Spring Security SAML

org.springframework.security.saml
Class SAMLEntryPoint

java.lang.Object
  extended by org.springframework.web.filter.GenericFilterBean
      extended by org.springframework.security.saml.SAMLEntryPoint
All Implemented Interfaces:
Filter, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.security.web.AuthenticationEntryPoint, org.springframework.web.context.ServletContextAware

public class SAMLEntryPoint
extends org.springframework.web.filter.GenericFilterBean
implements org.springframework.security.web.AuthenticationEntryPoint

Class initializes SAML WebSSO Profile, IDP Discovery or ECP Profile from the SP side. Configuration of the local service provider and incoming request determines which profile will get invoked.

There are two ways the entry point can get invoked. Either the user accesses a URL configured to require some degree of authentication, an AuthenticationException is thrown, and handling that exception invokes the entry point; or the entry point is invoked directly by accessing the /saml/login URL.

Author:
Vladimir Schaefer

Field Summary
protected  SAMLContextProvider contextProvider
           
protected  WebSSOProfileOptions defaultOptions
           
static String DISCOVERY_RESPONSE_PARAMETER
          Parameter is used to indicate response from IDP discovery service.
static String FILTER_URL
          Default name of path suffix which will invoke this filter.
protected  String filterProcessesUrl
          Url this filter should get activated on.
static String IDP_PARAMETER
          Name of parameter of HttpRequest telling entry point that the login should use specified idp.
protected static org.slf4j.Logger logger
           
protected  MetadataManager metadata
           
protected  SAMLDiscovery samlDiscovery
           
protected  SAMLLogger samlLogger
           
protected  WebSSOProfile webSSOprofile
           
protected  WebSSOProfile webSSOprofileECP
           
protected  WebSSOProfile webSSOprofileHoK
           
 
Constructor Summary
SAMLEntryPoint()
           
 
Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set.
 void commence(HttpServletRequest request, HttpServletResponse response, org.springframework.security.core.AuthenticationException e)
          Method starts a process used to ultimately authenticate the user using the WebSSO Profile.
 void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
           
 String getFilterProcessesUrl()
           
protected  WebSSOProfileOptions getProfileOptions(SAMLMessageContext context, org.springframework.security.core.AuthenticationException exception)
          Method is supposed to populate preferences used to construct the SAML message.
protected  void initializeDiscovery(SAMLMessageContext context)
          Method initializes IDP Discovery Profile as defined in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf. It is presumed that metadata of the local Service Provider contains the discovery return address.
protected  void initializeECP(SAMLMessageContext context, org.springframework.security.core.AuthenticationException e)
          Initializes ECP profile.
protected  void initializeSSO(SAMLMessageContext context, org.springframework.security.core.AuthenticationException e)
          WebSSO profile or WebSSO Holder-of-Key profile.
protected  boolean isDiscovery(SAMLMessageContext context)
          Determines whether IDP Discovery should be initialized.
protected  boolean isECP(SAMLMessageContext context)
          Determines whether ECP profile should get initialized.
protected  boolean processFilter(HttpServletRequest request)
          The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.
 void setContextProvider(SAMLContextProvider contextProvider)
          Sets entity responsible for populating local entity context data.
 void setDefaultProfileOptions(WebSSOProfileOptions defaultOptions)
          Sets object which determines default values to be used as basis for construction during getProfileOptions call.
 void setFilterProcessesUrl(String filterProcessesUrl)
          Custom filter URL which overrides the default.
 void setMetadata(MetadataManager metadata)
          Metadata manager, cannot be null, must be set.
 void setSamlDiscovery(SAMLDiscovery samlDiscovery)
          Dependency for loading of discovery URL
 void setSamlLogger(SAMLLogger samlLogger)
          Logger for SAML events, cannot be null, must be set.
 void setWebSSOprofile(WebSSOProfile webSSOprofile)
          Profile for consumption of processed messages, cannot be null, must be set.
 void setWebSSOprofileECP(WebSSOProfile webSSOprofileECP)
           
 void setWebSSOprofileHoK(WebSSOProfile webSSOprofileHoK)
           
 
Methods inherited from class org.springframework.web.filter.GenericFilterBean
addRequiredProperty, destroy, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setServletContext
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.slf4j.Logger logger

defaultOptions

protected WebSSOProfileOptions defaultOptions

webSSOprofile

protected WebSSOProfile webSSOprofile

webSSOprofileECP

protected WebSSOProfile webSSOprofileECP

webSSOprofileHoK

protected WebSSOProfile webSSOprofileHoK

metadata

protected MetadataManager metadata

samlLogger

protected SAMLLogger samlLogger

contextProvider

protected SAMLContextProvider contextProvider

samlDiscovery

protected SAMLDiscovery samlDiscovery

filterProcessesUrl

protected String filterProcessesUrl
Url this filter should get activated on.


FILTER_URL

public static final String FILTER_URL
Default name of path suffix which will invoke this filter.

See Also:
Constant Field Values

IDP_PARAMETER

public static final String IDP_PARAMETER
Name of parameter of HttpRequest telling entry point that the login should use specified idp.

See Also:
Constant Field Values

DISCOVERY_RESPONSE_PARAMETER

public static final String DISCOVERY_RESPONSE_PARAMETER
Parameter is used to indicate response from IDP discovery service. When present IDP discovery is not invoked again.

See Also:
Constant Field Values
Constructor Detail

SAMLEntryPoint

public SAMLEntryPoint()
Method Detail

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException
Specified by:
doFilter in interface Filter
Throws:
IOException
ServletException

processFilter

protected boolean processFilter(HttpServletRequest request)
The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.

Parameters:
request - request used to determine whether to enable this filter
Returns:
true if this filter should be used

commence

public void commence(HttpServletRequest request,
                     HttpServletResponse response,
                     org.springframework.security.core.AuthenticationException e)
              throws IOException,
                     ServletException
Method starts a process used to ultimately authenticate the user using the WebSSO Profile. The first task of the mechanism is to determine which IDP to use. Available options are: let the user agent determine the IDP for us (ECP profile), use IDP discovery to determine the IDP (or accept a predefined IDP in the request), or use the default IDP. The following logic is used to determine which case applies:

By default the contextProvider determines the IDP to use from the request parameter "idp". In case the parameter is missing, the defaultIDP is used instead.

Subclasses can customize the WebSSO initialization behavior.

Specified by:
commence in interface org.springframework.security.web.AuthenticationEntryPoint
Parameters:
request - request
response - response
e - exception causing this entry point to be invoked or null when EntryPoint is invoked directly
Throws:
IOException - error sending response
ServletException - error initializing SAML protocol

initializeECP

protected void initializeECP(SAMLMessageContext context,
                             org.springframework.security.core.AuthenticationException e)
                      throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                             org.opensaml.common.SAMLException,
                             org.opensaml.ws.message.encoder.MessageEncodingException
Initializes ECP profile.

Subclasses can alter the initialization behaviour.

Parameters:
context - saml context, also containing wrapped request and response objects
e - exception causing the entry point to be invoked (if any)
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata can't be queried
org.opensaml.common.SAMLException - in case message sending fails
org.opensaml.ws.message.encoder.MessageEncodingException - in case SAML message encoding fails

initializeSSO

protected void initializeSSO(SAMLMessageContext context,
                             org.springframework.security.core.AuthenticationException e)
                      throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                             org.opensaml.common.SAMLException,
                             org.opensaml.ws.message.encoder.MessageEncodingException
Initializes either the WebSSO profile or the WebSSO Holder-of-Key profile. The selection is made based on the settings of the Service Provider. In case Enhanced Client/Proxy is enabled and the request claims to support this profile, it is used. Otherwise the binding and profile specified for the assertionConsumerIndex in the WebSSOProfileOptions are checked: in case it is HoK, the WebSSO Holder-of-Key profile is used, otherwise the ordinary WebSSO profile.

Subclasses can alter the initialization behaviour.

Parameters:
context - saml context, also containing wrapped request and response objects
e - exception causing the entry point to be invoked (if any)
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata can't be queried
org.opensaml.common.SAMLException - in case message sending fails
org.opensaml.ws.message.encoder.MessageEncodingException - in case SAML message encoding fails

initializeDiscovery

protected void initializeDiscovery(SAMLMessageContext context)
                            throws ServletException,
                                   IOException,
                                   org.opensaml.saml2.metadata.provider.MetadataProviderException
Method initializes IDP Discovery Profile as defined in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf. It is presumed that metadata of the local Service Provider contains the discovery return address.

Parameters:
context - saml context also containing request and response objects
Throws:
ServletException - error
IOException - io error
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata of the local entity can't be populated

getProfileOptions

protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
                                                 org.springframework.security.core.AuthenticationException exception)
                                          throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method is supposed to populate preferences used to construct the SAML message. Method can be overridden to provide logic appropriate for the given application. In case the defaultOptions object was set it will be used as the basis for construction and request-specific values will be updated (the idp field).

Parameters:
context - containing local entity
exception - exception causing invocation of this entry point (can be null)
Returns:
populated webSSOprofile
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata loading fails
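The IDP-selection logic described under commence and getProfileOptions takes the target IDP from a request parameter, which makes getProfileOptions the natural place to constrain which IDPs a request may steer the login to. The subclass below is an added example, not code from the Spring Security SAML project: it maps a hypothetical "idp_alias" request parameter through a fixed allow-list, rejects anything that is not a known IDP in the MetadataManager (the protected metadata field and its isIDPValid method), and forces re-authentication when the entry point was reached because of an AuthenticationException. The package name, class name, the alias map and the "idp_alias" parameter are all assumptions of this example; it relies on the page's statement that the idp field of WebSSOProfileOptions carries the request-specific IDP.

```java
package com.example.saml; // hypothetical package, not part of Spring Security SAML

import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.transport.http.HTTPInTransport;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.saml.SAMLEntryPoint;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileOptions;

/**
 * Added example: an entry point that selects the IDP per request through a
 * short alias mapped against an allow-list, instead of accepting a raw entity
 * ID from the request. Aliases and the parameter name are hypothetical.
 */
public class AllowListedIdpEntryPoint extends SAMLEntryPoint {

    /** Hypothetical request parameter carrying the alias, e.g. "corp" or "partner". */
    static final String IDP_ALIAS_PARAMETER = "idp_alias";

    /** Alias -> IDP entity ID as registered in the MetadataManager (constructed by the deployer). */
    private final Map<String, String> aliasToEntityId;

    public AllowListedIdpEntryPoint(Map<String, String> aliasToEntityId) {
        this.aliasToEntityId = new HashMap<String, String>(aliasToEntityId);
    }

    @Override
    protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
                                                     AuthenticationException exception)
            throws MetadataProviderException {

        // Keep the documented behaviour: defaultOptions (if set) is the basis for construction.
        WebSSOProfileOptions options = super.getProfileOptions(context, exception);

        // The context wraps the servlet request; read the alias from the inbound transport.
        HTTPInTransport inbound = (HTTPInTransport) context.getInboundMessageTransport();
        String alias = inbound.getParameterValue(IDP_ALIAS_PARAMETER);

        if (alias != null) {
            String entityId = aliasToEntityId.get(alias);
            // Only IDPs that are both allow-listed and present in metadata may be targeted;
            // everything else fails closed instead of falling through to the default IDP.
            if (entityId == null || !metadata.isIDPValid(entityId)) {
                throw new MetadataProviderException("Unknown or disallowed IDP alias: " + alias);
            }
            options.setIdp(entityId);
        }

        // Reached via an AuthenticationException (see commence): ask the IDP for a fresh login
        // rather than reusing an existing IDP session.
        if (exception != null) {
            options.setForceAuthN(true);
        }
        return options;
    }
}
```

Wire the subclass in place of the stock SAMLEntryPoint bean; because it calls super.getProfileOptions, a defaultOptions bean set through setDefaultProfileOptions still supplies binding, assertionConsumerIndex and the other defaults, and only the idp and forceAuthN fields are overridden per request.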

setDefaultProfileOptions

public void setDefaultProfileOptions(WebSSOProfileOptions defaultOptions)
Sets object which determines default values to be used as basis for construction during getProfileOptions call.

Parameters:
defaultOptions - default object to use for options construction

isDiscovery

protected boolean isDiscovery(SAMLMessageContext context)
Determines whether IDP Discovery should be initialized. By default no user-selected IDP must be present in the context, IDP Discovery must be enabled and the request mustn't be a response from IDP Discovery in order for the method to return true.

Parameters:
context - context
Returns:
true if IDP Discovery should get initialized

isECP

protected boolean isECP(SAMLMessageContext context)
Determines whether ECP profile should get initialized. By default ECP is used when the request declares support for ECP and ECP is allowed for the current service provider. In case ECP is enabled but webSSOprofileECP wasn't set, a warning is logged and ECP is not used.

Parameters:
context - context
Returns:
true if ECP profile should get initialized

setWebSSOprofile

@Autowired
@Qualifier(value="webSSOprofile")
public void setWebSSOprofile(WebSSOProfile webSSOprofile)
Profile for consumption of processed messages, cannot be null, must be set.

Parameters:
webSSOprofile - profile

setWebSSOprofileECP

@Autowired(required=false)
@Qualifier(value="ecpprofile")
public void setWebSSOprofileECP(WebSSOProfile webSSOprofileECP)

setWebSSOprofileHoK

@Autowired(required=false)
@Qualifier(value="hokWebSSOProfile")
public void setWebSSOprofileHoK(WebSSOProfile webSSOprofileHoK)

setSamlLogger

@Autowired
public void setSamlLogger(SAMLLogger samlLogger)
Logger for SAML events, cannot be null, must be set.

Parameters:
samlLogger - logger

setSamlDiscovery

@Autowired(required=false)
public void setSamlDiscovery(SAMLDiscovery samlDiscovery)
Dependency for loading of the discovery URL.

Parameters:
samlDiscovery - saml discovery endpoint

setContextProvider

@Autowired
public void setContextProvider(SAMLContextProvider contextProvider)
Sets entity responsible for populating local entity context data.

Parameters:
contextProvider - provider implementation

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)
Metadata manager, cannot be null, must be set.

Parameters:
metadata - manager

getFilterProcessesUrl

public String getFilterProcessesUrl()
Returns:
filter URL

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)
Custom filter URL which overrides the default. Filter url determines URL where filter starts processing.

Parameters:
filterProcessesUrl - filter URL

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Overrides:
afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean
Throws:
ServletException
