From dd45e938564249a5e6897bd92dd29808d8990868 Mon Sep 17 00:00:00 2001
From: rudolf
Date: Fri, 24 Oct 2003 08:34:56 +0000
Subject: MOA-ID version 1.1 (initial)
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@19 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../CreateXMLSignatureResponseValidator.java | 106 +++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
(limited to 'id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java')
diff --git a/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
new file mode 100644
index 000000000..e596e79a4
--- /dev/null
+++ b/id.server/src/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java
@@ -0,0 +1,106 @@
+package at.gv.egovernment.moa.id.auth.validator;
+
+import org.w3c.dom.Element;
+
+import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
+import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
+import at.gv.egovernment.moa.util.Constants;
+import at.gv.egovernment.moa.util.XPathUtils;
+
+/**
+ *
+ * This class is used to validate an {@link CreateXMLSignatureResponse}
+ * returned by the security layer.
+ * This class implements the Singleton pattern.
+ * @author Stefan Knirsch
+ * @version $Id$
+ */
+public class CreateXMLSignatureResponseValidator {
+
+ /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
+ private static final String SAML = Constants.SAML_PREFIX + ":";
+ /** Xpath prefix for reaching XML-DSIG Namespaces */
+ private static final String DSIG = Constants.DSIG_PREFIX + ":";
+ /** Xpath expression to the SAML:Assertion element */
+ private static final String ROOT = SAML + "Assertion";
+ /** Xpath expression to the SAML:NameIdentifier element */
+ private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH =
+ SAML + "AttributeStatement/" + SAML + "Subject/" +
+ SAML + "NameIdentifier";
+ /** Xpath expression to the SAML:Attribute element */
+ private static final String SAML_ATTRIBUTE_XPATH =
+ ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";
+ /** Xpath expression to the SAML:AttributeValue element */
+ private static final String SAML_ATTRIBUTE_VALUE_XPATH =
+ SAML + "AttributeValue";
+
+
+ /** Singleton instance. null, if none has been created. */
+ private static CreateXMLSignatureResponseValidator instance;
+
+ /**
+ * Constructor for a singleton CreateXMLSignatureResponseValidator.
+ * @return an instance of CreateXMLSignatureResponseValidator
+ * @throws ValidateException if no instance can be created
+ */
+ public static synchronized CreateXMLSignatureResponseValidator getInstance()
+ throws ValidateException {
+ if (instance == null) {
+ instance = new CreateXMLSignatureResponseValidator();
+ }
+ return instance;
+ }
+
+
+ /**
+ * The Method validate is used for validating an explicit {@link CreateXMLSignatureResponse}
+ * @param createXMLSignatureResponse
+ * @param gbTarget
+ * @param oaURL
+ * @throws ValidateException
+ */
+ public void validate(CreateXMLSignatureResponse createXMLSignatureResponse, String gbTarget, String oaURL)
+ throws ValidateException {
+
+ // A3.056: more then one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
+
+ XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(),SAML_SUBJECT_NAME_IDENTIFIER_XPATH);
+
+ SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
+ boolean foundOA = false;
+ boolean foundGB = false;
+ for (int i = 0; i < samlattributes.length; i++)
+ {
+ if (samlattributes[i].getName().equals("Geschäftsbereich"))
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
+
+ {
+ foundGB = true;
+ if (!gbTarget.equals(samlattributes[i].getValue()))
+ {
+ throw new ValidateException("validator.13", null);
+ }
+ }
+ else throw new ValidateException("validator.12", null);
+ if (samlattributes[i].getName().equals("OA"))
+ if (samlattributes[i].getNamespace().equals("http://reference.e-government.gv.at/namespace/moa/20020822#"))
+ {
+ foundOA = true;
+ if (!oaURL.equals(samlattributes[i].getValue())) // CHECKS für die AttributeVALUES fehlen noch
+ {
+ throw new ValidateException("validator.16", new Object[] {":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()});
+ }
+
+ }
+ else throw new ValidateException("validator.15", null);
+ }
+ if (!foundOA) throw new ValidateException("validator.14", null);
+ if (!foundGB) throw new ValidateException("validator.11", null);
+
+ //Check if dsig:Signature exists
+ Element dsigSignature = (Element) XPathUtils.selectSingleNode(createXMLSignatureResponse.getSamlAssertion(),DSIG + "Signature");
+ if (dsigSignature==null) throw new ValidateException("validator.05", null);
+
+
+ }
+}
-- cgit v1.2.3
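Review bot: The A3.056 check in `validate` is never enforced: the result of `XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(), SAML_SUBJECT_NAME_IDENTIFIER_XPATH)` is discarded, so an assertion with zero or several `saml:NameIdentifier` elements passes this step and the comment above it describes a check the code does not perform. Keep the returned list and reject anything but exactly one node, e.g. `NodeList ids = XPathUtils.selectNodeList(createXMLSignatureResponse.getSamlAssertion(), SAML_SUBJECT_NAME_IDENTIFIER_XPATH);` followed by `if (ids.getLength() != 1) throw new ValidateException("<message key for A3.056>", null);` (this assumes the helper returns an `org.w3c.dom.NodeList`, which would then need importing). Separately, the `validator.16` message appears to have its arguments reversed: it reads `":gefunden wurde '" + oaURL + "', erwartet wurde '" + samlattributes[i].getValue()`, yet `oaURL` is the expected value and the attribute value is what was actually found. Note also that the literal `"Geschäftsbereich"` contains a non-ASCII character, so the match depends on the compiler's source encoding agreeing with the file's; on a mismatch the loop never sets `foundGB` and every response fails with `validator.11`.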