001: /*
002: * $Id: ExportSamlAssertionFilter.java,v 1.10 2007/08/14 12:16:02 kumarjayanti Exp $
003: */
004:
005: /*
006: * The contents of this file are subject to the terms
007: * of the Common Development and Distribution License
008: * (the License). You may not use this file except in
009: * compliance with the License.
010: *
011: * You can obtain a copy of the license at
012: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
013: * See the License for the specific language governing
014: * permissions and limitations under the License.
015: *
016: * When distributing Covered Code, include this CDDL
017: * Header Notice in each file and include the License file
018: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
019: * If applicable, add the following below the CDDL Header,
020: * with the fields enclosed by brackets [] replaced by
021: * your own identifying information:
022: * "Portions Copyrighted [year] [name of copyright owner]"
023: *
024: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
025: */
026:
027: package com.sun.xml.wss.impl.filter;
028:
029: import com.sun.xml.ws.security.opt.api.SecurityElement;
030: import com.sun.xml.ws.security.opt.api.SecurityHeaderElement;
031: import com.sun.xml.ws.security.opt.impl.JAXBFilterProcessingContext;
032: import com.sun.xml.ws.security.opt.impl.crypto.SSEData;
033: import com.sun.xml.ws.security.opt.impl.message.GSHeaderElement;
034: import com.sun.xml.ws.security.opt.impl.util.NamespaceContextEx;
035: import com.sun.xml.ws.security.opt.impl.util.WSSElementFactory;
036:
037: import javax.xml.crypto.Data;
038: import java.util.HashMap;
039: import com.sun.xml.wss.saml.SAMLException;
040: import com.sun.xml.wss.impl.SecurableSoapMessage;
041: import com.sun.xml.wss.XWSSecurityException;
042: import com.sun.xml.wss.impl.FilterProcessingContext;
043: import com.sun.xml.wss.saml.Assertion;
044: import com.sun.xml.wss.core.SecurityHeader;
045: import com.sun.xml.wss.core.SecurityTokenReference;
046: import com.sun.xml.wss.impl.configuration.DynamicApplicationContext;
047: import com.sun.xml.wss.impl.keyinfo.KeyIdentifierStrategy;
048: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
049:
050: import com.sun.xml.wss.impl.MessageConstants;
051: import org.w3c.dom.Element;
052:
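/**
 * Outbound filter that exports a sender-vouches (SV) SAML assertion and/or a
 * {@code wsse:SecurityTokenReference} pointing at it into the WS-Security header.
 * <p>
 * The assertion is not produced here: the {@code SecurityEnvironment} is asked to populate the
 * {@link AuthenticationTokenPolicy.SAMLAssertionBinding} through the configured callback
 * ({@code populateSAMLPolicy}), which may return the assertion element, a SAML 1.x
 * {@code AuthorityBinding} pointing at a remote assertion, an assertion id, and the wsu:Id to use
 * for the STR. Both the DOM path ({@link SecurableSoapMessage}) and the optimized path
 * ({@link JAXBFilterProcessingContext}) are supported. Holder-of-key bindings are rejected: they are
 * handled by a different filter.
 * <p>
 * Open item carried over from the original code: the confirmation method of the supplied
 * assertion is not verified to actually be sender-vouches.
 */
public class ExportSamlAssertionFilter {

    /**
     * When this system property is set, the SAML 1.1 JAXB 1.0 binding classes are used to parse
     * and serialise the assertion instead of the JAXB 2.0 ones (SAML 2.0 is then not considered).
     */
    private static final String JAXB10_BINDING_PROPERTY = "com.sun.xml.wss.saml.binding.jaxb";

    /**
     * Extraneous-property key which, when {@code "true"}, makes the optimized path emit the
     * wsse11:TokenType attribute on the STR and declare the WSS 1.1 namespace.
     */
    private static final String ENABLE_WSS11_PROPERTY = "EnableWSS11PolicySender";

    /**
     * Exports the SV SAML assertion and/or its SecurityTokenReference into the security header of
     * the outgoing message described by {@code context}.
     *
     * @param context the outbound filter context; a {@link JAXBFilterProcessingContext} selects the
     *                optimized path, anything else the DOM path
     * @throws XWSSecurityException if the policy asks for IncludeToken=Once or a holder-of-key
     *                              assertion, if the callback supplied neither an assertion nor an
     *                              AuthorityBinding, or if a required STR wsu:Id / assertion id is
     *                              missing
     */
    public static void process(FilterProcessingContext context) throws XWSSecurityException {
        boolean isOptimized = context instanceof JAXBFilterProcessingContext;
        SecurableSoapMessage secureMessage = null;
        SecurityHeader securityHeader = null;
        com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader optSecHeader = null;
        if (isOptimized) {
            optSecHeader = ((JAXBFilterProcessingContext) context).getSecurityHeader();
        } else {
            secureMessage = context.getSecurableSoapMessage();
            securityHeader = secureMessage.findOrCreateSecurityHeader();
        }

        AuthenticationTokenPolicy policy = (AuthenticationTokenPolicy) context.getSecurityPolicy();
        AuthenticationTokenPolicy.SAMLAssertionBinding samlPolicy =
                (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.getFeatureBinding();

        if (samlPolicy.getIncludeToken() == samlPolicy.INCLUDE_ONCE) {
            throw new XWSSecurityException("Include Token ONCE not supported for SAMLToken Assertions");
        }
        if (samlPolicy.getAssertionType() != AuthenticationTokenPolicy.SAMLAssertionBinding.SV_ASSERTION) {
            // Holder-of-key assertions are exported by another filter; reaching this one is a wiring error.
            throw new XWSSecurityException("Internal Error: ExportSamlAssertionFilter called for HOK assertion");
        }

        // The binding handed to the callback is frozen; the callback hands back the binding used from here on.
        samlPolicy.isReadOnly(true);

        DynamicApplicationContext dynamicContext = new DynamicApplicationContext(context.getPolicyContext());
        dynamicContext.setMessageIdentifier(context.getMessageIdentifier());
        dynamicContext.inBoundMessage(false);

        AuthenticationTokenPolicy.SAMLAssertionBinding resolvedPolicy = context.getSecurityEnvironment()
                .populateSAMLPolicy(context.getExtraneousProperties(), samlPolicy, dynamicContext);

        Element assertionElement = resolvedPolicy.getAssertion();
        Element authorityBinding = resolvedPolicy.getAuthorityBinding();

        // The callback may supply only an AuthorityBinding (remote assertion) and no element at all;
        // the element is therefore only parsed when present.
        Assertion assertion = null;
        SAMLException parseFailure = null;
        if (assertionElement != null) {
            try {
                assertion = parseAssertion(assertionElement);
            } catch (SAMLException ex) {
                // Best effort, as in the original: an unparsable element counts as "no assertion
                // supplied". The failure is kept so it can be reported as the cause below instead
                // of being lost.
                parseFailure = ex;
            }
        }

        if (samlPolicy.getIncludeToken() == samlPolicy.INCLUDE_NEVER && authorityBinding != null) {
            // Backward compatibility with XWSS 2.0: with IncludeToken=Never and an AuthorityBinding,
            // the element set by the callback is dropped and only the remote reference is used.
            assertionElement = null;
        }

        if (assertion == null && authorityBinding == null) {
            String message = "None of SAML Assertion, SAML AuthorityBinding information was set into "
                    + " the Policy by the CallbackHandler";
            if (parseFailure != null) {
                throw new XWSSecurityException(message, parseFailure);
            }
            throw new XWSSecurityException(message);
        }

        // TODO: check that the Confirmation Method of the assertion is indeed SV
        SecurityHeaderElement exported = null;
        if (assertion != null) {
            if (isSaml20(assertion)) {
                // NOTE(review): unlike the SAML 1.1 branch this exports even when an AuthorityBinding
                // is present, in which case assertionElement may have been nulled above on the
                // optimized path. Kept as in the original; confirm whether that combination is reachable.
                if (isOptimized) {
                    exported = addToOptimizedHeader(assertionElement, (JAXBFilterProcessingContext) context, optSecHeader);
                    if (exported == null) {
                        return; // an element with this id is already in the header: nothing more to do
                    }
                } else {
                    writeToDomHeader(assertion, securityHeader);
                }
                cacheToken(context, assertion.getID(), assertion);
            } else if (authorityBinding == null) {
                if (isOptimized) {
                    exported = addToOptimizedHeader(assertionElement, (JAXBFilterProcessingContext) context, optSecHeader);
                    if (exported == null) {
                        return; // see above
                    }
                } else {
                    writeToDomHeader(assertion, securityHeader);
                }
                cacheToken(context, assertion.getAssertionID(), assertion);
            } else {
                // SAML 1.1 with an AuthorityBinding: the assertion stays at the authority and is not
                // exported; the message must then carry an STR, which needs a wsu:Id.
                if (null == resolvedPolicy.getSTRID()) {
                    throw new XWSSecurityException(
                            "Unsupported configuration: required wsu:Id value "
                            + " for SecurityTokenReference to Remote SAML Assertion not found "
                            + " in Policy");
                }
            }
        }

        String strId = resolvedPolicy.getSTRID();
        if (strId == null) {
            return;
        }

        // Generate and export an STR with the given wsu:Id that references the assertion by key identifier.
        if (assertion == null && null == resolvedPolicy.getAssertionId()) {
            throw new XWSSecurityException(
                    "None of SAML Assertion, SAML Assertion Id information was set into "
                    + " the Policy by the CallbackHandler");
        }

        // NOTE(review): getAssertionID() is used for the key identifier even for SAML 2.0 assertions,
        // whereas the token cache above is keyed by getID() for those — kept as in the original.
        String assertionId = assertion != null
                ? assertion.getAssertionID()
                : resolvedPolicy.getAssertionId();

        // wsse11:TokenType follows the assertion version. Without a parsed assertion (remote assertion
        // referenced via AuthorityBinding / assertion id) SAML 1.1 is assumed, AuthorityBinding being
        // a SAML 1.x construct; the original dereferenced the null assertion here.
        String tokenType = isSaml20(assertion)
                ? MessageConstants.WSSE_SAML_v2_0_TOKEN_TYPE
                : MessageConstants.WSSE_SAML_v1_1_TOKEN_TYPE;

        if (isOptimized) {
            addOptimizedTokenReference((JAXBFilterProcessingContext) context, optSecHeader, exported,
                    strId, assertionId, tokenType);
        } else {
            addDomTokenReference(context, secureMessage, securityHeader, strId, assertionId, tokenType,
                    authorityBinding);
        }
    }

    /**
     * Parses the callback-supplied assertion element with the configured binding: the JAXB 1.0
     * SAML 1.1 binding when {@link #JAXB10_BINDING_PROPERTY} is set, otherwise SAML 2.0 or SAML 1.1
     * JAXB 2.0 depending on whether the element carries an {@code ID} attribute.
     *
     * @param assertionElement the non-null assertion element
     * @return the parsed assertion
     * @throws SAMLException if the binding cannot parse the element
     */
    private static Assertion parseAssertion(Element assertionElement) throws SAMLException, XWSSecurityException {
        if (System.getProperty(JAXB10_BINDING_PROPERTY) != null) {
            return (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb10.Assertion.fromElement(assertionElement);
        }
        if (assertionElement.getAttributeNode("ID") != null) {
            // SAML 2.0 assertions carry "ID"; SAML 1.1 ones carry "AssertionID".
            return (Assertion) com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion.fromElement(assertionElement);
        }
        return (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion.fromElement(assertionElement);
    }

    /**
     * Tells SAML 2.0 from SAML 1.1: only SAML 2.0 assertions report a version. Null-safe.
     *
     * @param assertion the parsed assertion, or {@code null}
     * @return {@code true} for a SAML 2.0 assertion
     */
    private static boolean isSaml20(Assertion assertion) {
        return assertion != null && assertion.getVersion() != null;
    }

    /**
     * Serialises the assertion into the DOM security header, casting to the concrete binding class
     * that {@link #parseAssertion} produced for it.
     */
    private static void writeToDomHeader(Assertion assertion, SecurityHeader securityHeader)
            throws XWSSecurityException {
        if (isSaml20(assertion)) {
            ((com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion) assertion).toElement(securityHeader);
        } else if (System.getProperty(JAXB10_BINDING_PROPERTY) != null) {
            ((com.sun.xml.wss.saml.assertion.saml11.jaxb10.Assertion) assertion).toElement(securityHeader);
        } else {
            ((com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion) assertion).toElement(securityHeader);
        }
    }

    /**
     * Wraps the assertion element as a header element and adds it to the optimized security header.
     *
     * @return the added element, or {@code null} if the header already holds an element with the
     *         same id (in which case nothing is added)
     */
    private static SecurityHeaderElement addToOptimizedHeader(Element assertionElement,
            JAXBFilterProcessingContext optContext,
            com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader optSecHeader) throws XWSSecurityException {
        SecurityHeaderElement she = new GSHeaderElement(assertionElement, optContext.getSOAPVersion());
        if (optSecHeader.getChildElement(she.getId()) != null) {
            return null;
        }
        optSecHeader.add(she);
        return she;
    }

    /**
     * Records the exported assertion in the context's token cache under its id.
     * Ids are assumed to be unique; a duplicate silently replaces the earlier entry.
     */
    @SuppressWarnings("unchecked")
    private static void cacheToken(FilterProcessingContext context, String id, Assertion assertion) {
        HashMap tokenCache = context.getTokenCache();
        tokenCache.put(id, assertion);
    }

    /**
     * DOM path: builds a {@code wsse:SecurityTokenReference} with the given wsu:Id, token type and
     * optional AuthorityBinding, referencing the assertion by key identifier, and inserts it into
     * the security header.
     */
    private static void addDomTokenReference(FilterProcessingContext context, SecurableSoapMessage secureMessage,
            SecurityHeader securityHeader, String strId, String assertionId, String tokenType,
            Element authorityBinding) throws XWSSecurityException {
        SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
        tokenRef.setWsuId(strId);
        // wsse11:TokenType is SAML1.1 or SAML2.0
        tokenRef.setTokenType(tokenType);
        if (authorityBinding != null) {
            tokenRef.setSamlAuthorityBinding(authorityBinding, secureMessage.getSOAPPart());
        }
        KeyIdentifierStrategy strat = new KeyIdentifierStrategy(assertionId);
        strat.insertKey(tokenRef, context.getSecurableSoapMessage());
        securityHeader.insertHeaderBlock(tokenRef);
    }

    /**
     * Optimized path: builds the STR with a SAML key identifier, registers the exported assertion
     * element in the element cache under the STR id, and adds the STR to the security header.
     * The wsse11:TokenType is only emitted when {@link #ENABLE_WSS11_PROPERTY} is {@code "true"}.
     *
     * @param exported the assertion element added to the header earlier in this filter, or
     *                 {@code null} if none was exported
     */
    private static void addOptimizedTokenReference(JAXBFilterProcessingContext optContext,
            com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader optSecHeader, SecurityHeaderElement exported,
            String strId, String assertionId, String tokenType) throws XWSSecurityException {
        WSSElementFactory elementFactory = new WSSElementFactory(optContext.getSOAPVersion());
        com.sun.xml.ws.security.opt.impl.reference.KeyIdentifier ref = elementFactory.createKeyIdentifier();
        ref.setValue(assertionId);
        ref.setValueType(MessageConstants.WSSE_SAML_KEY_IDENTIFIER_VALUE_TYPE);
        com.sun.xml.ws.security.opt.impl.keyinfo.SecurityTokenReference secTokRef =
                elementFactory.createSecurityTokenReference(ref);
        secTokRef.setId(strId);
        if ("true".equals(optContext.getExtraneousProperty(ENABLE_WSS11_PROPERTY))) {
            secTokRef.setTokenType(tokenType);
            ((NamespaceContextEx) optContext.getNamespaceContext()).addWSS11NS();
        }
        // NOTE(review): 'exported' is null when no assertion element was added (remote assertion
        // referenced via AuthorityBinding / assertion id); whether SSEData tolerates a null element
        // cannot be told from here — kept as in the original.
        Data data = new SSEData((SecurityElement) exported, false, optContext.getNamespaceContext());
        optContext.getElementCache().put(strId, data);
        optSecHeader.add(secTokRef);
    }
}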