in ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/UsernameTokenAssertionState.java [77:171]
public boolean assertToken(TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent,
AbstractToken abstractToken) throws WSSPolicyException, XMLSecurityException {
if (!(tokenSecurityEvent instanceof UsernameTokenSecurityEvent)) {
throw new WSSPolicyException("Expected a UsernameSecurityTokenEvent but got " + tokenSecurityEvent.getClass().getName());
}
UsernameSecurityToken usernameSecurityToken = (UsernameSecurityToken) tokenSecurityEvent.getSecurityToken();
UsernameTokenSecurityEvent usernameTokenSecurityEvent = (UsernameTokenSecurityEvent) tokenSecurityEvent;
UsernameToken usernameToken = (UsernameToken) abstractToken;
String namespace = getAssertion().getName().getNamespaceURI();
if (usernameToken.getPasswordType() != null) {
switch (usernameToken.getPasswordType()) { //NOPMD
case NoPassword:
if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
!= WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
setErrorMessage("UsernameToken contains a password but the policy prohibits it");
getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.NO_PASSWORD),
getErrorMessage());
return false;
}
getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.NO_PASSWORD));
break;
case HashPassword:
if (usernameTokenSecurityEvent.getUsernameTokenPasswordType()
!= WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
setErrorMessage("UsernameToken does not contain a hashed password");
getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD),
getErrorMessage());
return false;
}
getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.HASH_PASSWORD));
break;
}
} else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_NONE) {
// We must have a password for the default case
setErrorMessage("UsernameToken must contain a password");
getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
} else if (usernameTokenSecurityEvent.getUsernameTokenPasswordType() == WSSConstants.UsernameTokenPasswordType.PASSWORD_DIGEST) {
// We must have a plaintext password for the default case
setErrorMessage("UsernameToken password must not be hashed");
getPolicyAsserter().unassertPolicy(getAssertion(), getErrorMessage());
return false;
}
if (usernameToken.isCreated()) {
if (usernameSecurityToken.getCreatedTime() == null
|| usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
setErrorMessage("UsernameToken does not contain a created timestamp or password is not plain text");
getPolicyAsserter().unassertPolicy(SP13Constants.CREATED, getErrorMessage());
return false;
} else {
getPolicyAsserter().assertPolicy(SP13Constants.CREATED);
}
}
if (usernameToken.isNonce()) {
if (usernameSecurityToken.getNonce() == null
|| usernameTokenSecurityEvent.getUsernameTokenPasswordType() != WSSConstants.UsernameTokenPasswordType.PASSWORD_TEXT) {
setErrorMessage("UsernameToken does not contain a nonce or password is not plain text");
getPolicyAsserter().unassertPolicy(SP13Constants.NONCE, getErrorMessage());
return false;
} else {
getPolicyAsserter().assertPolicy(SP13Constants.NONCE);
}
}
if (usernameToken.getUsernameTokenType() != null) {
switch (usernameToken.getUsernameTokenType()) { //NOPMD
case WssUsernameToken10:
if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
&& usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
setErrorMessage("Policy enforces UsernameToken profile 1.0 but we got 1.1");
getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10),
getErrorMessage());
return false;
}
getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN10));
break;
case WssUsernameToken11:
if (usernameTokenSecurityEvent.getUsernameTokenProfile() != null
&& !usernameTokenSecurityEvent.getUsernameTokenProfile().equals(WSSConstants.NS_USERNAMETOKEN_PROFILE11)) {
setErrorMessage("Policy enforces UsernameToken profile 1.1 but we got 1.0");
getPolicyAsserter().unassertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11),
getErrorMessage());
return false;
}
getPolicyAsserter().assertPolicy(new QName(namespace, SPConstants.USERNAME_TOKEN11));
break;
}
}
//always return true to prevent false alarm in case additional tokens with the same usage
//appears in the message but do not fulfill the policy and are also not needed to fulfil the policy.
getPolicyAsserter().assertPolicy(getAssertion());
return true;
}