in ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/enforcer/PolicyEnforcer.java [303:503]
protected List<Assertable> getAssertableForAssertion(AbstractSecurityAssertion abstractSecurityAssertion)
throws WSSPolicyException {
List<Assertable> assertableList = new LinkedList<>();
boolean tokenRequired = true;
if (abstractSecurityAssertion instanceof AbstractToken) {
tokenRequired = isTokenRequired((AbstractToken)abstractSecurityAssertion);
}
if (abstractSecurityAssertion instanceof ContentEncryptedElements) {
// initialized with asserted=true because it could be that parent elements are encrypted and
// therefore these element are also encrypted
// the test if it is really encrypted is done via the PolicyInputProcessor which emits
// EncryptedElementEvents for unencrypted elements with the unencrypted flag
assertableList.add(new ContentEncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof EncryptedParts) {
// initialized with asserted=true with the same reason as by the EncryptedParts above
assertableList.add(new EncryptedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount, soap12));
} else if (abstractSecurityAssertion instanceof EncryptedElements) {
// initialized with asserted=true with the same reason as by the EncryptedParts above
assertableList.add(new EncryptedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof SignedParts) {
// initialized with asserted=true because it could be that parent elements are signed and
// therefore these element are also signed
// the test if it is really signed is done via the PolicyInputProcessor which emits SignedElementEvents for
// unsigned elements with the unsigned flag
assertableList.add(new SignedPartsAssertionState(abstractSecurityAssertion, policyAsserter, true, attachmentCount, soap12));
} else if (abstractSecurityAssertion instanceof SignedElements) {
// initialized with asserted=true with the same reason as by the SignedParts above
assertableList.add(new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof RequiredElements) {
assertableList.add(new RequiredElementsAssertionState(abstractSecurityAssertion, policyAsserter, false));
} else if (abstractSecurityAssertion instanceof RequiredParts) {
assertableList.add(new RequiredPartsAssertionState(abstractSecurityAssertion, policyAsserter, false, soap12));
} else if (abstractSecurityAssertion instanceof UsernameToken) {
assertableList.add(new UsernameTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof IssuedToken) {
assertableList.add(new IssuedTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof X509Token) {
assertableList.add(new X509TokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KerberosToken) {
assertableList.add(new KerberosTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SpnegoContextToken) {
assertableList.add(new SpnegoContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecureConversationToken) {
assertableList.add(new SecureConversationTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SecurityContextToken) {
assertableList.add(new SecurityContextTokenAssertionState(abstractSecurityAssertion, !tokenRequired,
policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof SamlToken) {
assertableList.add(new SamlTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof RelToken) {
assertableList.add(new RelTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof HttpsToken) {
assertableList.add(new HttpsTokenAssertionState(abstractSecurityAssertion,
!tokenRequired || initiator, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof KeyValueToken) {
assertableList.add(new KeyValueTokenAssertionState(abstractSecurityAssertion, !tokenRequired, policyAsserter, initiator));
} else if (abstractSecurityAssertion instanceof AlgorithmSuite) {
// initialized with asserted=true because we do negative matching
assertableList.add(new AlgorithmSuiteAssertionState(abstractSecurityAssertion, policyAsserter, true));
} else if (abstractSecurityAssertion instanceof Layout) {
//assertableList.add(new LayoutAssertionState(abstractSecurityAssertion, true));
String namespace = abstractSecurityAssertion.getName().getNamespaceURI();
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_FIRST));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_LAX_TIMESTAMP_LAST));
policyAsserter.assertPolicy(new QName(namespace, SPConstants.LAYOUT_STRICT));
policyAsserter.assertPolicy(abstractSecurityAssertion);
} else if (abstractSecurityAssertion instanceof AbstractBinding) {
policyAsserter.assertPolicy(abstractSecurityAssertion);
AbstractBinding abstractBinding = (AbstractBinding) abstractSecurityAssertion;
if (abstractBinding instanceof AbstractSymmetricAsymmetricBinding) {
AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding =
(AbstractSymmetricAsymmetricBinding) abstractSecurityAssertion;
assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding, policyAsserter, true));
if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
//initialized with asserted=true because we do negative matching
assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion, policyAsserter,
true, actorOrRole));
}
assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion, policyAsserter, true, soap12));
}
//WSP1.3, 6.2 Timestamp Property
assertableList.add(new IncludeTimeStampAssertionState(abstractBinding, policyAsserter, true));
if (abstractBinding.isIncludeTimestamp()) {
List<QName> timestampElementPath = new LinkedList<>();
if (soap12) {
timestampElementPath.addAll(WSSConstants.SOAP_12_WSSE_SECURITY_HEADER_PATH);
} else {
timestampElementPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
}
timestampElementPath.add(WSSConstants.TAG_WSU_TIMESTAMP);
RequiredElementsAssertionState requiredElementsAssertionState =
new RequiredElementsAssertionState(abstractBinding, policyAsserter, false);
requiredElementsAssertionState.addElement(timestampElementPath);
assertableList.add(requiredElementsAssertionState);
SignedElementsAssertionState signedElementsAssertionState =
new SignedElementsAssertionState(abstractSecurityAssertion, policyAsserter, true);
signedElementsAssertionState.addElement(timestampElementPath);
assertableList.add(signedElementsAssertionState);
}
} else if (abstractSecurityAssertion instanceof Wss10) {
Wss10 wss10 = (Wss10)abstractSecurityAssertion;
String namespace = wss10.getName().getNamespaceURI();
policyAsserter.assertPolicy(abstractSecurityAssertion);
if (wss10.isMustSupportRefEmbeddedToken()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EMBEDDED_TOKEN));
}
if (wss10.isMustSupportRefExternalURI()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_EXTERNAL_URI));
}
if (wss10.isMustSupportRefIssuerSerial()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ISSUER_SERIAL));
}
if (wss10.isMustSupportRefKeyIdentifier()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_KEY_IDENTIFIER));
}
if (abstractSecurityAssertion instanceof Wss11) {
Wss11 wss11 = (Wss11)abstractSecurityAssertion;
if (wss11.isMustSupportRefEncryptedKey()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_ENCRYPTED_KEY));
}
if (wss11.isMustSupportRefThumbprint()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_REF_THUMBPRINT));
}
if (wss11.isRequireSignatureConfirmation()) {
assertableList.add(new SignatureConfirmationAssertionState(wss11, policyAsserter, true));
if (initiator) {
//9 WSS: SOAP Message Security Options [Signature Confirmation]
List<QName> signatureConfirmationElementPath = new LinkedList<>();
if (soap12) {
signatureConfirmationElementPath.addAll(WSSConstants.SOAP_12_WSSE_SECURITY_HEADER_PATH);
} else {
signatureConfirmationElementPath.addAll(WSSConstants.SOAP_11_WSSE_SECURITY_HEADER_PATH);
}
signatureConfirmationElementPath.add(WSSConstants.TAG_WSSE11_SIG_CONF);
RequiredElementsAssertionState requiredElementsAssertionState =
new RequiredElementsAssertionState(wss11, policyAsserter, false);
requiredElementsAssertionState.addElement(signatureConfirmationElementPath);
assertableList.add(requiredElementsAssertionState);
SignedElementsAssertionState signedElementsAssertionState =
new SignedElementsAssertionState(wss11, policyAsserter, true);
signedElementsAssertionState.addElement(signatureConfirmationElementPath);
assertableList.add(signedElementsAssertionState);
}
}
}
} else if (abstractSecurityAssertion instanceof Trust10) {
Trust10 trust10 = (Trust10)abstractSecurityAssertion;
String namespace = trust10.getName().getNamespaceURI();
policyAsserter.assertPolicy(abstractSecurityAssertion);
if (trust10.isMustSupportClientChallenge()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_CLIENT_CHALLENGE));
}
if (trust10.isMustSupportIssuedTokens()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_ISSUED_TOKENS));
}
if (trust10.isMustSupportServerChallenge()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_SERVER_CHALLENGE));
}
if (trust10.isRequireClientEntropy()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_CLIENT_ENTROPY));
}
if (trust10.isRequireServerEntropy()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_SERVER_ENTROPY));
}
if (trust10 instanceof Trust13) {
Trust13 trust13 = (Trust13)trust10;
if (trust13.isMustSupportInteractiveChallenge()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.MUST_SUPPORT_INTERACTIVE_CHALLENGE));
}
if (trust13.isRequireAppliesTo()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.REQUIRE_APPLIES_TO));
}
if (trust13.isRequireRequestSecurityTokenCollection()) {
policyAsserter.assertPolicy(new QName(namespace,
SPConstants.REQUIRE_REQUEST_SECURITY_TOKEN_COLLECTION));
}
if (trust13.isScopePolicy15()) {
policyAsserter.assertPolicy(new QName(namespace, SPConstants.SCOPE_POLICY_15));
}
}
} else {
policyAsserter.assertPolicy(abstractSecurityAssertion);
}
/*else if (abstractSecurityAssertion instanceof AsymmetricBinding) {
} else if (abstractSecurityAssertion instanceof SymmetricBinding) {
} else if (abstractSecurityAssertion instanceof TransportBinding) {
} */
return assertableList;
}