View Javadoc

1   /*
2    * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.ws.security.provider;
18  
19  import org.opensaml.ws.message.MessageContext;
20  import org.opensaml.ws.security.SecurityPolicyException;
21  import org.opensaml.ws.security.SecurityPolicyRule;
22  import org.opensaml.xml.security.CriteriaSet;
23  import org.opensaml.xml.security.SecurityException;
24  import org.opensaml.xml.security.trust.TrustEngine;
25  import org.slf4j.Logger;
26  import org.slf4j.LoggerFactory;
27  
28  /**
29   * Base rule which uses a trust engine to evaluate a token extracted from the request or message.
30   * 
31   * @param <TokenType> type of token which is being evaluated by the underlying trust engine
32   */
33  public abstract class BaseTrustEngineRule<TokenType> implements SecurityPolicyRule {
34  
35      /** Logger. */
36      private final Logger log = LoggerFactory.getLogger(BaseTrustEngineRule.class);
37  
38      /** Trust engine used to verify the particular token type. */
39      private TrustEngine<TokenType> trustEngine;
40  
41      /**
42       * Constructor.
43       * 
44       * @param engine Trust engine used to verify the particular token type
45       */
46      public BaseTrustEngineRule(TrustEngine<TokenType> engine) {
47          trustEngine = engine;
48      }
49  
50      /**
51       * Gets the engine used to validate the untrusted token.
52       * 
53       * @return engine engine used to validate the untrusted token
54       */
55      protected TrustEngine<TokenType> getTrustEngine() {
56          return trustEngine;
57      }
58      
59      /**
60       * Subclasses are required to implement this method to build a criteria set for the trust engine
61       * according to trust engine and application-specific needs.
62       * 
63       * @param entityID the candidate issuer entity ID which is being evaluated 
64       * @param messageContext the message context which is being evaluated
65       * @return a newly constructly set of criteria suitable for the configured trust engine
66       * @throws SecurityPolicyException thrown if criteria set can not be constructed
67       */
68      protected abstract CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
69          throws SecurityPolicyException;
70  
71      /**
72       * Evaluate the token using the configured trust engine against criteria built using
73       * the specified candidate issuer entity ID and message context information.
74       * 
75       * @param token the token to be evaluated
76       * @param entityID the candidate issuer entity ID which is being evaluated 
77       * @param messageContext the message context which is being evaluated
78       * @return true if the token satisfies the criteria as determined by the trust engine, otherwise false
79       * @throws SecurityPolicyException thrown if there is a fatal error during trust engine evaluation
80       */
81      protected boolean evaluate(TokenType token, String entityID, MessageContext messageContext)
82          throws SecurityPolicyException {
83          
84          CriteriaSet criteriaSet = buildCriteriaSet(entityID, messageContext);
85          if (criteriaSet == null) {
86              log.error("Returned criteria set was null, can not perform trust engine evaluation of token");
87              throw new SecurityPolicyException("Returned criteria set was null");
88          }
89          
90          return evaluate(token, criteriaSet);
91      }
92      
93      /**
94       * Evaluate the token against the specified criteria using the configured trust engine.
95       * 
96       * @param token the token to be evaluated
97       * @param criteriaSet the set of criteria against which to evaluate the token
98       * @return true if the token satisfies the criteria as determined by the trust engine, otherwise false
99       * @throws SecurityPolicyException thrown if there is a fatal error during trust engine evaluation
100      */
101     protected boolean evaluate(TokenType token, CriteriaSet criteriaSet) throws SecurityPolicyException {
102         try {
103             return getTrustEngine().validate(token, criteriaSet);
104         } catch (SecurityException e) {
105             log.error("There was an error evaluating the request's token using the trust engine", e);
106             throw new SecurityPolicyException("Error during trust engine evaluation of the token", e);
107         }
108     }
109 
110 }