/*
* Copyright 2003-2004 The Apache Software Foundation.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.apache.ws.security.saml;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
import org.apache.xml.security.keys.content.X509Data;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLStatement;
import org.opensaml.SAMLSubject;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.Properties;
/**
* Builds a WS SAML Assertion and inserts it into the SOAP Envelope. Refer to
* the WS specification, SAML Token profile
*
* @author Davanum Srinivas (dims@yahoo.com).
*/
public class SAMLIssuerImpl implements SAMLIssuer {
private static final Log log = LogFactory.getLog(SAMLIssuerImpl.class.getName());
private SAMLAssertion sa = null;
private Document instanceDoc = null;
private Properties properties = null;
private Crypto issuerCrypto = null;
private String issuerKeyPassword = null;
private String issuerKeyName = null;
private boolean senderVouches = true;
private String[] confirmationMethods = new String[1];
private Crypto userCrypto = null;
private String username = null;
/**
* Constructor.
*/
public SAMLIssuerImpl() {
}
public SAMLIssuerImpl(Properties prop) {
/*
* if no properties .. just return an instance, the rest will be done
* later or this instance is just used to handle certificate
* conversions in this implementation
*/
if (prop == null) {
return;
}
properties = prop;
String cryptoProp =
properties.getProperty("org.apache.ws.security.saml.issuer.cryptoProp.file");
if (cryptoProp != null) {
issuerCrypto = CryptoFactory.getInstance(cryptoProp);
issuerKeyName =
properties.getProperty("org.apache.ws.security.saml.issuer.key.name");
issuerKeyPassword =
properties.getProperty("org.apache.ws.security.saml.issuer.key.password");
}
if ("senderVouches"
.equals(properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) {
confirmationMethods[0] = SAMLSubject.CONF_SENDER_VOUCHES;
} else if (
"keyHolder".equals(properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) {
confirmationMethods[0] = SAMLSubject.CONF_HOLDER_KEY;
senderVouches = false;
} else {
// throw something here - this is a mandatory property
}
}
/**
* Creates a new <code>SAMLAssertion</code>.
* <p/>
* <p/>
* A complete <code>SAMLAssertion</code> is constructed.
*
* @return SAMLAssertion
*/
public SAMLAssertion newAssertion() { // throws Exception {
log.debug("Begin add SAMLAssertion token...");
/*
* if (senderVouches == false && userCrypto == null) { throw
* exception("need user crypto data to insert key") }
*/
// Issuer must enable crypto functions to get the issuer's certificate
String issuer =
properties.getProperty("org.apache.ws.security.saml.issuer");
String name =
properties.getProperty("org.apache.ws.security.saml.subjectNameId.name");
String qualifier =
properties.getProperty("org.apache.ws.security.saml.subjectNameId.qualifier");
try {
SAMLNameIdentifier nameId =
new SAMLNameIdentifier(name, qualifier, "");
String subjectIP = null;
String authMethod = null;
if ("password"
.equals(properties.getProperty("org.apache.ws.security.saml.authenticationMethod"))) {
authMethod =
SAMLAuthenticationStatement.AuthenticationMethod_Password;
}
Date authInstant = new Date();
Collection bindings = null;
SAMLSubject subject =
new SAMLSubject(nameId,
Arrays.asList(confirmationMethods),
null,
null);
SAMLStatement[] statements =
{
new SAMLAuthenticationStatement(subject,
authMethod,
authInstant,
subjectIP,
null,
bindings)};
sa =
new SAMLAssertion(issuer,
null,
null,
null,
null,
Arrays.asList(statements));
if (!senderVouches) {
KeyInfo ki = new KeyInfo(instanceDoc);
try {
X509Certificate[] certs =
userCrypto.getCertificates(username);
X509Data certElem = new X509Data(instanceDoc);
certElem.addCertificate(certs[0]);
ki.add(certElem);
} catch (WSSecurityException ex) {
if (log.isDebugEnabled()) {
log.debug(ex.getMessage(), ex);
}
return null;
} catch (XMLSecurityException ex) {
if (log.isDebugEnabled()) {
log.debug(ex.getMessage(), ex);
}
return null;
}
Element keyInfoElement = ki.getElement();
keyInfoElement.setAttributeNS(WSConstants.XMLNS_NS, "xmlns:"
+ WSConstants.SIG_PREFIX, WSConstants.SIG_NS);
subject.setKeyInfo(ki);
// prepare to sign the SAML token
try {
X509Certificate[] issuerCerts =
issuerCrypto.getCertificates(issuerKeyName);
String sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_RSA;
String pubKeyAlgo =
issuerCerts[0].getPublicKey().getAlgorithm();
log.debug("automatic sig algo detection: " + pubKeyAlgo);
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
}
java.security.Key issuerPK =
issuerCrypto.getPrivateKey(issuerKeyName,
issuerKeyPassword);
sa.sign(sigAlgo, issuerPK, Arrays.asList(issuerCerts));
} catch (WSSecurityException ex) {
if (log.isDebugEnabled()) {
log.debug(ex.getMessage(), ex);
}
return null;
} catch (Exception ex) {
if (log.isDebugEnabled()) {
log.debug(ex.getMessage(), ex);
}
return null;
}
}
} catch (SAMLException ex) {
if (log.isDebugEnabled()) {
log.debug(ex.getMessage(), ex);
}
throw new RuntimeException(ex.toString(), ex);
}
return sa;
}
/**
* @param userCrypto The userCrypto to set.
*/
public void setUserCrypto(Crypto userCrypto) {
this.userCrypto = userCrypto;
}
/**
* @param username The username to set.
*/
public void setUsername(String username) {
this.username = username;
}
/**
* @return Returns the issuerCrypto.
*/
public Crypto getIssuerCrypto() {
return issuerCrypto;
}
/**
* @return Returns the issuerKeyName.
*/
public String getIssuerKeyName() {
return issuerKeyName;
}
/**
* @return Returns the issuerKeyPassword.
*/
public String getIssuerKeyPassword() {
return issuerKeyPassword;
}
/**
* @return Returns the senderVouches.
*/
public boolean isSenderVouches() {
return senderVouches;
}
/**
* @param instanceDoc The instanceDoc to set.
*/
public void setInstanceDoc(Document instanceDoc) {
this.instanceDoc = instanceDoc;
}
}