
 *
 * @param rResult WSS4J handler result to scan for Kerberos tokens
 * @param message current message (used for validation and to locate the TokenStore)
 * @param aim     assertion info map the policy is validated against
 */
private void parseHandlerResults(
    WSHandlerResult rResult,
    Message message,
    AssertionInfoMap aim
) {
    for (WSSecurityEngineResult result : findKerberosResults(rResult.getResults())) {
        KerberosSecurity kerberosToken =
            (KerberosSecurity) result.get(WSSecurityEngineResult.TAG_BINARY_SECURITY_TOKEN);
        KerberosTokenPolicyValidator validator = new KerberosTokenPolicyValidator(message);
        if (!validator.validatePolicy(aim, kerberosToken)) {
            continue;
        }
        // First policy-valid token wins
        SecurityToken cached = createSecurityToken(kerberosToken);
        cached.setSecret((byte[]) result.get(WSSecurityEngineResult.TAG_SECRET));
        getTokenStore(message).add(cached);
        message.getExchange().put(SecurityConstants.TOKEN_ID, cached.getId());
        return;
    }
}
 
Example #13
Source File: STSInvoker.java — from steady, Apache License 2.0
/**
 * Writes the WS-Trust Cancel response for {@code cancelToken} and removes the token from the
 * endpoint's {@link TokenStore}.
 *
 * @param exchange    the current exchange; the TokenStore is read from its Endpoint's info
 * @param cancelToken the token being cancelled
 * @param writer      DOM stream writer the response elements are written to
 * @param prefix      namespace prefix for the WS-Trust elements
 * @param namespace   WS-Trust namespace; {@code WST_NS_05_12} additionally wraps the response
 *                    in a RequestSecurityTokenResponseCollection
 * @throws Exception propagated from the writer
 */
private void doCancel(
    Exchange exchange,
    SecurityToken cancelToken,
    W3CDOMStreamWriter writer,
    String prefix,
    String namespace
) throws Exception {
    boolean collectionWrapper = STSUtils.WST_NS_05_12.equals(namespace);
    if (collectionWrapper) {
        writer.writeStartElement(prefix, "RequestSecurityTokenResponseCollection", namespace);
    }
    writer.writeStartElement(prefix, "RequestSecurityTokenResponse", namespace);

    TokenStore tokenStore = (TokenStore) exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    tokenStore.remove(cancelToken.getId());
    writer.writeEmptyElement(prefix, "RequestedTokenCancelled", namespace);

    writer.writeEndElement();
    if (collectionWrapper) {
        writer.writeEndElement();
    }
}
 
Example #14
Source File: STSTokenRetriever.java — from cxf, Apache License 2.0
/**
 * Configures {@code client} from {@code params} and the message, then requests a token.
 *
 * @param message   current message; its addressing namespace and security properties are
 *                  copied onto the client
 * @param client    STS client to configure and invoke
 * @param appliesTo AppliesTo address sent with the request
 * @param params    trust versions, token template, WS-Policy namespace and claims
 * @return the token issued by the STS
 * @throws Exception propagated from the STS call
 */
private static SecurityToken getTokenFromSTS(Message message,
                                      STSClient client, String appliesTo,
                                      TokenRequestParams params) throws Exception {
    client.setTrust(params.getTrust10());
    client.setTrust(params.getTrust13());
    client.setTemplate(params.getTokenTemplate());

    String wspNamespace = params.getWspNamespace();
    if (wspNamespace != null) {
        client.setWspNamespace(wspNamespace);
    }
    String wsaNamespace = getAddressingNamespaceURI(message);
    if (wsaNamespace != null) {
        client.setAddressingNamespace(wsaNamespace);
    }
    if (params.getClaims() != null) {
        client.setClaims(params.getClaims());
    }
    // Security properties of the message are copied into the client's request context
    mapSecurityProps(message, client.getRequestContext());

    return client.requestSecurityToken(appliesTo);
}
 
Example #15
Source File: IssuedTokenInterceptorProvider.java — from steady, Apache License 2.0
/**
 * Configures {@code client} for the issued-token policy and requests a token.
 *
 * @param message   current message (unused here beyond the signature)
 * @param client    STS client to configure and invoke
 * @param aim       assertion info map the Trust10/Trust13 assertions are read from
 * @param maps      addressing properties; when {@code null} the no-argument request overload
 *                  is used and no addressing namespace is set
 * @param itok      issued-token assertion providing the RST template
 * @param appliesTo AppliesTo address sent when addressing properties are present
 * @return the token issued by the STS
 * @throws Exception propagated from the STS call
 */
private SecurityToken getTokenFromSTS(
    Message message,
    STSClient client,
    AssertionInfoMap aim,
    AddressingProperties maps,
    IssuedToken itok,
    String appliesTo
) throws Exception {
    client.setTrust(getTrust10(aim));
    client.setTrust(getTrust13(aim));
    client.setTemplate(itok.getRstTemplate());
    if (maps == null) {
        return client.requestSecurityToken();
    }
    client.setAddressingNamespace(maps.getNamespaceURI());
    return client.requestSecurityToken(appliesTo);
}
 
Example #16
Source File: SAMLDelegationTest.java — from cxf, Apache License 2.0
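/**
 * Obtains a SAML 2.0 bearer token from the UT endpoint and then uses it as OnBehalfOf.
 *
 * The OnBehalfOf request is expected to fail against the UT endpoint (no delegation
 * handler) and to succeed against the Transport endpoint. The bus is shut down in a
 * {@code finally} block so a failing assertion does not leave it running.
 *
 * @throws Exception propagated from bus creation or the STS calls
 */
@org.junit.Test
public void testSAMLOnBehalfOf() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SAMLDelegationTest.class.getResource("cxf-client.xml");

    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    try {
        // Get a token from the UT endpoint first
        SecurityToken token =
            requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, bus,
                                 DEFAULT_ADDRESS, "Transport_UT_Port");
        assertEquals(SAML2_TOKEN_TYPE, token.getTokenType());
        assertNotNull(token.getToken());

        // Use the first token as OnBehalfOf to get another token

        // First try with the UT endpoint. This should fail as there is no Delegation Handler.
        try {
            requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus,
                                     DEFAULT_ADDRESS, true, "Transport_UT_Port");
            fail("Failure expected on no delegation handler");
        } catch (Exception ex) {
            // expected
        }

        // Now send to the Transport endpoint.
        SecurityToken token2 =
            requestSecurityToken(SAML2_TOKEN_TYPE, BEARER_KEYTYPE, token.getToken(), bus,
                                 DEFAULT_ADDRESS, true, "Transport_Port");
        assertEquals(SAML2_TOKEN_TYPE, token2.getTokenType());
        assertNotNull(token2.getToken());
    } finally {
        // Always release the bus, even when an assertion above fails
        bus.shutdown(true);
    }
}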
 
Example #17
Source File: JWTUnitTest.java — from cxf, Apache License 2.0
/**
 * Requests a token of {@code tokenType} from the local Transport STS.
 *
 * @param tokenType       TokenType to request
 * @param bus             bus the STS client is created on
 * @param endpointAddress AppliesTo address passed to the STS
 * @param msgProperties   client properties; when {@code null}, a default set authenticating
 *                        "alice" via CommonCallbackHandler is used
 * @param wsdlPort        WSDL port name, or {@code null} for Transport_Port
 * @return the issued token
 * @throws Exception propagated from the STS call
 */
private SecurityToken requestSecurityToken(
    String tokenType,
    Bus bus,
    String endpointAddress,
    Map<String, Object> msgProperties,
    String wsdlPort
) throws Exception {
    STSClient client = new STSClient(bus);
    String stsPort = STSPORT;

    client.setWsdlLocation("https://localhost:" + stsPort + "/SecurityTokenService/Transport?wsdl");
    client.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
    String endpointName = wsdlPort != null
        ? "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}" + wsdlPort
        : "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port";
    client.setEndpointName(endpointName);

    Map<String, Object> clientProps = msgProperties;
    if (clientProps == null) {
        // Default credentials for the test user
        clientProps = new HashMap<>();
        clientProps.put(SecurityConstants.USERNAME, "alice");
        clientProps.put(SecurityConstants.CALLBACK_HANDLER,
                        "org.apache.cxf.systest.sts.common.CommonCallbackHandler");
    }

    client.setProperties(clientProps);
    client.setTokenType(tokenType);
    client.setSendKeyType(false);

    return client.requestSecurityToken(endpointAddress);
}
 
Example #18
Source File: NegotiationUtils.java — from steady, Apache License 2.0
/**
 * Return true on successfully parsing a SecurityContextToken result.
 *
 * The received-results list is scanned for the first SCT action. Its identifier is put on
 * the exchange under {@code SecurityConstants.TOKEN_ID} and, when a secret accompanies it,
 * the SCT is cached as a {@link SecurityToken}. Returns {@code false} when there are no
 * results or no SCT among them.
 *
 * @param message the inbound SOAP message carrying the WSS4J handler results
 * @return whether an SCT result was found
 */
static boolean parseSCTResult(SoapMessage message) {
    List<WSHandlerResult> handlerResults =
        CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
    if (handlerResults == null) {
        return false;
    }

    for (WSHandlerResult handlerResult : handlerResults) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action.intValue() != WSConstants.SCT) {
                continue;
            }
            SecurityContextToken sct =
                (SecurityContextToken) engineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
            message.getExchange().put(SecurityConstants.TOKEN_ID, sct.getIdentifier());

            // Only cache the SCT when a secret was established for it
            byte[] secret = (byte[]) engineResult.get(WSSecurityEngineResult.TAG_SECRET);
            if (secret != null) {
                SecurityToken cached = new SecurityToken(sct.getIdentifier());
                cached.setToken(sct.getElement());
                cached.setSecret(secret);
                cached.setTokenType(sct.getTokenType());
                getTokenStore(message).add(cached);
            }
            return true;
        }
    }
    return false;
}
 
Example #19
Source File: HazelCastTokenStore.java — from cxf, Apache License 2.0
/**
 * Adds {@code token} to the Hazelcast map, keyed by its id, with a TTL computed by
 * {@code getTTL}.
 *
 * Tokens that are {@code null}, have an empty id, or whose computed TTL is not positive are
 * silently not stored.
 *
 * @param token the token to cache
 */
public void add(SecurityToken token) {
    if (token == null || StringUtils.isEmpty(token.getId())) {
        return;
    }
    int ttlSeconds = getTTL(token);
    // A non-positive TTL is never written to the map
    if (ttlSeconds <= 0) {
        return;
    }
    getCacheMap().put(token.getId(), token, ttlSeconds, TimeUnit.SECONDS);
}
 
Example #20
Source File: AsymmetricEncryptionTest.java — from cxf, Apache License 2.0
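/**
 * Requests a token from the STS over the asymmetric-encryption binding and checks one is
 * returned. The bus is shut down in a {@code finally} block so a failing assertion does not
 * leave it running.
 *
 * @throws Exception propagated from bus creation or the STS call
 */
@org.junit.Test
public void testEncryptedToken() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SecurityContextTokenUnitTest.class.getResource("cxf-client.xml");

    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    try {
        SecurityToken token = requestSecurityToken(bus, test.getStsPort());
        assertNotNull(token);
    } finally {
        // Always release the bus, even when the assertion fails
        bus.shutdown(true);
    }
}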
 
Example #21
Source File: STSInvoker.java — from steady, Apache License 2.0
/**
 * Resolves the stored token that a Cancel request refers to.
 *
 * @param exchange the current exchange; the TokenStore is read from its Endpoint's info
 * @param el       element whose first child element is a SecurityTokenReference
 * @return whatever the TokenStore holds under the referenced URI (may be {@code null})
 * @throws WSSecurityException if the SecurityTokenReference cannot be parsed
 */
private SecurityToken findCancelToken(Exchange exchange, Element el) throws WSSecurityException {
    SecurityTokenReference str = new SecurityTokenReference(DOMUtils.getFirstElement(el));
    String referencedUri = str.getReference().getURI();
    TokenStore tokenStore = (TokenStore) exchange.get(Endpoint.class).getEndpointInfo()
            .getProperty(TokenStore.class.getName());
    return tokenStore.getToken(referencedUri);
}
 
Example #22
Source File: SAMLRenewUnitTest.java — from cxf, Apache License 2.0
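/**
 * Issues a short-lived SAML 2.0 token, lets it expire, then attempts a renewal with a
 * different issuer address and expects the STS to reject it. The bus is shut down in a
 * {@code finally} block so a failing assertion does not leave it running.
 *
 * @throws Exception propagated from bus creation or the STS calls
 */
@org.junit.Test
public void testRenewSAML2TokenDifferentAppliesTo() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SAMLRenewUnitTest.class.getResource("cxf-client-unit.xml");

    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    try {
        String wsdlLocation =
            "https://localhost:" + test.getStsPort() + "/SecurityTokenService/Transport?wsdl";

        // Request the token
        SecurityToken token =
            requestSecurityToken(bus, wsdlLocation, WSS4JConstants.WSS_SAML2_TOKEN_TYPE, 2, true);
        assertNotNull(token);
        // Sleep to expire the token
        Thread.sleep(2100);

        // Renew the token
        token.setIssuerAddress("http://www.apache.org");
        try {
            renewSecurityToken(bus, wsdlLocation, token, true);
            fail("Failure expected on a different AppliesTo address");
        } catch (Exception ex) {
            // expected
        }
    } finally {
        // Always release the bus, even when an assertion above fails
        bus.shutdown(true);
    }
}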
 
Example #23
Source File: IssueUnitTest.java — from cxf, Apache License 2.0
/**
 * Requests a token with only a TokenType and KeyType; the remaining five arguments of the
 * nine-argument overload are left {@code null}.
 *
 * @param tokenType       TokenType to request
 * @param keyType         KeyType to request
 * @param bus             bus the STS client is created on
 * @param endpointAddress AppliesTo address passed to the STS
 * @return the issued token
 * @throws Exception propagated from the full overload
 */
private SecurityToken requestSecurityToken(
    String tokenType,
    String keyType,
    Bus bus,
    String endpointAddress
) throws Exception {
    return requestSecurityToken(
        tokenType, keyType, null, bus, endpointAddress, null, null, null, null
    );
}
 
Example #24
Source File: CachingTest.java — from cxf, Apache License 2.0
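/**
 * Invokes the SAML1 transport port, then marks the cached token as about to expire and
 * invokes again. The port and the bus are released in {@code finally} blocks so a failing
 * assertion does not leak them.
 *
 * @throws Exception propagated from bus/port setup or the invocations
 */
@org.junit.Test
public void testImminentExpiry() throws Exception {

    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = CachingTest.class.getResource("cxf-client.xml");

    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    try {
        URL wsdl = CachingTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML1Port");
        DoubleItPortType port =
            service.getPort(portQName, DoubleItPortType.class);
        try {
            ((BindingProvider)port).getRequestContext().put("thread.local.request.context", "true");
            updateAddressPort(port, PORT);

            // Make a successful invocation
            doubleIt(port, 25);

            Client client = ClientProxy.getClient(port);
            Endpoint ep = client.getEndpoint();
            String id = (String)ep.get(SecurityConstants.TOKEN_ID);
            TokenStore store = (TokenStore)ep.getEndpointInfo().getProperty(TokenStore.class.getName());
            SecurityToken tok = store.getToken(id);
            assertNotNull(tok);

            // Make the token "about to expire"
            tok.setExpires(Instant.now().plusSeconds(5L));
            assertTrue(tok.isAboutToExpire(10L));

            doubleIt(port, 25);
        } finally {
            ((java.io.Closeable)port).close();
        }
    } finally {
        // Always release the bus, even when an assertion above fails
        bus.shutdown(true);
    }
}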
 
Example #25
Source File: SecurityContextTokenCancelTest.java — from cxf, Apache License 2.0
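/**
 * Issues an SCT and checks that cancelling it only succeeds on the endorsing port, where the
 * SCT secret signs part of the message. The bus is shut down in a {@code finally} block so a
 * failing assertion does not leave it running.
 *
 * @throws Exception propagated from bus creation or the STS calls
 */
@org.junit.Test
public void testCancelSecurityContextToken() throws Exception {
    SpringBusFactory bf = new SpringBusFactory();
    URL busFile = SecurityContextTokenCancelTest.class.getResource("cxf-client.xml");

    Bus bus = bf.createBus(busFile.toString());
    BusFactory.setDefaultBus(bus);
    BusFactory.setThreadDefaultBus(bus);

    try {
        String wsdlLocation =
            "https://localhost:" + STSPORT + "/SecurityTokenService/TransportSCT?wsdl";
        SecurityToken token =
            requestSecurityToken(bus, wsdlLocation, true);
        assertTrue(token.getSecret() != null && token.getSecret().length > 0);

        // Cancel the SecurityContextToken - this should fail as the secret associated with the SCT
        // is not used to sign some part of the message
        String port = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port";
        boolean cancelled = cancelSecurityToken(bus, wsdlLocation, port, true, token);
        assertFalse(cancelled);

        String endorsingPort = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Endorsing_Port";
        cancelled = cancelSecurityToken(bus, wsdlLocation, endorsingPort, true, token);
        assertTrue(cancelled);
    } finally {
        // Always release the bus, even when an assertion above fails
        bus.shutdown(true);
    }
}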
 
Example #26
Source File: STSTokenRetrieverTest.java — from cxf, Apache License 2.0
/**
 * Retrieves a token through {@code STSTokenRetriever} with an asymmetric-binding STS client
 * and default request parameters, and validates the result.
 *
 * @throws Exception propagated from client setup or the retrieval
 */
@Test
public void testSTSAsymmetricBinding() throws Exception {
    Bus bus = BusFactory.getThreadDefaultBus();
    STSClient stsClient = initStsClientAsymmeticBinding(bus);
    MessageImpl message = prepareMessage(bus, stsClient, SERVICE_ENDPOINT_ASSYMETRIC);

    // Nothing is overridden on the request parameters
    STSTokenRetriever.TokenRequestParams params = new STSTokenRetriever.TokenRequestParams();
    SecurityToken retrieved = STSTokenRetriever.getToken(message, params);
    validateSecurityToken(retrieved);
}
 
Example #27
Source File: SymmetricBindingHandler.java — from steady, Apache License 2.0
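/**
 * Caches the derived key of the first password-less UsernameToken in the inbound results and
 * returns the id it was cached under.
 *
 * The cached {@link SecurityToken} carries the result's secret and is valid for five minutes
 * from creation. A UsernameToken without an id is given a freshly allocated one.
 *
 * @return the cache id, or {@code null} when the inbound message carries no WSS4J results,
 *         or none of them is a UT_NOPASSWORD action
 * @throws WSSecurityException declared for callers; nothing in this body throws it directly
 */
private String getUTDerivedKey() throws WSSecurityException {
    List<WSHandlerResult> handlerResults = CastUtils.cast((List<?>)message.getExchange().getInMessage()
        .get(WSHandlerConstants.RECV_RESULTS));
    // No WSS4J results on the inbound message: nothing to derive a key from
    if (handlerResults == null) {
        return null;
    }

    for (WSHandlerResult handlerResult : handlerResults) {
        for (WSSecurityEngineResult engineResult : handlerResult.getResults()) {
            Integer action = (Integer) engineResult.get(WSSecurityEngineResult.TAG_ACTION);
            if (action == null || action.intValue() != WSConstants.UT_NOPASSWORD) {
                continue;
            }
            String utId = (String) engineResult.get(WSSecurityEngineResult.TAG_ID);
            // The UsernameToken may lack an id; allocate one so the token can be cached
            if (utId == null || utId.length() == 0) {
                utId = wssConfig.getIdAllocator().createId("UsernameToken-", null);
            }
            Date issuedAt = new Date();
            // 300000 ms = 5 minutes
            Date validUntil = new Date(issuedAt.getTime() + 300000);
            SecurityToken cached = new SecurityToken(utId, issuedAt, validUntil);

            cached.setSecret((byte[]) engineResult.get(WSSecurityEngineResult.TAG_SECRET));
            tokenStore.add(cached);

            return utId;
        }
    }
    return null;
}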
 
Example #28
Source File: STSTokenValidator.java — from steady, Apache License 2.0
/**
 * Looks up the transformed token recorded for a token hash.
 *
 * The store entry keyed by the decimal form of {@code hash} must itself report the same
 * token hash; its transformed-token identifier is then resolved in the same store.
 *
 * @param tokenStore store to query
 * @param hash       hash of the original token
 * @return the transformed token, or {@code null} if the hash entry is missing, has a
 *         different hash, or records no transformed-token identifier
 */
private SecurityToken getTransformedToken(TokenStore tokenStore, int hash) {
    SecurityToken hashEntry = tokenStore.getToken(Integer.toString(hash));
    if (hashEntry == null || hashEntry.getTokenHash() != hash) {
        return null;
    }
    String transformedId = hashEntry.getTransformedTokenIdentifier();
    return transformedId == null ? null : tokenStore.getToken(transformedId);
}
 
Example #29
Source File: WSS4JInInterceptor.java — from steady, Apache License 2.0
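/**
 * Resolves the key for each WSS4J password callback from the token store.
 *
 * For EncryptedKeySHA1 and Kerberos key-identifier callbacks the identifier is matched
 * against the stored tokens' SHA-1 values; for every other type it is used directly as the
 * store key, and the matching token's element is also handed back as the custom token. The
 * first resolved callback ends the method. If none is resolved, the callbacks are delegated
 * to {@code internal} when one is configured.
 *
 * @param callbacks callbacks to resolve; every entry is cast to WSPasswordCallback, so any
 *                  other Callback type fails with a ClassCastException
 * @throws IOException                  propagated from the delegate handler
 * @throws UnsupportedCallbackException propagated from the delegate handler
 */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        WSPasswordCallback pc = (WSPasswordCallback) callback;
        String id = pc.getIdentifier();
        String type = pc.getType();

        if (SecurityTokenReference.ENC_KEY_SHA1_URI.equals(type)
            || WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(type)) {
            for (String tokenId : store.getTokenIdentifiers()) {
                SecurityToken token = store.getToken(tokenId);
                // The token may have been evicted between listing the ids and fetching it,
                // and the callback may carry no identifier; skip rather than dereference null
                if (token == null || id == null) {
                    continue;
                }
                if (id.equals(token.getSHA1())) {
                    pc.setKey(token.getSecret());
                    return;
                }
            }
        } else {
            SecurityToken tok = store.getToken(id);
            if (tok != null) {
                pc.setKey(tok.getSecret());
                pc.setCustomToken(tok.getToken());
                return;
            }
        }
    }
    if (internal != null) {
        internal.handle(callbacks);
    }
}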
 
Example #30
Source File: TransportBindingHandler.java — from steady, Apache License 2.0
/**
 * Adds each signed supporting token of the policy assertion to the security header.
 *
 * UsernameTokens are built and appended to the header; IssuedToken and KerberosToken entries
 * are added as a clone of the stored security token's element when their inclusion mode
 * asks for it; SAML tokens are added as a supporting element. Any other token type is
 * ignored (see the REVISIT note).
 *
 * @param sgndSuppTokens the SignedSupportingTokens assertion being processed
 * @throws Exception propagated from the token builders
 */
private void addSignedSupportingTokens(SupportingToken sgndSuppTokens)
    throws Exception {
    for (Token policyToken : sgndSuppTokens.getTokens()) {
        if (policyToken instanceof UsernameToken) {
            WSSecUsernameToken utBuilder = addUsernameToken((UsernameToken) policyToken);
            if (utBuilder == null) {
                continue;
            }
            utBuilder.prepare(saaj.getSOAPPart());
            utBuilder.appendToHeader(secHeader);
        } else if (policyToken instanceof IssuedToken || policyToken instanceof KerberosToken) {
            // The stored token is fetched regardless of inclusion; only the add is conditional
            SecurityToken storedToken = getSecurityToken();
            if (includeToken(policyToken.getInclusion())) {
                // Add the token
                addEncryptedKeyElement(cloneElement(storedToken.getToken()));
            }
        } else if (policyToken instanceof SamlToken) {
            AssertionWrapper samlWrapper = addSamlToken((SamlToken) policyToken);
            if (samlWrapper == null) {
                continue;
            }
            addSupportingElement(samlWrapper.toDOM(saaj.getSOAPPart()));
        }
        // REVISIT - other token types are not supported for signed. Exception?
    }

}