1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.assertionStates;
20  
21  import org.apache.wss4j.policy.AssertionState;
22  import org.apache.wss4j.policy.SPConstants;
23  import org.apache.wss4j.common.WSSPolicyException;
24  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
25  import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
26  import org.apache.xml.security.stax.securityEvent.SecurityEvent;
27  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
28  import org.apache.wss4j.policy.stax.Assertable;
29  import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
30  import org.apache.wss4j.policy.stax.PolicyAsserter;
31  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
32  import org.apache.wss4j.stax.utils.WSSUtils;
33  
34  import javax.xml.namespace.QName;
35  
36  import java.util.List;
37  
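/**
 * WSP1.3, 6.6 Entire Header and Body Signatures Property
 * <p>
 * Tracks whether every signed element reported to this state is either a whole
 * SOAP header (a direct child of the SOAP Header, or of the Security header
 * addressed by the configured role/actor) or the entire SOAP Body. A signature
 * that covers only a sub-element of a header or of the body does not satisfy
 * the property, and the state records the offending element path in its error
 * message. Attachments and unsigned elements are not subject to this check.
 */
public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements Assertable {

    // Role/actor used to decide whether a path lies inside "our" Security header.
    private final String roleOrActor;
    // Never null: a DummyPolicyAsserter is substituted when the caller passes null.
    private final PolicyAsserter policyAsserter;

    /**
     * Creates the assertion state.
     *
     * @param assertion      the policy assertion this state belongs to
     * @param policyAsserter receiver of assert/unassert callbacks; may be {@code null}, in which case a
     *                       {@link DummyPolicyAsserter} is used
     * @param asserted       initial asserted flag; when {@code true} the policy is asserted immediately
     * @param roleOrActor    SOAP role/actor of the Security header this state applies to
     */
    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion,
                                                      PolicyAsserter policyAsserter,
                                                      boolean asserted,
                                                      String roleOrActor) {
        super(assertion, asserted);
        this.roleOrActor = roleOrActor;
        this.policyAsserter = policyAsserter != null ? policyAsserter : new DummyPolicyAsserter();

        if (asserted) {
            // Use the field, not the constructor argument: the argument may be null, the field never is.
            this.policyAsserter.assertPolicy(policyName());
        }
    }

    /**
     * @return the events this state listens to: signed parts and signed elements
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
                WSSecurityEventConstants.SIGNED_PART,
                WSSecurityEventConstants.SignedElement
        };
    }

    /**
     * Evaluates one signed-part / signed-element event against the property.
     *
     * @param securityEvent the event; expected to be an {@link AbstractSecuredElementSecurityEvent}
     * @return {@code true} if the event keeps the property satisfied, {@code false} if the signed
     *         element is neither an entire header nor the entire body
     * @throws WSSPolicyException propagated from the {@link Assertable} contract
     */
    @Override
    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
        AbstractSecuredElementSecurityEvent securedElementEvent = (AbstractSecuredElementSecurityEvent) securityEvent;

        // Unsigned elements and attachments are out of scope for this property; they leave it satisfied.
        if (!securedElementEvent.isSigned() || securedElementEvent.isAttachment()) {
            policyAsserter.assertPolicy(policyName());
            return true;
        }

        List<QName> elementPath = securedElementEvent.getElementPath();
        if (isEntireHeaderOrBody(securedElementEvent, elementPath)) {
            setAsserted(true);
            policyAsserter.assertPolicy(policyName());
            return true;
        }

        setAsserted(false);
        setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element: " + WSSUtils.pathAsString(elementPath));
        policyAsserter.unassertPolicy(policyName(), getErrorMessage());
        return false;
    }

    /**
     * Decides whether a signed element is a whole header or the whole body, based on its depth in
     * the envelope and where that depth places it.
     *
     * @param event       the secured-element event (needed for the Security-header check)
     * @param elementPath path from the SOAP Envelope down to the signed element
     * @return {@code true} for a direct child of the Security header (depth 4), a direct child of
     *         the SOAP Header (depth 3) or the SOAP Body itself (depth 2); {@code false} otherwise
     */
    private boolean isEntireHeaderOrBody(AbstractSecuredElementSecurityEvent event, List<QName> elementPath) {
        int depth = elementPath.size();
        if (depth == 4) {
            // Element directly under the Security header addressed by roleOrActor (e.g. a token or timestamp).
            return WSSUtils.isInSecurityHeader(event.getXmlSecEvent(), elementPath, roleOrActor);
        }
        if (depth == 3) {
            // Element directly under the SOAP Header, i.e. an entire header block.
            return WSSUtils.isInSOAPHeader(elementPath);
        }
        if (depth == 2) {
            // The SOAP Body element itself.
            return WSSUtils.isInSOAPBody(elementPath);
        }
        return false;
    }

    /**
     * @return the qualified name of the OnlySignEntireHeadersAndBody assertion in this assertion's namespace
     */
    private QName policyName() {
        String namespace = getAssertion().getName().getNamespaceURI();
        return new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
    }
}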
105 }