1 /* 2 * Copyright [2006] [University Corporation for Advanced Internet Development, Inc.] 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.opensaml.ws.security.provider; 18 19 import org.opensaml.ws.message.MessageContext; 20 import org.opensaml.ws.security.SecurityPolicyException; 21 import org.opensaml.ws.security.SecurityPolicyRule; 22 import org.opensaml.xml.security.CriteriaSet; 23 import org.opensaml.xml.security.SecurityException; 24 import org.opensaml.xml.security.trust.TrustEngine; 25 import org.slf4j.Logger; 26 import org.slf4j.LoggerFactory; 27 28 /** 29 * Base rule which uses a trust engine to evaluate a token extracted from the request or message. 30 * 31 * @param <TokenType> type of token which is being evaluated by the underlying trust engine 32 */ 33 public abstract class BaseTrustEngineRule<TokenType> implements SecurityPolicyRule { 34 35 /** Logger. */ 36 private final Logger log = LoggerFactory.getLogger(BaseTrustEngineRule.class); 37 38 /** Trust engine used to verify the particular token type. */ 39 private TrustEngine<TokenType> trustEngine; 40 41 /** 42 * Constructor. 43 * 44 * @param engine Trust engine used to verify the particular token type 45 */ 46 public BaseTrustEngineRule(TrustEngine<TokenType> engine) { 47 trustEngine = engine; 48 } 49 50 /** 51 * Gets the engine used to validate the untrusted token. 52 * 53 * @return engine engine used to validate the untrusted token 54 */ 55 protected TrustEngine<TokenType> getTrustEngine() { 56 return trustEngine; 57 } 58 59 /** 60 * Subclasses are required to implement this method to build a criteria set for the trust engine 61 * according to trust engine and application-specific needs. 62 * 63 * @param entityID the candidate issuer entity ID which is being evaluated 64 * @param messageContext the message context which is being evaluated 65 * @return a newly constructly set of criteria suitable for the configured trust engine 66 * @throws SecurityPolicyException thrown if criteria set can not be constructed 67 */ 68 protected abstract CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext) 69 throws SecurityPolicyException; 70 71 /** 72 * Evaluate the token using the configured trust engine against criteria built using 73 * the specified candidate issuer entity ID and message context information. 74 * 75 * @param token the token to be evaluated 76 * @param entityID the candidate issuer entity ID which is being evaluated 77 * @param messageContext the message context which is being evaluated 78 * @return true if the token satisfies the criteria as determined by the trust engine, otherwise false 79 * @throws SecurityPolicyException thrown if there is a fatal error during trust engine evaluation 80 */ 81 protected boolean evaluate(TokenType token, String entityID, MessageContext messageContext) 82 throws SecurityPolicyException { 83 84 CriteriaSet criteriaSet = buildCriteriaSet(entityID, messageContext); 85 if (criteriaSet == null) { 86 log.error("Returned criteria set was null, can not perform trust engine evaluation of token"); 87 throw new SecurityPolicyException("Returned criteria set was null"); 88 } 89 90 return evaluate(token, criteriaSet); 91 } 92 93 /** 94 * Evaluate the token against the specified criteria using the configured trust engine. 95 * 96 * @param token the token to be evaluated 97 * @param criteriaSet the set of criteria against which to evaluate the token 98 * @return true if the token satisfies the criteria as determined by the trust engine, otherwise false 99 * @throws SecurityPolicyException thrown if there is a fatal error during trust engine evaluation 100 */ 101 protected boolean evaluate(TokenType token, CriteriaSet criteriaSet) throws SecurityPolicyException { 102 try { 103 return getTrustEngine().validate(token, criteriaSet); 104 } catch (SecurityException e) { 105 log.error("There was an error evaluating the request's token using the trust engine", e); 106 throw new SecurityPolicyException("Error during trust engine evaluation of the token", e); 107 } 108 } 109 110 }