View Javadoc

1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.ws.security.provider;
18  
19  import org.opensaml.ws.message.MessageContext;
20  import org.opensaml.ws.security.SecurityPolicyException;
21  import org.opensaml.ws.security.SecurityPolicyRule;
22  import org.opensaml.ws.transport.http.HTTPTransport;
23  import org.opensaml.xml.util.DatatypeHelper;
24  import org.slf4j.Logger;
25  import org.slf4j.LoggerFactory;
26  
27  /**
28   * A security rule that checks basic HTTP connection properties.
29   */
30  public class HTTPRule implements SecurityPolicyRule {
31  
32      /** Class logger. */
33      private final Logger log = LoggerFactory.getLogger(HTTPRule.class);
34  
35      /** Expected content type of the request. */
36      private String requiredContentType;
37  
38      /** Expected method of the request. */
39      private String requiredRequestMethod;
40  
41      /** Whether the request must be secure. */
42      private boolean requireSecured;
43  
44      /**
45       * Constructor.
46       * 
47       * @param type expected content type
48       * @param method expected request method
49       * @param secured whether the request must be secured
50       */
51      public HTTPRule(String type, String method, boolean secured) {
52          requiredContentType = DatatypeHelper.safeTrimOrNullString(type);
53          requiredRequestMethod = DatatypeHelper.safeTrimOrNullString(method);
54          requireSecured = secured;
55      }
56  
57      /** {@inheritDoc} */
58      public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
59  
60          if (!(messageContext.getInboundMessageTransport() instanceof HTTPTransport)) {
61              log.debug("Message context was did not contain an HTTP transport, unable to evaluate security rule");
62              return;
63          }
64  
65          doEvaluate(messageContext);
66      }
67  
68      /**
69       * Evaluates if the message context transport, guaranteed to be of type {@link HTTPTransport}, meets all
70       * requirements.
71       * 
72       * @param messageContext message context being evaluated
73       * 
74       * @throws SecurityPolicyException thrown if the message context does not meet the requirements of an evaluated rule
75       */
76      protected void doEvaluate(MessageContext messageContext) throws SecurityPolicyException {
77          HTTPTransport transport = (HTTPTransport) messageContext.getInboundMessageTransport();
78          evaluateContentType(transport);
79          evaluateRequestMethod(transport);
80          evaluateSecured(transport);
81      }
82  
83      /**
84       * Checks if the transport is of the correct content type.
85       * 
86       * @param transport transport being evalauted
87       * 
88       * @throws SecurityPolicyException thrown if the content type was an unexpected value
89       */
90      protected void evaluateContentType(HTTPTransport transport) throws SecurityPolicyException {
91          String transportContentType = transport.getHeaderValue("Content-Type");
92          if (requiredContentType != null && !transportContentType.startsWith(requiredContentType)) {
93              log.error("Invalid content type, expected " + requiredContentType + " but was " + transportContentType);
94              throw new SecurityPolicyException("Invalid content type, expected " + requiredContentType + " but was "
95                      + transportContentType);
96          }
97      }
98  
99      /**
100      * Checks if the transport is of the correct request method.
101      * 
102      * @param transport transport being evalauted
103      * 
104      * @throws SecurityPolicyException thrown if the request method was an unexpected value
105      */
106     protected void evaluateRequestMethod(HTTPTransport transport) throws SecurityPolicyException {
107         String transportMethod = transport.getHTTPMethod();
108         if (requiredRequestMethod != null && !transportMethod.equalsIgnoreCase(requiredRequestMethod)) {
109             log.error("Invalid request method, expected " + requiredRequestMethod + " but was " + transportMethod);
110             throw new SecurityPolicyException("Invalid request method, expected " + requiredRequestMethod + " but was "
111                     + transportMethod);
112         }
113     }
114 
115     /**
116      * Checks if the transport is secured.
117      * 
118      * @param transport transport being evalauted
119      * 
120      * @throws SecurityPolicyException thrown if the transport is not secure and was required to be
121      */
122     protected void evaluateSecured(HTTPTransport transport) throws SecurityPolicyException {
123         if (requireSecured && !transport.isConfidential()) {
124             log.error("Request was required to be secured but was not");
125             throw new SecurityPolicyException("Request was required to be secured but was not");
126         }
127     }
128 }