20 package org.apache.wss4j.dom.common;
21
22 import org.apache.wss4j.common.ext.WSSecurityException;
23 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
24 import org.apache.wss4j.dom.handler.RequestData;
25 import org.apache.wss4j.dom.validate.Credential;
26 import org.apache.wss4j.dom.validate.SamlAssertionValidator;
27
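public class CustomSamlAssertionValidator extends SamlAssertionValidator {

    /** The only Issuer value this validator accepts (compared with exact equality). */
    private static final String EXPECTED_ISSUER = "www.example.com";

    /**
     * Fragment that must appear in the Subject's name identifier. NOTE(review):
     * this is a substring test (see {@link #requireExpectedSubject}), so values
     * such as {@code uid=joey} or a DN that merely embeds {@code uid=joe} also
     * pass. That is acceptable for a test fixture; a production validator should
     * compare the whole value (or parse the DN) instead.
     */
    private static final String EXPECTED_SUBJECT_FRAGMENT = "uid=joe";

    /**
     * Validates a SAML credential with the standard WSS4J checks and then applies
     * two additional, application-specific checks on the assertion:
     * <ol>
     *   <li>the Issuer must be exactly {@code www.example.com};</li>
     *   <li>the Subject's NameIdentifier (SAML 1.1) or NameID (SAML 2.0) value
     *       must contain {@code uid=joe}.</li>
     * </ol>
     * The extra checks run only after {@code super.validate(...)} has accepted the
     * credential, so an assertion that fails the base checks never reaches them.
     *
     * @param credential the credential carrying the SAML assertion to validate
     * @param data       the per-request data handed to the base validator
     * @return whatever {@code super.validate(...)} returned for this credential
     * @throws WSSecurityException with error code {@code FAILURE} when the base
     *         validation fails, when the assertion has no Subject / name
     *         identifier, or when the issuer or subject check does not match
     */
    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        // Base validation first; its exact set of checks is defined by SamlAssertionValidator.
        Credential returnedCredential = super.validate(credential, data);

        SamlAssertionWrapper samlAssertion = credential.getSamlAssertion();
        if (samlAssertion == null) {
            // Nothing to apply the issuer/subject checks to: fail closed rather than NPE.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        if (!EXPECTED_ISSUER.equals(samlAssertion.getIssuerString())) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }

        String nameIdentifier;
        if (samlAssertion.getSaml1() != null) {
            nameIdentifier = saml1NameIdentifier(samlAssertion.getSaml1());
        } else if (samlAssertion.getSaml2() != null) {
            nameIdentifier = saml2NameIdentifier(samlAssertion.getSaml2());
        } else {
            // Neither a SAML 1.1 nor a SAML 2.0 assertion is present; fail closed.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        requireExpectedSubject(nameIdentifier);

        return returnedCredential;
    }

    /**
     * Extracts the Subject's NameIdentifier value from a SAML 1.1 assertion.
     * <p>
     * Precedence mirrors the original behaviour: the first AttributeStatement or
     * AuthenticationStatement wins; otherwise the last AuthorizationDecisionStatement
     * seen is used. Statements of any other type are ignored instead of being blindly
     * cast (the previous code would have thrown a {@code ClassCastException}).
     *
     * @return the NameIdentifier value, possibly {@code null} if the element has no text
     * @throws WSSecurityException if no statement carries a Subject, or the Subject has
     *         no NameIdentifier element
     */
    private static String saml1NameIdentifier(org.opensaml.saml.saml1.core.Assertion saml1Assertion)
        throws WSSecurityException {
        org.opensaml.saml.saml1.core.Subject samlSubject = null;
        for (org.opensaml.saml.saml1.core.Statement stmt : saml1Assertion.getStatements()) {
            if (stmt instanceof org.opensaml.saml.saml1.core.AttributeStatement) {
                samlSubject = ((org.opensaml.saml.saml1.core.AttributeStatement) stmt).getSubject();
                break;
            } else if (stmt instanceof org.opensaml.saml.saml1.core.AuthenticationStatement) {
                samlSubject = ((org.opensaml.saml.saml1.core.AuthenticationStatement) stmt).getSubject();
                break;
            } else if (stmt instanceof org.opensaml.saml.saml1.core.AuthorizationDecisionStatement) {
                // Fallback only: keep scanning in case an attribute/authentication statement follows.
                samlSubject = ((org.opensaml.saml.saml1.core.AuthorizationDecisionStatement) stmt).getSubject();
            }
        }

        if (samlSubject == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "invalidSAMLToken",
                new Object[] {"for Signature (no Subject)"}
            );
        }
        org.opensaml.saml.saml1.core.NameIdentifier nameId = samlSubject.getNameIdentifier();
        if (nameId == null) {
            // A Subject may carry only a SubjectConfirmation; without a NameIdentifier
            // there is nothing to match against, so reject it.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        return nameId.getValue();
    }

    /**
     * Extracts the Subject's NameID value from a SAML 2.0 assertion.
     *
     * @return the NameID value, possibly {@code null} if the element has no text
     * @throws WSSecurityException if the assertion has no Subject or the Subject has
     *         no NameID element (e.g. it carries only an EncryptedID or BaseID)
     */
    private static String saml2NameIdentifier(org.opensaml.saml.saml2.core.Assertion saml2Assertion)
        throws WSSecurityException {
        org.opensaml.saml.saml2.core.Subject subject = saml2Assertion.getSubject();
        if (subject == null) {
            throw new WSSecurityException(
                WSSecurityException.ErrorCode.FAILURE, "invalidSAMLToken",
                new Object[] {"for Signature (no Subject)"}
            );
        }
        org.opensaml.saml.saml2.core.NameID nameId = subject.getNameID();
        if (nameId == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
        return nameId.getValue();
    }

    /**
     * Rejects the credential unless the subject name contains the expected fragment.
     *
     * @param nameIdentifier the NameIdentifier/NameID value, may be {@code null}
     * @throws WSSecurityException if the value is {@code null} or does not contain
     *         {@code uid=joe}
     */
    private static void requireExpectedSubject(String nameIdentifier) throws WSSecurityException {
        if (nameIdentifier == null || !nameIdentifier.contains(EXPECTED_SUBJECT_FRAGMENT)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
        }
    }

}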