1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.assertionStates;
20  
21  import javax.xml.namespace.QName;
22  
23  import org.apache.wss4j.common.WSSPolicyException;
24  import org.apache.wss4j.policy.SPConstants;
25  import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26  import org.apache.wss4j.policy.model.AbstractToken;
27  import org.apache.wss4j.policy.model.SecurityContextToken;
28  import org.apache.wss4j.policy.stax.PolicyAsserter;
29  import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
30  import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
31  import org.apache.xml.security.stax.securityToken.SecurityToken;
32  import org.apache.wss4j.stax.securityEvent.SecurityContextTokenSecurityEvent;
33  import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
34  
35  /**
36   * WSP1.3, 5.4.6 SecurityContextToken Assertion
37   */
38  
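public class SecurityContextTokenAssertionState extends TokenAssertionState {

    /**
     * Creates the assertion state for an {@code sp:SecurityContextToken} policy assertion.
     * <p>
     * When {@code asserted} is {@code true}, the nested sub-assertions the policy token declares
     * ({@code RequireExternalUriReference}, {@code SC10SecurityContextToken},
     * {@code SC13SecurityContextToken}) are asserted immediately.
     *
     * @param assertion      the {@link SecurityContextToken} policy assertion; it is cast to that
     *                       type without a check, so callers must pass one
     * @param asserted       whether the assertion is treated as fulfilled up front
     * @param policyAsserter receives the assert/unassert notifications for this assertion
     * @param initiator      passed through to the superclass unchanged
     */
    public SecurityContextTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
                                              PolicyAsserter policyAsserter, boolean initiator) {
        super(assertion, asserted, policyAsserter, initiator);

        if (!asserted) {
            return;
        }
        SecurityContextToken token = (SecurityContextToken) getAssertion();
        String namespace = token.getName().getNamespaceURI();
        PolicyAsserter asserter = getPolicyAsserter();
        if (token.isRequireExternalUriReference()) {
            asserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE));
        }
        if (token.isSc10SecurityContextToken()) {
            asserter.assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
        }
        if (token.isSc13SecurityContextToken()) {
            asserter.assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
        }
    }

    /**
     * Returns the single event type this state reacts to: {@code SECURITY_CONTEXT_TOKEN}.
     *
     * @return a fresh one-element array holding
     *         {@link WSSecurityEventConstants#SECURITY_CONTEXT_TOKEN}
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
                WSSecurityEventConstants.SECURITY_CONTEXT_TOKEN
        };
    }

    /**
     * Checks a received SecurityContextToken against this policy assertion.
     * <p>
     * The checks performed, in order:
     * <ol>
     *   <li>the event must be a {@link SecurityContextTokenSecurityEvent} and the policy token a
     *       {@link SecurityContextToken}; anything else is reported as a
     *       {@link WSSPolicyException} rather than a bare {@code ClassCastException};</li>
     *   <li>if the policy names an issuer, the event's issuer name must equal it;</li>
     *   <li>if the policy requires an external URI reference, the event must carry one.</li>
     * </ol>
     * The {@code SC10SecurityContextToken} / {@code SC13SecurityContextToken} sub-assertions are
     * asserted solely because the policy declares them; nothing on the event is consulted for the
     * token version (see the todo comment in the body).
     *
     * @param tokenSecurityEvent the event describing the token found in the message
     * @param abstractToken      the policy token the event is matched against
     * @return {@code true} when the token satisfies the policy; {@code false} after the failing
     *         (sub-)assertion has been unasserted with the error message set on this state
     * @throws WSSPolicyException if the event or the policy token is not of the expected type
     */
    @Override
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
                               AbstractToken abstractToken) throws WSSPolicyException {
        if (!(tokenSecurityEvent instanceof SecurityContextTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a SecurityContextTokenSecurityEvent but got "
                + (tokenSecurityEvent == null ? "null" : tokenSecurityEvent.getClass().getName()));
        }
        // Same guard for the policy side: an unchecked cast would surface as a ClassCastException
        // instead of the WSSPolicyException the caller already has to handle.
        if (!(abstractToken instanceof SecurityContextToken)) {
            throw new WSSPolicyException("Expected a SecurityContextToken but got "
                + (abstractToken == null ? "null" : abstractToken.getClass().getName()));
        }
        SecurityContextTokenSecurityEvent event = (SecurityContextTokenSecurityEvent) tokenSecurityEvent;
        SecurityContextToken policyToken = (SecurityContextToken) abstractToken;

        // Only a policy that names an issuer constrains the issuer of the received token.
        String policyIssuer = policyToken.getIssuerName();
        String eventIssuer = event.getIssuerName();
        if (policyIssuer != null && !policyIssuer.equals(eventIssuer)) {
            setErrorMessage("IssuerName in Policy (" + policyIssuer
                + ") didn't match with the one in the SecurityContextToken (" + eventIssuer + ")");
            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
            return false;
        }

        String namespace = getAssertion().getName().getNamespaceURI();
        PolicyAsserter asserter = getPolicyAsserter();
        if (policyToken.isRequireExternalUriReference()) {
            QName requireExternalUriRef = new QName(namespace, SPConstants.REQUIRE_EXTERNAL_URI_REFERENCE);
            if (!event.isExternalUriRef()) {
                setErrorMessage("Policy enforces externalUriRef but we didn't got one");
                asserter.unassertPolicy(requireExternalUriRef, getErrorMessage());
                return false;
            }
            asserter.assertPolicy(requireExternalUriRef);
        }
        //todo sp:SC13SecurityContextToken:
        //always return true to prevent false alarm in case additional tokens with the same usage
        //appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
        // NOTE(review): the version sub-assertions below are asserted from the policy alone; the
        // event's actual token version is not checked here.
        if (policyToken.isSc10SecurityContextToken()) {
            asserter.assertPolicy(new QName(namespace, SPConstants.SC10_SECURITY_CONTEXT_TOKEN));
        }
        if (policyToken.isSc13SecurityContextToken()) {
            asserter.assertPolicy(new QName(namespace, SPConstants.SC13_SECURITY_CONTEXT_TOKEN));
        }

        asserter.assertPolicy(getAssertion());
        return true;
    }
}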