/******************************************************************************* * Copyright 2017 Graz University of Technology * EAAF-Core Components has been developed in a cooperation between EGIZ, * A-SIT Plus, A-SIT, and Graz University of Technology. * * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * https://joinup.ec.europa.eu/news/understanding-eupl-v12 * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. *******************************************************************************/ /******************************************************************************* *******************************************************************************/ /******************************************************************************* *******************************************************************************/ package at.gv.egiz.eaaf.modules.pvp2.impl.verification; import java.util.List; import org.opensaml.common.binding.SAMLMessageContext; import org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule; import org.opensaml.ws.transport.http.HTTPInTransport; import org.opensaml.xml.util.DatatypeHelper; /** * @author tlenz * */ public class PVPAuthRequestSignedRole extends SAML2AuthnRequestsSignedRule { @Override protected boolean isMessageSigned(SAMLMessageContext messageContext) { // This handles HTTP-Redirect and HTTP-POST-SimpleSign bindings. HTTPInTransport inTransport = (HTTPInTransport) messageContext.getInboundMessageTransport(); //Check signature parameter exists only once and is not empty List sigParam = inTransport.getParameterValues("Signature"); boolean isValidSigned = sigParam.size() == 1 && !DatatypeHelper.isEmpty(sigParam.get(0)); //Check signature-algorithm parameter exists only once and is not empty List sigAlgParam = inTransport.getParameterValues("SigAlg"); boolean isValidSigAlgExists = sigAlgParam.size() == 1 && !DatatypeHelper.isEmpty(sigAlgParam.get(0)); //Check signature-content parameter exists only once and is not empty List samlReqParam = inTransport.getParameterValues("SAMLRequest"); List samlRespParam = inTransport.getParameterValues("SAMLResponse"); boolean isValidContent = ( ( samlReqParam.size() == 1 && !DatatypeHelper.isEmpty(samlReqParam.get(0)) ) || ( samlRespParam.size() == 1 && !DatatypeHelper.isEmpty(samlRespParam.get(0)) ) ) && !(samlReqParam.size() == 1 && samlRespParam.size() == 1) ; return isValidSigned && isValidSigAlgExists && isValidContent; } }