View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.setup;
20  
21  import java.net.URISyntaxException;
22  import java.util.HashSet;
23  import java.util.List;
24  
25  import javax.xml.XMLConstants;
26  import jakarta.xml.bind.JAXBContext;
27  import jakarta.xml.bind.JAXBException;
28  import javax.xml.namespace.QName;
29  import javax.xml.transform.Source;
30  import javax.xml.transform.stream.StreamSource;
31  import javax.xml.validation.Schema;
32  import javax.xml.validation.SchemaFactory;
33  
34  import org.apache.wss4j.common.WSS4JConstants;
35  import org.apache.wss4j.common.crypto.WSProviderConfig;
36  import org.apache.wss4j.common.ext.WSSecurityException;
37  import org.apache.wss4j.common.util.FIPSUtils;
38  import org.apache.wss4j.stax.ext.WSSConfigurationException;
39  import org.apache.wss4j.stax.ext.WSSConstants;
40  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
41  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
42  import org.apache.xml.security.exceptions.XMLSecurityException;
43  import org.apache.xml.security.stax.config.Init;
44  import org.apache.xml.security.stax.ext.SecurePart;
45  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
46  import org.apache.xml.security.stax.impl.util.ConcreteLSInput;
47  import org.apache.xml.security.utils.ClassLoaderUtils;
48  import org.w3c.dom.ls.LSInput;
49  import org.w3c.dom.ls.LSResourceResolver;
50  import org.xml.sax.SAXException;
51  
52  /**
53   * This is the central class of the streaming webservice-security framework.<br/>
54   * Instances of the inbound and outbound security streams can be retrieved
55   * with this class.
56   */
57  public class WSSec {
58  
59      //todo outgoing client setup per policy
60  
61      static {
62          WSProviderConfig.init();
63          try {
64              Init.init(ClassLoaderUtils.getResource("wss/wss-config.xml", WSSec.class).toURI(), WSSec.class);
65  
66              WSSConstants.setJaxbContext(
67                      JAXBContext.newInstance(
68                              org.apache.wss4j.binding.wss10.ObjectFactory.class,
69                              org.apache.wss4j.binding.wss11.ObjectFactory.class,
70                              org.apache.wss4j.binding.wsu10.ObjectFactory.class,
71                              org.apache.wss4j.binding.wssc13.ObjectFactory.class,
72                              org.apache.wss4j.binding.wssc200502.ObjectFactory.class,
73                              org.apache.xml.security.binding.xmlenc.ObjectFactory.class,
74                              org.apache.xml.security.binding.xmlenc11.ObjectFactory.class,
75                              org.apache.xml.security.binding.xmldsig.ObjectFactory.class,
76                              org.apache.xml.security.binding.xmldsig11.ObjectFactory.class,
77                              org.apache.xml.security.binding.excc14n.ObjectFactory.class,
78                              org.apache.xml.security.binding.xop.ObjectFactory.class
79                      )
80              );
81  
82              Schema schema = loadWSSecuritySchemas();
83              WSSConstants.setJaxbSchemas(schema);
84          } catch (XMLSecurityException | JAXBException
85              | SAXException | URISyntaxException e) {
86              throw new RuntimeException(e.getMessage(), e);
87          }
88      }
89  
90      public static void init() {
91          // Do nothing
92      }
93  
94      /**
95       * Creates and configures an outbound streaming security engine
96       *
97       * @param securityProperties The user-defined security configuration
98       * @return A new OutboundWSSec
99       * @throws WSSecurityException
100      *          if the initialisation failed
101      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
102      *          if the configuration is invalid
103      */
104     public static OutboundWSSec getOutboundWSSec(WSSSecurityProperties securityProperties) throws WSSecurityException {
105         if (securityProperties == null) {
106             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "missingSecurityProperties");
107         }
108 
109         securityProperties = validateAndApplyDefaultsToOutboundSecurityProperties(securityProperties);
110         return new OutboundWSSec(securityProperties);
111     }
112 
113     /**
114      * Creates and configures an inbound streaming security engine
115      *
116      * @param securityProperties The user-defined security configuration
117      * @return A new InboundWSSec
118      * @throws WSSecurityException
119      *          if the initialisation failed
120      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
121      *          if the configuration is invalid
122      */
123     public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties) throws WSSecurityException {
124         return getInboundWSSec(securityProperties, false);
125     }
126 
127     /**
128      * Creates and configures an inbound streaming security engine
129      *
130      * @param securityProperties The user-defined security configuration
131      * @param initiator Whether we are the message initiator or not
132      * @return A new InboundWSSec
133      * @throws WSSecurityException
134      *          if the initialisation failed
135      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
136      *          if the configuration is invalid
137      */
138     public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
139             boolean initiator) throws WSSecurityException {
140         return getInboundWSSec(securityProperties, initiator, false);
141     }
142 
143     /**
144      * Creates and configures an inbound streaming security engine
145      *
146      * @param securityProperties The user-defined security configuration
147      * @param initiator Whether we are the message initiator or not
148      * @param returnSecurityError Whether to return the underlying security error or not
149      * @return A new InboundWSSec
150      * @throws WSSecurityException
151      *          if the initialisation failed
152      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
153      *          if the configuration is invalid
154      */
155     public static InboundWSSec getInboundWSSec(WSSSecurityProperties securityProperties,
156                                                boolean initiator,
157                                                boolean returnSecurityError) throws WSSecurityException {
158         if (securityProperties == null) {
159             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "missingSecurityProperties");
160         }
161 
162         securityProperties = validateAndApplyDefaultsToInboundSecurityProperties(securityProperties);
163         return new InboundWSSec(securityProperties, initiator, returnSecurityError);
164     }
165 
166     /**
167      * Validates the user supplied configuration and applies default values as apropriate for the outbound security engine
168      *
169      * @param securityProperties The configuration to validate
170      * @return The validated configuration
171      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
172      *          if the configuration is invalid
173      */
174     public static WSSSecurityProperties validateAndApplyDefaultsToOutboundSecurityProperties(WSSSecurityProperties securityProperties)
175         throws WSSConfigurationException {
176         if (securityProperties.getActions() == null || securityProperties.getActions().isEmpty()) {
177             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noOutputAction");
178         }
179 
180         // Check for duplicate actions
181         if (new HashSet<XMLSecurityConstants.Action>(securityProperties.getActions()).size()
182             != securityProperties.getActions().size()) {
183             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "stax.duplicateActions");
184         }
185 
186         for (XMLSecurityConstants.Action action : securityProperties.getActions()) {
187             if (WSSConstants.TIMESTAMP.equals(action)) {
188                 if (securityProperties.getTimestampTTL() == null) {
189                     securityProperties.setTimestampTTL(300);
190                 }
191             } else if (WSSConstants.SIGNATURE.equals(action)) {
192                 checkOutboundSignatureProperties(securityProperties);
193             } else if (WSSConstants.ENCRYPT.equals(action)) {
194                 checkOutboundEncryptionProperties(securityProperties);
195             } else if (WSSConstants.USERNAMETOKEN.equals(action)) {
196                 if (securityProperties.getTokenUser() == null) {
197                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noTokenUser");
198                 }
199                 if (securityProperties.getCallbackHandler() == null
200                     && WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE != securityProperties.getUsernameTokenPasswordType()) {
201                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
202                 }
203                 if (securityProperties.getUsernameTokenPasswordType() == null) {
204                     securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
205                 }
206             } else if (WSSConstants.USERNAMETOKEN_SIGNED.equals(action)) {
207                 if (securityProperties.getTokenUser() == null) {
208                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noTokenUser");
209                 }
210                 if (securityProperties.getCallbackHandler() == null) {
211                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
212                 }
213                 if (securityProperties.getSignatureAlgorithm() == null) {
214                     securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
215                 }
216                 if (securityProperties.getSignatureDigestAlgorithm() == null) {
217                     securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
218                 }
219                 if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
220                     securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
221                 }
222                 securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_USERNAME_TOKEN_REFERENCE);
223                 if (securityProperties.getUsernameTokenPasswordType() == null) {
224                     securityProperties.setUsernameTokenPasswordType(WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST);
225                 }
226                 checkDefaultSecureParts(true, securityProperties);
227             } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
228                 checkOutboundSignatureDerivedProperties(securityProperties);
229             } else if (WSSConstants.ENCRYPTION_WITH_DERIVED_KEY.equals(action)) {
230                 checkOutboundEncryptionDerivedProperties(securityProperties);
231             } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
232                 if (securityProperties.getCallbackHandler() == null) {
233                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
234                 }
235                 if (securityProperties.getSamlCallbackHandler() == null) {
236                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSAMLCallbackHandler");
237                 }
238                 if (securityProperties.getSignatureAlgorithm() == null) {
239                     securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
240                 }
241                 if (securityProperties.getSignatureDigestAlgorithm() == null) {
242                     securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
243                 }
244                 if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
245                     securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
246                 }
247                 if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
248                     securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
249                 }
250                 checkDefaultSecureParts(true, securityProperties);
251             } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(action)
252                 && securityProperties.getSamlCallbackHandler() == null) {
253                 throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSAMLCallbackHandler");
254             } else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
255                 if (securityProperties.getCallbackHandler() == null) {
256                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
257                 }
258                 if (securityProperties.getSignatureAlgorithm() == null) {
259                     securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
260                 }
261                 if (securityProperties.getSignatureDigestAlgorithm() == null) {
262                     securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
263                 }
264                 if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
265                     securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
266                 }
267                 if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
268                     securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
269                 }
270                 checkDefaultSecureParts(true, securityProperties);
271             } else if (WSSConstants.ENCRYPTION_WITH_KERBEROS_TOKEN.equals(action)) {
272                 if (securityProperties.getCallbackHandler() == null) {
273                     throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
274                 }
275                 if (securityProperties.getEncryptionSymAlgorithm() == null) {
276                     securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
277                 }
278                 if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
279                     securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
280                 }
281                 checkDefaultSecureParts(false, securityProperties);
282             }
283         }
284         return new WSSSecurityProperties(securityProperties);
285     }
286 
287     private static void checkOutboundSignatureProperties(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
288         if (!WSSConstants.NS_XMLDSIG_HMACSHA1.equals(securityProperties.getSignatureAlgorithm())) {
289             if (securityProperties.getSignatureKeyStore() == null
290                 && securityProperties.getSignatureCryptoProperties() == null
291                 && securityProperties.getSignatureCrypto() == null) {
292                 throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "signatureKeyStoreNotSet");
293             }
294             if (securityProperties.getSignatureUser() == null) {
295                 throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noSignatureUser");
296             }
297             if (securityProperties.getCallbackHandler() == null) {
298                 throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
299             }
300         }
301         if (securityProperties.getSignatureAlgorithm() == null) {
302             securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
303         }
304         if (securityProperties.getSignatureDigestAlgorithm() == null) {
305             securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
306         }
307         if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
308             securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
309         }
310         if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
311             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
312         }
313         checkDefaultSecureParts(true, securityProperties);
314     }
315 
316     private static void checkOutboundSignatureDerivedProperties(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
317         if (securityProperties.getCallbackHandler() == null) {
318             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
319         }
320         if (securityProperties.getSignatureAlgorithm() == null) {
321             securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
322         }
323         if (securityProperties.getSignatureDigestAlgorithm() == null) {
324             securityProperties.setSignatureDigestAlgorithm(WSSConstants.NS_XMLDSIG_SHA1);
325         }
326         if (securityProperties.getSignatureCanonicalizationAlgorithm() == null) {
327             securityProperties.setSignatureCanonicalizationAlgorithm(WSSConstants.NS_C14N_EXCL);
328         }
329         if (securityProperties.getSignatureKeyIdentifiers().isEmpty()) {
330             securityProperties.setSignatureKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
331         }
332         if (securityProperties.getEncryptionSymAlgorithm() == null) {
333             securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
334         }
335         if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
336             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
337             //"RSA-OAEP is RECOMMENDED for the transport of AES keys"
338             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
339             securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
340         }
341         if (securityProperties.getEncryptionKeyIdentifier() == null) {
342             securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
343         }
344         if (securityProperties.getDerivedKeyKeyIdentifier() == null) {
345             securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
346         }
347         if (securityProperties.getDerivedKeyTokenReference() == null) {
348             securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.DirectReference);
349         }
350         if (securityProperties.getDerivedKeyTokenReference() != WSSConstants.DerivedKeyTokenReference.DirectReference) {
351             securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
352         }
353         checkDefaultSecureParts(true, securityProperties);
354     }
355 
356     private static void checkOutboundEncryptionProperties(WSSSecurityProperties securityProperties) throws WSSConfigurationException {
357         if (securityProperties.getEncryptionUseThisCertificate() == null
358             && securityProperties.getEncryptionKeyStore() == null
359             && securityProperties.getEncryptionCryptoProperties() == null
360             && !securityProperties.isUseReqSigCertForEncryption()
361             && securityProperties.isEncryptSymmetricEncryptionKey()
362             && securityProperties.getEncryptionCrypto() == null) {
363             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "encryptionKeyStoreNotSet");
364         }
365         if (securityProperties.getEncryptionUser() == null
366             && securityProperties.getEncryptionUseThisCertificate() == null
367             && !securityProperties.isUseReqSigCertForEncryption()
368             && securityProperties.isEncryptSymmetricEncryptionKey()) {
369             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noEncryptionUser");
370         }
371         if (securityProperties.getEncryptionSymAlgorithm() == null) {
372             securityProperties.setEncryptionSymAlgorithm(FIPSUtils.isFIPSEnabled()
373                 ? WSS4JConstants.AES_256_GCM : WSSConstants.NS_XENC_AES256);    
374         }
375         if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
376             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
377             //"RSA-OAEP is RECOMMENDED for the transport of AES keys"
378             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
379             securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
380         }
381         if (securityProperties.getEncryptionKeyIdentifier() == null) {
382             securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_IssuerSerial);
383         }
384         checkDefaultSecureParts(false, securityProperties);
385     }
386 
387     private static void checkOutboundEncryptionDerivedProperties(WSSSecurityProperties securityProperties)
388         throws WSSConfigurationException {
389         if (securityProperties.getCallbackHandler() == null) {
390             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noCallback");
391         }
392         if (securityProperties.getEncryptionUseThisCertificate() == null
393                 && securityProperties.getEncryptionKeyStore() == null
394                 && securityProperties.getEncryptionCryptoProperties() == null
395                 && !securityProperties.isUseReqSigCertForEncryption()
396                 && securityProperties.isEncryptSymmetricEncryptionKey()
397                 && securityProperties.getEncryptionCrypto() == null) {
398             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "encryptionKeyStoreNotSet");
399         }
400         if (securityProperties.getEncryptionUser() == null
401                 && securityProperties.getEncryptionUseThisCertificate() == null
402                 && !securityProperties.isUseReqSigCertForEncryption()
403                 && securityProperties.isEncryptSymmetricEncryptionKey()) {
404             throw new WSSConfigurationException(WSSConfigurationException.ErrorCode.FAILURE, "noEncryptionUser");
405         }
406         if (securityProperties.getEncryptionSymAlgorithm() == null) {
407             securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES256);
408         }
409         if (securityProperties.getEncryptionKeyTransportAlgorithm() == null) {
410             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-1_5 :
411             //"RSA-OAEP is RECOMMENDED for the transport of AES keys"
412             //@see http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#rsa-oaep-mgf1p
413             securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
414         }
415         if (securityProperties.getEncryptionKeyIdentifier() == null) {
416             securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
417         }
418         if (securityProperties.getDerivedKeyKeyIdentifier() == null) {
419             securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_X509KeyIdentifier);
420         }
421         if (securityProperties.getDerivedKeyTokenReference() == null) {
422             securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
423         }
424         if (securityProperties.getDerivedKeyTokenReference() != WSSConstants.DerivedKeyTokenReference.DirectReference) {
425             securityProperties.setDerivedKeyKeyIdentifier(WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE);
426         }
427         checkDefaultSecureParts(false, securityProperties);
428     }
429 
430     private static void checkDefaultSecureParts(boolean signature, WSSSecurityProperties securityProperties) {
431         if (signature) {
432             List<SecurePart> signatureParts = securityProperties.getSignatureSecureParts();
433             if (signatureParts.isEmpty()) {
434                 SecurePart securePart = new SecurePart(
435                     new QName(WSSConstants.NS_SOAP12, WSSConstants.TAG_SOAP_BODY_LN),
436                     SecurePart.Modifier.Element);
437                 signatureParts.add(securePart);
438             }
439         } else {
440             List<SecurePart> encryptionParts = securityProperties.getEncryptionSecureParts();
441             if (encryptionParts.isEmpty()) {
442                 SecurePart securePart = new SecurePart(
443                     new QName(WSSConstants.NS_SOAP12, WSSConstants.TAG_SOAP_BODY_LN),
444                     SecurePart.Modifier.Content);
445                 encryptionParts.add(securePart);
446             }
447         }
448     }
449 
450     /**
451      * Validates the user supplied configuration and applies default values as apropriate for the inbound security engine
452      *
453      * @param securityProperties The configuration to validate
454      * @return The validated configuration
455      * @throws org.apache.wss4j.stax.ext.WSSConfigurationException
456      *          if the configuration is invalid
457      */
458     public static WSSSecurityProperties validateAndApplyDefaultsToInboundSecurityProperties(WSSSecurityProperties securityProperties)
459         throws WSSConfigurationException {
460         return new WSSSecurityProperties(securityProperties);
461     }
462 
463     public static Schema loadWSSecuritySchemas() throws SAXException {
464         SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
465         schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
466         schemaFactory.setResourceResolver(new LSResourceResolver() {
467             @Override
468             public LSInput resolveResource(String type, String namespaceURI, String publicId, String systemId, String baseURI) {
469                 if ("http://www.w3.org/2001/XMLSchema.dtd".equals(systemId)) {
470                     ConcreteLSInput concreteLSInput = new ConcreteLSInput();
471                     concreteLSInput.setByteStream(ClassLoaderUtils.getResourceAsStream("schemas/XMLSchema.dtd", WSSec.class));
472                     return concreteLSInput;
473                 } else if ("XMLSchema.dtd".equals(systemId)) {
474                     ConcreteLSInput concreteLSInput = new ConcreteLSInput();
475                     concreteLSInput.setByteStream(ClassLoaderUtils.getResourceAsStream("schemas/XMLSchema.dtd", WSSec.class));
476                     return concreteLSInput;
477                 } else if ("datatypes.dtd".equals(systemId)) {
478                     ConcreteLSInput concreteLSInput = new ConcreteLSInput();
479                     concreteLSInput.setByteStream(ClassLoaderUtils.getResourceAsStream("schemas/datatypes.dtd", WSSec.class));
480                     return concreteLSInput;
481                 } else if ("http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd".equals(systemId)) {
482                     ConcreteLSInput concreteLSInput = new ConcreteLSInput();
483                     concreteLSInput.setByteStream(ClassLoaderUtils.getResourceAsStream("schemas/xmldsig-core-schema.xsd", WSSec.class));
484                     return concreteLSInput;
485                 } else if ("http://www.w3.org/2001/xml.xsd".equals(systemId)) {
486                     ConcreteLSInput concreteLSInput = new ConcreteLSInput();
487                     concreteLSInput.setByteStream(ClassLoaderUtils.getResourceAsStream("schemas/xml.xsd", WSSec.class));
488                     return concreteLSInput;
489                 }
490                 return null;
491             }
492         });
493 
494         Schema schema = schemaFactory.newSchema(
495                 new Source[] {
496                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xml.xsd", WSSec.class)),
497                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/soap-1.1.xsd", WSSec.class)),
498                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/soap-1.2.xsd", WSSec.class)),
499                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/exc-c14n.xsd", WSSec.class)),
500                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xmldsig-core-schema.xsd", WSSec.class)),
501                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xop-include.xsd", WSSec.class)),
502                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xenc-schema.xsd", WSSec.class)),
503                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xenc-schema-11.xsd", WSSec.class)),
504                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/xmldsig11-schema.xsd", WSSec.class)),
505                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd",
506                                                                               WSSec.class)),
507                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd",
508                                                                               WSSec.class)),
509                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/oasis-wss-wssecurity-secext-1.1.xsd",
510                                                                               WSSec.class)),
511                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/ws-secureconversation-200502.xsd",
512                                                                               WSSec.class)),
513                         new StreamSource(ClassLoaderUtils.getResourceAsStream("schemas/ws-secureconversation-1.3.xsd",
514                                                                               WSSec.class)),
515                 }
516         );
517         return schema;
518     }
519 }