Deque<XMLSecEvent> eventQueue, Integer index) throws XMLSecurityException {
final Document samlTokenDocument = (Document) parseStructure(eventQueue, index, securityProperties);
final WSSSecurityProperties wssSecurityProperties = (WSSSecurityProperties) securityProperties;
final WSInboundSecurityContext wsInboundSecurityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
final Element samlElement = samlTokenDocument.getDocumentElement();
final SamlAssertionWrapper samlAssertionWrapper = new SamlAssertionWrapper(samlElement);
SamlTokenValidator samlTokenValidator = wssSecurityProperties.getValidator(new QName(samlElement.getNamespaceURI(), samlElement.getLocalName()));
if (samlTokenValidator == null) {
samlTokenValidator = new SamlTokenValidatorImpl();
}
//important: check the signature before we do other processing...
if (samlAssertionWrapper.isSigned()) {
Signature signature = samlAssertionWrapper.getSignature();
if (signature == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN,
"empty", "no signature to validate");
}
int sigKeyInfoIdx = getSignatureKeyInfoIndex(eventQueue);
if (sigKeyInfoIdx < 0) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
InboundSecurityToken sigSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, sigKeyInfoIdx);
if (sigSecurityToken == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
samlTokenValidator.validate(sigSecurityToken, wssSecurityProperties);
BasicX509Credential credential = new BasicX509Credential();
if (sigSecurityToken.getX509Certificates() != null) {
credential.setEntityCertificate(sigSecurityToken.getX509Certificates()[0]);
} else if (sigSecurityToken.getPublicKey() != null) {
credential.setPublicKey(sigSecurityToken.getPublicKey());
} else {
throw new WSSecurityException(
WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity",
"cannot get certificate or key"
);
}
SignatureValidator sigValidator = new SignatureValidator(credential);
try {
sigValidator.validate(signature);
} catch (ValidationException ex) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
"empty", ex, "SAML signature validation failed");
}
}
String confirmMethod = null;
List<String> methods = samlAssertionWrapper.getConfirmationMethods();
if (methods != null && methods.size() > 0) {
confirmMethod = methods.get(0);
}
final InboundSecurityToken subjectSecurityToken;
if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
// First try to get the credential from a CallbackHandler
final byte[] subjectSecretKey = SAMLUtil.getSecretKeyFromCallbackHandler(
samlAssertionWrapper.getId(), wssSecurityProperties.getCallbackHandler());
if (subjectSecretKey != null && subjectSecretKey.length > 0) {
subjectSecurityToken = new AbstractInboundSecurityToken(
wsInboundSecurityContext, IDGenerator.generateID(null),
WSSecurityTokenConstants.KeyIdentifier_NoKeyInfo, true) {
@Override
public WSSecurityTokenConstants.TokenType getTokenType() {
return WSSecurityTokenConstants.DefaultToken;
}
@Override
public boolean isAsymmetric() throws XMLSecurityException {
return false;
}
@Override
protected Key getKey(String algorithmURI, XMLSecurityConstants.AlgorithmUsage
algorithmUsage, String correlationID) throws XMLSecurityException {
Key key = super.getKey(algorithmURI, algorithmUsage, correlationID);
if (key == null) {
String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
key = new SecretKeySpec(subjectSecretKey, algoFamily);
setSecretKey(algorithmURI, key);
}
return key;
}
};
} else {
// The assertion must have been signed for HOK
if (!samlAssertionWrapper.isSigned()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "invalidSAMLsecurity");
}
int subjectKeyInfoIndex = getSubjectKeyInfoIndex(eventQueue);
if (subjectKeyInfoIndex < 0) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
subjectSecurityToken = parseKeyInfo(inputProcessorChain, securityProperties, eventQueue, subjectKeyInfoIndex);
if (subjectSecurityToken == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, "noKeyInSAMLToken");
}
}
} else {
subjectSecurityToken = null;
}
final List<XMLSecEvent> xmlSecEvents = getResponsibleXMLSecEvents(eventQueue, index);
final List<QName> elementPath = getElementPath(eventQueue);
final TokenContext tokenContext = new TokenContext(wssSecurityProperties, wsInboundSecurityContext, xmlSecEvents, elementPath);
//jdk 1.6 compiler bug? http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6302954
//type parameters of <T>T cannot be determined; no unique maximal instance exists for type variable T with
// upper bounds org.apache.wss4j.stax.securityToken.SamlSecurityToken,
// org.apache.wss4j.stax.securityToken.SamlSecurityToken,
// org.apache.xml.security.stax.ext.securityToken.InboundSecurityToken
//works fine on jdk 1.7
final SamlSecurityToken samlSecurityToken =
samlTokenValidator.</*fake @see above*/SamlSecurityTokenImpl>
validate(samlAssertionWrapper, subjectSecurityToken, tokenContext);
SecurityTokenProvider<InboundSecurityToken> subjectSecurityTokenProvider =
new SecurityTokenProvider<InboundSecurityToken>() {
@Override
public InboundSecurityToken getSecurityToken() throws XMLSecurityException {
return (InboundSecurityToken)samlSecurityToken;
}
@Override
public String getId() {
return samlAssertionWrapper.getId();
}
};
wsInboundSecurityContext.registerSecurityTokenProvider(samlAssertionWrapper.getId(), subjectSecurityTokenProvider);
//fire a tokenSecurityEvent
SamlTokenSecurityEvent samlTokenSecurityEvent = new SamlTokenSecurityEvent();
samlTokenSecurityEvent.setSecurityToken((SamlSecurityToken)subjectSecurityTokenProvider.getSecurityToken());
samlTokenSecurityEvent.setCorrelationID(samlAssertionWrapper.getId());
wsInboundSecurityContext.registerSecurityEvent(samlTokenSecurityEvent);
if (wssSecurityProperties.isValidateSamlSubjectConfirmation()) {
SAMLTokenVerifierInputProcessor samlTokenVerifierInputProcessor =
new SAMLTokenVerifierInputProcessor(
securityProperties, samlAssertionWrapper, subjectSecurityTokenProvider, subjectSecurityToken);
wsInboundSecurityContext.addSecurityEventListener(samlTokenVerifierInputProcessor);
inputProcessorChain.addProcessor(samlTokenVerifierInputProcessor);
}
}