@Override
public void processEvent(XMLSecEvent xmlSecEvent, final OutputProcessorChain outputProcessorChain)
throws XMLStreamException, XMLSecurityException {
try {
final SAMLCallback samlCallback = new SAMLCallback();
SAMLUtil.doSAMLCallback(((WSSSecurityProperties) getSecurityProperties()).getSamlCallbackHandler(), samlCallback);
SamlAssertionWrapper samlAssertionWrapper = new SamlAssertionWrapper(samlCallback);
if (samlCallback.isSignAssertion()) {
samlAssertionWrapper.signAssertion(
samlCallback.getIssuerKeyName(),
samlCallback.getIssuerKeyPassword(),
samlCallback.getIssuerCrypto(),
samlCallback.isSendKeyValue(),
samlCallback.getCanonicalizationAlgorithm(),
samlCallback.getSignatureAlgorithm(),
samlCallback.getSignatureDigestAlgorithm()
);
}
boolean senderVouches = false;
boolean hok = false;
List<String> methods = samlAssertionWrapper.getConfirmationMethods();
if (methods != null && methods.size() > 0) {
String confirmMethod = methods.get(0);
if (OpenSAMLUtil.isMethodSenderVouches(confirmMethod)) {
senderVouches = true;
} else if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
hok = true;
}
}
final String securityTokenReferenceId = IDGenerator.generateID(null);
final String tokenId = samlAssertionWrapper.getId();
final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor;
XMLSecurityConstants.Action action = getAction();
boolean includeSTR = false;
GenericOutboundSecurityToken securityToken = null;
// See if a token is already available
String sigTokenId =
outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
if (sigTokenId != null) {
signatureTokenProvider =
outputProcessorChain.getSecurityContext().getSecurityTokenProvider(sigTokenId);
if (signatureTokenProvider != null) {
securityToken =
(GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
}
}
if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && senderVouches) {
includeSTR = true;
if (securityToken == null) {
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(samlCallback.getIssuerKeyName());
X509Certificate[] certificates = null;
if (samlCallback.getIssuerCrypto() != null) {
certificates = samlCallback.getIssuerCrypto().getX509Certificates(cryptoType);
}
if (certificates == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"empty", "No issuer certs were found to sign the SAML Assertion using issuer name: "
+ samlCallback.getIssuerKeyName()
);
}
PrivateKey privateKey;
try {
privateKey = samlCallback.getIssuerCrypto().getPrivateKey(
samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword());
} catch (Exception ex) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, ex);
}
final String binarySecurityTokenId = IDGenerator.generateID(null);
final GenericOutboundSecurityToken bstSecurityToken =
new GenericOutboundSecurityToken(binarySecurityTokenId, WSSecurityTokenConstants.X509V3Token,
privateKey, certificates);
SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
new SecurityTokenProvider<OutboundSecurityToken>() {
@Override
public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
return bstSecurityToken;
}
@Override
public String getId() {
return binarySecurityTokenId;
}
};
outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(binarySecurityTokenId, securityTokenProvider);
outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, binarySecurityTokenId);
securityToken = bstSecurityToken;
}
finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(securityToken, samlAssertionWrapper,
securityTokenReferenceId, senderVouches, includeSTR);
securityToken.setProcessor(finalSAMLTokenOutputProcessor);
} else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && hok) {
final SAMLKeyInfo samlKeyInfo = new SAMLKeyInfo();
SubjectBean subjectBean = samlCallback.getSubject();
if (subjectBean != null) {
KeyInfoBean keyInfoBean = subjectBean.getKeyInfo();
if (keyInfoBean != null) {
X509Certificate x509Certificate = keyInfoBean.getCertificate();
if (x509Certificate != null) {
String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().
getX509Identifier(x509Certificate);
if (alias == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "aliasIsNull");
}
WSPasswordCallback wsPasswordCallback =
new WSPasswordCallback(alias, WSPasswordCallback.SIGNATURE);
WSSUtils.doPasswordCallback(
((WSSSecurityProperties) getSecurityProperties()).getCallbackHandler(),
wsPasswordCallback);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(alias);
samlKeyInfo.setCerts(((WSSSecurityProperties) getSecurityProperties()).
getSignatureCrypto().getX509Certificates(cryptoType));
samlKeyInfo.setPrivateKey(((WSSSecurityProperties) getSecurityProperties()).
getSignatureCrypto().getPrivateKey(alias, wsPasswordCallback.getPassword()));
} else if (keyInfoBean.getPublicKey() != null) {
PublicKey publicKey = keyInfoBean.getPublicKey();
samlKeyInfo.setPublicKey(publicKey);
samlKeyInfo.setPrivateKey(((WSSSecurityProperties) getSecurityProperties()).
getSignatureCrypto().getPrivateKey(
samlCallback.getIssuerKeyName(), samlCallback.getIssuerKeyPassword()));
} else {
samlKeyInfo.setSecret(keyInfoBean.getEphemeralKey());
}
}
}
final Element ref;
if (securityToken != null) {
ref = securityToken.getCustomTokenReference();
} else {
ref = null;
}
finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
securityTokenReferenceId, senderVouches, includeSTR);
final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
new SecurityTokenProvider<OutboundSecurityToken>() {
private GenericOutboundSecurityToken samlSecurityToken;
@Override
public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
if (this.samlSecurityToken != null) {
return this.samlSecurityToken;
}
WSSecurityTokenConstants.TokenType tokenType;
if (samlCallback.getSamlVersion() == SAMLVersion.VERSION_10) {
tokenType = WSSecurityTokenConstants.Saml10Token;
} else if (samlCallback.getSamlVersion() == SAMLVersion.VERSION_11) {
tokenType = WSSecurityTokenConstants.Saml11Token;
} else {
tokenType = WSSecurityTokenConstants.Saml20Token;
}
if (samlKeyInfo.getPrivateKey() != null) {