org.apache.wss4j.common.ext.WSSecurityException Java Examples
The following examples show how to use
org.apache.wss4j.common.ext.WSSecurityException.
Example #1
Source File: StaxCryptoCoverageChecker.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Enforces the "sign body" requirement: when {@code signBody} is set, at least one signed
 * element among {@code results} must resolve to the SOAP Body, otherwise the message is rejected.
 *
 * @param results security events of the inbound message; each entry is cast to
 *                {@link AbstractSecuredElementSecurityEvent}, so other event types fail with a
 *                {@code ClassCastException} exactly as before
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the Body is not covered by a signature
 */
private void checkSignedBody(List<SecurityEvent> results) throws WSSecurityException {
    if (!signBody) {
        return;
    }
    // anyMatch short-circuits on the first signed Body, like the original break
    boolean bodyCovered = results.stream()
        .map(event -> (AbstractSecuredElementSecurityEvent) event)
        .anyMatch(secured -> secured.isSigned() && isBody(secured.getElementPath()));
    if (!bodyCovered) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
            new Exception("The SOAP Body is not signed"));
    }
}
Example #2
Source File: SAMLSSOResponseValidatorTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * A Response whose assertion carries no SubjectConfirmationData must be rejected by the validator.
 */
@org.junit.Test
public void testNoSubjectConfirmationData() throws Exception {
    Response samlResponse = createResponse(null);

    // Configure the validator with the same expectations the other tests use
    SAMLSSOResponseValidator responseValidator = new SAMLSSOResponseValidator();
    responseValidator.setIssuerIDP("http://cxf.apache.org/issuer");
    responseValidator.setSpIdentifier("http://service.apache.org");
    responseValidator.setAssertionConsumerURL("http://recipient.apache.org");
    responseValidator.setClientAddress("http://apache.org");
    responseValidator.setRequestId("12345");
    responseValidator.setEnforceAssertionsSigned(false);

    boolean rejected = false;
    try {
        responseValidator.validateSamlResponse(samlResponse, false);
    } catch (WSSecurityException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Expected failure on bad response");
    }
}
Example #3
Source File: BinarySecurityTokenInterceptor.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Runs the WSS4J {@code BinarySecurityTokenProcessor} over a single token element.
 *
 * @param tokenElement the BinarySecurityToken DOM element
 * @param message the current SOAP message, used to look up the callback handler and as message context
 * @return the engine results produced by the processor
 * @throws WSSecurityException if the callback handler cannot be resolved or the processor fails
 */
private List<WSSecurityEngineResult> processToken(Element tokenElement, final SoapMessage message)
    throws WSSecurityException {
    RequestData requestData = new CXFRequestData();

    // The callback handler may be configured as an instance or a class name; resolution failures
    // are wrapped so the caller only sees WSSecurityException
    Object handlerProperty = SecurityUtils.getSecurityPropertyValue(SecurityConstants.CALLBACK_HANDLER, message);
    try {
        requestData.setCallbackHandler(SecurityUtils.getCallbackHandler(handlerProperty));
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }

    requestData.setMsgContext(message);
    requestData.setWssConfig(WSSConfig.getNewInstance());
    requestData.setWsDocInfo(new WSDocInfo(tokenElement.getOwnerDocument()));

    return new BinarySecurityTokenProcessor().handleToken(tokenElement, requestData);
}
Example #4
Source File: CustomStaxUTValidator.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Validates the UsernameToken through the superclass and then attaches a {@link Subject}
 * carrying the token principal plus role groups: every user gets "worker", and the user
 * "Alice" additionally gets "manager".
 *
 * @param usernameTokenType the inbound UsernameToken
 * @param tokenContext the streaming security context
 * @return the validated token, now carrying a Subject
 * @throws WSSecurityException if the superclass validation fails
 */
@SuppressWarnings("unchecked")
@Override
public <T extends UsernameSecurityToken & InboundSecurityToken> T validate(
    UsernameTokenType usernameTokenType, TokenContext tokenContext) throws WSSecurityException {
    UsernameSecurityTokenImpl validated =
        super.<UsernameSecurityTokenImpl>validate(usernameTokenType, tokenContext);

    String username = validated.getUsername();
    Subject subject = new Subject();
    subject.getPrincipals().add(validated.getPrincipal());
    // "manager" is granted before "worker", preserving the original insertion order
    if ("Alice".equals(username)) {
        subject.getPrincipals().add(new SimpleGroup("manager", username));
    }
    subject.getPrincipals().add(new SimpleGroup("worker", username));
    validated.setSubject(subject);

    return (T) validated;
}
Example #5
Source File: ClaimsProcessorTest.java From cxf-fediz with Apache License 2.0 | 6 votes |
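/**
 * Builds an RSTR document containing the given assertion, optionally signing the assertion first.
 *
 * @param assertion the assertion to embed
 * @param alias the keystore alias whose password is obtained via {@code cbPasswordHandler}
 * @param sign whether to sign the assertion with {@code crypto} before embedding it
 * @param rstr the RSTR template (serialized XML) into which the assertion is inserted
 * @return the resulting document serialized to a String
 * @throws IllegalStateException if the RSTR template contains no RequestedSecurityToken element
 *         (WS-Trust 1.3 or 2005/02 namespace); the original failed here with a NullPointerException
 */
private String createSamlToken(SamlAssertionWrapper assertion, String alias, boolean sign, String rstr)
    throws IOException, UnsupportedCallbackException, WSSecurityException, SAXException,
    ParserConfigurationException {
    WSPasswordCallback[] cb = { new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE) };
    cbPasswordHandler.handle(cb);
    String password = cb[0].getPassword();
    if (sign) {
        assertion.signAssertion(alias, password, crypto, false);
    }

    Document doc = STSUtil.toSOAPPart(rstr);
    Element token = assertion.toDOM(doc);

    // Try the WS-Trust 1.3 namespace first, then fall back to WS-Trust 2005/02
    Element e = XMLUtils.findElement(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_13_NS);
    if (e == null) {
        e = XMLUtils.findElement(doc, "RequestedSecurityToken", FederationConstants.WS_TRUST_2005_02_NS);
    }
    if (e == null) {
        throw new IllegalStateException("No RequestedSecurityToken element found in the RSTR template");
    }
    e.appendChild(token);
    return DOM2Writer.nodeToString(doc);
}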
Example #6
Source File: SAMLTokenRenewer.java From cxf with Apache License 2.0 | 6 votes |
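/**
 * Stores a successfully renewed assertion in the token cache, keyed by its signature value.
 * Nothing is stored when no store is supplied or the assertion carries no signature value.
 *
 * @param tokenStore the cache to write to; may be {@code null}, in which case nothing is cached
 * @param assertion the renewed assertion
 * @param principal unused; the principal written to the cache entry comes from {@code tokenParameters}
 * @param tokenParameters renewal parameters supplying principal, realm and renewing requirements
 * @throws WSSecurityException if the cache entry cannot be created or stored
 */
private void storeTokenInCache(
    TokenStore tokenStore, SamlAssertionWrapper assertion, Principal principal,
    TokenRenewerParameters tokenParameters
) throws WSSecurityException {
    byte[] signatureValue = assertion.getSignatureValue();
    if (tokenStore == null || signatureValue == null || signatureValue.length == 0) {
        return;
    }
    SecurityToken securityToken = CacheUtils.createSecurityTokenForStorage(
        assertion.getElement(), assertion.getId(), assertion.getNotOnOrAfter(),
        tokenParameters.getPrincipal(), tokenParameters.getRealm(),
        tokenParameters.getTokenRequirements().getRenewing());
    // Write to the store that was null-checked above. The original passed
    // tokenParameters.getTokenStore() here, which the guard never inspected.
    CacheUtils.storeTokenInCache(securityToken, tokenStore, signatureValue);
}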
Example #7
Source File: SAMLProtocolResponseValidator.java From cxf-fediz with Apache License 2.0 | 6 votes |
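/**
 * Validates a SAML 1.1 protocol {@code Response}: the status code must be present and equal to
 * {@code SAML1_STATUSCODE_SUCCESS}, after which the response signature is verified.
 *
 * @param samlResponse the SAML 1.1 protocol response
 * @param config the Fediz context used for signature validation
 * @throws WSSecurityException if the status is missing or not successful, or if
 *         {@code validateResponseSignature} rejects the response
 */
public void validateSamlResponse(
    org.opensaml.saml.saml1.core.Response samlResponse,
    FedizContext config
) throws WSSecurityException {
    // Guard every level of the getter chain before reading the status code value
    if (samlResponse.getStatus() == null
        || samlResponse.getStatus().getStatusCode() == null
        || samlResponse.getStatus().getStatusCode().getValue() == null) {
        LOG.debug("Either the SAML Response Status or StatusCode is null");
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    String statusValue = samlResponse.getStatus().getStatusCode().getValue().getLocalPart();
    if (!SAML1_STATUSCODE_SUCCESS.equals(statusValue)) {
        // Fixed: the original message was missing the space before "does not equal"
        LOG.debug(
            "SAML Status code of " + samlResponse.getStatus().getStatusCode().getValue()
            + " does not equal " + SAML1_STATUSCODE_SUCCESS
        );
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
    }

    // The signature check is the actual trust decision; it runs only for a successful status
    validateResponseSignature(samlResponse, config);
}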
Example #8
Source File: IssueUnitTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Issues a bearer SAML assertion through a {@link SAMLTokenProvider} and returns its DOM element.
 *
 * @param tokenType requested token type
 * @param crypto signing crypto
 * @param signatureUsername signing key alias
 * @param callbackHandler password callback for the signing key
 * @param realms realm map for the provider; when non-null the request is placed in realm "A"
 * @param user the subject user name
 * @param issuer the asserting issuer
 * @return the issued assertion element
 * @throws WSSecurityException if token creation fails
 */
private Element createSAMLAssertion(
    String tokenType, Crypto crypto, String signatureUsername, CallbackHandler callbackHandler,
    Map<String, RealmProperties> realms, String user, String issuer
) throws WSSecurityException {
    TokenProviderParameters params = createProviderParameters(
        tokenType, STSConstants.BEARER_KEY_KEYTYPE, crypto, signatureUsername, callbackHandler, user, issuer
    );
    if (realms != null) {
        params.setRealm("A");
    }

    SAMLTokenProvider provider = new SAMLTokenProvider();
    provider.setRealmMap(realms);
    TokenProviderResponse issued = provider.createToken(params);

    assertNotNull(issued);
    assertTrue(issued.getToken() != null && issued.getTokenId() != null);
    return (Element) issued.getToken();
}
Example #9
Source File: SAMLSSOResponseValidatorTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * A SubjectConfirmationData whose NotOnOrAfter lies in the past must cause validation to fail.
 */
@org.junit.Test
public void testInvalidNotOnOrAfter() throws Exception {
    SubjectConfirmationDataBean confirmationData = new SubjectConfirmationDataBean();
    confirmationData.setRecipient("http://recipient.apache.org");
    confirmationData.setInResponseTo("12345");
    confirmationData.setAddress("http://apache.org");
    // Already expired one second before the response is built
    confirmationData.setNotAfter(new DateTime().minusSeconds(1));
    Response samlResponse = createResponse(confirmationData);

    SAMLSSOResponseValidator responseValidator = new SAMLSSOResponseValidator();
    responseValidator.setIssuerIDP("http://cxf.apache.org/issuer");
    responseValidator.setSpIdentifier("http://service.apache.org");
    responseValidator.setAssertionConsumerURL("http://recipient.apache.org");
    responseValidator.setClientAddress("http://apache.org");
    responseValidator.setRequestId("12345");
    responseValidator.setEnforceAssertionsSigned(false);

    boolean rejected = false;
    try {
        responseValidator.validateSamlResponse(samlResponse, false);
    } catch (WSSecurityException expected) {
        rejected = true;
    }
    if (!rejected) {
        fail("Expected failure on bad response");
    }
}
Example #10
Source File: UsernameTokenInterceptor.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Parses a UsernameToken element with WSS4J and builds the corresponding principal.
 *
 * @param tokenElement the wsse:UsernameToken element
 * @param bspCompliant whether Basic Security Profile rules are enforced (the enforcer is built
 *                     with {@code !bspCompliant}, i.e. "disable BSP checks")
 * @param allowNamespaceQualifiedPWDTypes whether namespace-qualified password types are accepted
 * @return a principal carrying name, hashed flag, decoded nonce, password, created time and password type
 * @throws WSSecurityException if the token cannot be parsed
 * @throws Base64DecodingException if the nonce is not valid Base64
 */
protected UsernameTokenPrincipal parseTokenAndCreatePrincipal(Element tokenElement, boolean bspCompliant,
    boolean allowNamespaceQualifiedPWDTypes) throws WSSecurityException, Base64DecodingException {
    BSPEnforcer enforcer = new org.apache.wss4j.common.bsp.BSPEnforcer(!bspCompliant);
    org.apache.wss4j.dom.message.token.UsernameToken usernameToken =
        new org.apache.wss4j.dom.message.token.UsernameToken(
            tokenElement, allowNamespaceQualifiedPWDTypes, enforcer);

    WSUsernameTokenPrincipalImpl result =
        new WSUsernameTokenPrincipalImpl(usernameToken.getName(), usernameToken.isHashed());
    String nonce = usernameToken.getNonce();
    if (nonce != null) {
        result.setNonce(XMLUtils.decode(nonce));
    }
    result.setPassword(usernameToken.getPassword());
    result.setCreatedTime(usernameToken.getCreated());
    result.setPasswordType(usernameToken.getPasswordType());
    return result;
}
Example #11
Source File: SCTTokenValidator.java From cxf with Apache License 2.0 | 6 votes |
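/**
 * Validates a SecurityContextToken via the superclass, then requires the transformed token to be a
 * SAML 2.0 assertion issued by "DoubleItSTSIssuer" and extracts its subject secret as the credential's
 * secret key.
 *
 * @param credential the credential to validate
 * @param data the request data (crypto, callback handler)
 * @return the validated credential with its secret key set
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} if the transformed token is missing,
 *         not SAML 2.0, from another issuer, or yields no subject secret
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    Credential validatedCredential = super.validate(credential, data);

    SamlAssertionWrapper transformedToken = validatedCredential.getTransformedToken();
    if (transformedToken == null
        || transformedToken.getSaml2() == null
        || !"DoubleItSTSIssuer".equals(transformedToken.getIssuerString())) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }

    transformedToken.parseSubject(
        new WSSSAMLKeyInfoProcessor(data), data.getSigVerCrypto(), data.getCallbackHandler()
    );
    // Fail closed: a missing KeyInfo previously surfaced as a NullPointerException, and a null
    // secret was silently propagated as the credential's secret key.
    SAMLKeyInfo keyInfo = transformedToken.getSubjectKeyInfo();
    if (keyInfo == null || keyInfo.getSecret() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE);
    }
    validatedCredential.setSecretKey(keyInfo.getSecret());
    return validatedCredential;
}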
Example #12
Source File: SAMLDelegationTest.java From cxf with Apache License 2.0 | 6 votes |
/**
 * Issues an unsigned SAML assertion through a {@link SAMLTokenProvider} with signing disabled.
 *
 * @param tokenType requested token type
 * @param keyType requested key type
 * @param user the subject user name
 * @param issuer the asserting issuer
 * @return the issued assertion element
 * @throws WSSecurityException if token creation fails
 */
private Element createUnsignedSAMLAssertion(
    String tokenType, String keyType, String user, String issuer
) throws WSSecurityException {
    TokenProviderParameters params =
        createProviderParameters(tokenType, keyType, null, null, null, user, issuer);

    SAMLTokenProvider provider = new SAMLTokenProvider();
    provider.setSignToken(false);
    TokenProviderResponse issued = provider.createToken(params);

    assertNotNull(issued);
    assertTrue(issued.getToken() != null && issued.getTokenId() != null);
    return (Element) issued.getToken();
}
Example #13
Source File: TransportBindingHandler.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Signs the configured parts and elements with the issued token obtained from
 * {@code getSecurityToken()}, adding the token to the security header when the include-token
 * policy requires it, and choosing derived-key or plain signature based on the token's policy.
 *
 * @param token the issued token assertion
 * @param wrapper the supporting-tokens policy supplying signed parts/elements
 * @return the signature value
 * @throws Exception if no SecurityToken is available (as a WSSecurityException) or signing fails
 */
private byte[] doIssuedTokenSignature(
    final AbstractToken token, final SupportingTokens wrapper
) throws Exception {
    SecurityToken secTok = getSecurityToken();
    if (secTok == null) {
        LOG.fine("The retrieved SecurityToken was null");
        throw new WSSecurityException(
            WSSecurityException.ErrorCode.FAILURE,
            new Exception("The retrieved SecurityToken was null")
        );
    }

    boolean tokenIncluded = false;
    if (isTokenRequired(token.getIncludeTokenType())) {
        // The token itself is added to the header; it is not signed here
        addEncryptedKeyElement(cloneElement(secTok.getToken()));
        tokenIncluded = true;
    }

    List<WSEncryptionPart> sigParts =
        signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
    boolean derivedKeys = token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys;
    return derivedKeys
        ? doDerivedKeySignature(tokenIncluded, secTok, token, sigParts)
        : doSignature(tokenIncluded, secTok, token, sigParts);
}
Example #14
Source File: RSSecurityUtils.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Resolves the callback handler configured under {@code callbackProperty} on the message.
 *
 * @param message the current message
 * @param callingClass unused here; kept for the public signature
 * @param callbackProperty the security property holding the handler (instance or class name)
 * @return the resolved callback handler
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} wrapping any resolution error
 */
public static CallbackHandler getCallbackHandler(Message message, Class<?> callingClass,
    String callbackProperty) throws WSSecurityException {
    Object configured = SecurityUtils.getSecurityPropertyValue(callbackProperty, message);
    CallbackHandler handler;
    try {
        handler = SecurityUtils.getCallbackHandler(configured);
    } catch (Exception ex) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
    }
    return handler;
}
Example #15
Source File: WSSecHeaderGeneratorWss4jImpl.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Starts header generation for {@code message}: inserts an empty wsse:Security header into its
 * SOAP part and prepares a WSSecSignature with inclusive-prefix generation turned off.
 *
 * @param message the SOAP message to secure; must not be null
 * @return this handler, as the next builder step
 * @throws TechnicalConnectorException wrapping any WSSecurityException from header insertion
 */
public AbstractWsSecurityHandler.WSSecHeaderGeneratorStep1 on(SOAPMessage message) throws TechnicalConnectorException {
    Validate.notNull(message);
    try {
        this.soapPart = message.getSOAPPart();
        this.wsSecHeader = new WSSecHeader();
        this.wsSecHeader.insertSecurityHeader(this.soapPart);

        WSSConfig signatureConfig = WSSConfig.getNewInstance();
        signatureConfig.setAddInclusivePrefixes(false);
        this.sign = new WSSecSignature(signatureConfig);
    } catch (WSSecurityException cause) {
        throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.HANDLER_ERROR,
            new Object[]{"unable to insert security header.", cause});
    }
    return this;
}
Example #16
Source File: WSSecHeaderGeneratorWss4jImpl.java From freehealth-connector with GNU Affero General Public License v3.0 | 5 votes |
/**
 * Starts header generation for {@code message}: inserts an empty wsse:Security header into its
 * SOAP part and prepares a WSSecSignature with inclusive-prefix generation turned off.
 *
 * @param message the SOAP message to secure; must not be null
 * @return this handler, as the next builder step
 * @throws TechnicalConnectorException wrapping any WSSecurityException from header insertion
 */
public AbstractWsSecurityHandler.WSSecHeaderGeneratorStep1 on(SOAPMessage message) throws TechnicalConnectorException {
    Validate.notNull(message);
    try {
        this.soapPart = message.getSOAPPart();
        this.wsSecHeader = new WSSecHeader();
        this.wsSecHeader.insertSecurityHeader(this.soapPart);

        WSSConfig signatureConfig = WSSConfig.getNewInstance();
        signatureConfig.setAddInclusivePrefixes(false);
        this.sign = new WSSecSignature(signatureConfig);
    } catch (WSSecurityException cause) {
        throw new TechnicalConnectorException(TechnicalConnectorExceptionValues.HANDLER_ERROR,
            new Object[]{"unable to insert security header.", cause});
    }
    return this;
}
Example #17
Source File: JWTTokenProviderRealmTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds test provider parameters for the given token type: principal "alice", a mocked message
 * context, a dummy AppliesTo address, and static STS properties backed by the test crypto.
 *
 * @param tokenType the requested token type
 * @return fully populated provider parameters
 * @throws WSSecurityException if the test Crypto cannot be loaded
 */
private TokenProviderParameters createProviderParameters(
    String tokenType
) throws WSSecurityException {
    // STS properties: one crypto instance serves for both encryption and signature
    Crypto testCrypto = CryptoFactory.getInstance(getEncryptionProperties());
    StaticSTSProperties sts = new StaticSTSProperties();
    sts.setEncryptionCrypto(testCrypto);
    sts.setSignatureCrypto(testCrypto);
    sts.setEncryptionUsername("myservicekey");
    sts.setSignatureUsername("mystskey");
    sts.setCallbackHandler(new PasswordCallbackHandler());
    sts.setIssuer("STS");

    TokenRequirements tokenReqs = new TokenRequirements();
    tokenReqs.setTokenType(tokenType);

    TokenProviderParameters params = new TokenProviderParameters();
    params.setTokenRequirements(tokenReqs);
    params.setKeyRequirements(new KeyRequirements());
    params.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mocked message context
    params.setMessageContext(new WrappedMessageContext(new MessageImpl()));
    params.setAppliesToAddress("http://dummy-service.com/dummy");
    params.setStsProperties(sts);
    params.setEncryptionProperties(new EncryptionProperties());
    return params;
}
Example #18
Source File: SAMLDelegationHandler.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Decides whether the received token may be used for delegation: every confirmation method must be
 * bearer (SAML 1.1 or 2.0), and, when audience-restriction checking is enabled and an AppliesTo
 * address is given, the assertion's audience restrictions must be empty or contain that address.
 *
 * @param receivedToken the token presented for delegation; its DOM element is parsed as an assertion
 * @param appliesToAddress the AppliesTo address of the request, may be {@code null}
 * @return {@code true} if delegation is allowed; {@code false} on any failed check or parse error
 */
protected boolean isDelegationAllowed(
    ReceivedToken receivedToken, String appliesToAddress
) {
    Element tokenElement = (Element) receivedToken.getToken();
    try {
        SamlAssertionWrapper wrapper = new SamlAssertionWrapper(tokenElement);

        for (String method : wrapper.getConfirmationMethods()) {
            boolean bearer = SAML1Constants.CONF_BEARER.equals(method)
                || SAML2Constants.CONF_BEARER.equals(method);
            if (!bearer) {
                LOG.fine("An unsupported Confirmation Method was used: " + method);
                return false;
            }
        }

        if (checkAudienceRestriction && appliesToAddress != null) {
            List<String> audiences = getAudienceRestrictions(wrapper);
            if (!audiences.isEmpty() && !audiences.contains(appliesToAddress)) {
                LOG.fine("The AppliesTo address " + appliesToAddress + " is not contained"
                    + " in the Audience Restriction addresses in the assertion");
                return false;
            }
        }
    } catch (WSSecurityException ex) {
        // A token that cannot be parsed is never eligible for delegation
        LOG.log(Level.WARNING, "Error in ascertaining whether delegation is allowed", ex);
        return false;
    }
    return true;
}
Example #19
Source File: X509TokenTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Sends the same security header twice through an interceptor that caches it; the second call must
 * be rejected with a SOAP fault carrying the unified security error (replay of the Timestamp).
 * Skipped for the streaming (StAX) variant.
 */
@org.junit.Test
public void testAsymmetricSignatureReplay() throws Exception {
    if (test.isStreaming()) {
        return;
    }

    URL busConfig = X509TokenTest.class.getResource("client.xml");
    Bus clientBus = new SpringBusFactory().createBus(busConfig.toString());
    BusFactory.setDefaultBus(clientBus);
    BusFactory.setThreadDefaultBus(clientBus);

    URL wsdl = X509TokenTest.class.getResource("DoubleItX509Signature.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    DoubleItPortType x509Port = service.getPort(
        new QName(NAMESPACE, "DoubleItAsymmetricSignaturePort"), DoubleItPortType.class);
    updateAddressPort(x509Port, test.getPort());

    // Replays the first security header on every subsequent request
    ClientProxy.getClient(x509Port).getOutInterceptors().add(new SecurityHeaderCacheInterceptor());

    assertEquals(50, x509Port.doubleIt(25));
    try {
        x509Port.doubleIt(25);
        fail("Failure expected on a replayed Timestamp");
    } catch (javax.xml.ws.soap.SOAPFaultException ex) {
        assertTrue(ex.getMessage().contains(WSSecurityException.UNIFIED_SECURITY_ERR));
    }

    // Not in a finally block: neither the port nor the bus is released if an assertion fails
    ((java.io.Closeable) x509Port).close();
    clientBus.shutdown(true);
}
Example #20
Source File: EncryptionUtils.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Creates an {@link XMLCipher} for the given symmetric algorithm, enables secure validation, and
 * initializes it for {@code mode} with {@code key}.
 *
 * @param symEncAlgo the XML Encryption algorithm URI
 * @param mode the XMLCipher mode (encrypt or decrypt)
 * @param key the symmetric key
 * @return the initialized cipher
 * @throws WSSecurityException with {@code ErrorCode.UNSUPPORTED_ALGORITHM} wrapping any
 *         XMLEncryptionException from creation or initialization
 */
public static XMLCipher initXMLCipher(String symEncAlgo, int mode, Key key) throws WSSecurityException {
    XMLCipher xmlCipher;
    try {
        xmlCipher = XMLCipher.getInstance(symEncAlgo);
        // Secure validation is switched on before the cipher is initialized
        xmlCipher.setSecureValidation(true);
        xmlCipher.init(mode, key);
    } catch (XMLEncryptionException cause) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, cause);
    }
    return xmlCipher;
}
Example #21
Source File: STSStaxTokenValidator.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Delegates BinarySecurityToken validation to a fresh {@code STSStaxBSTValidator} configured with
 * this validator's {@code alwaysValidateToSts} flag.
 *
 * @param binarySecurityTokenType the inbound BinarySecurityToken
 * @param tokenContext the streaming security context
 * @return the validated inbound token
 * @throws WSSecurityException if the delegate rejects the token
 */
@Override
public InboundSecurityToken validate(final BinarySecurityTokenType binarySecurityTokenType,
    final TokenContext tokenContext) throws WSSecurityException {
    return new STSStaxBSTValidator(alwaysValidateToSts).validate(binarySecurityTokenType, tokenContext);
}
Example #22
Source File: SAMLTokenRenewerPOPTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds test validator parameters: principal "alice", a mocked message context, static STS
 * properties backed by the test crypto, and the test token store.
 *
 * @return fully populated validator parameters
 * @throws WSSecurityException if the test Crypto cannot be loaded
 */
private TokenValidatorParameters createValidatorParameters() throws WSSecurityException {
    // STS properties: one crypto instance serves for both encryption and signature
    Crypto testCrypto = CryptoFactory.getInstance(getEncryptionProperties());
    StaticSTSProperties sts = new StaticSTSProperties();
    sts.setEncryptionCrypto(testCrypto);
    sts.setSignatureCrypto(testCrypto);
    sts.setEncryptionUsername("myservicekey");
    sts.setSignatureUsername("mystskey");
    sts.setCallbackHandler(new PasswordCallbackHandler());
    sts.setIssuer("STS");

    TokenValidatorParameters params = new TokenValidatorParameters();
    params.setTokenRequirements(new TokenRequirements());
    params.setKeyRequirements(new KeyRequirements());
    params.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mocked message context
    params.setMessageContext(new WrappedMessageContext(new MessageImpl()));
    params.setStsProperties(sts);
    params.setTokenStore(tokenStore);
    return params;
}
Example #23
Source File: JexlIssueSamlClaimsTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds static STS properties for tests, using {@code crypto} for both encryption and signature.
 *
 * @param crypto the test crypto
 * @return the populated properties
 * @throws WSSecurityException declared for signature compatibility; nothing here throws it
 */
private STSPropertiesMBean createSTSPropertiesMBean(Crypto crypto) throws WSSecurityException {
    STSPropertiesMBean sts = new StaticSTSProperties();
    sts.setIssuer("STS");
    sts.setCallbackHandler(new PasswordCallbackHandler());
    sts.setSignatureCrypto(crypto);
    sts.setSignatureUsername("mystskey");
    sts.setEncryptionCrypto(crypto);
    sts.setEncryptionUsername("myservicekey");
    return sts;
}
Example #24
Source File: SAMLProviderRealmTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds test provider parameters for the given token and key type: principal "alice", a mocked
 * message context, a dummy AppliesTo address, and static STS properties backed by the test crypto.
 *
 * @param tokenType the requested token type
 * @param keyType the requested key type
 * @return fully populated provider parameters
 * @throws WSSecurityException if the test Crypto cannot be loaded
 */
private TokenProviderParameters createProviderParameters(
    String tokenType, String keyType
) throws WSSecurityException {
    // STS properties: one crypto instance serves for both encryption and signature
    Crypto testCrypto = CryptoFactory.getInstance(getEncryptionProperties());
    StaticSTSProperties sts = new StaticSTSProperties();
    sts.setEncryptionCrypto(testCrypto);
    sts.setSignatureCrypto(testCrypto);
    sts.setEncryptionUsername("myservicekey");
    sts.setSignatureUsername("mystskey");
    sts.setCallbackHandler(new PasswordCallbackHandler());
    sts.setIssuer("STS");

    TokenRequirements tokenReqs = new TokenRequirements();
    tokenReqs.setTokenType(tokenType);
    KeyRequirements keyReqs = new KeyRequirements();
    keyReqs.setKeyType(keyType);

    TokenProviderParameters params = new TokenProviderParameters();
    params.setTokenRequirements(tokenReqs);
    params.setKeyRequirements(keyReqs);
    params.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mocked message context
    params.setMessageContext(new WrappedMessageContext(new MessageImpl()));
    params.setAppliesToAddress("http://dummy-service.com/dummy");
    params.setStsProperties(sts);
    params.setEncryptionProperties(new EncryptionProperties());
    return params;
}
Example #25
Source File: FedizSignatureTrustValidator.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Validates the credential argument: it must carry at least one certificate or a public key,
 * and the trust of that key material is then verified via {@code verifyTrust}.
 *
 * A Crypto and a CallbackHandler implementation are required to be set.
 *
 * @param credential the Credential to be validated
 * @param data the RequestData associated with the request
 * @return the same credential, once trust has been verified
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} ("noCredential") if no key material is
 *         present, or whatever {@code verifyTrust} throws on a failed validation
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    boolean hasCertificates = credential != null
        && credential.getCertificates() != null
        && credential.getCertificates().length > 0;
    boolean hasPublicKey = credential != null && credential.getPublicKey() != null;
    if (!hasCertificates && !hasPublicKey) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }
    verifyTrust(credential, data);
    return credential;
}
Example #26
Source File: CustomUTValidator.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Accepts a UsernameToken only when the SOAP Body carries a {@code realm} element (namespace
 * {@code http://cxf.apache.org/custom}) whose text is "custom-realm"; the token is then validated
 * by the standard {@link UsernameTokenValidator}. Every other case is rejected.
 *
 * @param credential the credential carrying the UsernameToken
 * @param data request data whose message context is the SOAP message
 * @return the validated credential
 * @throws WSSecurityException with {@code ErrorCode.FAILURE} ("noCredential") if the token is
 *         absent, the realm element is missing or wrong, or the body cannot be read
 */
public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
    if (credential == null || credential.getUsernametoken() == null) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
    }

    // SAAJ is used to reach the SOAP Body because only the UsernameTokenInterceptor is in play
    SOAPMessage soapMessage = getSOAPMessage((SoapMessage) data.getMsgContext());
    try {
        Element body = SAAJUtils.getBody(soapMessage);
        Element realm = body == null
            ? null
            : XMLUtils.findElement(body, "realm", "http://cxf.apache.org/custom");
        if (realm != null && "custom-realm".equals(realm.getTextContent())) {
            return new UsernameTokenValidator().validate(credential, data);
        }
    } catch (SOAPException ignored) {
        // An unreadable body is treated like a missing realm: fall through to the rejection below
    }
    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
}
Example #27
Source File: EETClientTest.java From eet-client with MIT License | 5 votes |
/**
 * A server certificate from a CA that is not valid for the playground must make the submission
 * fail with a CommunicationException whose root cause is a WSSecurityException with message id
 * "certpath".
 */
@Test
public void testInvalidResponseSignature() throws Exception {
    final InputStream clientKey = getClass().getResourceAsStream("/keys/CZ683555118.p12");
    // This CA is not valid for playground, so certificate path validation is expected to fail
    final InputStream serverCertificate = getClass().getResourceAsStream("/certificates/2qca16_rsa.der");
    final EETClient client = EETServiceFactory.getInstance(clientKey, "eet", serverCertificate);

    CommunicationException failure = null;
    try {
        client.submitReceipt(getData(), CommunicationMode.REAL, EndpointType.PLAYGROUND,
            SubmissionType.FIRST_ATTEMPT);
    } catch (CommunicationException e) {
        failure = e;
    }
    if (failure == null) {
        Assert.fail("Should fail due to error during certificate path validation");
        return;
    }

    final Throwable rootCause = failure.getCause().getCause();
    Assert.assertEquals(WSSecurityException.class, rootCause.getClass());
    Assert.assertEquals("certpath", ((WSSecurityException) rootCause).getMsgID());
}
Example #28
Source File: SAMLTokenRenewerPOPTest.java From cxf with Apache License 2.0 | 5 votes |
/**
 * Builds test provider parameters including a received credential: the X.509 certificate for alias
 * "myclientkey" is loaded from {@code crypto} so the issued token can be bound to it (proof of
 * possession).
 *
 * @param tokenType the requested token type
 * @param keyType the requested key type
 * @param crypto the crypto used both for the client certificate lookup and for STS signing
 * @param signatureUsername the STS signing alias
 * @param callbackHandler the STS password callback
 * @return fully populated provider parameters
 * @throws WSSecurityException if the certificate lookup fails
 */
private TokenProviderParameters createProviderParameters(
    String tokenType, String keyType, Crypto crypto,
    String signatureUsername, CallbackHandler callbackHandler
) throws WSSecurityException {
    TokenRequirements tokenReqs = new TokenRequirements();
    tokenReqs.setTokenType(tokenType);

    // The client certificate becomes the received credential of the key requirements
    CryptoType byAlias = new CryptoType(CryptoType.TYPE.ALIAS);
    byAlias.setAlias("myclientkey");
    ReceivedCredential clientCredential = new ReceivedCredential();
    clientCredential.setX509Cert(crypto.getX509Certificates(byAlias)[0]);
    KeyRequirements keyReqs = new KeyRequirements();
    keyReqs.setKeyType(keyType);
    keyReqs.setReceivedCredential(clientCredential);

    StaticSTSProperties sts = new StaticSTSProperties();
    sts.setSignatureCrypto(crypto);
    sts.setSignatureUsername(signatureUsername);
    sts.setCallbackHandler(callbackHandler);
    sts.setIssuer("STS");

    TokenProviderParameters params = new TokenProviderParameters();
    params.setTokenRequirements(tokenReqs);
    params.setKeyRequirements(keyReqs);
    params.setPrincipal(new CustomTokenPrincipal("alice"));
    // Mocked message context
    params.setMessageContext(new WrappedMessageContext(new MessageImpl()));
    params.setAppliesToAddress("http://dummy-service.com/dummy");
    params.setStsProperties(sts);
    params.setEncryptionProperties(new EncryptionProperties());
    params.setTokenStore(tokenStore);
    return params;
}
Example #29
Source File: SAML1CallbackHandler.java From cxf with Apache License 2.0 | 5 votes |
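/**
 * Populates each {@link SAMLCallback} with a SAML 1.1 assertion template: issuer "www.example.com",
 * a subject built from this handler's name/qualifier/confirmation method (with KeyInfo for
 * holder-of-key), the statement from {@code createAndSetStatement}, and the test signing
 * credentials loaded from "outsecurity.properties". Signing credentials here are test fixtures.
 *
 * @param callbacks the callbacks to handle; every entry must be a SAMLCallback
 * @throws IOException if KeyInfo creation or Crypto loading fails (the cause is preserved)
 * @throws UnsupportedCallbackException for any callback that is not a SAMLCallback
 */
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback cb : callbacks) {
        if (!(cb instanceof SAMLCallback)) {
            throw new UnsupportedCallbackException(cb, "Unrecognized Callback");
        }
        SAMLCallback callback = (SAMLCallback) cb;
        callback.setIssuer("www.example.com");
        callback.setSamlVersion(Version.SAML_11);

        SubjectBean subjectBean = new SubjectBean(subjectName, subjectQualifier, confirmationMethod);
        if (SAML1Constants.CONF_HOLDER_KEY.equals(confirmationMethod)) {
            try {
                subjectBean.setKeyInfo(createKeyInfo());
            } catch (Exception ex) {
                // Fixed: the cause was previously dropped, leaving only its message
                throw new IOException("Problem creating KeyInfo: " + ex.getMessage(), ex);
            }
        }
        createAndSetStatement(subjectBean, callback);

        try {
            Crypto crypto = CryptoFactory.getInstance("outsecurity.properties");
            callback.setIssuerCrypto(crypto);
            callback.setIssuerKeyName("myalias");
            callback.setIssuerKeyPassword("myAliasPassword");
            callback.setSignAssertion(signAssertion);
        } catch (WSSecurityException e) {
            throw new IOException(e);
        }
    }
}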
Example #30
Source File: AbstractServiceProviderFilter.java From cxf-fediz with Apache License 2.0 | 5 votes |
/**
 * Installs a Fediz security context on the message: a principal built from the response state
 * (subject, claims, roles) and the token element, whose login token is also published through
 * {@code SecurityTokenThreadLocal}.
 *
 * @param responseState the validated sign-in response state
 * @param m the message to receive the SecurityContext
 * @param token the security token element backing the principal
 * @throws WSSecurityException declared for signature compatibility
 */
protected void setSecurityContext(
    ResponseState responseState, Message m, Element token
) throws WSSecurityException {
    CXFFedizPrincipal fedizPrincipal = new CXFFedizPrincipal(
        responseState.getSubject(), responseState.getClaims(), responseState.getRoles(), token);
    SecurityTokenThreadLocal.setToken(fedizPrincipal.getLoginToken());
    m.put(SecurityContext.class, new FedizSecurityContext(fedizPrincipal, responseState.getRoles()));
}