View Javadoc

1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.common.binding.security;
18  
19  import org.opensaml.common.binding.SAMLMessageContext;
20  import org.opensaml.security.MetadataCriteria;
21  import org.opensaml.ws.message.MessageContext;
22  import org.opensaml.ws.security.SecurityPolicyException;
23  import org.opensaml.ws.security.provider.BaseTrustEngineRule;
24  import org.opensaml.xml.security.CriteriaSet;
25  import org.opensaml.xml.security.credential.UsageType;
26  import org.opensaml.xml.security.criteria.EntityIDCriteria;
27  import org.opensaml.xml.security.criteria.UsageCriteria;
28  import org.opensaml.xml.security.trust.TrustEngine;
29  import org.opensaml.xml.signature.Signature;
30  import org.opensaml.xml.util.DatatypeHelper;
31  import org.slf4j.Logger;
32  import org.slf4j.LoggerFactory;
33  
34  /**
35   * Base class for SAML security policy rules which evaluate a signature with a signature trust engine.
36   */
37  public abstract class BaseSAMLXMLSignatureSecurityPolicyRule extends BaseTrustEngineRule<Signature> {
38      
39      /** Logger. */
40      private final Logger log = LoggerFactory.getLogger(BaseSAMLXMLSignatureSecurityPolicyRule.class);
41      
42      /**
43       * Constructor.
44       *
45       * @param engine Trust engine used to verify the signature
46       */
47      public BaseSAMLXMLSignatureSecurityPolicyRule(TrustEngine<Signature> engine) {
48          super(engine);
49      }
50  
51      /** {@inheritDoc} */
52      protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
53          throws SecurityPolicyException {
54          if (!(messageContext instanceof SAMLMessageContext)) {
55              log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
56              throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
57          }
58          
59          SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
60          
61          CriteriaSet criteriaSet = new CriteriaSet();
62          if (! DatatypeHelper.isEmpty(entityID)) {
63              criteriaSet.add(new EntityIDCriteria(entityID) );
64          }
65          
66          MetadataCriteria mdCriteria = 
67              new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol());
68          criteriaSet.add(mdCriteria);
69          
70          criteriaSet.add( new UsageCriteria(UsageType.SIGNING) );
71          
72          return criteriaSet;
73      }
74  
75  }