20 package org.apache.ws.security.common;
21
22 import org.apache.ws.security.WSSecurityException;
23 import org.apache.ws.security.handler.RequestData;
24 import org.apache.ws.security.saml.ext.AssertionWrapper;
25 import org.apache.ws.security.validate.Credential;
26 import org.apache.ws.security.validate.SamlAssertionValidator;
27
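/**
 * SAML assertion validator used by the test suite. It first runs the standard
 * WSS4J validation of the superclass and then imposes two extra requirements
 * on the assertion: the issuer must be {@code www.example.com} and the
 * subject's name identifier must contain {@code uid=joe}.
 *
 * Order matters: {@code super.validate(...)} runs first, so the issuer and
 * subject checks are only ever applied to an assertion that already passed
 * the generic validation. Every rejection below is reported as a
 * {@link WSSecurityException}; malformed assertions (missing Subject,
 * missing NameIdentifier/NameID, unexpected statement types) no longer
 * surface as NullPointerException/ClassCastException.
 */
public class CustomSamlAssertionValidator extends SamlAssertionValidator {

    /** Issuer the assertion must carry. */
    private static final String EXPECTED_ISSUER = "www.example.com";

    /** Fragment the subject's name identifier must contain. */
    private static final String EXPECTED_SUBJECT_FRAGMENT = "uid=joe";

    /**
     * Validates the credential's SAML assertion.
     *
     * @param credential the credential holding the assertion to validate
     * @param data the request data handed to the superclass validator
     * @return the credential returned by {@link SamlAssertionValidator#validate}
     * @throws WSSecurityException if the generic validation fails, the issuer
     *         is not the expected one, the assertion carries no Subject, or
     *         the subject's name identifier does not contain the expected
     *         fragment
     */
    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        // Generic validation first (signature, trust, conditions). Nothing
        // below is reached for an assertion that fails here.
        Credential returnedCredential = super.validate(credential, data);

        AssertionWrapper assertion = credential.getAssertion();
        if (!EXPECTED_ISSUER.equals(assertion.getIssuerString())) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }

        String nameIdentifier;
        if (assertion.getSaml1() != null) {
            nameIdentifier = extractSaml1NameIdentifier(assertion.getSaml1());
        } else {
            nameIdentifier = extractSaml2NameIdentifier(assertion.getSaml2());
        }

        // NOTE(review): this is a substring match, so any identifier merely
        // containing "uid=joe" (e.g. "uid=joey") is accepted. Presumably the
        // fixtures carry a full DN ("uid=joe,ou=...") — verify against them
        // before tightening this to an equality or RDN comparison.
        if (nameIdentifier == null || !nameIdentifier.contains(EXPECTED_SUBJECT_FRAGMENT)) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }

        return returnedCredential;
    }

    /**
     * Returns the NameIdentifier value of the Subject of a SAML 1.x assertion.
     * The Subject is taken from the first Attribute or Authentication
     * statement; an AuthorizationDecision statement only supplies it when no
     * later Attribute/Authentication statement is present. Other statement
     * types are ignored rather than cast blindly.
     *
     * @param saml1Assertion the SAML 1.x assertion to inspect
     * @return the name identifier, or {@code null} if the Subject has none
     * @throws WSSecurityException if no statement carries a Subject
     */
    private static String extractSaml1NameIdentifier(
        org.opensaml.saml1.core.Assertion saml1Assertion
    ) throws WSSecurityException {
        org.opensaml.saml1.core.Subject samlSubject = null;
        for (org.opensaml.saml1.core.Statement stmt : saml1Assertion.getStatements()) {
            if (stmt instanceof org.opensaml.saml1.core.AttributeStatement) {
                samlSubject = ((org.opensaml.saml1.core.AttributeStatement) stmt).getSubject();
                break;
            } else if (stmt instanceof org.opensaml.saml1.core.AuthenticationStatement) {
                samlSubject = ((org.opensaml.saml1.core.AuthenticationStatement) stmt).getSubject();
                break;
            } else if (stmt instanceof org.opensaml.saml1.core.AuthorizationDecisionStatement) {
                // No break here on purpose: a later Attribute/Authentication
                // statement still takes precedence, as in the original logic.
                samlSubject =
                    ((org.opensaml.saml1.core.AuthorizationDecisionStatement) stmt).getSubject();
            }
            // Any other statement type is skipped instead of raising a
            // ClassCastException out of the validator.
        }

        if (samlSubject == null) {
            throw new WSSecurityException(
                WSSecurityException.FAILURE, "invalidSAMLToken",
                new Object[] {"for Signature (no Subject)"}
            );
        }
        // A Subject without a NameIdentifier yields null; the caller rejects it.
        if (samlSubject.getNameIdentifier() == null) {
            return null;
        }
        return samlSubject.getNameIdentifier().getNameIdentifier();
    }

    /**
     * Returns the NameID value of the Subject of a SAML 2.0 assertion.
     *
     * @param saml2Assertion the SAML 2.0 assertion to inspect
     * @return the NameID value, or {@code null} if the Subject has no NameID
     * @throws WSSecurityException if there is no assertion or it has no Subject
     */
    private static String extractSaml2NameIdentifier(
        org.opensaml.saml2.core.Assertion saml2Assertion
    ) throws WSSecurityException {
        // Neither a SAML 1 nor a SAML 2 assertion, or no Subject at all:
        // reject explicitly instead of dereferencing null.
        if (saml2Assertion == null || saml2Assertion.getSubject() == null) {
            throw new WSSecurityException(
                WSSecurityException.FAILURE, "invalidSAMLToken",
                new Object[] {"for Signature (no Subject)"}
            );
        }
        org.opensaml.saml2.core.Subject subject = saml2Assertion.getSubject();
        // A Subject without a NameID yields null; the caller rejects it.
        if (subject.getNameID() == null) {
            return null;
        }
        return subject.getNameID().getValue();
    }

}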