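package at.gv.egovernment.moa.id.auth.validator;

import org.w3c.dom.Element;

import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse;
import at.gv.egovernment.moa.id.auth.data.SAMLAttribute;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.XPathUtils;

/**
 * Validates a {@link CreateXMLSignatureResponse} returned by the security layer.
 * <p>
 * The checks performed here are structural: the response must carry the
 * {@code Geschäftsbereich} and {@code OA} SAML attributes in the MOA namespace
 * with the expected values, and a {@code dsig:Signature} element must be
 * present below the SAML assertion. Only the <em>presence</em> of the signature
 * element is checked by this class; the signature value itself is not verified
 * here, so a passing validation does not by itself establish authenticity.
 * <p>
 * This class implements the Singleton pattern.
 *
 * @author Stefan Knirsch
 * @version $Id$
 */
public class CreateXMLSignatureResponseValidator {

  /** Xpath prefix for reaching SecurityLayer 1.0 Namespaces */
  private static final String SAML = Constants.SAML_PREFIX + ":";

  /** Xpath prefix for reaching XML-DSIG Namespaces */
  private static final String DSIG = Constants.DSIG_PREFIX + ":";

  /** Xpath expression to the SAML:Assertion element */
  private static final String ROOT = SAML + "Assertion";

  /** Xpath expression to the SAML:NameIdentifier element (relative to the assertion) */
  private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH =
      SAML + "AttributeStatement/" + SAML + "Subject/" + SAML + "NameIdentifier";

  /** Xpath expression to the SAML:Attribute element (currently unused) */
  private static final String SAML_ATTRIBUTE_XPATH =
      ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";

  /** Xpath expression to the SAML:AttributeValue element (currently unused) */
  private static final String SAML_ATTRIBUTE_VALUE_XPATH = SAML + "AttributeValue";

  /** Namespace the {@code Geschäftsbereich} and {@code OA} attributes must be declared in. */
  private static final String MOA_ATTRIBUTE_NAMESPACE =
      "http://reference.e-government.gv.at/namespace/moa/20020822#";

  /** Name of the SAML attribute carrying the business sector ("Geschäftsbereich"). */
  private static final String ATTRIBUTE_NAME_GB = "Geschäftsbereich";

  /** Name of the SAML attribute carrying the online application URL. */
  private static final String ATTRIBUTE_NAME_OA = "OA";

  /** Singleton instance. null, if none has been created. */
  private static CreateXMLSignatureResponseValidator instance;

  /**
   * Returns the singleton CreateXMLSignatureResponseValidator, creating it on first use.
   *
   * @return an instance of CreateXMLSignatureResponseValidator
   * @throws ValidateException if no instance can be created
   */
  public static synchronized CreateXMLSignatureResponseValidator getInstance()
      throws ValidateException {
    if (instance == null) {
      instance = new CreateXMLSignatureResponseValidator();
    }
    return instance;
  }

  /**
   * Validates an explicit {@link CreateXMLSignatureResponse}.
   * <p>
   * Every {@code Geschäftsbereich} and {@code OA} attribute of the response is
   * checked for the MOA namespace and for the expected value; both attributes
   * must be present at least once. Finally a {@code dsig:Signature} element must
   * exist below the assertion (presence only, no cryptographic verification).
   *
   * @param createXMLSignatureResponse the response to validate
   * @param gbTarget the value the {@code Geschäftsbereich} attribute is expected to carry
   * @param oaURL the value the {@code OA} attribute is expected to carry
   * @throws ValidateException with code {@code validator.12} / {@code validator.15} if a
   *     {@code Geschäftsbereich} / {@code OA} attribute has a wrong namespace,
   *     {@code validator.13} / {@code validator.16} if its value differs from
   *     {@code gbTarget} / {@code oaURL}, {@code validator.11} / {@code validator.14} if the
   *     attribute is missing, and {@code validator.05} if no signature element is present
   */
  public void validate(
      CreateXMLSignatureResponse createXMLSignatureResponse, String gbTarget, String oaURL)
      throws ValidateException {
    // A3.056: more than one /saml:Assertion/saml:AttributeStatement/saml:Subject/saml:NameIdentifier
    // NOTE(review): the selected node list is discarded, so a response with several
    // NameIdentifier elements is not rejected here; the call is kept so that behaviour on
    // malformed input (a failing XPath evaluation) stays unchanged.
    XPathUtils.selectNodeList(
        createXMLSignatureResponse.getSamlAssertion(), SAML_SUBJECT_NAME_IDENTIFIER_XPATH);

    checkAttributes(createXMLSignatureResponse.getSamlAttributes(), gbTarget, oaURL);
    checkSignaturePresent(createXMLSignatureResponse);
  }

  /**
   * Checks the {@code Geschäftsbereich} and {@code OA} attributes of the response.
   * A {@code null} or empty attribute array is treated as "no attribute found" and
   * therefore rejected with {@code validator.14}.
   *
   * @param samlattributes attributes taken from the response, may be {@code null}
   * @param gbTarget expected value of the {@code Geschäftsbereich} attribute
   * @param oaURL expected value of the {@code OA} attribute
   * @throws ValidateException see {@link #validate(CreateXMLSignatureResponse, String, String)}
   */
  private static void checkAttributes(
      SAMLAttribute[] samlattributes, String gbTarget, String oaURL) throws ValidateException {
    boolean foundOA = false;
    boolean foundGB = false;
    int count = (samlattributes == null) ? 0 : samlattributes.length;
    for (int i = 0; i < count; i++) {
      SAMLAttribute attribute = samlattributes[i];
      // Constant-first equals: a missing name or namespace counts as "does not match"
      // instead of failing with a NullPointerException.
      String name = attribute.getName();
      if (ATTRIBUTE_NAME_GB.equals(name)) {
        if (!MOA_ATTRIBUTE_NAMESPACE.equals(attribute.getNamespace())) {
          throw new ValidateException("validator.12", null);
        }
        foundGB = true;
        if (!gbTarget.equals(attribute.getValue())) {
          throw new ValidateException("validator.13", null);
        }
      } else if (ATTRIBUTE_NAME_OA.equals(name)) {
        if (!MOA_ATTRIBUTE_NAMESPACE.equals(attribute.getNamespace())) {
          throw new ValidateException("validator.15", null);
        }
        foundOA = true;
        // TODO (original note): further checks of the attribute values are still missing.
        if (!oaURL.equals(attribute.getValue())) {
          // The value found in the response is reported as "found", the caller-supplied
          // oaURL as "expected" (the original message had the two swapped).
          throw new ValidateException(
              "validator.16",
              new Object[] {
                ":gefunden wurde '" + attribute.getValue() + "', erwartet wurde '" + oaURL + "'"
              });
        }
      }
    }
    if (!foundOA) {
      throw new ValidateException("validator.14", null);
    }
    if (!foundGB) {
      throw new ValidateException("validator.11", null);
    }
  }

  /**
   * Checks that a {@code dsig:Signature} element exists below the SAML assertion.
   * This establishes presence only; the signature is not verified here.
   *
   * @param createXMLSignatureResponse the response whose assertion is inspected
   * @throws ValidateException with code {@code validator.05} if no signature element exists
   */
  private static void checkSignaturePresent(CreateXMLSignatureResponse createXMLSignatureResponse)
      throws ValidateException {
    Element dsigSignature =
        (Element)
            XPathUtils.selectSingleNode(
                createXMLSignatureResponse.getSamlAssertion(), DSIG + "Signature");
    if (dsigSignature == null) {
      throw new ValidateException("validator.05", null);
    }
  }
}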