Spring Security SAML

org.springframework.security.saml
Class SAMLDiscovery

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.saml.SAMLDiscovery
All Implemented Interfaces:
Filter, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.web.context.ServletContextAware

public class SAMLDiscovery
extends org.springframework.web.filter.GenericFilterBean

Filter implementing the Identity Provider Discovery Service as defined in the IDP Discovery Profile, http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf.

Author:
Vladimir Schaefer

Field Summary
protected  SAMLContextProvider contextProvider
          Context provider.
static String ENTITY_ID_PARAM
          Unique identifier of the party performing the request.
static String FILTER_URL
          Default name of path suffix which will invoke this filter.
protected  String filterProcessesUrl
          Url this filter should get activated on.
static String IDP_DISCO_PROTOCOL_SINGLE
          Default profile of the discovery service.
protected  String idpSelectionPath
          If this property is set to a non-null value, the user will be redirected to this URL to select the IDP to use for login.
protected static org.slf4j.Logger logger
           
protected  MetadataManager metadata
          Metadata manager used to look up entity IDs and discovery URLs.
static String PASSIVE_PARAM
          Request parameter indicating whether discovery service can interact with the user agent.
static String POLICY_PARAM
          Policy to use in order to determine IDP.
static String RETURN_ID_PARAM
          Request parameter specifying which response attribute to use for conveying the determined IDP name.
static String RETURN_PARAM
          Used to store return parameter in the forwarded request object.
static String RETURN_URL
          Used to store return URL in the forwarded request object.
static String RETURN_URL_PARAM
          URL used by the discovery service to send the response.
protected  SAMLEntryPoint samlEntryPoint
          Entry point dependency for loading of correct URL.
 
Constructor Summary
SAMLDiscovery()
           
 
Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set.
 void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
           
protected  String getDefaultReturnURL(SAMLMessageContext messageContext)
          Provides default return URL based on metadata in case none was supplied in the request.
 String getFilterProcessesUrl()
           
 String getIdpSelectionPath()
          Path used to forward the request in order to enable target IDP selection.
protected  String getPassiveIDP(HttpServletRequest request)
          Returns IDP to be used in passive mode.
protected  boolean isResponseURLValid(String returnURL, SAMLMessageContext messageContext)
          Verifies whether return URL supplied in the request is valid.
protected  void processDiscoveryRequest(HttpServletRequest request, HttpServletResponse response)
          Processes the IDP Discovery request, validates it for conformity and either sends a passive response with the default IDP (when isPassive mode is requested) or forwards the browser to the IDP selection page.
protected  boolean processFilter(HttpServletRequest request)
          The filter will be used in case the URL of the request contains the FILTER_URL.
protected  void sendIDPSelection(HttpServletRequest request, HttpServletResponse response, String responseURL, String returnParam)
          Forwards the request to a page which renders the IDP selection page for the user.
protected  void sendPassiveResponse(HttpServletRequest request, HttpServletResponse response, String responseURL, String returnParam, String entityID)
          Creates a URL to be used for returning of the selected IDP and sends a redirect.
 void setContextProvider(SAMLContextProvider contextProvider)
          Sets entity responsible for populating local entity context data.
 void setFilterProcessesUrl(String filterProcessesUrl)
          Custom filter URL which overrides the default.
 void setIdpSelectionPath(String idpSelectionPath)
          Sets path where request dispatcher will send user for IDP selection.
 void setMetadata(MetadataManager metadata)
          Metadata manager, cannot be null, must be set.
 void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)
          Dependency for loading of the entry point URL.
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.slf4j.Logger logger

RETURN_URL

public static final String RETURN_URL
Used to store return URL in the forwarded request object.

See Also:
Constant Field Values

RETURN_PARAM

public static final String RETURN_PARAM
Used to store return parameter in the forwarded request object.

See Also:
Constant Field Values

ENTITY_ID_PARAM

public static final String ENTITY_ID_PARAM
Unique identifier of the party performing the request. Part of IDP Disco specification.

See Also:
Constant Field Values

RETURN_URL_PARAM

public static final String RETURN_URL_PARAM
URL used by the discovery service to send the response. Value is verified against metadata of the requesting entity. URL can contain additional query part, but mustn't include the same attribute as specified in returnIdParam. Part of IDP Disco specification.

See Also:
Constant Field Values

RETURN_ID_PARAM

public static final String RETURN_ID_PARAM
Request parameter specifying which response attribute to use for conveying the determined IDP name. Uses "entityID" when empty. Part of IDP Disco specification.

See Also:
Constant Field Values

POLICY_PARAM

public static final String POLICY_PARAM
Policy to use in order to determine IDP. Only the default IDP_DISCO_PROTOCOL_SINGLE is supported and is also used when policy request attribute is unspecified. Part of IDP Disco specification.

See Also:
Constant Field Values

PASSIVE_PARAM

public static final String PASSIVE_PARAM
Request parameter indicating whether the discovery service can interact with the user agent. Allowed values are "true" or "false"; set to "false" when unspecified. Part of IDP Disco specification.

See Also:
Constant Field Values

idpSelectionPath

protected String idpSelectionPath
If this property is set to a non-null value, the user will be redirected to this URL to select the IDP to use for login. If it is null, the user will be redirected to the default IDP.


metadata

protected MetadataManager metadata
Metadata manager used to look up entity IDs and discovery URLs.


contextProvider

protected SAMLContextProvider contextProvider
Context provider.


samlEntryPoint

protected SAMLEntryPoint samlEntryPoint
Entry point dependency for loading of correct URL.


filterProcessesUrl

protected String filterProcessesUrl
URL this filter should get activated on.


FILTER_URL

public static final String FILTER_URL
Default name of path suffix which will invoke this filter.

See Also:
Constant Field Values

IDP_DISCO_PROTOCOL_SINGLE

public static final String IDP_DISCO_PROTOCOL_SINGLE
Default profile of the discovery service.

See Also:
Constant Field Values

Constructor Detail

SAMLDiscovery

public SAMLDiscovery()

Method Detail

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
Throws:
IOException
ServletException

processFilter

protected boolean processFilter(HttpServletRequest request)
The filter will be used in case the URL of the request contains the FILTER_URL.

Parameters:
request - request used to determine whether to enable this filter
Returns:
true if this filter should be used

processDiscoveryRequest

protected void processDiscoveryRequest(HttpServletRequest request,
                                       HttpServletResponse response)
                                throws IOException,
                                       ServletException
Processes the IDP Discovery request, validates it for conformity and either sends a passive response with the default IDP (when isPassive mode is requested) or forwards the browser to the IDP selection page. By default the page located at idpSelectionPath is included.

Parameters:
request - request
response - response
Throws:
ServletException - error
IOException - io error

sendPassiveResponse

protected void sendPassiveResponse(HttpServletRequest request,
                                   HttpServletResponse response,
                                   String responseURL,
                                   String returnParam,
                                   String entityID)
                            throws IOException,
                                   ServletException
Creates a URL to be used for returning of the selected IDP and sends a redirect.

Parameters:
request - request object
response - response object
responseURL - base for the return URL
returnParam - parameter name to send the IDP entityId in
entityID - entity ID to send or null for fail state
Throws:
IOException - in case redirect sending fails
ServletException - in case redirect sending fails

sendIDPSelection

protected void sendIDPSelection(HttpServletRequest request,
                                HttpServletResponse response,
                                String responseURL,
                                String returnParam)
                         throws IOException,
                                ServletException
Forwards the request to a page which renders the IDP selection page for the user. The URL for redirect and the param for IDP selection are included as request attributes under the keys with constant names RETURN_URL and RETURN_PARAM.

Parameters:
request - request object
response - response object
responseURL - base for the return URL
returnParam - parameter name to send the IDP entityId in
Throws:
IOException - in case forwarding to the selection page fails
ServletException - in case forwarding to the selection page fails

getDefaultReturnURL

protected String getDefaultReturnURL(SAMLMessageContext messageContext)
Provides default return URL based on metadata in case none was supplied in the request. URL is automatically generated for local entities which do not contain discovery URL in metadata.

Parameters:
messageContext - context for the local SP
Returns:
URL to return the selected IDP to
Throws:
org.opensaml.common.SAMLRuntimeException - in case entity is remote and doesn't contain URL in metadata

isResponseURLValid

protected boolean isResponseURLValid(String returnURL,
                                     SAMLMessageContext messageContext)
Verifies whether the return URL supplied in the request is valid. By default it is verified that the host part of the supplied URL is the same as the host part of the default response location in metadata (IDP Disco, 320).

Parameters:
returnURL - URL from the request
messageContext - message context for current SP
Returns:
true if the request is valid, false otherwise
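The checks the Javadoc above describes (host of the return URL must match the discovery response location in metadata, the return URL must not already carry the returnIDParam attribute, and the passive response appends returnParam=entityID) are shown here as an added stand-alone illustration; this is not Spring Security SAML's own code, and the metadata location, return URL and entity IDs are constructed sample values.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added illustration of the SAMLDiscovery validation and response logic
// described on this page; not the library's implementation.
public class DiscoveryReturnUrlCheck {

    // Constructed sample: discovery response location published in SP metadata.
    static final String METADATA_DISCO_LOCATION =
            "https://sp.example.org/saml/login/alias/defaultAlias";

    /** Mirrors isResponseURLValid: host of the supplied URL must equal the host of the metadata location (IDP Disco, 320). */
    static boolean isResponseUrlValid(String returnUrl, String metadataLocation) {
        try {
            String supplied = URI.create(returnUrl).getHost();
            String expected = URI.create(metadataLocation).getHost();
            return supplied != null && supplied.equalsIgnoreCase(expected);
        } catch (IllegalArgumentException e) {
            return false; // unparsable URL is rejected
        }
    }

    /** RETURN_URL_PARAM rule: the query part must not already contain the returnIDParam attribute. */
    static boolean containsReturnParam(String returnUrl, String returnParam) {
        String query = URI.create(returnUrl).getRawQuery();
        if (query == null) return false;
        return Arrays.stream(query.split("&"))
                .anyMatch(p -> p.equals(returnParam) || p.startsWith(returnParam + "="));
    }

    /** Mirrors sendPassiveResponse: append returnParam=entityID; a null entityID is the fail state and adds nothing. */
    static String buildPassiveResponse(String returnUrl, String returnParam, String entityId) {
        if (entityId == null) return returnUrl;
        String sep = returnUrl.contains("?") ? "&" : "?";
        return returnUrl + sep + URLEncoder.encode(returnParam, StandardCharsets.UTF_8)
                + "=" + URLEncoder.encode(entityId, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed discovery request: same host as metadata, extra query part, isPassive=true.
        String returnUrl = "https://sp.example.org/saml/login/alias/defaultAlias?foo=bar";
        String returnParam = "idp"; // returnIDParam; the page says "entityID" is used when empty
        boolean valid = isResponseUrlValid(returnUrl, METADATA_DISCO_LOCATION)
                && !containsReturnParam(returnUrl, returnParam);
        System.out.println(valid
                ? buildPassiveResponse(returnUrl, returnParam, "https://idp.example.com/metadata")
                : "discovery request rejected");
    }
}
```

A request whose return URL points at another host, or that already carries the idp attribute, falls into the rejected branch rather than being redirected.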

getPassiveIDP

protected String getPassiveIDP(HttpServletRequest request)
Returns the IDP to be used in passive mode. By default, the IDP designated as default in metadata is used.

Parameters:
request - IDP discovery request
Returns:
IDP configured as default or null when no such exists

getIdpSelectionPath

public String getIdpSelectionPath()
Path used to forward the request in order to enable target IDP selection.

Returns:
path for forward

setIdpSelectionPath

public void setIdpSelectionPath(String idpSelectionPath)
Sets the path where the request dispatcher will send the user for IDP selection. If it is null, the default IDP will always be used.

Parameters:
idpSelectionPath - selection path

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)
Metadata manager, cannot be null, must be set.

Parameters:
metadata - manager

setSamlEntryPoint

@Autowired(required=false)
public void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)
Dependency for loading of the entry point URL.

Parameters:
samlEntryPoint -

setContextProvider

@Autowired
public void setContextProvider(SAMLContextProvider contextProvider)
Sets entity responsible for populating local entity context data.

Parameters:
contextProvider - provider implementation

getFilterProcessesUrl

public String getFilterProcessesUrl()
Returns:
filter URL

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)
Custom filter URL which overrides the default. The filter URL determines the URL where the filter starts processing.

Parameters:
filterProcessesUrl - filter URL

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides:
afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
Throws:
ServletException
