Mercurial > dive4elements > river
annotate gwt-client/src/main/java/org/dive4elements/river/client/server/auth/saml/TicketValidator.java @ 8839:2c8259176c46
Add configurable time tolerance to SAML ticket validation.
This allows e.g. to account for time skew between the ISP and
the server this servlet is run on.
| author | Tom Gottfried <tom@intevation.de> |
|---|---|
| date | Wed, 28 Jun 2017 20:09:53 +0200 |
| parents | 238fc722f87a |
| children | 0a5239a1e46e |
| rev | line source |
|---|---|
|
5957
7b0db743f074
Convert some Latin-1 source files to UTF-8
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5949
diff
changeset
|
1 /* Copyright (C) 2011, 2012, 2013 by Bundesanstalt für Gewässerkunde |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
2 * Software engineering by Intevation GmbH |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
3 * |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
4 * This file is Free Software under the GNU AGPL (>=v3) |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
5 * and comes with ABSOLUTELY NO WARRANTY! Check out the |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
6 * documentation coming with Dive4Elements River for details. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
7 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
8 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
9 package org.dive4elements.river.client.server.auth.saml; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
10 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
11 import java.io.FileInputStream; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
12 import java.io.IOException; |
|
5949
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
13 import java.io.InputStream; |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
14 import java.security.Key; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
15 import java.util.Iterator; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
16 import java.util.Date; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
17 import javax.security.cert.X509Certificate; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
18 import javax.security.cert.CertificateException; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
19 import javax.xml.crypto.Data; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
20 import javax.xml.crypto.NodeSetData; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
21 import javax.xml.crypto.dsig.Reference; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
22 import javax.xml.crypto.dsig.XMLSignature; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
23 import javax.xml.crypto.dsig.XMLSignatureFactory; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
24 import javax.xml.crypto.dsig.dom.DOMValidateContext; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
25 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
26 import org.apache.log4j.Logger; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
27 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
28 import org.w3c.dom.Element; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
29 import org.w3c.dom.Node; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
30 import org.w3c.dom.NodeList; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
31 |
|
5949
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
32 import org.dive4elements.artifacts.httpclient.utils.XMLUtils; |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
33 |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
34 |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
35 /** |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
36 * Validator for SAML tickets. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
37 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
38 public class TicketValidator { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
39 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
40 /** |
|
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5957
diff
changeset
|
41 * The log used by the TicketValidator instances. |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
42 */ |
|
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5957
diff
changeset
|
43 private static Logger log = Logger.getLogger(TicketValidator.class); |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
44 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
45 /** |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
46 * The trusted Key for signature checks. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
47 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
48 private Key trustedKey; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
49 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
50 /** |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
51 * Tolerance in milliseconds for validation based on NotBefore and |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
52 * NotOnOrAfter of the SAML ticket |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
53 */ |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
54 private int timeEps; |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
55 |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
56 /** |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
57 * Creates a new TicketValidator from a trusted key. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
58 * @param trustedKey The trusted key for the signature checks. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
59 */ |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
60 public TicketValidator(Key trustedKey, int timeEps) { |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
61 this.trustedKey = trustedKey; |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
62 this.timeEps = timeEps; |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
63 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
64 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
65 /** |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
66 * Creates a new TicketValidator, loading the trusted key from a |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
67 * file. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
68 * @param filename The filename of the X509 certificate containing |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
69 * the trusted public key. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
70 */ |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
71 public TicketValidator(String filename, int timeEps) |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
72 throws IOException, CertificateException { |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
73 this.trustedKey = loadKey(filename); |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
74 this.timeEps = timeEps; |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
75 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
76 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
77 /** |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
78 * Loads the public key from a file containing an X509 certificate. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
79 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
80 private Key loadKey(String filename) throws IOException, |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
81 CertificateException { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
82 X509Certificate cert = X509Certificate.getInstance( |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
83 new FileInputStream(filename)); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
84 cert.checkValidity(new Date()); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
85 return cert.getPublicKey(); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
86 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
87 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
88 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
89 /** |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
90 * Check the ticket represented by the given DOM element. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
91 * @param root the DOM element under which the signature can be |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
92 * found. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
93 * @return The assertion element from the signed data. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
94 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
95 public Assertion checkTicket(Element root) throws Exception { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
96 markAssertionIdAttributes(root); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
97 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
98 Node signode = XPathUtils.xpathNode(root, ".//ds:Signature"); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
99 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
100 DOMValidateContext context = new DOMValidateContext(this.trustedKey, |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
101 signode); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
102 context.setProperty("javax.xml.crypto.dsig.cacheReference", true); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
103 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
104 XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM"); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
105 XMLSignature signature = factory.unmarshalXMLSignature(context); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
106 if (!signature.validate(context)) { |
|
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5957
diff
changeset
|
107 log.error("Signature of SAML ticket could not be validated."); |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
108 return null; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
109 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
110 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
111 Element assertionElement = extractAssertion(signature, context); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
112 if (assertionElement == null) { |
|
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5957
diff
changeset
|
113 log.error("Could not extract assertion from signed content."); |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
114 return null; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
115 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
116 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
117 Assertion assertion = new Assertion(assertionElement); |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
118 if (!assertion.isValidNow(this.timeEps)) { |
|
8203
238fc722f87a
sed 's/logger/log/g' src/**/*.java
Sascha L. Teichmann <teichmann@intevation.de>
parents:
5957
diff
changeset
|
119 log.error("Ticket is not valid now" |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
120 + " (NotBefore: " + assertion.getFrom() |
|
8839
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
121 + ", NotOnOrAfter: " + assertion.getUntil() |
|
2c8259176c46
Add configurable time tolerance to SAML ticket validation.
Tom Gottfried <tom@intevation.de>
parents:
8203
diff
changeset
|
122 + ", Tolerance (milliseconds): " + this.timeEps); |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
123 return null; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
124 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
125 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
126 return assertion; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
127 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
128 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
129 /** |
|
5949
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
130 * Check the ticket read from an InputStream containing a SAML |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
131 * document. |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
132 * @param xml InputStream with the SAML ticket as XML |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
133 * @return The assertion element from the signed data. |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
134 */ |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
135 public Assertion checkTicket(InputStream in) throws Exception { |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
136 return checkTicket(XMLUtils.readDocument(in).getDocumentElement()); |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
137 } |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
138 |
|
0a0b4bfdf372
Add TicketValidator.checkTicket(InputStream) method.
Bernhard Herzog <bh@intevation.de>
parents:
5941
diff
changeset
|
139 /** |
|
5941
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
140 * Mark the AssertionID attribute of SAML Assertion elements as ID |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
141 * attribute, so that the signature checker can resolve the |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
142 * references properly and find the signed data. |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
143 */ |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
144 private void markAssertionIdAttributes(Element root) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
145 NodeList nodes = XPathUtils.xpathNodeList(root, "saml:Assertion"); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
146 for (int i = 0; i < nodes.getLength(); i++) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
147 Element el = (Element)nodes.item(i); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
148 el.setIdAttribute("AssertionID", true); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
149 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
150 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
151 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
152 private Element extractAssertion(XMLSignature sig, |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
153 DOMValidateContext context) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
154 for (Object obj: sig.getSignedInfo().getReferences()) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
155 Data data = ((Reference)obj).getDereferencedData(); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
156 if (data instanceof NodeSetData) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
157 Iterator i = ((NodeSetData)data).iterator(); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
158 for (int k = 0; i.hasNext(); k++) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
159 Object node = i.next(); |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
160 if (node instanceof Element) { |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
161 Element el = (Element)node; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
162 if (el.getTagName().equals("Assertion")) |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
163 return el; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
164 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
165 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
166 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
167 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
168 |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
169 return null; |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
170 } |
|
c1806821860b
Add SAML ticket validator classes.
Bernhard Herzog <bh@intevation.de>
parents:
diff
changeset
|
171 } |