View Javadoc

1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.ws.security.str;
21  
22  import org.apache.ws.security.WSConstants;
23  import org.apache.ws.security.WSSecurityException;
24  import org.apache.ws.security.message.token.BinarySecurity;
25  import org.apache.ws.security.message.token.KerberosSecurity;
26  import org.apache.ws.security.message.token.PKIPathSecurity;
27  import org.apache.ws.security.message.token.SecurityTokenReference;
28  import org.apache.ws.security.message.token.X509Security;
29  import org.apache.ws.security.saml.ext.AssertionWrapper;
30  
31  /**
32   * This class enforces processing rules for SecurityTokenReferences to various token elements,
33   * according to the Basic Security Profile (BSP) specification.
34   */
35  public final class BSPEnforcer {
36      
37      private BSPEnforcer() {
38          //
39      }
40      
41      /**
42       * Check that the BinarySecurityToken referenced by the SecurityTokenReference argument 
43       * is BSP compliant.
44       * @param secRef The SecurityTokenReference to the BinarySecurityToken
45       * @param token The BinarySecurityToken
46       * @throws WSSecurityException
47       */
48      public static void checkBinarySecurityBSPCompliance(
49          SecurityTokenReference secRef,
50          BinarySecurity token
51      ) throws WSSecurityException {
52          if (secRef.containsReference()) {
53              // Check the ValueType attributes
54              String valueType = secRef.getReference().getValueType();
55              if (((token instanceof X509Security) && !X509Security.X509_V3_TYPE.equals(valueType))
56                  || ((token instanceof PKIPathSecurity) && !PKIPathSecurity.PKI_TYPE.equals(valueType))
57                  || ((token instanceof KerberosSecurity) 
58                          && !WSConstants.WSS_GSS_KRB_V5_AP_REQ.equals(valueType))) {
59                  throw new WSSecurityException(
60                      WSSecurityException.INVALID_SECURITY_TOKEN, 
61                      "invalidValueType", 
62                      new Object[]{valueType}
63                  );
64              }
65          } else if (secRef.containsKeyIdentifier()) {
66              String valueType = secRef.getKeyIdentifierValueType();
67              if (!SecurityTokenReference.SKI_URI.equals(valueType) 
68                  && !SecurityTokenReference.THUMB_URI.equals(valueType)
69                  && !WSConstants.WSS_KRB_KI_VALUE_TYPE.equals(valueType)) {
70                  throw new WSSecurityException(
71                      WSSecurityException.INVALID_SECURITY_TOKEN, 
72                      "invalidValueType", 
73                      new Object[]{valueType}
74                  );
75              }
76          }
77          
78          // Check TokenType attributes
79          if (token instanceof PKIPathSecurity) {
80              String tokenType = secRef.getTokenType();
81              if (!PKIPathSecurity.PKI_TYPE.equals(tokenType)) {
82                  throw new WSSecurityException(
83                      WSSecurityException.INVALID_SECURITY_TOKEN, 
84                      "invalidTokenType", 
85                       new Object[]{tokenType}
86                  );
87              }
88          }
89      }
90      
91      /**
92       * Check that the EncryptedKey referenced by the SecurityTokenReference argument 
93       * is BSP compliant.
94       * @param secRef The SecurityTokenReference to the BinarySecurityToken
95       * @throws WSSecurityException
96       */
97      public static void checkEncryptedKeyBSPCompliance(
98          SecurityTokenReference secRef
99      ) throws WSSecurityException {
100         if (secRef.containsKeyIdentifier()) {
101             String valueType = secRef.getKeyIdentifierValueType();
102             if (!SecurityTokenReference.ENC_KEY_SHA1_URI.equals(valueType)) {
103                 throw new WSSecurityException(
104                     WSSecurityException.INVALID_SECURITY_TOKEN, 
105                     "invalidValueType", 
106                     new Object[]{valueType}
107                 );
108             }
109         }
110         
111         String tokenType = secRef.getTokenType();
112         if (!WSConstants.WSS_ENC_KEY_VALUE_TYPE.equals(tokenType)) {
113             throw new WSSecurityException(
114                 WSSecurityException.INVALID_SECURITY_TOKEN, 
115                 "invalidTokenType", 
116                  new Object[]{tokenType}
117             );
118         }
119     }
120     
121     /**
122      * Check that the SAML token referenced by the SecurityTokenReference argument 
123      * is BSP compliant.
124      * @param secRef The SecurityTokenReference to the SAML token
125      * @param assertion The SAML Token AssertionWrapper object
126      * @throws WSSecurityException
127      */
128     public static void checkSamlTokenBSPCompliance(
129         SecurityTokenReference secRef,
130         AssertionWrapper assertion
131     ) throws WSSecurityException {
132         // Check the KeyIdentifier ValueType attributes
133         if (secRef.containsKeyIdentifier()) {
134             String valueType = secRef.getKeyIdentifierValueType();
135             if (assertion.getSaml1() != null 
136                 && !WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(valueType)) {
137                 throw new WSSecurityException(
138                     WSSecurityException.INVALID_SECURITY_TOKEN, 
139                     "invalidValueType", 
140                     new Object[]{valueType}
141                 );
142             }
143             if (assertion.getSaml2() != null 
144                 && !WSConstants.WSS_SAML2_KI_VALUE_TYPE.equals(valueType)) {
145                 throw new WSSecurityException(
146                     WSSecurityException.INVALID_SECURITY_TOKEN, 
147                     "invalidValueType", 
148                     new Object[]{valueType}
149                 );
150             }
151             String encoding = secRef.getKeyIdentifierEncodingType();
152             if (encoding != null && !"".equals(encoding)) {
153                 throw new WSSecurityException(
154                     WSSecurityException.INVALID_SECURITY_TOKEN, 
155                     "badEncodingType", 
156                     new Object[]{encoding}
157                 );
158             }
159         }
160         
161         // Check the TokenType attribute
162         String tokenType = secRef.getTokenType();
163         if (assertion.getSaml1() != null && !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
164             throw new WSSecurityException(
165                 WSSecurityException.INVALID_SECURITY_TOKEN, 
166                 "invalidTokenType", 
167                  new Object[]{tokenType}
168             );
169         }
170         if (assertion.getSaml2() != null && !WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
171             throw new WSSecurityException(
172                 WSSecurityException.INVALID_SECURITY_TOKEN, 
173                 "invalidTokenType", 
174                  new Object[]{tokenType}
175             );
176         }
177         
178         // Check the ValueType attribute of the Reference for SAML2
179         if (assertion.getSaml2() != null && secRef.containsReference()) {
180             String valueType = secRef.getReference().getValueType();
181             if (valueType != null && !"".equals(valueType)) {
182                 throw new WSSecurityException(
183                     WSSecurityException.INVALID_SECURITY_TOKEN, 
184                     "invalidValueType", 
185                     new Object[]{valueType}
186                 );
187             }
188         }
189     }
190     
191     /**
192      * Check that the Username token referenced by the SecurityTokenReference argument 
193      * is BSP compliant.
194      * @param secRef The SecurityTokenReference to the Username token
195      * @throws WSSecurityException
196      */
197     public static void checkUsernameTokenBSPCompliance(
198         SecurityTokenReference secRef
199     ) throws WSSecurityException {
200         if (!secRef.containsReference()) {
201             // BSP does not permit using a KeyIdentifier to refer to a U/T
202             throw new WSSecurityException(
203                 WSSecurityException.FAILED_CHECK, "unsupportedKeyId"
204             );
205         }
206         
207         String valueType = secRef.getReference().getValueType();
208         if (!WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE.equals(valueType)) {
209             // BSP says the Reference must have a ValueType of UsernameToken
210             throw new WSSecurityException(
211                 WSSecurityException.INVALID_SECURITY,
212                 "invalidValueType", 
213                 new Object[]{valueType}
214             );
215         }
216     }
217 
218     
219 }