Apache CXF API

org.apache.cxf.ws.security.wss4j.policyvalidators
Class AbstractSamlPolicyValidator

java.lang.Object
  extended by org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractTokenPolicyValidator
      extended by org.apache.cxf.ws.security.wss4j.policyvalidators.AbstractSamlPolicyValidator
Direct Known Subclasses:
IssuedTokenPolicyValidator, SamlTokenPolicyValidator

public abstract class AbstractSamlPolicyValidator
extends AbstractTokenPolicyValidator

Abstract base functionality for validating SAML Assertions.


Constructor Summary
AbstractSamlPolicyValidator()
           
 
Method Summary
 boolean checkHolderOfKey(org.apache.ws.security.saml.ext.AssertionWrapper assertionWrapper, List<org.apache.ws.security.WSSecurityEngineResult> signedResults, Certificate[] tlsCerts)
          Check the holder-of-key requirements against the received assertion.
protected  boolean compareCredentials(org.apache.ws.security.saml.SAMLKeyInfo subjectKeyInfo, List<org.apache.ws.security.WSSecurityEngineResult> signedResults, Certificate[] tlsCerts)
          Compare the credentials of the assertion to the credentials used in 2-way TLS or those used to verify signatures.
protected  boolean isTokenRequired(Token token, Message message)
          Check to see if a token is required or not.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AbstractSamlPolicyValidator

public AbstractSamlPolicyValidator()

Method Detail

isTokenRequired

protected boolean isTokenRequired(Token token,
                                  Message message)
Check to see if a token is required or not.

Overrides:
isTokenRequired in class AbstractTokenPolicyValidator
Parameters:
token - the token
message - the message
Returns:
true if the token is required

checkHolderOfKey

public boolean checkHolderOfKey(org.apache.ws.security.saml.ext.AssertionWrapper assertionWrapper,
                                List<org.apache.ws.security.WSSecurityEngineResult> signedResults,
                                Certificate[] tlsCerts)
Check the holder-of-key requirements against the received assertion. The subject credential of the SAML Assertion must have been used to sign some portion of the message, thus showing proof-of-possession of the private/secret key. Alternatively, the subject credential of the SAML Assertion must match a client certificate credential when 2-way TLS is used.

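Parameters:
assertionWrapper - the SAML Assertion wrapper object
signedResults - a list of all of the signed results
tlsCerts - the client certificate credentials when 2-way TLS is used
Returns:
true if the holder-of-key requirements are met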

compareCredentials

protected boolean compareCredentials(org.apache.ws.security.saml.SAMLKeyInfo subjectKeyInfo,
                                     List<org.apache.ws.security.WSSecurityEngineResult> signedResults,
                                     Certificate[] tlsCerts)
Compare the credentials of the assertion to the credentials used in 2-way TLS or those used to verify signatures. Return true on a match.

Parameters:
subjectKeyInfo - the SAMLKeyInfo object
signedResults - a list of all of the signed results
tlsCerts - the client certificate credentials when 2-way TLS is used
Returns:
true if the credentials of the assertion were used to verify a signature
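
The holder-of-key decision described for checkHolderOfKey and compareCredentials, as an added Java example that is not CXF's own code: the subject credential must either match the 2-way TLS client certificate or be the credential that verified a message signature, and anything else fails closed. The Credential record and the method names are hypothetical stand-ins for SAMLKeyInfo and WSSecurityEngineResult, the key pairs are constructed sample data, and records require Java 16 or later.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

public class HolderOfKeyCheck {
    // Hypothetical stand-in for the credential carried by a SAMLKeyInfo or a signature result.
    record Credential(X509Certificate[] certs, PublicKey publicKey, byte[] secret) {}

    static boolean hasCert(Credential c) { return c.certs() != null && c.certs().length > 0; }

    // True only if the assertion's subject credential is the one that verified a signature.
    static boolean sameCredential(Credential subject, Credential used) {
        if (hasCert(subject) && hasCert(used)) return subject.certs()[0].equals(used.certs()[0]);
        if (subject.publicKey() != null && used.publicKey() != null)
            return subject.publicKey().equals(used.publicKey());
        if (subject.secret() != null && used.secret() != null)
            return MessageDigest.isEqual(subject.secret(), used.secret()); // constant-time compare
        return false; // nothing comparable: fail closed
    }

    static boolean holderOfKey(Credential subject, List<Credential> signedResults, Certificate[] tlsCerts) {
        if (subject == null) return false;
        // Option 1: the subject credential matches the client certificate from 2-way TLS.
        if (tlsCerts != null && tlsCerts.length > 0) {
            if (hasCert(subject) && subject.certs()[0].equals(tlsCerts[0])) return true;
            if (subject.publicKey() != null && subject.publicKey().equals(tlsCerts[0].getPublicKey())) return true;
        }
        // Option 2: the subject credential verified a message-level signature.
        if (signedResults != null)
            for (Credential used : signedResults)
                if (sameCredential(subject, used)) return true;
        return false; // no proof of possession
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials: two unrelated EC key pairs.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        PublicKey subjectKey = gen.generateKeyPair().getPublic();
        PublicKey otherKey = gen.generateKeyPair().getPublic();
        Credential subject = new Credential(null, subjectKey, null);
        System.out.println(holderOfKey(subject, List.of(new Credential(null, subjectKey, null)), null)); // subject key signed
        System.out.println(holderOfKey(subject, List.of(new Credential(null, otherKey, null)), null));   // different key signed
        System.out.println(holderOfKey(subject, List.of(), null));                                       // nothing signed, no TLS
    }
}
```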
