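package;
import org.w3c.dom.Element;
import;
import;
import;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.XPathUtils;

/**
 * Validates a {@link CreateXMLSignatureResponse} returned by the security layer
 * against the state of the current {@link AuthenticationSession}.
 * <p>
 * The SAML attributes of the response must carry the public OA URL of the session
 * ("OA") and, depending on the session type, either the target ("Geschaeftsbereich",
 * public-sector applications) or the wbPK of the session's identity link ("wbPK",
 * business applications). Any attribute of the other kind, any of these attributes
 * carried in a non-empty namespace, or a value that does not match the session is
 * rejected with a {@link ValidateException}.
 * <p>
 * NOTE(review): the final step only checks that a {@code dsig:Signature} element is
 * present in the assertion; this class does NOT verify the signature. The
 * cryptographic verification has to happen elsewhere before the assertion is trusted.
 * <p>
 * This class implements the Singleton pattern.
 *
 * @author Stefan Knirsch
 * @version $Id$
 */
public class CreateXMLSignatureResponseValidator {

  /** XPath prefix for reaching SAML namespaces. */
  private static final String SAML = Constants.SAML_PREFIX + ":";

  /** XPath prefix for reaching XML-DSIG namespaces. */
  private static final String DSIG = Constants.DSIG_PREFIX + ":";

  /** XPath expression to the saml:Assertion element. */
  private static final String ROOT = SAML + "Assertion";

  /**
   * XPath expression to the saml:NameIdentifier element.
   * Currently unused: the A3.056 check ("more than one NameIdentifier") that
   * would use it is not implemented in {@link #validate}.
   */
  private static final String SAML_SUBJECT_NAME_IDENTIFIER_XPATH =
      SAML + "AttributeStatement/" + SAML + "Subject/" + SAML + "NameIdentifier";

  /** XPath expression to the saml:Attribute element (currently unused). */
  private static final String SAML_ATTRIBUTE_XPATH =
      ROOT + "/" + SAML + "AttributeStatement/" + SAML + "Attribute";

  /** XPath expression to the saml:AttributeValue element (currently unused). */
  private static final String SAML_ATTRIBUTE_VALUE_XPATH = SAML + "AttributeValue";

  /** Singleton instance; {@code null} until {@link #getInstance()} is first called. */
  private static CreateXMLSignatureResponseValidator instance;

  /**
   * Returns the singleton {@code CreateXMLSignatureResponseValidator}, creating it on
   * first use.
   *
   * @return the shared instance
   * @throws ValidateException declared for API compatibility; the constructor itself
   *         does not throw
   */
  public static synchronized CreateXMLSignatureResponseValidator getInstance()
      throws ValidateException {
    if (instance == null) {
      instance = new CreateXMLSignatureResponseValidator();
    }
    return instance;
  }

  /**
   * Validates a {@link CreateXMLSignatureResponse} against the given session.
   * <p>
   * Checks performed, in order:
   * <ul>
   *   <li>every "Geschaeftsbereich" attribute: only allowed for non-business
   *       sessions, must be in the empty namespace and equal the session target;</li>
   *   <li>every "OA" attribute: must be in the empty namespace and equal the session's
   *       public OA URL prefix;</li>
   *   <li>every "wbPK" attribute: only allowed for business sessions, must be in the
   *       empty namespace and its pr:Value / pr:Type must equal the identification
   *       value / type of the session's identity link;</li>
   *   <li>an "OA" attribute and, depending on the session type, a "wbPK" or
   *       "Geschaeftsbereich" attribute must be present;</li>
   *   <li>the SAML assertion must contain a dsig:Signature element (presence only,
   *       no verification).</li>
   * </ul>
   *
   * @param createXMLSignatureResponse the parsed response whose SAML attributes and
   *        assertion are checked
   * @param session the authentication session providing the expected target, public
   *        OA URL prefix, business-service flag and identity link
   * @throws ValidateException with the corresponding "validator.NN" message key if
   *         any check fails
   */
  public void validate(CreateXMLSignatureResponse createXMLSignatureResponse,
      AuthenticationSession session) throws ValidateException {
    String gbTarget = session.getTarget();
    String oaURL = session.getPublicOAURLPrefix();
    boolean businessService = session.getBusinessService();

    // A3.056 ("more than one /saml:Assertion/saml:AttributeStatement/saml:Subject/
    // saml:NameIdentifier") is not checked here; SAML_SUBJECT_NAME_IDENTIFIER_XPATH
    // is kept for that purpose.

    SAMLAttribute[] samlattributes = createXMLSignatureResponse.getSamlAttributes();
    if (samlattributes == null) {
      // treat a missing attribute list like an empty one: the presence checks
      // below then report the missing attributes instead of an NPE
      samlattributes = new SAMLAttribute[0];
    }

    boolean foundOA = false;
    boolean foundGB = false;
    boolean foundWBPK = false;
    for (int i = 0; i < samlattributes.length; i++) {
      SAMLAttribute attribute = samlattributes[i];
      String name = attribute.getName();
      // the three names are mutually exclusive, so an if/else chain is equivalent
      // to the three independent checks; each helper throws on any violation
      if ("Geschaeftsbereich".equals(name)) {
        checkGeschaeftsbereich(attribute, gbTarget, businessService);
        foundGB = true;
      } else if ("OA".equals(name)) {
        checkOA(attribute, oaURL);
        foundOA = true;
      } else if ("wbPK".equals(name)) {
        checkWBPK(attribute, session, businessService);
        foundWBPK = true;
      }
    }

    if (!foundOA) {
      throw new ValidateException("validator.14", null);
    }
    if (businessService) {
      if (!foundWBPK) {
        throw new ValidateException("validator.31", null);
      }
    } else {
      if (!foundGB) {
        throw new ValidateException("validator.11", null);
      }
    }

    // Presence check only: a dsig:Signature element must exist in the assertion.
    // This does not verify the signature; that must be done by the caller / MOA-SP.
    Element dsigSignature = (Element) XPathUtils.selectSingleNode(
        createXMLSignatureResponse.getSamlAssertion(), DSIG + "Signature");
    if (dsigSignature == null) {
      throw new ValidateException("validator.05", null);
    }
  }

  /**
   * Checks a "Geschaeftsbereich" attribute.
   *
   * @param attribute the attribute named "Geschaeftsbereich"
   * @param gbTarget the target expected by the session
   * @param businessService whether the session belongs to a business application
   * @throws ValidateException validator.26 if the session is a business service,
   *         validator.12 if the attribute has a non-empty namespace, validator.13 if
   *         the value does not equal {@code gbTarget}
   */
  private static void checkGeschaeftsbereich(SAMLAttribute attribute, String gbTarget,
      boolean businessService) throws ValidateException {
    if (businessService) {
      // a business application must not carry a public-sector target
      throw new ValidateException("validator.26", null);
    }
    if (!"".equals(attribute.getNamespace())) {
      throw new ValidateException("validator.12", null);
    }
    // Compare without a String cast: an unexpected value type (e.g. an Element)
    // then fails validation instead of escaping as a ClassCastException.
    if (gbTarget == null || !gbTarget.equals(attribute.getValue())) {
      throw new ValidateException("validator.13", null);
    }
  }

  /**
   * Checks an "OA" attribute.
   *
   * @param attribute the attribute named "OA"
   * @param oaURL the public OA URL prefix expected by the session
   * @throws ValidateException validator.15 if the attribute has a non-empty
   *         namespace, validator.16 if the value does not equal {@code oaURL}
   */
  private static void checkOA(SAMLAttribute attribute, String oaURL)
      throws ValidateException {
    if (!"".equals(attribute.getNamespace())) {
      throw new ValidateException("validator.15", null);
    }
    Object value = attribute.getValue();
    if (oaURL == null || !oaURL.equals(value)) {
      // Message argument: the value found in the response first, then the value
      // expected from the session (the original had the two swapped).
      throw new ValidateException("validator.16", new Object[] {
          ":gefunden wurde '" + value + "', erwartet wurde '" + oaURL + "'"});
    }
  }

  /**
   * Checks a "wbPK" attribute against the identity link of the session.
   *
   * @param attribute the attribute named "wbPK"; its value is expected to be a DOM
   *        {@link Element} containing pr:Value and pr:Type descendants
   * @param session the session whose identity link supplies the expected value/type
   * @param businessService whether the session belongs to a business application
   * @throws ValidateException validator.27 if the session is not a business service,
   *         validator.30 if the attribute has a non-empty namespace, validator.28 if
   *         value or type do not match the identity link, validator.29 if the value
   *         cannot be read as the expected structure
   */
  private static void checkWBPK(SAMLAttribute attribute, AuthenticationSession session,
      boolean businessService) throws ValidateException {
    if (!businessService) {
      throw new ValidateException("validator.27", null);
    }
    if (!"".equals(attribute.getNamespace())) {
      throw new ValidateException("validator.30", null);
    }
    try {
      Element attrValue = (Element) attribute.getValue();
      String value = descendantText(attrValue, "Value");
      String type = descendantText(attrValue, "Type");
      if (!value.equals(session.getIdentityLink().getIdentificationValue())) {
        throw new ValidateException("validator.28", null);
      }
      if (!type.equals(session.getIdentityLink().getIdentificationType())) {
        throw new ValidateException("validator.28", null);
      }
    } catch (ValidateException ex) {
      // a mismatch must surface as validator.28; without this clause the generic
      // catch below turned it into validator.29 (the original behaviour)
      throw ex;
    } catch (Exception ex) {
      // structurally broken wbPK (not an Element, missing pr:Value / pr:Type, empty
      // element, missing identity link, ...)
      throw new ValidateException("validator.29", null);
    }
  }

  /**
   * Returns the text of the first child node of the first descendant of
   * {@code parent} named {@code localName} in the {@link Constants#PD_NS_URI}
   * namespace.
   * <p>
   * Only the first child node is read (as in the original code), so an element with
   * several text/CDATA children yields only the first part. Throws an unchecked
   * exception if the descendant or its first child is missing; callers catch that.
   *
   * @param parent the element to search
   * @param localName local name of the wanted descendant
   * @return the node value of the descendant's first child
   */
  private static String descendantText(Element parent, String localName) {
    Element child =
        (Element) parent.getElementsByTagNameNS(Constants.PD_NS_URI, localName).item(0);
    return child.getFirstChild().getNodeValue();
  }
}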