Spring Security SAML

org.springframework.security.saml
Class SAMLAuthenticationProvider

java.lang.Object
  extended by org.springframework.security.saml.SAMLAuthenticationProvider
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, org.springframework.security.authentication.AuthenticationProvider

public class SAMLAuthenticationProvider
extends Object
implements org.springframework.security.authentication.AuthenticationProvider, org.springframework.beans.factory.InitializingBean

Authentication provider capable of verifying the validity of a SAMLAuthenticationToken and, when the token is valid, creating an authenticated UsernamePasswordAuthenticationToken.

Author:
Vladimir Schafer

Field Summary
protected  WebSSOProfileConsumer consumer
protected  WebSSOProfileConsumer hokConsumer
protected  SAMLLogger samlLogger
protected  SAMLUserDetailsService userDetails

Constructor Summary
SAMLAuthenticationProvider()

Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set.
 org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
          Attempts to perform authentication of an Authentication object.
protected  Collection<? extends org.springframework.security.core.GrantedAuthority> getEntitlements(SAMLCredential credential, Object userDetail)
          Returns the collection of the user's entitlements.
protected  Date getExpirationDate(SAMLCredential credential)
          Parses the SAMLCredential for expiration time.
protected  Object getPrincipal(SAMLCredential credential, Object userDetail)
          Determines what is stored as the principal of the created Authentication object.
 SAMLUserDetailsService getUserDetails()
          Returns the SAML user details service used to load information about the logged-in user from SAML data.
protected  Object getUserDetails(SAMLCredential credential)
          Populates user data from SAMLCredential into UserDetails object.
 boolean isForcePrincipalAsString()
 void setConsumer(WebSSOProfileConsumer consumer)
          Profile for consumption of processed messages, must be set.
 void setForcePrincipalAsString(boolean forcePrincipalAsString)
 void setHokConsumer(WebSSOProfileConsumer hokConsumer)
          Profile for consumption of processed messages using the Holder-of-Key profile, must be set.
 void setSamlLogger(SAMLLogger samlLogger)
          Logger for SAML events, cannot be null, must be set.
 void setUserDetails(SAMLUserDetailsService userDetails)
          The user details service is optional; when set, it is called automatically while the user's SAML assertion is validated.
 boolean supports(Class aClass)
          SAMLAuthenticationToken is the only supported token.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

consumer

protected WebSSOProfileConsumer consumer

hokConsumer

protected WebSSOProfileConsumer hokConsumer

samlLogger

protected SAMLLogger samlLogger

userDetails

protected SAMLUserDetailsService userDetails
Constructor Detail

SAMLAuthenticationProvider

public SAMLAuthenticationProvider()
Method Detail

authenticate

public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
                                                              throws org.springframework.security.core.AuthenticationException
Attempts to authenticate an Authentication object. The authentication must be of type SAMLAuthenticationToken and must contain a populated SAMLMessageContext. If the inbound SAML message in the context is valid, a UsernamePasswordAuthenticationToken is created and marked as authenticated, with the NameID from the SAML message as its name and the assertion used to verify the user (a SAMLCredential object) as its credential.

Specified by:
authenticate in interface org.springframework.security.authentication.AuthenticationProvider
Parameters:
authentication - SAMLAuthenticationToken to verify
Returns:
UsernamePasswordAuthenticationToken with name as NameID value and SAMLCredential as credential object
Throws:
org.springframework.security.core.AuthenticationException - user can't be authenticated due to an error

getUserDetails

protected Object getUserDetails(SAMLCredential credential)
Populates user data from the SAMLCredential into a UserDetails object. By default the supplied SAMLUserDetailsService implementation is called and a value of type UserDetails is returned. Users are encouraged to supply their own implementation of that service and to include a correct implementation of the getAuthorities method in the returned object, since it is used to populate the entitlements inside the Authentication object.

If no SAMLUserDetailsService is specified, null is returned.

Parameters:
credential - credential to load user from
Returns:
user details object corresponding to the SAML credential or null if data can't be loaded

getPrincipal

protected Object getPrincipal(SAMLCredential credential,
                              Object userDetail)
Determines what is stored as the principal of the created Authentication object. By default (when forcePrincipalAsString is true) the string representation of the NameID returned from the SAML message is used. Otherwise the userDetail object is used when set; when it is not set, the NameID object from the credential is returned. Other behaviour can be provided by overriding the method.

Parameters:
credential - credential used to authenticate user
userDetail - loaded user details, can be null
Returns:
principal to store inside Authentication object

getEntitlements

protected Collection<? extends org.springframework.security.core.GrantedAuthority> getEntitlements(SAMLCredential credential,
                                                                                                   Object userDetail)
Returns the collection of the user's entitlements. The default implementation checks whether the userDetail object is of type UserDetails and returns userDetail.getAuthorities().

If an object of another type is found, an empty list is returned. Users should override this method to provide custom parsing in such a case.

Parameters:
credential - credential used to authenticate user during SSO
userDetail - user detail object returned from getUserDetails call
Returns:
collection of the user's entitlements, must not be null
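
As an added example (not code from the Spring Security SAML project itself), the following SAMLUserDetailsService returns a UserDetails object that serves both getUserDetails(SAMLCredential) and the default getEntitlements, which reads its getAuthorities(). The attribute name "memberOf", the IdP entityID placeholder and the SAMLCredential accessors getNameID(), getRemoteEntityID() and getAttributeAsStringArray() are assumptions about the library version in use.

```java
// Added example; assumes spring-security-saml2-core and Spring Security 3.1+ on
// the classpath. The "memberOf" attribute and the IdP entityID are placeholders.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

public class AttributeMappingUserDetailsService implements SAMLUserDetailsService {

    // Group attributes are honoured only when asserted by this IdP (placeholder entityID).
    private static final String TRUSTED_IDP = "https://idp.example.org/REPLACE_ME";

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The NameID becomes the token name; refuse assertions that lack a usable one.
        String nameId = credential.getNameID().getValue();
        if (nameId == null || nameId.trim().isEmpty()) {
            throw new UsernameNotFoundException("Assertion carries no usable NameID");
        }

        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        // Map IdP-asserted groups to roles, but only from the expected issuer, so an
        // attribute from a different trusted IdP cannot grant elevated access here.
        if (TRUSTED_IDP.equals(credential.getRemoteEntityID())) {
            String[] groups = credential.getAttributeAsStringArray("memberOf");
            if (groups != null) {
                for (String group : groups) {
                    if ("admins".equals(group)) {
                        authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                    }
                }
            }
        }

        // Returning a UserDetails lets the default getEntitlements() call getAuthorities(),
        // and getPrincipal() stores this object when forcePrincipalAsString is false.
        return new User(nameId, "N/A", authorities);
    }
}
```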

getExpirationDate

protected Date getExpirationDate(SAMLCredential credential)
Parses the SAMLCredential for the expiration time. Locates all AuthnStatements present within the assertion (usually only one) and computes the expiration from the sessionNotOnOrAfter field.

Parameters:
credential - credential to use for expiration parsing.
Returns:
null if no expiration is present, otherwise the time on or after which the token is no longer valid

getUserDetails

public SAMLUserDetailsService getUserDetails()
Returns the SAML user details service used to load information about the logged-in user from SAML data.

Returns:
service or null if not set

supports

public boolean supports(Class aClass)
SAMLAuthenticationToken is the only supported token.

Specified by:
supports in interface org.springframework.security.authentication.AuthenticationProvider
Parameters:
aClass - class to check for support
Returns:
true if class is of type SAMLAuthenticationToken

setUserDetails

@Autowired(required=false)
public void setUserDetails(SAMLUserDetailsService userDetails)
The user details service is optional; when set, it is called automatically while the user's SAML assertion is validated.

Parameters:
userDetails - user details

setSamlLogger

@Autowired
public void setSamlLogger(SAMLLogger samlLogger)
Logger for SAML events, cannot be null, must be set.

Parameters:
samlLogger - logger

setConsumer

@Autowired
@Qualifier(value="webSSOprofileConsumer")
public void setConsumer(WebSSOProfileConsumer consumer)
Profile for consumption of processed messages, must be set.

Parameters:
consumer - consumer

setHokConsumer

@Autowired
@Qualifier(value="hokWebSSOprofileConsumer")
public void setHokConsumer(WebSSOProfileConsumer hokConsumer)
Profile for consumption of processed messages using the Holder-of-Key profile, must be set.

Parameters:
hokConsumer - holder-of-key consumer

isForcePrincipalAsString

public boolean isForcePrincipalAsString()

setForcePrincipalAsString

public void setForcePrincipalAsString(boolean forcePrincipalAsString)

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
ServletException
