View Javadoc

1   /*
2    * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
3    *
4    * Licensed under the Apache License, Version 2.0 (the "License");
5    * you may not use this file except in compliance with the License.
6    * You may obtain a copy of the License at
7    *
8    * http://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS,
12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13   * See the License for the specific language governing permissions and
14   * limitations under the License.
15   */
16  
17  package org.opensaml.common.binding.security;
18  
19  import org.opensaml.common.binding.SAMLMessageContext;
20  import org.opensaml.security.MetadataCriteria;
21  import org.opensaml.ws.message.MessageContext;
22  import org.opensaml.ws.security.SecurityPolicyException;
23  import org.opensaml.ws.security.provider.CertificateNameOptions;
24  import org.opensaml.ws.security.provider.ClientCertAuthRule;
25  import org.opensaml.xml.security.CriteriaSet;
26  import org.opensaml.xml.security.trust.TrustEngine;
27  import org.opensaml.xml.security.x509.X509Credential;
28  import org.slf4j.Logger;
29  import org.slf4j.LoggerFactory;
30  
31  /**
32   * SAML specialization of {@link ClientCertAuthRule} which provides support for X509Credential trust engine validation
33   * based on SAML metadta.
34   */
35  public class SAMLMDClientCertAuthRule extends ClientCertAuthRule {
36  
37      /** Logger. */
38      private final Logger log = LoggerFactory.getLogger(SAMLMDClientCertAuthRule.class);
39  
40      /**
41       * Constructor.
42       * 
43       * @param engine Trust engine used to verify the request X509Credential
44       * @param nameOptions options for deriving issuer names from an X.509 certificate
45       */
46      public SAMLMDClientCertAuthRule(TrustEngine<X509Credential> engine, CertificateNameOptions nameOptions) {
47          super(engine, nameOptions);
48      }
49  
50      /** {@inheritDoc} */
51      protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) 
52          throws SecurityPolicyException {
53          
54          if (!(messageContext instanceof SAMLMessageContext)) {
55              log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
56              throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
57          }
58          
59          SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;
60  
61          CriteriaSet criteriaSet = super.buildCriteriaSet(entityID, messageContext);
62          MetadataCriteria mdCriteria = 
63              new MetadataCriteria(samlContext.getPeerEntityRole(), samlContext.getInboundSAMLProtocol());
64          criteriaSet.add(mdCriteria);
65  
66          return criteriaSet;
67      }
68  }