001: /*
002: * $Id: ImportSamlAssertionFilter.java,v 1.7 2007/01/08 16:06:01 shyam_rao Exp $
003: */
004:
005: /*
006: * The contents of this file are subject to the terms
007: * of the Common Development and Distribution License
008: * (the License). You may not use this file except in
009: * compliance with the License.
010: *
011: * You can obtain a copy of the license at
012: * https://glassfish.dev.java.net/public/CDDLv1.0.html.
013: * See the License for the specific language governing
014: * permissions and limitations under the License.
015: *
016: * When distributing Covered Code, include this CDDL
017: * Header Notice in each file and include the License file
018: * at https://glassfish.dev.java.net/public/CDDLv1.0.html.
019: * If applicable, add the following below the CDDL Header,
020: * with the fields enclosed by brackets [] replaced by
021: * you own identifying information:
022: * "Portions Copyrighted [year] [name of copyright owner]"
023: *
024: * Copyright 2006 Sun Microsystems Inc. All Rights Reserved
025: */
026:
027: package com.sun.xml.wss.impl.filter;
028:
029: import com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl;
030: import com.sun.xml.wss.saml.Assertion;
031: import com.sun.xml.wss.saml.AssertionUtil;
032:
033: import java.util.Iterator;
034: import java.util.HashMap;
035: import java.util.logging.Level;
036: import javax.xml.soap.SOAPElement;
037: import org.w3c.dom.Element;
038:
039: import com.sun.xml.wss.impl.MessageConstants;
040: import com.sun.xml.wss.impl.SecurableSoapMessage;
041: import com.sun.xml.wss.XWSSecurityException;
042: import com.sun.xml.wss.impl.FilterProcessingContext;
043: import com.sun.xml.wss.logging.LogDomainConstants;
044: import com.sun.xml.wss.core.SecurityHeader;
045: import com.sun.xml.wss.impl.policy.mls.AuthenticationTokenPolicy;
046:
047: import java.util.logging.Logger;
048: import org.w3c.dom.NodeList;
049: import com.sun.xml.wss.impl.policy.mls.MessagePolicy;
050:
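/**
 * Imports the SAML assertion carried in the {@code wsse:Security} header of the
 * message being processed.
 *
 * <p>The filter locates the assertion element, parses it into an
 * {@link Assertion}, caches it under its assertion ID in the context's token
 * cache, and then hands the element to the security environment for validation
 * and for updating the other party's subject.
 *
 * @author Kumar Jayanti
 */
public class ImportSamlAssertionFilter {

    protected static final Logger log = Logger.getLogger(
            LogDomainConstants.FILTER_DOMAIN,
            LogDomainConstants.FILTER_DOMAIN_BUNDLE);

    /**
     * Locates, imports and validates the single SAML assertion in the security
     * header of the message held by {@code context}.
     *
     * <p>In {@code ADHOC}, {@code DEFAULT} and {@code WSDL_POLICY} mode the
     * assertion is searched for among the children of the security header and
     * exactly one assertion is required. In {@code ADHOC} mode the issuer is
     * additionally compared with the authority identifier of the configured
     * {@link AuthenticationTokenPolicy.SAMLAssertionBinding}. In every other
     * mode except {@code POSTHOC} the current header element is taken to be the
     * assertion.
     *
     * @param context the filter processing context holding the message, the
     *        processing mode, the security policy and the token cache
     * @throws XWSSecurityException if the filter is invoked in {@code POSTHOC}
     *         mode, if no or more than one assertion is present, if the
     *         assertion cannot be parsed, or if its issuer does not match the
     *         policy
     */
    public static void process(FilterProcessingContext context)
            throws XWSSecurityException {

        SecurableSoapMessage secureMessage = context.getSecurableSoapMessage();
        SecurityHeader wsseSecurity = secureMessage.findSecurityHeader();
        Assertion samlAssertion = null;
        SOAPElement samlElement = null;

        if (context.getMode() == FilterProcessingContext.ADHOC
                || context.getMode() == FilterProcessingContext.DEFAULT
                || context.getMode() == FilterProcessingContext.WSDL_POLICY) {

            NodeList nl = findAssertionNodes(wsseSecurity);
            if (nl == null) {
                throw new XWSSecurityException("SAMLAssertion is null");
            }

            // Exactly one assertion is accepted: fail closed on none and on
            // several, so an attacker cannot smuggle in a second assertion.
            int nodeListLength = nl.getLength();
            if (nodeListLength == 0) {
                throw new XWSSecurityException(
                        "No SAML Assertion found, Reciever requirement not met");
            } else if (nodeListLength > 1) {
                throw new XWSSecurityException(
                        "More than one SAML Assertion found, Reciever requirement not met");
            }

            samlElement = (SOAPElement) nl.item(0);
            try {
                samlAssertion = AssertionUtil.fromElement(samlElement);
            } catch (Exception e) {
                // Keep the cause in the log record; the fault carries it too.
                log.log(Level.SEVERE, "WSS0418.saml.import.exception", e);
                throw SecurableSoapMessage.newSOAPFaultException(
                        MessageConstants.WSSE_INVALID_SECURITY,
                        "Exception while importing SAML Token", e);
            }

            if (context.getMode() == FilterProcessingContext.ADHOC) {
                checkIssuer(context, samlAssertion);
            }

        } else {
            if (context.getMode() == FilterProcessingContext.POSTHOC) {
                throw new XWSSecurityException(
                        "Internal Error: Called ImportSAMLAssertionFilter in POSTHOC Mode");
            }

            // NOTE(review): WSDL_POLICY is already handled by the branch above,
            // so this append is never reached. Left in place pending a decision
            // on whether the inferred binding should be appended in that mode.
            if (context.getMode() == FilterProcessingContext.WSDL_POLICY) {
                AuthenticationTokenPolicy.SAMLAssertionBinding bind =
                        new AuthenticationTokenPolicy.SAMLAssertionBinding();
                ((MessagePolicy) context.getInferredSecurityPolicy()).append(bind);
            }

            // Remember the element itself so that the validation call below
            // receives the assertion rather than null in these modes.
            samlElement = (SOAPElement) wsseSecurity.getCurrentHeaderElement();
            try {
                samlAssertion = AssertionUtil.fromElement(samlElement);
            } catch (Exception ex) {
                throw SecurableSoapMessage.newSOAPFaultException(
                        MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
                        "Exception while importing SAML Assertion", ex);
            }
        }

        // The cache is keyed by assertion ID; a repeated ID silently replaces
        // the earlier entry (IDs are assumed unique within a message).
        HashMap tokenCache = context.getTokenCache();
        tokenCache.put(samlAssertion.getAssertionID(), samlAssertion);

        // NOTE(review): neither the notBefore/notOnOrAfter conditions nor the
        // subject confirmation method are checked here; this relies on
        // validateSAMLAssertion performing those checks - confirm.
        context.getSecurityEnvironment().validateSAMLAssertion(
                context.getExtraneousProperties(), samlElement);

        context.getSecurityEnvironment().updateOtherPartySubject(
                DefaultSecurityEnvironmentImpl.getSubject(context),
                samlAssertion);
    }

    /**
     * Selects the SAML assertion elements of the security header.
     *
     * <p>The SAML version is inferred from the first child element that carries
     * an {@code ID} attribute (SAML 2.0) or an {@code AssertionID} attribute
     * (SAML 1.x); the lookup is then done in the matching namespace.
     *
     * @param wsseSecurity the security header to search
     * @return the matching assertion elements, or {@code null} if no child
     *         carries either attribute
     */
    private static NodeList findAssertionNodes(SecurityHeader wsseSecurity) {
        for (Iterator iter = wsseSecurity.getChildElements(); iter.hasNext();) {
            Element elem = (Element) iter.next();
            // NOTE(review): the first child with such an attribute need not be
            // the assertion itself; it only decides which namespace is queried.
            if (elem.getAttributeNode("ID") != null) {
                return wsseSecurity.getElementsByTagNameNS(
                        MessageConstants.SAML_v2_0_NS,
                        MessageConstants.SAML_ASSERTION_LNAME);
            } else if (elem.getAttributeNode("AssertionID") != null) {
                return wsseSecurity.getElementsByTagNameNS(
                        MessageConstants.SAML_v1_0_NS,
                        MessageConstants.SAML_ASSERTION_LNAME);
            }
        }
        return null;
    }

    /**
     * Verifies that the assertion issuer matches the authority identifier of
     * the configured SAML assertion binding, when one is specified.
     *
     * @param context the processing context whose security policy is an
     *        {@link AuthenticationTokenPolicy} with a SAML assertion binding
     * @param samlAssertion the imported assertion
     * @throws XWSSecurityException if an authority identifier is configured and
     *         the assertion issuer differs from it
     */
    private static void checkIssuer(FilterProcessingContext context,
            Assertion samlAssertion) throws XWSSecurityException {
        AuthenticationTokenPolicy policy =
                (AuthenticationTokenPolicy) context.getSecurityPolicy();
        AuthenticationTokenPolicy.SAMLAssertionBinding samlPolicy =
                (AuthenticationTokenPolicy.SAMLAssertionBinding) policy.getFeatureBinding();

        // An unset (null or empty) authority identifier means the policy does
        // not constrain the issuer; previously null would have raised an NPE.
        String expectedIssuer = samlPolicy.getAuthorityIdentifier();
        if (expectedIssuer == null || "".equals(expectedIssuer)) {
            return;
        }

        if (!expectedIssuer.equals(samlAssertion.getSamlIssuer())) {
            XWSSecurityException xwse = new XWSSecurityException(
                    "Invalid Assertion Issuer, expected "
                    + expectedIssuer
                    + ", found "
                    + samlAssertion.getSamlIssuer());
            throw SecurableSoapMessage.newSOAPFaultException(
                    MessageConstants.WSSE_INVALID_SECURITY_TOKEN,
                    "Received SAML Assertion has invalid Issuer",
                    xwse);
        }
    }

}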
|