in ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/SAMLTokenOutputProcessor.java [78:228]
/**
 * Builds the outbound SAML assertion, decides how it is bound to the message
 * signature, installs the {@code FinalSAMLTokenOutputProcessor} that will
 * actually emit it, and then forwards the event down the chain.
 *
 * <p>The assertion comes from the {@code SAMLCallback} answered by the callback
 * handler configured on the security properties. Which processor variant is
 * installed depends on the current action ({@code SAML_TOKEN_SIGNED} /
 * {@code SAML_TOKEN_UNSIGNED} / other) and on the assertion's first subject
 * confirmation method (sender-vouches vs. holder-of-key).
 *
 * <p>Side effects on the chain's security context: may register a security
 * event and a token provider, may set {@code PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE},
 * and may add a {@code SIGNATURE_PARTS} entry for the STR. This processor always
 * removes itself from the chain, even when an exception is thrown.
 *
 * @param xmlSecEvent the event being processed; it is passed on unchanged
 * @param outputProcessorChain the chain whose security context is read and updated
 * @throws XMLStreamException propagated from downstream processing
 * @throws XMLSecurityException on callback, signing or token-provider failures
 */
public void processEvent(XMLSecEvent xmlSecEvent, final OutputProcessorChain outputProcessorChain)
        throws XMLStreamException, XMLSecurityException {
    try {
        // Obtain the assertion data from the application's SAML callback handler.
        final SAMLCallback samlCallback = new SAMLCallback();
        SAMLUtil.doSAMLCallback(((WSSSecurityProperties) getSecurityProperties()).getSamlCallbackHandler(), samlCallback);
        SamlAssertionWrapper samlAssertionWrapper = new SamlAssertionWrapper(samlCallback);
        // Issuer-sign the assertion itself when the callback asked for it; the key,
        // crypto and algorithms all come from the callback.
        if (samlCallback.isSignAssertion()) {
            samlAssertionWrapper.signAssertion(
                samlCallback.getIssuerKeyName(),
                samlCallback.getIssuerKeyPassword(),
                samlCallback.getIssuerCrypto(),
                samlCallback.isSendKeyValue(),
                samlCallback.getCanonicalizationAlgorithm(),
                samlCallback.getSignatureAlgorithm(),
                samlCallback.getSignatureDigestAlgorithm()
            );
        }
        // Only the FIRST confirmation method decides the binding; any further
        // methods on the assertion are not consulted here.
        boolean senderVouches = false;
        boolean hok = false;
        List<String> methods = samlAssertionWrapper.getConfirmationMethods();
        if (methods != null && !methods.isEmpty()) {
            String confirmMethod = methods.get(0);
            if (OpenSAMLUtil.isMethodSenderVouches(confirmMethod)) {
                senderVouches = true;
            } else if (OpenSAMLUtil.isMethodHolderOfKey(confirmMethod)) {
                hok = true;
            }
        }
        // Fresh id for the SecurityTokenReference; the token id is the assertion's own id.
        final String securityTokenReferenceId = IDGenerator.generateID(null);
        final String tokenId = samlAssertionWrapper.getId();
        final FinalSAMLTokenOutputProcessor finalSAMLTokenOutputProcessor;
        XMLSecurityConstants.Action action = getAction();
        // includeSTR: whether a wsse:SecurityTokenReference to the assertion is emitted
        // and registered as a signature part instead of the assertion element itself.
        boolean includeSTR = false;
        GenericOutboundSecurityToken securityToken = null;
        // See if a token is already available: an earlier processor may have published
        // the id of the token to sign with in the security context.
        String sigTokenId =
            outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
        SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
        if (sigTokenId != null) {
            signatureTokenProvider =
                outputProcessorChain.getSecurityContext().getSecurityTokenProvider(sigTokenId);
            if (signatureTokenProvider != null) {
                securityToken =
                    (GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
            }
        }
        if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && senderVouches) {
            // Sender-vouches: the message signature must cover the assertion via an STR,
            // signed with the (possibly pre-existing) signature token.
            includeSTR = true;
            if (securityToken == null) {
                securityToken = getSecurityToken(samlCallback, outputProcessorChain);
            }
            finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(securityToken, samlAssertionWrapper,
                                                                              securityTokenReferenceId, senderVouches, includeSTR);
            finalSAMLTokenOutputProcessor.setAction(getAction(), getActionOrder());
            // NOTE(review): assumes getSecurityToken(...) above never returns null — confirm,
            // otherwise this dereference fails.
            securityToken.setProcessor(finalSAMLTokenOutputProcessor);
        } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action) && hok) {
            // Holder-of-key: the assertion's own key is the signing key, so a token
            // provider for the assertion is registered and selected for the signature.
            // A custom token reference is reused from the existing token when there is one.
            final Element ref;
            if (securityToken != null) {
                ref = securityToken.getCustomTokenReference();
            } else {
                ref = null;
            }
            finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
                                                                              securityTokenReferenceId, senderVouches, includeSTR);
            final SAMLSecurityTokenProvider securityTokenProvider =
                new SAMLSecurityTokenProvider(samlCallback, (WSSSecurityProperties)getSecurityProperties(),
                                              tokenId, ref, finalSAMLTokenOutputProcessor);
            //fire a tokenSecurityEvent
            TokenSecurityEvent<OutboundSecurityToken> tokenSecurityEvent =
                new TokenSecurityEvent<OutboundSecurityToken>(WSSecurityEventConstants.SAML_TOKEN) {
                    public OutboundSecurityToken getSecurityToken() {
                        try {
                            return securityTokenProvider.getSecurityToken();
                        } catch (XMLSecurityException e) {
                            // The overridden method declares no checked exception, so a
                            // provider failure is logged at debug level and surfaces as null.
                            LOG.debug(e.getMessage(), e);
                        }
                        return null;
                    }
                };
            outputProcessorChain.getSecurityContext().registerSecurityEvent(tokenSecurityEvent);
            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(tokenId, securityTokenProvider);
            // Point the signature at this assertion's token provider.
            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, tokenId);
        } else if (WSSConstants.SAML_TOKEN_UNSIGNED.equals(getAction())) {
            // Check to see whether this token is to be signed by the message signature. If so,
            // output a STR to be signed instead, and remove this Assertion from the signature parts
            // list
            // The part may be selected either by the assertion id or by the Assertion
            // element name of the assertion's SAML version.
            QName assertionName = new QName(WSSConstants.NS_SAML2, "Assertion");
            if (samlAssertionWrapper.getSamlVersion() == SAMLVersion.VERSION_11) {
                assertionName = new QName(WSSConstants.NS_SAML, "Assertion");
            }
            // NOTE(review): `securityProperties` is a field not visible here; presumably
            // the same object as getSecurityProperties() — confirm.
            Iterator<SecurePart> signaturePartsIterator =
                securityProperties.getSignatureSecureParts().iterator();
            while (signaturePartsIterator.hasNext()) {
                SecurePart securePart = signaturePartsIterator.next();
                if (samlAssertionWrapper.getId().equals(securePart.getIdToSecure())
                    || assertionName.equals(securePart.getName())) {
                    includeSTR = true;
                    // Only the first matching part is replaced by the STR.
                    signaturePartsIterator.remove();
                    break;
                }
            }
            finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
                                                                              securityTokenReferenceId, senderVouches,
                                                                              includeSTR);
            if (includeSTR) {
                // The STR must exist before the signature processor runs over it.
                finalSAMLTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class);
            }
        } else {
            // Any other action: emit the assertion as-is, no STR, no signature binding.
            finalSAMLTokenOutputProcessor = new FinalSAMLTokenOutputProcessor(null, samlAssertionWrapper,
                                                                              securityTokenReferenceId, senderVouches,
                                                                              includeSTR);
        }
        finalSAMLTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
        finalSAMLTokenOutputProcessor.setAction(action, getActionOrder());
        finalSAMLTokenOutputProcessor.init(outputProcessorChain);
        if (includeSTR) {
            // Register the STR as a signature part (STR-Transform), keyed by the token id:
            // the signature covers the STR, which in turn references the assertion.
            WSSSecurePart securePart =
                new WSSSecurePart(
                    new QName(WSSConstants.SOAPMESSAGE_NS10_STR_TRANSFORM), SecurePart.Modifier.Element);
            securePart.setIdToSecure(tokenId);
            securePart.setIdToReference(securityTokenReferenceId);
            outputProcessorChain.getSecurityContext().putAsMap(WSSConstants.SIGNATURE_PARTS, tokenId, securePart);
        }
    } finally {
        // This processor is one-shot: drop it from the chain regardless of outcome.
        outputProcessorChain.removeProcessor(this);
    }
    outputProcessorChain.processEvent(xmlSecEvent);
}