ws-security-dom/src/main/java/org/apache/wss4j/dom/engine/WSSecurityEngine.java - ws-wss4j - Git at Google

 /**
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements. See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership. The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License. You may obtain a copy of the License at
  *
  * http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.wss4j.dom.engine;

 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;

 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.namespace.QName;

 import org.apache.wss4j.common.bsp.BSPRule;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.callback.CallbackLookup;
 import org.apache.wss4j.dom.callback.DOMCallbackLookup;
 import org.apache.wss4j.dom.handler.RequestData;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.processor.Processor;
 import org.apache.wss4j.dom.saml.DOMSAMLUtil;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;

 /**
  * WS-Security Engine.
  */
 public class WSSecurityEngine {
     private static final org.slf4j.Logger LOG =
         org.slf4j.LoggerFactory.getLogger(WSSecurityEngine.class);

     /**
      * The WSSConfig instance used by this SecurityEngine to
      * find Processors for processing security headers
      */
     private WSSConfig wssConfig;
     private boolean doDebug;
     private CallbackLookup callbackLookup;

     /**
      * @return      the WSSConfig object set on this instance
      */
     public final WSSConfig
     getWssConfig() {
         if (wssConfig == null) {
             wssConfig = WSSConfig.getNewInstance();
         }
         return wssConfig;
     }

     /**
      * @param cfg   the WSSConfig instance for this WSSecurityEngine to use
      *
      * @return      the WSSConfig instance previously set on this
      *              WSSecurityEngine instance
      */
     public final WSSConfig
     setWssConfig(WSSConfig cfg) {
         WSSConfig ret = wssConfig;
         wssConfig = cfg;
         return ret;
     }

     /**
      * Set the CallbackLookup object to use to locate elements
      * @param callbackLookup the CallbackLookup object to use to locate elements
      */
     public void setCallbackLookup(CallbackLookup callbackLookup) {
         this.callbackLookup = callbackLookup;
     }

     /**
      * Get the CallbackLookup object to use to locate elements
      * @return the CallbackLookup object to use to locate elements
      */
     public CallbackLookup getCallbackLookup() {
         return callbackLookup;
     }

     /**
      * Process the security header given the soap envelope as W3C document.
      * <p/>
      * This is the main entry point to verify or decrypt a SOAP envelope.
      * First check if a <code>wsse:Security</code> is available with the
      * defined actor.
      *
      * @param doc    the SOAP envelope as {@link Document}
      * @param actor  the engine works on behalf of this <code>actor</code>. Refer
      *               to the SOAP specification about <code>actor</code> or <code>role
      *               </code>
      * @param cb     a callback hander to the caller to resolve passwords during
      *               encryption and UsernameToken handling
      * @param crypto the object that implements the access to the keystore and the
      *               handling of certificates.
      * @return a WSHandlerResult Object containing the results of processing the security header
      * @throws WSSecurityException
      * @see WSSecurityEngine#processSecurityHeader(Element securityHeader, CallbackHandler cb,
      * Crypto sigVerCrypto, Crypto decCrypto)
      */
     public WSHandlerResult processSecurityHeader(
         Document doc,
         String actor,
         CallbackHandler cb,
         Crypto crypto
     ) throws WSSecurityException {
         return processSecurityHeader(doc, actor, cb, crypto, crypto);
     }

     /**
      * Process the security header given the soap envelope as W3C document.
      * <p/>
      * This is the main entry point to verify or decrypt a SOAP envelope.
      * First check if a <code>wsse:Security</code> is available with the
      * defined actor.
      *
      * @param doc       the SOAP envelope as {@link Document}
      * @param actor     the engine works on behalf of this <code>actor</code>. Refer
      *                  to the SOAP specification about <code>actor</code> or <code>role
      *                  </code>
      * @param cb        a callback hander to the caller to resolve passwords during
      *                  encryption and UsernameToken handling
      * @param sigVerCrypto the object that implements the access to the keystore and the
      *                  handling of certificates for Signature verification
      * @param decCrypto the object that implements the access to the keystore and the
      *                  handling of certificates for Decryption
      * @return a WSHandlerResult Object containing the results of processing the security header
      * @throws WSSecurityException
      * @see WSSecurityEngine#processSecurityHeader(
      * Element securityHeader, CallbackHandler cb, Crypto sigVerCrypto, Crypto decCrypto)
      */
     public WSHandlerResult processSecurityHeader(
         Document doc,
         String actor,
         CallbackHandler cb,
         Crypto sigVerCrypto,
         Crypto decCrypto
     ) throws WSSecurityException {
         LOG.debug("enter processSecurityHeader()");

         if (actor == null) {
             actor = "";
         }
         WSHandlerResult wsResult = null;
         Element elem = WSSecurityUtil.getSecurityHeader(doc, actor);
         if (elem != null) {
             LOG.debug("Processing WS-Security header for '{}' actor.", actor);
             wsResult = processSecurityHeader(elem, actor, cb, sigVerCrypto, decCrypto);
         }
         return wsResult;
     }

     /**
      * Process the security header given the <code>wsse:Security</code> DOM
      * Element.
      *
      * This function loops over all direct child elements of the
      * <code>wsse:Security</code> header. If it finds a known element, it
      * transfers control to the appropriate handling function. The method
      * processes the known child elements in the same order as they appear in
      * the <code>wsse:Security</code> element. This is in accordance to the WS
      * Security specification. <p/>
      *
      * Currently the functions can handle the following child elements:
      *
      * <ul>
      * <li>{@link #SIGNATURE <code>ds:Signature</code>}</li>
      * <li>{@link #ENCRYPTED_KEY <code>xenc:EncryptedKey</code>}</li>
      * <li>{@link #REFERENCE_LIST <code>xenc:ReferenceList</code>}</li>
      * <li>{@link #USERNAME_TOKEN <code>wsse:UsernameToken</code>}</li>
      * <li>{@link #TIMESTAMP <code>wsu:Timestamp</code>}</li>
      * </ul>
      *
      * Note that additional child elements can be processed if appropriate
      * Processors have been registered with the WSSCondig instance set
      * on this class.
      *
      * @param securityHeader the <code>wsse:Security</code> header element
      * @param cb             a callback hander to the caller to resolve passwords during
      *                       encryption and UsernameToken handling
      * @param sigVerCrypto   the object that implements the access to the keystore and the
      *                       handling of certificates used for Signature verification
      * @param decCrypto      the object that implements the access to the keystore and the
      *                       handling of certificates used for Decryption
      * @return a WSHandlerResult Object containing the results of processing the security header
      * @throws WSSecurityException
      */
     public WSHandlerResult processSecurityHeader(
         Element securityHeader,
         String actor,
         CallbackHandler cb,
         Crypto sigVerCrypto,
         Crypto decCrypto
     ) throws WSSecurityException {
         RequestData data = new RequestData();
         data.setActor(actor);
         data.setWssConfig(getWssConfig());
         data.setDecCrypto(decCrypto);
         data.setSigVerCrypto(sigVerCrypto);
         data.setCallbackHandler(cb);
         return processSecurityHeader(securityHeader, data);
     }

     /**
      * Process the security header given the soap envelope as W3C document.
      * <p/>
      * This is the main entry point to verify or decrypt a SOAP envelope.
      * First check if a <code>wsse:Security</code> is available with the
      * defined actor.
      *
      * @param doc       the SOAP envelope as {@link Document}
      * @param requestData    the RequestData associated with the request.  It should
      *                       be able to provide the callback handler, cryptos, etc...
      *                       as needed by the processing
      * @return a WSHandlerResult Object containing the results of processing the security header
      * @throws WSSecurityException
      */
     public WSHandlerResult processSecurityHeader(
         Document doc, RequestData requestData
     ) throws WSSecurityException {
         if (requestData.getActor() == null) {
             requestData.setActor("");
         }
         String actor = requestData.getActor();
         WSHandlerResult wsResult = null;
         Element elem = WSSecurityUtil.getSecurityHeader(doc, actor);
         if (elem != null) {
             if (doDebug) {
                 LOG.debug("Processing WS-Security header for '" + actor + "' actor.");
             }
             wsResult = processSecurityHeader(elem, requestData);
         }
         return wsResult;
     }

     /**
      * Process the security header given the <code>wsse:Security</code> DOM
      * Element.
      *
      * This function loops over all direct child elements of the
      * <code>wsse:Security</code> header. If it finds a known element, it
      * transfers control to the appropriate handling function. The method
      * processes the known child elements in the same order as they appear in
      * the <code>wsse:Security</code> element. This is in accordance to the WS
      * Security specification. <p/>
      *
      * Currently the functions can handle the following child elements:
      *
      * <ul>
      * <li>{@link #SIGNATURE <code>ds:Signature</code>}</li>
      * <li>{@link #ENCRYPTED_KEY <code>xenc:EncryptedKey</code>}</li>
      * <li>{@link #REFERENCE_LIST <code>xenc:ReferenceList</code>}</li>
      * <li>{@link #USERNAME_TOKEN <code>wsse:UsernameToken</code>}</li>
      * <li>{@link #TIMESTAMP <code>wsu:Timestamp</code>}</li>
      * </ul>
      *
      * Note that additional child elements can be processed if appropriate
      * Processors have been registered with the WSSCondig instance set
      * on this class.
      *
      * @param securityHeader the <code>wsse:Security</code> header element
      * @param requestData    the RequestData associated with the request.  It should
      *                       be able to provide the callback handler, cryptos, etc...
      *                       as needed by the processing
      * @return a WSHandlerResult Object containing the results of processing the security header
      * @throws WSSecurityException
      */
     public WSHandlerResult processSecurityHeader(
         Element securityHeader,
         RequestData requestData
     ) throws WSSecurityException {
         if (securityHeader == null) {
             List<WSSecurityEngineResult> results = Collections.emptyList();
             Map<Integer, List<WSSecurityEngineResult>> actionResults = Collections.emptyMap();
             return new WSHandlerResult(null, results, actionResults);
         }

         if (requestData.getWssConfig() == null) {
             requestData.setWssConfig(getWssConfig());
         }

         //
         // Gather some info about the document to process and store
         // it for retrieval. Store the implementation of signature crypto
         // (no need for encryption --- yet)
         //
         WSDocInfo wsDocInfo = new WSDocInfo(securityHeader.getOwnerDocument());
         CallbackLookup callbackLookupToUse = callbackLookup;
         if (callbackLookupToUse == null) {
             callbackLookupToUse = new DOMCallbackLookup(securityHeader.getOwnerDocument());
         }
         wsDocInfo.setCallbackLookup(callbackLookupToUse);
         wsDocInfo.setCrypto(requestData.getSigVerCrypto());
         wsDocInfo.setSecurityHeader(securityHeader);
         requestData.setWsDocInfo(wsDocInfo);

         final WSSConfig cfg = getWssConfig();
         Node node = securityHeader.getFirstChild();

         List<WSSecurityEngineResult> returnResults = new LinkedList<>();
         boolean foundTimestamp = false;
         while (node != null) {
             Node nextSibling = node.getNextSibling();
             if (Node.ELEMENT_NODE == node.getNodeType()) {
                 QName el = new QName(node.getNamespaceURI(), node.getLocalName());

                 // Check for multiple timestamps
                 if (foundTimestamp && el.equals(WSConstants.TIMESTAMP)) {
                     requestData.getBSPEnforcer().handleBSPRule(BSPRule.R3227);
                 } else if (el.equals(WSConstants.TIMESTAMP)) {
                     foundTimestamp = true;
                 }
                 //
                 // Call the processor for this token. After the processor returns,
                 // store it for later retrieval. The token processor may store some
                 // information about the processed token
                 //
                 Processor p = cfg.getProcessor(el);
                 if (p != null) {
                     List<WSSecurityEngineResult> results = p.handleToken((Element) node, requestData);
                     if (!results.isEmpty()) {
                         returnResults.addAll(0, results);
                     }
                 } else {
                     if (doDebug) {
                         LOG.debug(
                             "Unknown Element: " + node.getLocalName() + " " + node.getNamespaceURI()
                         );
                     }
                 }
             }
             //
             // If the next sibling is null and the stored next sibling is not null, then we have
             // encountered an EncryptedData element which was decrypted, and so the next sibling
             // of the current node is null. In that case, go on to the previously stored next
             // sibling
             //
             if (node.getNextSibling() == null && nextSibling != null
                 && nextSibling.getParentNode() != null) {
                 node = nextSibling;
             } else {
                 node = node.getNextSibling();
             }
         }

         WSHandlerResult handlerResult =
             new WSHandlerResult(requestData.getActor(), returnResults, wsDocInfo.getActionResults());

         // Validate SAML Subject Confirmation requirements
         if (requestData.isValidateSamlSubjectConfirmation()) {
             Element bodyElement = callbackLookupToUse.getSOAPBody();
             DOMSAMLUtil.validateSAMLResults(handlerResult, requestData.getTlsCerts(), bodyElement);
         }

         wsDocInfo.clear();

         return handlerResult;
     }
 }
	/**
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.wss4j.dom.engine;

	import java.util.Collections;
	import java.util.LinkedList;
	import java.util.List;
	import java.util.Map;

	import javax.security.auth.callback.CallbackHandler;
	import javax.xml.namespace.QName;

	import org.apache.wss4j.common.bsp.BSPRule;
	import org.apache.wss4j.common.crypto.Crypto;
	import org.apache.wss4j.common.ext.WSSecurityException;
	import org.apache.wss4j.dom.WSConstants;
	import org.apache.wss4j.dom.WSDocInfo;
	import org.apache.wss4j.dom.callback.CallbackLookup;
	import org.apache.wss4j.dom.callback.DOMCallbackLookup;
	import org.apache.wss4j.dom.handler.RequestData;
	import org.apache.wss4j.dom.handler.WSHandlerResult;
	import org.apache.wss4j.dom.processor.Processor;
	import org.apache.wss4j.dom.saml.DOMSAMLUtil;
	import org.apache.wss4j.dom.util.WSSecurityUtil;
	import org.w3c.dom.Document;
	import org.w3c.dom.Element;
	import org.w3c.dom.Node;

	/**
	* WS-Security Engine.
	*/
	public class WSSecurityEngine {
	private static final org.slf4j.Logger LOG =
	org.slf4j.LoggerFactory.getLogger(WSSecurityEngine.class);

	/**
	* The WSSConfig instance used by this SecurityEngine to
	* find Processors for processing security headers
	*/
	private WSSConfig wssConfig;
	private boolean doDebug;
	private CallbackLookup callbackLookup;

	/**
	* @return the WSSConfig object set on this instance
	*/
	public final WSSConfig
	getWssConfig() {
	if (wssConfig == null) {
	wssConfig = WSSConfig.getNewInstance();
	}
	return wssConfig;
	}

	/**
	* @param cfg the WSSConfig instance for this WSSecurityEngine to use
	*
	* @return the WSSConfig instance previously set on this
	* WSSecurityEngine instance
	*/
	public final WSSConfig
	setWssConfig(WSSConfig cfg) {
	WSSConfig ret = wssConfig;
	wssConfig = cfg;
	return ret;
	}

	/**
	* Set the CallbackLookup object to use to locate elements
	* @param callbackLookup the CallbackLookup object to use to locate elements
	*/
	public void setCallbackLookup(CallbackLookup callbackLookup) {
	this.callbackLookup = callbackLookup;
	}

	/**
	* Get the CallbackLookup object to use to locate elements
	* @return the CallbackLookup object to use to locate elements
	*/
	public CallbackLookup getCallbackLookup() {
	return callbackLookup;
	}

	/**
	* Process the security header given the soap envelope as W3C document.
	* <p/>
	* This is the main entry point to verify or decrypt a SOAP envelope.
	* First check if a <code>wsse:Security</code> is available with the
	* defined actor.
	*
	* @param doc the SOAP envelope as {@link Document}
	* @param actor the engine works on behalf of this <code>actor</code>. Refer
	* to the SOAP specification about <code>actor</code> or <code>role
	* </code>
	* @param cb a callback hander to the caller to resolve passwords during
	* encryption and UsernameToken handling
	* @param crypto the object that implements the access to the keystore and the
	* handling of certificates.
	* @return a WSHandlerResult Object containing the results of processing the security header
	* @throws WSSecurityException
	* @see WSSecurityEngine#processSecurityHeader(Element securityHeader, CallbackHandler cb,
	* Crypto sigVerCrypto, Crypto decCrypto)
	*/
	public WSHandlerResult processSecurityHeader(
	Document doc,
	String actor,
	CallbackHandler cb,
	Crypto crypto
	) throws WSSecurityException {
	return processSecurityHeader(doc, actor, cb, crypto, crypto);
	}

	/**
	* Process the security header given the soap envelope as W3C document.
	* <p/>
	* This is the main entry point to verify or decrypt a SOAP envelope.
	* First check if a <code>wsse:Security</code> is available with the
	* defined actor.
	*
	* @param doc the SOAP envelope as {@link Document}
	* @param actor the engine works on behalf of this <code>actor</code>. Refer
	* to the SOAP specification about <code>actor</code> or <code>role
	* </code>
	* @param cb a callback hander to the caller to resolve passwords during
	* encryption and UsernameToken handling
	* @param sigVerCrypto the object that implements the access to the keystore and the
	* handling of certificates for Signature verification
	* @param decCrypto the object that implements the access to the keystore and the
	* handling of certificates for Decryption
	* @return a WSHandlerResult Object containing the results of processing the security header
	* @throws WSSecurityException
	* @see WSSecurityEngine#processSecurityHeader(
	* Element securityHeader, CallbackHandler cb, Crypto sigVerCrypto, Crypto decCrypto)
	*/
	public WSHandlerResult processSecurityHeader(
	Document doc,
	String actor,
	CallbackHandler cb,
	Crypto sigVerCrypto,
	Crypto decCrypto
	) throws WSSecurityException {
	LOG.debug("enter processSecurityHeader()");

	if (actor == null) {
	actor = "";
	}
	WSHandlerResult wsResult = null;
	Element elem = WSSecurityUtil.getSecurityHeader(doc, actor);
	if (elem != null) {
	LOG.debug("Processing WS-Security header for '{}' actor.", actor);
	wsResult = processSecurityHeader(elem, actor, cb, sigVerCrypto, decCrypto);
	}
	return wsResult;
	}

	/**
	* Process the security header given the <code>wsse:Security</code> DOM
	* Element.
	*
	* This function loops over all direct child elements of the
	* <code>wsse:Security</code> header. If it finds a known element, it
	* transfers control to the appropriate handling function. The method
	* processes the known child elements in the same order as they appear in
	* the <code>wsse:Security</code> element. This is in accordance to the WS
	* Security specification. <p/>
	*
	* Currently the functions can handle the following child elements:
	*
	* <ul>
	* <li>{@link #SIGNATURE <code>ds:Signature</code>}</li>
	* <li>{@link #ENCRYPTED_KEY <code>xenc:EncryptedKey</code>}</li>
	* <li>{@link #REFERENCE_LIST <code>xenc:ReferenceList</code>}</li>
	* <li>{@link #USERNAME_TOKEN <code>wsse:UsernameToken</code>}</li>
	* <li>{@link #TIMESTAMP <code>wsu:Timestamp</code>}</li>
	* </ul>
	*
	* Note that additional child elements can be processed if appropriate
	* Processors have been registered with the WSSCondig instance set
	* on this class.
	*
	* @param securityHeader the <code>wsse:Security</code> header element
	* @param cb a callback hander to the caller to resolve passwords during
	* encryption and UsernameToken handling
	* @param sigVerCrypto the object that implements the access to the keystore and the
	* handling of certificates used for Signature verification
	* @param decCrypto the object that implements the access to the keystore and the
	* handling of certificates used for Decryption
	* @return a WSHandlerResult Object containing the results of processing the security header
	* @throws WSSecurityException
	*/
	public WSHandlerResult processSecurityHeader(
	Element securityHeader,
	String actor,
	CallbackHandler cb,
	Crypto sigVerCrypto,
	Crypto decCrypto
	) throws WSSecurityException {
	RequestData data = new RequestData();
	data.setActor(actor);
	data.setWssConfig(getWssConfig());
	data.setDecCrypto(decCrypto);
	data.setSigVerCrypto(sigVerCrypto);
	data.setCallbackHandler(cb);
	return processSecurityHeader(securityHeader, data);
	}

	/**
	* Process the security header given the soap envelope as W3C document.
	* <p/>
	* This is the main entry point to verify or decrypt a SOAP envelope.
	* First check if a <code>wsse:Security</code> is available with the
	* defined actor.
	*
	* @param doc the SOAP envelope as {@link Document}
	* @param requestData the RequestData associated with the request. It should
	* be able to provide the callback handler, cryptos, etc...
	* as needed by the processing
	* @return a WSHandlerResult Object containing the results of processing the security header
	* @throws WSSecurityException
	*/
	public WSHandlerResult processSecurityHeader(
	Document doc, RequestData requestData
	) throws WSSecurityException {
	if (requestData.getActor() == null) {
	requestData.setActor("");
	}
	String actor = requestData.getActor();
	WSHandlerResult wsResult = null;
	Element elem = WSSecurityUtil.getSecurityHeader(doc, actor);
	if (elem != null) {
	if (doDebug) {
	LOG.debug("Processing WS-Security header for '" + actor + "' actor.");
	}
	wsResult = processSecurityHeader(elem, requestData);
	}
	return wsResult;
	}

	/**
	* Process the security header given the <code>wsse:Security</code> DOM
	* Element.
	*
	* This function loops over all direct child elements of the
	* <code>wsse:Security</code> header. If it finds a known element, it
	* transfers control to the appropriate handling function. The method
	* processes the known child elements in the same order as they appear in
	* the <code>wsse:Security</code> element. This is in accordance to the WS
	* Security specification. <p/>
	*
	* Currently the functions can handle the following child elements:
	*
	* <ul>
	* <li>{@link #SIGNATURE <code>ds:Signature</code>}</li>
	* <li>{@link #ENCRYPTED_KEY <code>xenc:EncryptedKey</code>}</li>
	* <li>{@link #REFERENCE_LIST <code>xenc:ReferenceList</code>}</li>
	* <li>{@link #USERNAME_TOKEN <code>wsse:UsernameToken</code>}</li>
	* <li>{@link #TIMESTAMP <code>wsu:Timestamp</code>}</li>
	* </ul>
	*
	* Note that additional child elements can be processed if appropriate
	* Processors have been registered with the WSSCondig instance set
	* on this class.
	*
	* @param securityHeader the <code>wsse:Security</code> header element
	* @param requestData the RequestData associated with the request. It should
	* be able to provide the callback handler, cryptos, etc...
	* as needed by the processing
	* @return a WSHandlerResult Object containing the results of processing the security header
	* @throws WSSecurityException
	*/
	public WSHandlerResult processSecurityHeader(
	Element securityHeader,
	RequestData requestData
	) throws WSSecurityException {
	if (securityHeader == null) {
	List<WSSecurityEngineResult> results = Collections.emptyList();
	Map<Integer, List<WSSecurityEngineResult>> actionResults = Collections.emptyMap();
	return new WSHandlerResult(null, results, actionResults);
	}

	if (requestData.getWssConfig() == null) {
	requestData.setWssConfig(getWssConfig());
	}

	//
	// Gather some info about the document to process and store
	// it for retrieval. Store the implementation of signature crypto
	// (no need for encryption --- yet)
	//
	WSDocInfo wsDocInfo = new WSDocInfo(securityHeader.getOwnerDocument());
	CallbackLookup callbackLookupToUse = callbackLookup;
	if (callbackLookupToUse == null) {
	callbackLookupToUse = new DOMCallbackLookup(securityHeader.getOwnerDocument());
	}
	wsDocInfo.setCallbackLookup(callbackLookupToUse);
	wsDocInfo.setCrypto(requestData.getSigVerCrypto());
	wsDocInfo.setSecurityHeader(securityHeader);
	requestData.setWsDocInfo(wsDocInfo);

	final WSSConfig cfg = getWssConfig();
	Node node = securityHeader.getFirstChild();

	List<WSSecurityEngineResult> returnResults = new LinkedList<>();
	boolean foundTimestamp = false;
	while (node != null) {
	Node nextSibling = node.getNextSibling();
	if (Node.ELEMENT_NODE == node.getNodeType()) {
	QName el = new QName(node.getNamespaceURI(), node.getLocalName());

	// Check for multiple timestamps
	if (foundTimestamp && el.equals(WSConstants.TIMESTAMP)) {
	requestData.getBSPEnforcer().handleBSPRule(BSPRule.R3227);
	} else if (el.equals(WSConstants.TIMESTAMP)) {
	foundTimestamp = true;
	}
	//
	// Call the processor for this token. After the processor returns,
	// store it for later retrieval. The token processor may store some
	// information about the processed token
	//
	Processor p = cfg.getProcessor(el);
	if (p != null) {
	List<WSSecurityEngineResult> results = p.handleToken((Element) node, requestData);
	if (!results.isEmpty()) {
	returnResults.addAll(0, results);
	}
	} else {
	if (doDebug) {
	LOG.debug(
	"Unknown Element: " + node.getLocalName() + " " + node.getNamespaceURI()
	);
	}
	}
	}
	//
	// If the next sibling is null and the stored next sibling is not null, then we have
	// encountered an EncryptedData element which was decrypted, and so the next sibling
	// of the current node is null. In that case, go on to the previously stored next
	// sibling
	//
	if (node.getNextSibling() == null && nextSibling != null
	&& nextSibling.getParentNode() != null) {
	node = nextSibling;
	} else {
	node = node.getNextSibling();
	}
	}

	WSHandlerResult handlerResult =
	new WSHandlerResult(requestData.getActor(), returnResults, wsDocInfo.getActionResults());

	// Validate SAML Subject Confirmation requirements
	if (requestData.isValidateSamlSubjectConfirmation()) {
	Element bodyElement = callbackLookupToUse.getSOAPBody();
	DOMSAMLUtil.validateSAMLResults(handlerResult, requestData.getTlsCerts(), bodyElement);
	}

	wsDocInfo.clear();

	return handlerResult;
	}
	}