19 package org.apache.wss4j.policy.stax.assertionStates;
21 import javax.xml.namespace.QName;
23 import org.apache.wss4j.common.WSSPolicyException;
24 import org.apache.wss4j.policy.SPConstants;
25 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26 import org.apache.wss4j.policy.model.AbstractToken;
27 import org.apache.wss4j.policy.model.HttpsToken;
28 import org.apache.wss4j.policy.stax.PolicyAsserter;
29 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
30 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
31 import org.apache.xml.security.stax.securityToken.SecurityToken;
32 import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
/**
 * Assertion state for the WS-SecurityPolicy {@code HttpsToken} assertion.
 * <p>
 * Reacts to {@link WSSecurityEventConstants#HTTPS_TOKEN} security events and checks that the
 * issuer name and, on the non-initiator side only, the authentication type reported by the
 * event agree with what the policy demands. A mismatch is recorded through
 * {@code setErrorMessage} and reported to the {@link PolicyAsserter} as an unasserted policy.
 */
public class HttpsTokenAssertionState extends TokenAssertionState {

    /**
     * @param assertion      the {@code HttpsToken} policy assertion; it is cast to {@link HttpsToken}
     *                       when {@code asserted} is {@code true}
     * @param asserted       whether the assertion counts as asserted up front; if so the nested
     *                       authentication-type assertion (when the policy has one) is asserted immediately
     * @param policyAsserter receives the assert / unassert notifications
     * @param initiator      {@code true} on the initiator side, where {@link #assertToken} does not
     *                       verify the authentication type
     */
    public HttpsTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
                                    PolicyAsserter policyAsserter, boolean initiator) {
        super(assertion, asserted, policyAsserter, initiator);

        if (!asserted) {
            return;
        }
        HttpsToken httpsToken = (HttpsToken) getAssertion();
        if (httpsToken.getAuthenticationType() != null) {
            // The nested authentication assertion lives in the HttpsToken's namespace; its local
            // name is the enum constant's name.
            String policyNamespace = httpsToken.getName().getNamespaceURI();
            getPolicyAsserter().assertPolicy(
                new QName(policyNamespace, httpsToken.getAuthenticationType().name()));
        }
    }

    /** @return the single event type this state listens for, {@code HTTPS_TOKEN}. */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        SecurityEventConstants.Event[] eventTypes = {WSSecurityEventConstants.HTTPS_TOKEN};
        return eventTypes;
    }

    /**
     * Checks an incoming HTTPS token event against the policy's {@code HttpsToken}.
     * <p>
     * Order of checks: the issuer name (when the policy specifies one) must equal the issuer
     * name carried by the event; then, unless this is the initiator side, the authentication
     * type the event reports must be the one the policy requires. The first failing check
     * records an error message, unasserts the corresponding policy and returns {@code false}.
     *
     * @param tokenSecurityEvent the event to verify; must be a {@link HttpsTokenSecurityEvent}
     * @param abstractToken      the policy token; expected to be the {@link HttpsToken} this state
     *                           was built for (the cast is not guarded here — the caller is assumed
     *                           to pass the matching token type)
     * @return {@code true} when the event satisfies the policy and the assertion was asserted
     * @throws WSSPolicyException if the event is not a {@link HttpsTokenSecurityEvent}
     */
    @Override
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
                               AbstractToken abstractToken) throws WSSPolicyException {
        if (!(tokenSecurityEvent instanceof HttpsTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a HttpsTokenSecurityEvent but got " + tokenSecurityEvent.getClass().getName());
        }

        HttpsTokenSecurityEvent httpsEvent = (HttpsTokenSecurityEvent) tokenSecurityEvent;
        HttpsToken httpsToken = (HttpsToken) abstractToken;

        String policyIssuer = httpsToken.getIssuerName();
        if (policyIssuer != null && !policyIssuer.equals(httpsEvent.getIssuerName())) {
            setErrorMessage("IssuerName in Policy (" + policyIssuer + ") didn't match with the one in the HttpsToken ("
                + httpsEvent.getIssuerName() + ")");
            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
            return false;
        }

        // The authentication-type check only runs on the non-initiator side and only when the
        // policy actually constrains the authentication type.
        boolean verifyAuthentication = !isInitiator() && httpsToken.getAuthenticationType() != null;
        if (verifyAuthentication && !assertAuthenticationType(httpsToken, httpsEvent)) {
            return false;
        }

        getPolicyAsserter().assertPolicy(getAssertion());
        return true;
    }

    /**
     * Compares the authentication type required by {@code httpsToken} with the one reported by
     * {@code httpsEvent}, asserting or unasserting the nested authentication-type policy accordingly.
     *
     * @return {@code false} (after recording the error message and unasserting) on a mismatch,
     *         {@code true} otherwise
     */
    private boolean assertAuthenticationType(HttpsToken httpsToken, HttpsTokenSecurityEvent httpsEvent) {
        String policyLocalName;
        String enforcedName;
        HttpsTokenSecurityEvent.AuthenticationType expectedType;
        switch (httpsToken.getAuthenticationType()) {
            case HttpBasicAuthentication:
                policyLocalName = SPConstants.HTTP_BASIC_AUTHENTICATION;
                enforcedName = "HttpBasicAuthentication";
                expectedType = HttpsTokenSecurityEvent.AuthenticationType.HttpBasicAuthentication;
                break;
            case HttpDigestAuthentication:
                policyLocalName = SPConstants.HTTP_DIGEST_AUTHENTICATION;
                enforcedName = "HttpDigestAuthentication";
                expectedType = HttpsTokenSecurityEvent.AuthenticationType.HttpDigestAuthentication;
                break;
            case RequireClientCertificate:
                policyLocalName = SPConstants.REQUIRE_CLIENT_CERTIFICATE;
                // The message names the event-side type, not the policy constant.
                enforcedName = "HttpClientCertificateAuthentication";
                expectedType = HttpsTokenSecurityEvent.AuthenticationType.HttpsClientCertificateAuthentication;
                break;
            default:
                // No constraint to enforce for this value: nothing is asserted or unasserted.
                return true;
        }

        QName authenticationPolicy = new QName(getAssertion().getName().getNamespaceURI(), policyLocalName);
        if (httpsEvent.getAuthenticationType() != expectedType) {
            setErrorMessage("Policy enforces " + enforcedName + " but we got " + httpsEvent.getAuthenticationType());
            getPolicyAsserter().unassertPolicy(authenticationPolicy, getErrorMessage());
            return false;
        }
        getPolicyAsserter().assertPolicy(authenticationPolicy);
        return true;
    }
}