in ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenAssertionState.java [78:253]
public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException, XMLSecurityException {
if (isAsserted()) {
//just return true when this token assertion is already fulfilled.
return true;
}
@SuppressWarnings("unchecked")
TokenSecurityEvent<SecurityToken> tokenSecurityEvent = (TokenSecurityEvent<SecurityToken>) securityEvent;
AbstractToken abstractToken = (AbstractToken) getAssertion();
final AbstractSecurityAssertion parentAssertion = abstractToken.getParentAssertion();
int ignoreToken = 0;
final List<WSSecurityTokenConstants.TokenUsage> tokenUsages = tokenSecurityEvent.getSecurityToken().getTokenUsages();
Iterator<WSSecurityTokenConstants.TokenUsage> tokenUsageIterator = tokenUsages.iterator();
loop:
while (tokenUsageIterator.hasNext()) {
WSSecurityTokenConstants.TokenUsage tokenUsage = tokenUsageIterator.next();
if (WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE.equals(tokenUsage)) {
if (initiator && !(parentAssertion instanceof RecipientToken)
&& !(parentAssertion instanceof RecipientSignatureToken)
&& !(parentAssertion instanceof SignatureToken)
&& !(parentAssertion instanceof ProtectionToken)
&& !(parentAssertion instanceof TransportToken)) {
ignoreToken++;
continue loop;
} else if (!initiator && !(parentAssertion instanceof InitiatorToken)
&& !(parentAssertion instanceof InitiatorSignatureToken)
&& !(parentAssertion instanceof SignatureToken)
&& !(parentAssertion instanceof ProtectionToken)
&& !(parentAssertion instanceof TransportToken)) {
ignoreToken++;
continue loop;
}
} else if (WSSecurityTokenConstants.TokenUsage_Signature.equals(tokenUsage)) {
throw new WSSPolicyException("Illegal token usage!");
} else if (WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION.equals(tokenUsage)) {
if (initiator && !(parentAssertion instanceof InitiatorToken)
&& !(parentAssertion instanceof InitiatorEncryptionToken)
&& !(parentAssertion instanceof EncryptionToken)
&& !(parentAssertion instanceof ProtectionToken)
&& !(parentAssertion instanceof TransportToken)) {
ignoreToken++;
continue loop;
} else if (!initiator && !(parentAssertion instanceof RecipientToken)
&& !(parentAssertion instanceof RecipientEncryptionToken)
&& !(parentAssertion instanceof EncryptionToken)
&& !(parentAssertion instanceof ProtectionToken)
&& !(parentAssertion instanceof TransportToken)) {
ignoreToken++;
continue loop;
}
} else if (WSSecurityTokenConstants.TokenUsage_Encryption.equals(tokenUsage)) {
throw new WSSPolicyException("Illegal token usage!");
} else if (WSSecurityTokenConstants.TOKENUSAGE_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_SIGNED_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENCRYPTED_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_ENCRYPTED_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS.equals(tokenUsage)
|| WSSecurityTokenConstants.TOKENUSAGE_SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS.equals(tokenUsage)
) {
if (parentAssertion instanceof TransportToken) {
continue loop;
}
if (!(parentAssertion instanceof SupportingTokens)) {
ignoreToken++;
continue loop;
}
// Allow *SupportingToken policies which are processed as Signed|Encrypted*SupportingTokens
final SupportingTokens supportingTokens = (SupportingTokens) parentAssertion;
final String tokenUsageName = tokenUsage.getName();
final String supportingTokensName = supportingTokens.getName().getLocalPart();
if (!tokenUsageName.equals(supportingTokensName)) {
if (supportingTokensName.contains("Endorsing") && !tokenUsageName.contains("Endorsing")) {
ignoreToken++;
continue loop;
}
if (supportingTokensName.startsWith("Signed") && !tokenUsageName.startsWith("Signed")) {
ignoreToken++;
continue loop;
}
if (supportingTokensName.contains("Encrypted") && !tokenUsageName.contains("Encrypted")) {
ignoreToken++;
continue loop;
}
}
}
}
if (ignoreToken >= tokenUsages.size()) {
//token is not for us, so return true to prevent false alarm
return true;
}
boolean asserted = true;
//WSP1.3, 5.1 Token Inclusion
//todo do we need a global token cache to fullfill ".../IncludeToken/Once" ?
SPConstants.IncludeTokenType includeTokenType = abstractToken.getIncludeTokenType();
boolean isIncludedInMessage =
((InboundSecurityToken)tokenSecurityEvent.getSecurityToken()).isIncludedInMessage();
switch (includeTokenType) {
case INCLUDE_TOKEN_NEVER:
if (isIncludedInMessage) {
setErrorMessage("Token must not be included");
asserted = false;
}
break;
case INCLUDE_TOKEN_ONCE:
break;
case INCLUDE_TOKEN_ALWAYS_TO_RECIPIENT:
if (initiator && isIncludedInMessage) {
setErrorMessage("Token must not be included");
asserted = false;
} else if (!initiator && !isIncludedInMessage) {
setErrorMessage("Token must be included");
asserted = false;
}
break;
case INCLUDE_TOKEN_ALWAYS_TO_INITIATOR:
if (initiator && !isIncludedInMessage) {
setErrorMessage("Token must be included");
asserted = false;
} else if (!initiator && isIncludedInMessage) {
setErrorMessage("Token must not be included");
asserted = false;
}
break;
case INCLUDE_TOKEN_ALWAYS:
if (!isIncludedInMessage) {
setErrorMessage("Token must be included");
asserted = false;
}
break;
}
//WSP1.3, 5.3 Token Properties
boolean hasDerivedKeys = false;
hasDerivedKeys = hasDerivedKeys(tokenSecurityEvent.getSecurityToken());
String namespace = getAssertion().getName().getNamespaceURI();
if (abstractToken.getDerivedKeys() != null) {
AbstractToken.DerivedKeys derivedKeys = abstractToken.getDerivedKeys();
switch (derivedKeys) {
case RequireDerivedKeys:
case RequireExplicitDerivedKeys:
case RequireImpliedDerivedKeys:
if (!hasDerivedKeys) {
setErrorMessage("Derived key must be used");
getPolicyAsserter().unassertPolicy(new QName(namespace, derivedKeys.name()),
"Derived key must be used");
asserted = false;
} else {
getPolicyAsserter().assertPolicy(new QName(namespace, derivedKeys.name()));
}
break;
}
} else {
if (hasDerivedKeys) {
setErrorMessage("Derived key must not be used");
asserted = false;
}
}
asserted &= assertToken(tokenSecurityEvent, abstractToken);
if (asserted) {
setAsserted(true);
}
//return false if not asserted for the main signature and encryption tokens
//always return true for supporting tokens.
return !(!asserted && (tokenUsages.contains(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE)
|| tokenUsages.contains(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION)));
}