1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.assertionStates;
20  
21  import javax.xml.namespace.QName;
22  
23  import org.apache.wss4j.common.WSSPolicyException;
24  import org.apache.wss4j.policy.SPConstants;
25  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26  import org.apache.wss4j.policy.model.AbstractToken;
27  import org.apache.wss4j.policy.model.HttpsToken;
28  import org.apache.wss4j.policy.stax.PolicyAsserter;
29  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
30  import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
31  import org.apache.xml.security.stax.securityToken.SecurityToken;
32  import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
33  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
34  
/**
 * WSP1.3, 5.4.10 HttpsToken Assertion.
 *
 * <p>Matches an incoming {@link HttpsTokenSecurityEvent} against an {@link HttpsToken}
 * policy assertion. Two things are checked: the issuer name, when the policy names one,
 * must equal the one reported by the event; and, on the recipient side only
 * ({@code !isInitiator()}), the authentication type reported by the event must be the
 * one the policy requires. A mismatch records an error message, unasserts the
 * corresponding policy assertion and makes {@link #assertToken} return {@code false}.
 */
public class HttpsTokenAssertionState extends TokenAssertionState {

    /**
     * Creates the assertion state for an HttpsToken policy assertion.
     *
     * <p>When {@code asserted} is {@code true} and the policy token carries an
     * authentication type, the nested authentication-type assertion (a {@link QName} in the
     * policy's namespace whose local part is the enum constant name) is asserted up front.
     *
     * @param assertion      the HttpsToken policy assertion (cast to {@link HttpsToken} here)
     * @param asserted       whether the assertion starts out asserted
     * @param policyAsserter receiver of assert/unassert notifications
     * @param initiator      {@code true} on the initiator side, {@code false} on the recipient side
     */
    public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
                                    PolicyAsserter policyAsserter, boolean initiator) {
        super(assertion, asserted, policyAsserter, initiator);

        if (!asserted) {
            return;
        }
        HttpsToken token = (HttpsToken) getAssertion();
        if (token.getAuthenticationType() != null) {
            String ns = token.getName().getNamespaceURI();
            getPolicyAsserter().assertPolicy(new QName(ns, token.getAuthenticationType().name()));
        }
    }

    /**
     * @return the single event type this state listens for: {@code HTTPS_TOKEN}
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        SecurityEventConstants.Event[] handled = new SecurityEventConstants.Event[1];
        handled[0] = WSSecurityEventConstants.HTTPS_TOKEN;
        return handled;
    }

    /**
     * Evaluates one HTTPS token event against the policy token.
     *
     * @param tokenSecurityEvent the event; must be an {@link HttpsTokenSecurityEvent}
     * @param abstractToken      the policy token; expected to be an {@link HttpsToken}
     *                           (cast without a check, as in the rest of this hierarchy)
     * @return {@code true} when the event satisfies the policy (assertion asserted),
     *         {@code false} when the issuer name or, on the recipient side, the
     *         authentication type does not match (error message set, assertion unasserted)
     * @throws WSSPolicyException if the event is not an {@link HttpsTokenSecurityEvent}
     */
    @Override
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
                               AbstractToken abstractToken) throws WSSPolicyException {
        if (!(tokenSecurityEvent instanceof HttpsTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a HttpsTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
        }

        HttpsTokenSecurityEvent httpsEvent = (HttpsTokenSecurityEvent) tokenSecurityEvent;
        HttpsToken httpsToken = (HttpsToken) abstractToken;

        // Issuer check applies on both sides, but only when the policy pins an issuer.
        String policyIssuer = httpsToken.getIssuerName();
        if (policyIssuer != null && !policyIssuer.equals(httpsEvent.getIssuerName())) {
            setErrorMessage("IssuerName in Policy (" + policyIssuer + ") didn't match with the one in the HttpsToken ("
                + httpsEvent.getIssuerName() + ")");
            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
            return false;
        }

        // The authentication type is enforced on the recipient side only.
        if (!isInitiator() && httpsToken.getAuthenticationType() != null
            && !verifyRequiredAuthentication(httpsToken, httpsEvent)) {
            return false;
        }

        getPolicyAsserter().assertPolicy(getAssertion());
        return true;
    }

    /**
     * Dispatches on the authentication type the policy requires and checks the event against it.
     *
     * @return {@code true} when the event's authentication type matches the policy's (or the
     *         policy's type has no check defined here), {@code false} on a mismatch
     */
    private boolean verifyRequiredAuthentication(HttpsToken httpsToken, HttpsTokenSecurityEvent httpsEvent) {
        String namespace = getAssertion().getName().getNamespaceURI();

        switch (httpsToken.getAuthenticationType()) {
            case HttpBasicAuthentication:
                return verifyAuthenticationType(httpsEvent,
                    HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication,
                    "HttpBasicAuthentication", namespace, SPConstants.HTTP_BASIC_AUTHENTICATION);
            case HttpDigestAuthentication:
                return verifyAuthenticationType(httpsEvent,
                    HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication,
                    "HttpDigestAuthentication", namespace, SPConstants.HTTP_DIGEST_AUTHENTICATION);
            case RequireClientCertificate:
                // Label kept as the original message spelled it ("HttpClientCertificateAuthentication").
                return verifyAuthenticationType(httpsEvent,
                    HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication,
                    "HttpClientCertificateAuthentication", namespace, SPConstants.REQUIRE_CLIENT_CERTIFICATE);
            default:
                // No check defined for this type: the token assertion itself is still asserted by the caller.
                return true;
        }
    }

    /**
     * Compares the authentication type reported by the event with the one the policy requires,
     * asserting or unasserting the nested policy assertion {@code localName} accordingly.
     *
     * @param httpsEvent  the event under evaluation
     * @param expected    the authentication type the policy demands
     * @param policyLabel the name used in the error message
     * @param namespace   the policy namespace of the nested assertion
     * @param localName   the local part of the nested assertion's QName
     * @return {@code true} on a match, {@code false} on a mismatch (error message set)
     */
    private boolean verifyAuthenticationType(HttpsTokenSecurityEvent httpsEvent,
                                             HttpsTokenSecurityEvent.AuthenticationType expected,
                                             String policyLabel, String namespace, String localName) {
        QName nestedAssertion = new QName(namespace, localName);
        if (httpsEvent.getAuthenticationType() != expected) {
            setErrorMessage("Policy enforces " + policyLabel + " but we got "
                + httpsEvent.getAuthenticationType());
            getPolicyAsserter().unassertPolicy(nestedAssertion, getErrorMessage());
            return false;
        }
        getPolicyAsserter().assertPolicy(nestedAssertion);
        return true;
    }
}
120 }