//make a DynamicPolicyCallback to obtain the SAML assertion
boolean isOptimized = false;
SecurableSoapMessage secureMessage = null;
SecurityHeader securityHeader = null;
com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader optSecHeader = null;
SecurityHeaderElement she = null;
if(context instanceof JAXBFilterProcessingContext){
isOptimized = true;
optSecHeader = ((JAXBFilterProcessingContext)context).getSecurityHeader();
} else{
secureMessage = context.getSecurableSoapMessage();
securityHeader = secureMessage.findOrCreateSecurityHeader();
}
AuthenticationTokenPolicy policy =
(AuthenticationTokenPolicy)context.getSecurityPolicy();
AuthenticationTokenPolicy.SAMLAssertionBinding samlPolicy =
(AuthenticationTokenPolicy.SAMLAssertionBinding)policy.getFeatureBinding();
if (samlPolicy.getIncludeToken() == samlPolicy.INCLUDE_ONCE) {
throw new XWSSecurityException("Include Token ONCE not supported for SAMLToken Assertions");
}
if (samlPolicy.getAssertionType() !=
AuthenticationTokenPolicy.SAMLAssertionBinding.SV_ASSERTION) {
// should never be called this way
throw new XWSSecurityException(
"Internal Error: ExportSamlAssertionFilter called for HOK assertion");
}
//AuthenticationTokenPolicy policyClone = (AuthenticationTokenPolicy)policy.clone();
samlPolicy =
(AuthenticationTokenPolicy.SAMLAssertionBinding)policy.getFeatureBinding();
samlPolicy.isReadOnly(true);
DynamicApplicationContext dynamicContext =
new DynamicApplicationContext(context.getPolicyContext());
dynamicContext.setMessageIdentifier(context.getMessageIdentifier());
dynamicContext.inBoundMessage(false);
AuthenticationTokenPolicy.SAMLAssertionBinding resolvedPolicy =
context.getSecurityEnvironment().populateSAMLPolicy(context.getExtraneousProperties(), samlPolicy, dynamicContext);
Assertion _assertion = null;
Element assertionElement = resolvedPolicy.getAssertion();
Element _authorityBinding = resolvedPolicy.getAuthorityBinding();
if (assertionElement == null) {
reader = resolvedPolicy.getAssertionReader();
if (reader != null) {
try {
reader.next(); //start document , so move to next event
id = reader.getAttributeValue(null, "AssertionID");
if (id == null) {
id = reader.getAttributeValue(null, "ID");
}
version = reader.getAttributeValue(null, "Version");
buffer = new MutableXMLStreamBuffer();
StreamWriterBufferCreator bCreator = new StreamWriterBufferCreator(buffer);
XMLStreamWriter writer_tmp = (XMLStreamWriter) bCreator;
while (!(XMLStreamReader.END_DOCUMENT == reader.getEventType())) {
com.sun.xml.ws.security.opt.impl.util.StreamUtil.writeCurrentEvent(reader, writer_tmp);
reader.next();
}
} catch (XMLStreamException ex) {
throw new XWSSecurityException(ex);
}
}
} else {
try {
if (System.getProperty("com.sun.xml.wss.saml.binding.jaxb") == null) {
if (assertionElement.getAttributeNode("ID") != null) {
_assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion.fromElement(assertionElement);
} else {
_assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion.fromElement(assertionElement);
}
} else {
_assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb10.Assertion.fromElement(assertionElement);
}
} catch (SAMLException ex) {
//ignore
}
}
if (samlPolicy.getIncludeToken() == samlPolicy.INCLUDE_NEVER ||
samlPolicy.getIncludeToken() == samlPolicy.INCLUDE_NEVER_VER2 ) {
if (_authorityBinding != null) {
//nullify the assertion set by Callback since IncludeToken is never
// do this because we have to maintain BackwardCompat with XWSS2.0
assertionElement = null;
}
}
if ((_assertion == null) && (_authorityBinding == null) && reader == null) {
throw new XWSSecurityException(
"None of SAML Assertion,SAML Assertion Reader or SAML AuthorityBinding information was set into " +
" the Policy by the CallbackHandler");
}
//TODO: check that the Confirmation Method of the assertion is indeed SV
if (_assertion != null){
if(_assertion.getVersion() == null && _authorityBinding == null){
if(!isOptimized){
if ( System.getProperty("com.sun.xml.wss.saml.binding.jaxb") == null) {
((com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion)_assertion).toElement(securityHeader);
} else {
((com.sun.xml.wss.saml.assertion.saml11.jaxb10.Assertion)_assertion).toElement(securityHeader);
}
} else {
she = new GSHeaderElement(assertionElement, ((JAXBFilterProcessingContext) context).getSOAPVersion());
if (optSecHeader.getChildElement(she.getId()) == null) {
optSecHeader.add(she);
} else {
return;
}
}
HashMap tokenCache = context.getTokenCache();
//assuming unique IDs
tokenCache.put(((com.sun.xml.wss.saml.Assertion)_assertion).getAssertionID(), _assertion);
} else if (_assertion.getVersion() != null){
if(!isOptimized){
((com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion)_assertion).toElement(securityHeader);
} else {
she = new GSHeaderElement(assertionElement, ((JAXBFilterProcessingContext) context).getSOAPVersion());
if (optSecHeader.getChildElement(she.getId()) == null) {
optSecHeader.add(she);
} else {
return;
}
}
HashMap tokenCache = context.getTokenCache();
//assuming unique IDs
tokenCache.put(((com.sun.xml.wss.saml.Assertion)_assertion).getID(), _assertion);
} else {
//Authoritybinding is set. So the Assertion should not be exported
if (null == resolvedPolicy.getSTRID()) {
throw new XWSSecurityException(
"Unsupported configuration: required wsu:Id value " +
" for SecurityTokenReference to Remote SAML Assertion not found " +
" in Policy");
}
}
} else if(reader != null) {
she = new GSHeaderElement(buffer);
she.setId(id); // set the ID again to bring it to top
if (optSecHeader.getChildElement(she.getId()) == null) {
optSecHeader.add(she);
} else {
return;
}
}
if (null != resolvedPolicy.getSTRID()) {
//generate and export an STR into the Header with the given ID
if ((_assertion == null) && (null == resolvedPolicy.getAssertionId()) && reader == null) {
throw new XWSSecurityException(
"None of SAML Assertion, SAML Assertion Reader or SAML Assertion Id information was set into " +
" the Policy by the CallbackHandler");
}
String assertionId = resolvedPolicy.getAssertionId();
if (_assertion != null) {
assertionId = ((com.sun.xml.wss.saml.Assertion) _assertion).getAssertionID();
} else {
assertionId = (id != null) ? id : assertionId ;
}
if(!isOptimized){
SecurityTokenReference tokenRef = new SecurityTokenReference(secureMessage.getSOAPPart());
tokenRef.setWsuId(resolvedPolicy.getSTRID());
// set wsse11:TokenType to SAML1.1 or SAML2.0
if(_assertion != null && _assertion.getVersion() != null){
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v2_0_TOKEN_TYPE);
} else {
if (reader != null) {
if (version == "2.0") {
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v2_0_TOKEN_TYPE);
} else {
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v1_1_TOKEN_TYPE);
}
} else {
tokenRef.setTokenType(MessageConstants.WSSE_SAML_v1_1_TOKEN_TYPE);
}
}
if (_authorityBinding != null) {
tokenRef.setSamlAuthorityBinding(_authorityBinding, secureMessage.getSOAPPart());
}
KeyIdentifierStrategy strat = new KeyIdentifierStrategy(assertionId);
strat.insertKey(tokenRef, context.getSecurableSoapMessage());
securityHeader.insertHeaderBlock(tokenRef);
} else{
JAXBFilterProcessingContext optContext = (JAXBFilterProcessingContext)context;
WSSElementFactory elementFactory = new WSSElementFactory(optContext.getSOAPVersion());
com.sun.xml.ws.security.opt.impl.reference.KeyIdentifier ref = elementFactory.createKeyIdentifier();
ref.setValue(assertionId);