in modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java [69:252]
public void validate(ValidatorData data, List<WSSecurityEngineResult> results)
throws RampartException {
RampartMessageData rmd = data.getRampartMessageData();
RampartPolicyData rpd = rmd.getPolicyData();
//If there's Security policy present and no results
//then we should throw an error
if(rpd != null && results == null) {
throw new RampartException("noSecurityResults");
}
//Check presence of timestamp
WSSecurityEngineResult tsResult = null;
if(rpd != null && rpd.isIncludeTimestamp()) {
WSSecurityEngine secEngine = new WSSecurityEngine();
try {
WSHandlerResult wsResults =
secEngine.processSecurityHeader(rmd.getDocument(), null, null, null);
tsResult =
wsResults.getActionResults().get(WSConstants.TS).get(0);
} catch (WSSecurityException e) {
// This has to be changed to propagate an instance of a RampartException up
throw new RampartException("An error occurred while searching for timestamp elements.", e);
}
if(tsResult == null && !rpd.isIncludeTimestampOptional()) {
throw new RampartException("timestampMissing");
}
}
//sig/encr
List<WSEncryptionPart> encryptedParts = RampartUtil.getEncryptedParts(rmd);
if(rpd != null && rpd.isSignatureProtection() && isSignatureRequired(rmd)) {
String sigId = RampartUtil.getSigElementId(rmd);
encryptedParts.add(RampartUtil.createEncryptionPart(WSConstants.SIG_LN, sigId, WSConstants.SIG_NS,
RampartConstants.XML_ENCRYPTION_MODIFIER_ELEMENT));
}
List<WSEncryptionPart> signatureParts = RampartUtil.getSignedParts(rmd);
//Timestamp is not included in sig parts
if (rpd != null) {
if (tsResult != null || !rpd.isIncludeTimestampOptional()) {
if (rpd.isIncludeTimestamp()
&& !rpd.isTransportBinding()) {
signatureParts.add(RampartUtil.createEncryptionPart(WSConstants.TIMESTAMP_TOKEN_LN, "timestamp"));
}
}
}
if(!rmd.isInitiator()) {
//Just an indicator for EndorsingSupportingToken signature
SupportingToken endSupportingToken = null;
if (rpd != null) {
endSupportingToken = rpd.getEndorsingSupportingTokens();
}
if(endSupportingToken != null && !endSupportingToken.isOptional()) {
SignedEncryptedParts endSignedParts = endSupportingToken.getSignedParts();
if((endSignedParts != null && !endSignedParts.isOptional() &&
(endSignedParts.isBody() ||
endSignedParts.getHeaders().size() > 0)) ||
rpd.isIncludeTimestamp()) {
signatureParts.add(RampartUtil.createEncryptionPart("EndorsingSupportingTokens",
"EndorsingSupportingTokens"));
}
}
//Just an indicator for SignedEndorsingSupportingToken signature
SupportingToken sgndEndSupportingToken = null;
if (rpd != null) {
sgndEndSupportingToken = rpd.getSignedEndorsingSupportingTokens();
}
if(sgndEndSupportingToken != null && !sgndEndSupportingToken.isOptional()) {
SignedEncryptedParts sgndEndSignedParts = sgndEndSupportingToken.getSignedParts();
if((sgndEndSignedParts != null && !sgndEndSignedParts.isOptional() &&
(sgndEndSignedParts.isBody() ||
sgndEndSignedParts.getHeaders().size() > 0)) ||
rpd.isIncludeTimestamp()) {
signatureParts.add(RampartUtil.createEncryptionPart("SignedEndorsingSupportingTokens",
"SignedEndorsingSupportingTokens"));
}
}
if (rpd != null) {
List<SupportingToken> supportingToks = rpd.getSupportingTokensList();
for (SupportingToken supportingToken : supportingToks) {
if (supportingToken != null && !supportingToken.isOptional()) {
SupportingPolicyData policyData = new SupportingPolicyData();
policyData.build(supportingToken);
encryptedParts.addAll(RampartUtil.getSupportingEncryptedParts(rmd, policyData));
signatureParts.addAll(RampartUtil.getSupportingSignedParts(rmd, policyData));
}
}
}
}
validateEncrSig(data,encryptedParts, signatureParts, results);
if(rpd != null && !rpd.isTransportBinding()) {
validateProtectionOrder(data, results);
}
validateEncryptedParts(data, encryptedParts, results);
validateSignedPartsHeaders(data, signatureParts, results);
validateRequiredElements(data);
//Supporting tokens
if(!rmd.isInitiator()) {
validateSupportingTokens(data, results);
}
/*
* Now we can check the certificate used to sign the message. In the
* following implementation the certificate is only trusted if either it
* itself or the certificate of the issuer is installed in the keystore.
*
* Note: the method verifyTrust(X509Certificate) allows custom
* implementations with other validation algorithms for subclasses.
*/
// Extract the signature action result from the action vector
WSSecurityEngine secEngine = new WSSecurityEngine();
WSSecurityEngineResult actionResult = null;
WSHandlerResult wsResults = null;
try {
wsResults =
secEngine.processSecurityHeader(rmd.getDocument(), null, null, null);
actionResult =
wsResults.getActionResults().get(WSConstants.SIGN).get(0);
} catch (WSSecurityException e) {
// This has to be changed to propagate an instance of a RampartException up
throw new RampartException("An error occurred while searching for signed elements.", e);
}
if (actionResult != null) {
X509Certificate returnCert = (X509Certificate) actionResult
.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
if (returnCert != null) {
if (!verifyTrust(returnCert, rmd)) {
throw new RampartException ("trustVerificationError");
}
}
}
/*
* Perform further checks on the timestamp that was transmitted in the
* header.
* In the following implementation the timestamp is valid if :
* Timestamp->Created < 'now' < Timestamp->Expires.
* (Last test handled by WSS4J also if timeStampStrict enabled)
*
* Note: the method verifyTimestamp(Timestamp) allows custom
* implementations with other validation algorithms for subclasses.
*/
// Extract the timestamp action result from the action vector
actionResult = null;
actionResult =
wsResults.getActionResults().get(WSConstants.TS).get(0);
if (actionResult != null) {
Timestamp timestamp = (Timestamp) actionResult
.get(WSSecurityEngineResult.TAG_TIMESTAMP);
if (timestamp != null) {
if (!verifyTimestamp(timestamp, rmd)) {
throw new RampartException("cannotValidateTimestamp");
}
}
}
}