| Code with Misuse: |
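class SamlAssertionValidator {

    /**
     * Checks the Subject Confirmation method requirements of a SAML assertion.
     *
     * <p>Two rules are enforced:
     * <ul>
     *   <li>Every holder-of-key confirmation method must be backed by a Subject
     *       KeyInfo, and the assertion must be signed (an unsigned holder-of-key
     *       assertion cannot bind the key to the subject).</li>
     *   <li>If {@code requiredSubjectConfirmationMethod} is configured, at least
     *       one confirmation method must equal it exactly.</li>
     * </ul>
     *
     * <p>A {@code null} or empty list of confirmation methods is accepted only
     * when no required method is configured; it is then treated as "no methods"
     * rather than dereferenced.
     *
     * @param samlAssertion the assertion whose confirmation methods are checked
     * @throws WSSecurityException with error code {@code FAILURE} when a required
     *     method is absent ({@code invalidSAMLsecurity}), a holder-of-key method
     *     has no Subject KeyInfo ({@code noKeyInSAMLToken}), or a holder-of-key
     *     assertion is unsigned ({@code invalidSAMLsecurity})
     */
    protected void verifySubjectConfirmationMethod(
        SamlAssertionWrapper samlAssertion
    ) throws WSSecurityException {
        List<String> methods = samlAssertion.getConfirmationMethods();
        boolean noMethods = methods == null || methods.isEmpty();
        if (noMethods && requiredSubjectConfirmationMethod != null) {
            LOG.debug("A required subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                          "invalidSAMLsecurity");
        }

        // NOTE(review): isSigned() is used here as "a signature is present";
        // whether that signature was cryptographically verified is not
        // established in this method — confirm the caller validates it first.
        boolean signed = samlAssertion.isSigned();
        boolean requiredMethodFound = false;

        // getConfirmationMethods() may return null, and the check above only
        // rejects that when a required method is configured. Without this guard
        // the enhanced-for loop would throw a NullPointerException in the
        // "no required method" configuration.
        if (methods != null) {
            for (String method : methods) {
                if (OpenSAMLUtil.isMethodHolderOfKey(method)) {
                    if (samlAssertion.getSubjectKeyInfo() == null) {
                        LOG.debug("There is no Subject KeyInfo to match the holder-of-key subject conf method");
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noKeyInSAMLToken");
                    }
                    // The assertion must have been signed for HOK
                    if (!signed) {
                        LOG.debug("A holder-of-key assertion must be signed");
                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
                    }
                }
                // Exact match only; a null entry never satisfies the requirement
                if (method != null && method.equals(requiredSubjectConfirmationMethod)) {
                    requiredMethodFound = true;
                }
            }
        }

        if (!requiredMethodFound && requiredSubjectConfirmationMethod != null) {
            LOG.debug("A required subject confirmation method was not present");
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                          "invalidSAMLsecurity");
        }
    }
}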
|