17 package org.opensaml.common.binding.security;
18
19 import org.opensaml.common.binding.SAMLMessageContext;
20 import org.opensaml.security.MetadataCriteria;
21 import org.opensaml.ws.message.MessageContext;
22 import org.opensaml.ws.security.SecurityPolicyException;
23 import org.opensaml.ws.security.provider.BaseTrustEngineRule;
24 import org.opensaml.xml.security.CriteriaSet;
25 import org.opensaml.xml.security.credential.UsageType;
26 import org.opensaml.xml.security.criteria.EntityIDCriteria;
27 import org.opensaml.xml.security.criteria.UsageCriteria;
28 import org.opensaml.xml.security.trust.TrustEngine;
29 import org.opensaml.xml.signature.Signature;
30 import org.opensaml.xml.util.DatatypeHelper;
31 import org.slf4j.Logger;
32 import org.slf4j.LoggerFactory;
33
34
35
36
/**
 * Base class for SAML security policy rules that evaluate an XML {@link Signature} against a
 * {@link TrustEngine}.
 *
 * <p>Its only contribution is {@link #buildCriteriaSet(String, MessageContext)}, which derives the
 * {@link CriteriaSet} used for trusted-credential resolution from the SAML message context: the
 * peer entity ID (when one is supplied), the peer's metadata role and the inbound SAML protocol,
 * and a {@link UsageType#SIGNING} usage constraint. Subclasses supply the signature-specific
 * evaluation.</p>
 */
public abstract class BaseSAMLXMLSignatureSecurityPolicyRule extends BaseTrustEngineRule<Signature> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(BaseSAMLXMLSignatureSecurityPolicyRule.class);

    /**
     * Constructor.
     *
     * @param engine the trust engine used to evaluate signatures; passed straight to the superclass
     */
    public BaseSAMLXMLSignatureSecurityPolicyRule(TrustEngine<Signature> engine) {
        super(engine);
    }

    /**
     * Builds the criteria set used to resolve the peer's trusted signing credentials.
     *
     * <p>The set always carries a {@link MetadataCriteria} built from the context's peer entity role
     * and inbound SAML protocol, plus a {@link UsageCriteria} for {@link UsageType#SIGNING}. An
     * {@link EntityIDCriteria} is added only when {@code entityID} is non-empty. Neither the role
     * nor the protocol is null-checked here; whether a null value is tolerated is left to the
     * trust engine's credential resolver.</p>
     *
     * <p>NOTE(review): the entity ID is used as given. It is the caller's job to pass the ID the
     * message claims to come from; the actual trust decision is made later by the trust engine
     * against the credentials resolved with these criteria, not by this method.</p>
     *
     * @param entityID entity ID of the peer whose credentials are sought; may be null or empty
     * @param messageContext the message context, which must be a {@link SAMLMessageContext}
     * @return the criteria set for credential resolution
     * @throws SecurityPolicyException if {@code messageContext} is not a {@link SAMLMessageContext}
     */
    protected CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
            throws SecurityPolicyException {
        // Peer role and inbound protocol only exist on a SAML context; anything else is a
        // wiring error, reported and rejected before any criteria are built.
        if (messageContext instanceof SAMLMessageContext) {
            return criteriaFor(entityID, (SAMLMessageContext) messageContext);
        }
        log.error("Supplied message context was not an instance of SAMLMessageContext, can not build criteria set from SAML metadata parameters");
        throw new SecurityPolicyException("Supplied message context was not an instance of SAMLMessageContext");
    }

    /**
     * Assembles the criteria for a SAML context; see {@link #buildCriteriaSet(String, MessageContext)}.
     *
     * @param entityID peer entity ID, possibly null or empty
     * @param samlCtx the SAML message context supplying role and protocol
     * @return the populated criteria set
     */
    private CriteriaSet criteriaFor(String entityID, SAMLMessageContext samlCtx) {
        CriteriaSet criteria = new CriteriaSet();

        // An empty/null entity ID simply yields no EntityIDCriteria; the other criteria are
        // still added unconditionally.
        if (DatatypeHelper.isEmpty(entityID) == false) {
            criteria.add(new EntityIDCriteria(entityID));
        }

        criteria.add(new MetadataCriteria(samlCtx.getPeerEntityRole(), samlCtx.getInboundSAMLProtocol()));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        return criteria;
    }

}