19 package org.apache.wss4j.policy.stax.assertionStates;
21 import javax.xml.namespace.QName;
23 import org.apache.wss4j.common.WSSPolicyException;
24 import org.apache.wss4j.policy.SPConstants;
25 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
26 import org.apache.wss4j.policy.model.AbstractToken;
27 import org.apache.wss4j.policy.model.KerberosToken;
28 import org.apache.wss4j.policy.stax.PolicyAsserter;
29 import org.apache.wss4j.stax.securityToken.KerberosServiceSecurityToken;
30 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
31 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
32 import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
33 import org.apache.xml.security.stax.securityToken.SecurityToken;
34 import org.apache.xml.security.stax.securityToken.SecurityTokenConstants.KeyIdentifier;
35 import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
36 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
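/**
 * Policy assertion state for the WS-SecurityPolicy {@code KerberosToken} assertion.
 *
 * <p>For every {@link WSSecurityEventConstants#KERBEROS_TOKEN} event the received
 * {@link KerberosTokenSecurityEvent} is checked against the policy's issuer name, its
 * {@code RequireKeyIdentifierReference} flag and its AP-REQ token type. The first failing
 * check records an error message, unasserts the affected (sub-)policy and stops evaluation,
 * so the assertion is only marked as fulfilled once all checks have passed.
 */
public class KerberosTokenAssertionState extends TokenAssertionState {

    /**
     * @param assertion      the {@link KerberosToken} policy assertion tracked by this state
     * @param asserted       whether the assertion starts out asserted; when {@code true} the
     *                       {@code RequireKeyIdentifierReference} and AP-REQ token type
     *                       sub-policies (if configured) are asserted immediately
     * @param policyAsserter target of all assert/unassert calls
     * @param initiator      forwarded unchanged to {@link TokenAssertionState}
     */
    public KerberosTokenAssertionState(AbstractSecurityAssertion assertion, boolean asserted,
                                       PolicyAsserter policyAsserter, boolean initiator) {
        super(assertion, asserted, policyAsserter, initiator);

        if (asserted) {
            KerberosToken token = (KerberosToken) getAssertion();
            String namespace = token.getName().getNamespaceURI();
            if (token.isRequireKeyIdentifierReference()) {
                getPolicyAsserter().assertPolicy(
                        new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE));
            }
            if (token.getApReqTokenType() != null) {
                getPolicyAsserter().assertPolicy(new QName(namespace, token.getApReqTokenType().name()));
            }
        }
    }

    /** @return the single event type this state reacts to: {@code KERBEROS_TOKEN}. */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
            WSSecurityEventConstants.KERBEROS_TOKEN
        };
    }

    /**
     * Verifies a received Kerberos token against the {@link KerberosToken} policy.
     *
     * @param tokenSecurityEvent the event carrying the received token; must be a
     *                           {@link KerberosTokenSecurityEvent}
     * @param abstractToken      the policy token assertion, expected to be a {@link KerberosToken}
     * @return {@code true} if all configured checks passed and the assertion was asserted;
     *         {@code false} after the first failed check (the error message is then available
     *         via {@code getErrorMessage()} and the affected policy has been unasserted)
     * @throws WSSPolicyException if the event is not a {@link KerberosTokenSecurityEvent}
     */
    @Override
    public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
                               AbstractToken abstractToken) throws WSSPolicyException {
        if (!(tokenSecurityEvent instanceof KerberosTokenSecurityEvent)) {
            throw new WSSPolicyException("Expected a KerberosTokenSecurityEvent but got "
                    + tokenSecurityEvent.getClass().getName());
        }

        KerberosToken kerberosToken = (KerberosToken) abstractToken;
        KerberosTokenSecurityEvent kerberosTokenSecurityEvent = (KerberosTokenSecurityEvent) tokenSecurityEvent;
        KerberosServiceSecurityToken kerberosServiceSecurityToken = kerberosTokenSecurityEvent.getSecurityToken();
        String namespace = getAssertion().getName().getNamespaceURI();

        // Each check records its own error and unasserts the relevant policy; the first failure wins.
        if (!checkIssuerName(kerberosToken, kerberosTokenSecurityEvent)
                || !checkKeyIdentifierReference(kerberosToken, kerberosServiceSecurityToken, namespace)
                || !checkApReqTokenType(kerberosToken, kerberosTokenSecurityEvent, namespace)) {
            return false;
        }

        getPolicyAsserter().assertPolicy(getAssertion());
        return true;
    }

    /**
     * Compares the issuer name demanded by the policy (if any) with the one reported for the
     * received token. Unasserts the whole assertion on mismatch.
     */
    private boolean checkIssuerName(KerberosToken kerberosToken, KerberosTokenSecurityEvent event) {
        String policyIssuerName = kerberosToken.getIssuerName();
        if (policyIssuerName != null && !policyIssuerName.equals(event.getIssuerName())) {
            setErrorMessage("IssuerName in Policy (" + policyIssuerName
                    + ") didn't match with the one in the KerberosToken (" + event.getIssuerName() + ")");
            getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
            return false;
        }
        return true;
    }

    /**
     * Enforces {@code RequireKeyIdentifierReference}: when the policy demands it, the received
     * token must have been referenced through an embedded KeyIdentifier reference.
     */
    private boolean checkKeyIdentifierReference(KerberosToken kerberosToken,
                                                KerberosServiceSecurityToken securityToken,
                                                String namespace) {
        if (!kerberosToken.isRequireKeyIdentifierReference()) {
            return true;
        }
        QName subPolicy = new QName(namespace, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE);
        KeyIdentifier keyIdentifier = securityToken.getKeyIdentifier();
        // Constant on the left so a null key identifier counts as a mismatch instead of an NPE.
        if (!WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF.equals(keyIdentifier)) {
            setErrorMessage("Policy enforces KeyIdentifierReference but we got " + keyIdentifier);
            getPolicyAsserter().unassertPolicy(subPolicy, getErrorMessage());
            return false;
        }
        getPolicyAsserter().assertPolicy(subPolicy);
        return true;
    }

    /**
     * Enforces the AP-REQ token type named in the policy (if any) against the type flags of the
     * received token. A type this method does not know how to verify is rejected rather than
     * silently accepted, so the check stays fail-closed if the enum ever grows.
     */
    private boolean checkApReqTokenType(KerberosToken kerberosToken,
                                        KerberosTokenSecurityEvent event,
                                        String namespace) {
        if (kerberosToken.getApReqTokenType() == null) {
            return true;
        }
        boolean matches;
        switch (kerberosToken.getApReqTokenType()) {
            case WssKerberosV5ApReqToken11:
                matches = event.isKerberosV5ApReqToken11();
                break;
            case WssGssKerberosV5ApReqToken11:
                matches = event.isGssKerberosV5ApReqToken11();
                break;
            default:
                matches = false;
                break;
        }
        // Sub-policy local name is the enum constant's name, matching what the constructor asserts.
        QName subPolicy = new QName(namespace, kerberosToken.getApReqTokenType().name());
        if (!matches) {
            setErrorMessage("Policy enforces " + kerberosToken.getApReqTokenType());
            getPolicyAsserter().unassertPolicy(subPolicy, getErrorMessage());
            return false;
        }
        getPolicyAsserter().assertPolicy(subPolicy);
        return true;
    }
}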