19 package org.apache.wss4j.policy.stax.assertionStates;
20
21 import org.apache.wss4j.policy.AssertionState;
22 import org.apache.wss4j.policy.SPConstants;
23 import org.apache.wss4j.common.WSSPolicyException;
24 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
25 import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
26 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
27 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
28 import org.apache.wss4j.policy.stax.Assertable;
29 import org.apache.wss4j.policy.stax.DummyPolicyAsserter;
30 import org.apache.wss4j.policy.stax.PolicyAsserter;
31 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
32 import org.apache.wss4j.stax.utils.WSSUtils;
33
34 import javax.xml.namespace.QName;
35
36 import java.util.List;
37
38
39
40
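/**
 * Enforces the WS-SecurityPolicy {@code OnlySignEntireHeadersAndBody} assertion against the
 * {@code SignedPart} / {@code SignedElement} security events of an inbound message.
 *
 * <p>A signed, non-attachment element is accepted only when its element path has one of the
 * three shapes this state checks for:
 * <ul>
 *   <li>depth 4 and {@link WSSUtils#isInSecurityHeader} for the configured role/actor
 *       (presumably a whole child of the {@code wsse:Security} header),</li>
 *   <li>depth 3 and {@link WSSUtils#isInSOAPHeader} (presumably a whole SOAP header block), or</li>
 *   <li>depth 2 and {@link WSSUtils#isInSOAPBody} (presumably the SOAP Body element itself).</li>
 * </ul>
 * Any other signed element means the signature covers only a fragment of a header or the body;
 * the policy is unasserted and the offending path is recorded in the error message. The security
 * rationale is the usual one for XML signatures: whatever lies outside the signed fragment can be
 * altered without invalidating the signature, so a partial signature gives a false sense of
 * integrity.
 *
 * <p>Events whose element is not signed, and signed attachments, are not constrained here: the
 * asserted flag is left untouched, but the policy is still reported as asserted to the
 * {@link PolicyAsserter}.
 *
 * <p>NOTE(review): a compliant event arriving after a non-compliant one calls
 * {@code setAsserted(true)} again. Whether the earlier failure survives depends on
 * {@link AssertionState#setAsserted} latching on {@code false} in the base class (not visible
 * here) — confirm, because the policy is only meaningful if one partial signature fails the
 * whole message.
 */
public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements Assertable {

    /** Role/actor of the wsse:Security header whose direct children count as entire signed elements. */
    private final String roleOrActor;
    /** Receives assert/unassert callbacks; never null (falls back to a DummyPolicyAsserter). */
    private final PolicyAsserter policyAsserter;

    /**
     * @param assertion      the policy assertion this state tracks
     * @param policyAsserter callback target; may be null, in which case a no-op asserter is used
     * @param asserted       initial asserted state; when true the policy is reported as asserted immediately
     * @param roleOrActor    role/actor used to locate the relevant wsse:Security header
     */
    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion,
                                                      PolicyAsserter policyAsserter,
                                                      boolean asserted,
                                                      String roleOrActor) {
        super(assertion, asserted);
        this.roleOrActor = roleOrActor;
        this.policyAsserter = policyAsserter == null ? new DummyPolicyAsserter() : policyAsserter;

        // A state that starts out asserted is reported as such to the asserter up front.
        if (asserted) {
            this.policyAsserter.assertPolicy(policyName());
        }
    }

    /**
     * Subscribes only to signed-part and signed-element events, which is what makes the
     * cast in {@link #assertEvent} safe.
     */
    @Override
    public SecurityEventConstants.Event[] getSecurityEventType() {
        return new SecurityEventConstants.Event[]{
            WSSecurityEventConstants.SIGNED_PART,
            WSSecurityEventConstants.SignedElement
        };
    }

    /**
     * Evaluates one signed-part/signed-element event against the policy.
     *
     * @param securityEvent an {@link AbstractSecuredElementSecurityEvent} (see {@link #getSecurityEventType})
     * @return true when the event does not violate the policy, false when a partial signature was found
     * @throws WSSPolicyException declared for the {@link Assertable} contract; not thrown by this implementation
     */
    @Override
    public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
        // Cast is safe by contract: only SignedPart/SignedElement events are delivered here.
        AbstractSecuredElementSecurityEvent securedEvent = (AbstractSecuredElementSecurityEvent) securityEvent;
        QName policyName = policyName();

        // Unsigned elements and signed attachments are outside this assertion's scope.
        if (!securedEvent.isSigned() || securedEvent.isAttachment()) {
            policyAsserter.assertPolicy(policyName);
            return true;
        }

        List<QName> elementPath = securedEvent.getElementPath();
        if (isEntireHeaderOrBody(securedEvent, elementPath)) {
            setAsserted(true);
            policyAsserter.assertPolicy(policyName);
            return true;
        }

        // The signature covers only part of a header or the body: fail and name the element.
        setAsserted(false);
        setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element: "
                + WSSUtils.pathAsString(elementPath));
        policyAsserter.unassertPolicy(policyName, getErrorMessage());
        return false;
    }

    /**
     * Classifies a signed element by the depth of its path and the matching WSSUtils check.
     * Anything that is not a whole wsse:Security child, a whole SOAP header block or the SOAP
     * Body element is treated as a partial signature.
     */
    private boolean isEntireHeaderOrBody(AbstractSecuredElementSecurityEvent securedEvent,
                                         List<QName> elementPath) {
        int depth = elementPath.size();
        if (depth == 4) {
            // Presumably Envelope/Header/Security/<child>; the role/actor selects the right Security header.
            return WSSUtils.isInSecurityHeader(securedEvent.getXmlSecEvent(), elementPath, roleOrActor);
        }
        if (depth == 3) {
            // Presumably Envelope/Header/<block>: an entire header block.
            return WSSUtils.isInSOAPHeader(elementPath);
        }
        if (depth == 2) {
            // Presumably Envelope/Body: the Body element itself.
            return WSSUtils.isInSOAPBody(elementPath);
        }
        return false;
    }

    /**
     * Builds the policy QName reported to the asserter. Computed on demand rather than cached so
     * the assertion's name is read exactly when the original code read it.
     */
    private QName policyName() {
        String namespace = getAssertion().getName().getNamespaceURI();
        return new QName(namespace, SPConstants.ONLY_SIGN_ENTIRE_HEADERS_AND_BODY);
    }
}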