Spring Security SAML

org.springframework.security.saml.context
Class SAMLContextProviderImpl

java.lang.Object
  extended by org.springframework.security.saml.context.SAMLContextProviderImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, SAMLContextProvider
Direct Known Subclasses:
SAMLContextProviderLB

public class SAMLContextProviderImpl
extends Object
implements SAMLContextProvider, org.springframework.beans.factory.InitializingBean

Class is responsible for parsing the HttpRequest/Response and determining which local entity (IDP/SP) is responsible for its handling.

Author:
Vladimir Schaefer

Field Summary
protected  KeyManager keyManager
           
protected static org.slf4j.Logger logger
           
protected  MetadataManager metadata
           
protected  MetadataCredentialResolver metadataResolver
           
protected  PKIXInformationResolver pkixResolver
           
protected  SAMLMessageStorageFactory storageFactory
           
 
Constructor Summary
SAMLContextProviderImpl()
           
 
Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.
 SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response)
          Creates a SAMLContext with local entity and peer values filled.
 SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response)
          Creates a SAMLContext with local entity values filled.
protected  void populateDecrypter(SAMLMessageContext samlContext)
          Populates a decrypter based on settings in the extended metadata or using a default credential when no encryption credential is specified in the extended metadata.
protected  void populateGenericContext(HttpServletRequest request, HttpServletResponse response, SAMLMessageContext context)
           
protected  void populateLocalContext(SAMLMessageContext context)
           
protected  void populateLocalEntity(SAMLMessageContext samlContext)
          Method populates fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole.
protected  void populateLocalEntityId(SAMLMessageContext context, String requestURI)
          Method tries to load localEntityAlias and localEntityRole from the request path.
protected  void populatePeerContext(SAMLMessageContext samlContext)
          Populates additional information about the peer based on the previously loaded peerEntityId.
protected  void populatePeerEntityId(SAMLMessageContext context)
          First tries to find pre-configured IDP from the request attribute.
protected  void populatePeerSSLCredential(SAMLMessageContext samlContext)
          Tries to load peer SSL certificate from the inbound message transport using attribute "javax.servlet.request.X509Certificate".
protected  void populateSSLCredential(SAMLMessageContext samlContext)
          Populates X509 Credential used to authenticate this machine against peer servers.
protected  void populateSSLTrustEngine(SAMLMessageContext samlContext)
          Based on the settings in the extended metadata, either creates a PKIX trust engine with the trusted keys specified in the extended metadata as anchors or (by default) an explicit-key trust engine using data from the metadata or the values overridden in the ExtendedMetadata.
protected  void populateTrustEngine(SAMLMessageContext samlContext)
          Based on the settings in the extended metadata, either creates a PKIX trust engine with the trusted keys specified in the extended metadata as anchors or (by default) an explicit-key trust engine using data from the metadata or the values overridden in the ExtendedMetadata.
 void setKeyManager(KeyManager keyManager)
           
 void setMetadata(MetadataManager metadata)
           
 void setStorageFactory(SAMLMessageStorageFactory storageFactory)
          Implementation of the SAML message storage factory providing a custom mechanism for storage of SAML messages, such as the HTTP session, cookies or no storage at all.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.slf4j.Logger logger

keyManager

protected KeyManager keyManager

metadata

protected MetadataManager metadata

metadataResolver

protected MetadataCredentialResolver metadataResolver

pkixResolver

protected PKIXInformationResolver pkixResolver

storageFactory

protected SAMLMessageStorageFactory storageFactory

Constructor Detail

SAMLContextProviderImpl

public SAMLContextProviderImpl()

Method Detail

getLocalEntity

public SAMLMessageContext getLocalEntity(HttpServletRequest request,
                                         HttpServletResponse response)
                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Creates a SAMLContext with local entity values filled. The request and response must also be stored in the context as message transports.

Specified by:
getLocalEntity in interface SAMLContextProvider
Parameters:
request - request
response - response
Returns:
context
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

getLocalAndPeerEntity

public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request,
                                                HttpServletResponse response)
                                         throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Creates a SAMLContext with local entity and peer values filled. The request and response must also be stored in the context as message transports. Should be used when both the local entity and the peer entity can be determined from the request.

Specified by:
getLocalAndPeerEntity in interface SAMLContextProvider
Parameters:
request - request
response - response
Returns:
context
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

populatePeerEntityId

protected void populatePeerEntityId(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException
First tries to find a pre-configured IDP from the request attribute. If not found, loads the IDP_PARAMETER from the request and, if it is not null, verifies whether the IDP with this value is a valid IDP in our circle of trust. Processing fails when the IDP is not valid. The IDP is set as peerEntityId in the context.

If the request parameter is null the default IDP is returned.

Parameters:
context - context to populate ID for
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case provided IDP value is invalid
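The selection order described above (pre-configured request attribute, then the request parameter validated against the circle of trust, then the default IDP) is shown below as an added, self-contained example; it is not code from Spring Security SAML. `RequestView` stands in for the two `HttpServletRequest` lookups, `UntrustedIdpException` stands in for `MetadataProviderException`, the attribute name `example.preconfiguredIdp` is hypothetical, the parameter name `idp` is assumed to match the library's IDP_PARAMETER, and the metadata is a constructed set of entity IDs. One deliberate choice of this example, stricter than the description, is that the pre-configured value is validated too.

```java
import java.util.Map;
import java.util.Set;

/** Minimal stand-in for the two HttpServletRequest lookups this logic needs (constructed for the example). */
final class RequestView {
    private final Map<String, Object> attributes;
    private final Map<String, String> parameters;

    RequestView(Map<String, Object> attributes, Map<String, String> parameters) {
        this.attributes = attributes;
        this.parameters = parameters;
    }

    Object getAttribute(String name) { return attributes.get(name); }
    String getParameter(String name) { return parameters.get(name); }
}

/** Stands in for MetadataProviderException: raised when the IDP is outside the circle of trust. */
final class UntrustedIdpException extends Exception {
    UntrustedIdpException(String message) { super(message); }
}

public final class PeerIdpSelector {
    /** Hypothetical attribute name under which a filter may pre-configure the IDP for this request. */
    static final String PRECONFIGURED_IDP_ATTRIBUTE = "example.preconfiguredIdp";
    /** Request parameter carrying the caller's IDP choice; assumed to be "idp" like the library's IDP_PARAMETER. */
    static final String IDP_PARAMETER = "idp";

    private final Set<String> circleOfTrust; // entity IDs of the IDPs present in our metadata
    private final String defaultIdp;

    PeerIdpSelector(Set<String> circleOfTrust, String defaultIdp) {
        this.circleOfTrust = circleOfTrust;
        this.defaultIdp = defaultIdp;
    }

    /** Returns the peer entity ID to use, or throws if the IDP is not one we trust. */
    String select(RequestView request) throws UntrustedIdpException {
        // 1. A server-side pre-configured IDP takes precedence over anything the client sent.
        Object preconfigured = request.getAttribute(PRECONFIGURED_IDP_ATTRIBUTE);
        if (preconfigured instanceof String) {
            return requireTrusted((String) preconfigured, "pre-configured");
        }
        // 2. Otherwise the client may name an IDP; this is untrusted input and must be validated.
        String requested = request.getParameter(IDP_PARAMETER);
        if (requested == null) {
            // 3. No choice expressed: fall back to the default IDP.
            return defaultIdp;
        }
        return requireTrusted(requested, "requested");
    }

    private String requireTrusted(String entityId, String origin) throws UntrustedIdpException {
        if (!circleOfTrust.contains(entityId)) {
            // Fail closed: never send a login to an IDP that is absent from our metadata.
            throw new UntrustedIdpException(origin + " IDP is not in the circle of trust: " + entityId);
        }
        return entityId;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample metadata: two trusted IDPs, the first one being the default.
        Set<String> trusted = Set.of("https://idp-a.example.test/metadata", "https://idp-b.example.test/metadata");
        PeerIdpSelector selector = new PeerIdpSelector(trusted, "https://idp-a.example.test/metadata");

        Map<String, Object> noAttributes = Map.of();
        Map<String, Object> preconfigured = Map.of(PRECONFIGURED_IDP_ATTRIBUTE, "https://idp-a.example.test/metadata");

        // No parameter: default IDP.
        System.out.println(selector.select(new RequestView(noAttributes, Map.of())));
        // Parameter names a trusted IDP: accepted.
        System.out.println(selector.select(new RequestView(noAttributes, Map.of("idp", "https://idp-b.example.test/metadata"))));
        // Pre-configured attribute wins over the parameter.
        System.out.println(selector.select(new RequestView(preconfigured, Map.of("idp", "https://idp-b.example.test/metadata"))));
        // Parameter names an IDP outside the metadata: processing fails.
        try {
            selector.select(new RequestView(noAttributes, Map.of("idp", "https://unknown.example.test/metadata")));
        } catch (UntrustedIdpException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the `idp` parameter is client-controlled, the check against metadata is the control that keeps a login flow from being pointed at an entity the deployment never trusted; a rejected value is worth logging with the offending entity ID so unexpected values show up in monitoring.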

populatePeerContext

protected void populatePeerContext(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Populates additional information about the peer based on the previously loaded peerEntityId.

Parameters:
samlContext - to populate
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata problem is encountered

populateGenericContext

protected void populateGenericContext(HttpServletRequest request,
                                      HttpServletResponse response,
                                      SAMLMessageContext context)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalContext

protected void populateLocalContext(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalEntityId

protected void populateLocalEntityId(SAMLMessageContext context,
                                     String requestURI)
                              throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method tries to load localEntityAlias and localEntityRole from the request path. The path is expected to be in the format: http(s)://server:port/application/saml/filterName/alias/aliasName/idp|sp?query. In case the alias is missing from the path, defaults are used. Otherwise localEntityId and the sp or idp localEntityRole are entered into the context.

In case the alias entity id isn't found an exception is raised.

Parameters:
context - context to populate fields localEntityId and localEntityRole for
requestURI - context path to parse entityId and entityRole from
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case the entityId can't be populated
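The path parsing described above, as an added example that is not code from Spring Security SAML: the resolver looks for the `/alias/aliasName/idp|sp` segment, uses the default local SP when no alias is present, raises an exception when the alias is not registered in metadata, and otherwise returns the entity ID and role. `LocalEntity`, `UnknownAliasException` (standing in for `MetadataProviderException`) and the alias-to-entity-ID map are constructed for the example; treating any role token other than `idp` as `sp` is an assumption of this example.

```java
import java.util.Map;

/** Result of resolving the local entity from a request path (constructed type, not from the library). */
final class LocalEntity {
    final String entityId;
    final String role; // "SP" or "IDP"

    LocalEntity(String entityId, String role) {
        this.entityId = entityId;
        this.role = role;
    }

    @Override
    public String toString() { return entityId + " as " + role; }
}

/** Stands in for MetadataProviderException: the alias in the path is not known in our metadata. */
final class UnknownAliasException extends Exception {
    UnknownAliasException(String message) { super(message); }
}

public final class LocalEntityResolver {
    private static final String ALIAS_MARKER = "/alias/";

    private final Map<String, String> aliasToEntityId; // alias -> local entity ID, from metadata
    private final String defaultEntityId;              // the default local SP

    LocalEntityResolver(Map<String, String> aliasToEntityId, String defaultEntityId) {
        this.aliasToEntityId = aliasToEntityId;
        this.defaultEntityId = defaultEntityId;
    }

    /** Parses ".../saml/filterName/alias/aliasName/idp|sp?query" into the local entity and its role. */
    LocalEntity resolve(String requestUri) throws UnknownAliasException {
        // The alias and role live in the path; drop any query string first.
        String path = requestUri;
        int query = path.indexOf('?');
        if (query >= 0) {
            path = path.substring(0, query);
        }

        int at = path.indexOf(ALIAS_MARKER);
        if (at < 0) {
            // No alias in the path: the defaults apply (default SP, SP role).
            return new LocalEntity(defaultEntityId, "SP");
        }

        String[] parts = path.substring(at + ALIAS_MARKER.length()).split("/");
        String alias = parts[0];
        if (alias.isEmpty()) {
            throw new UnknownAliasException("empty alias in path " + requestUri);
        }
        String entityId = aliasToEntityId.get(alias);
        if (entityId == null) {
            // Fail closed: an unregistered alias must not silently fall back to the default entity.
            throw new UnknownAliasException("no local entity registered for alias '" + alias + "'");
        }
        // Role token follows the alias; only "idp" selects the IDP role (assumption of this example).
        String role = parts.length > 1 && "idp".equalsIgnoreCase(parts[1]) ? "IDP" : "SP";
        return new LocalEntity(entityId, role);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample metadata: two local aliases.
        Map<String, String> aliases = Map.of(
                "portal", "https://sp.example.test/saml/metadata",
                "ourIdp", "https://idp.example.test/saml/metadata");
        LocalEntityResolver resolver = new LocalEntityResolver(aliases, "https://sp.example.test/saml/metadata");

        System.out.println(resolver.resolve("/app/saml/SSO/alias/portal/sp?SAMLRequest=abc"));
        System.out.println(resolver.resolve("/app/saml/SSO/alias/ourIdp/idp"));
        System.out.println(resolver.resolve("/app/saml/SSO"));
        try {
            resolver.resolve("/app/saml/SSO/alias/unregistered/sp");
        } catch (UnknownAliasException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first three calls print the portal SP, the IDP entity, and the default SP respectively; the fourth is rejected, which matches the documented behaviour of raising an exception when the alias entity ID is not found.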

populateLocalEntity

protected void populateLocalEntity(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method populates the fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole. In case the fields localAlias, localEntityId, localEntityRole or peerEntityRole are already set they are used; otherwise the defaults (the default SP as the local entity, with IDP as the peer role) are used instead.

Parameters:
samlContext - context to populate
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case the metadata does not contain the expected entities or localAlias is specified but not found

populateSSLCredential

protected void populateSSLCredential(SAMLMessageContext samlContext)
Populates the X509 credential used to authenticate this machine against peer servers. Uses the key with the alias specified in the extended metadata under TlsKey; when not set, uses the default credential.

Parameters:
samlContext - context to populate

populatePeerSSLCredential

protected void populatePeerSSLCredential(SAMLMessageContext samlContext)
Tries to load the peer SSL certificate from the inbound message transport using the attribute "javax.servlet.request.X509Certificate". If found, sets peerSSLCredential in the context.

Parameters:
samlContext - context to populate

populateDecrypter

protected void populateDecrypter(SAMLMessageContext samlContext)
Populates a decrypter based on the settings in the extended metadata, or using the default credential when no encryption credential is specified in the extended metadata.

Parameters:
samlContext - context to populate decryptor for.

populateTrustEngine

protected void populateTrustEngine(SAMLMessageContext samlContext)
Based on the settings in the extended metadata, either creates a PKIX trust engine with the trusted keys specified in the extended metadata as anchors or (by default) an explicit-key trust engine using data from the metadata or the values overridden in the ExtendedMetadata.

Parameters:
samlContext - context to populate

populateSSLTrustEngine

protected void populateSSLTrustEngine(SAMLMessageContext samlContext)
Based on the settings in the extended metadata, either creates a PKIX trust engine with the trusted keys specified in the extended metadata as anchors or (by default) an explicit-key trust engine using data from the metadata or the values overridden in the ExtendedMetadata. This trust engine is used to verify SSL connections.

Parameters:
samlContext - context to populate

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)

setStorageFactory

@Autowired(required=false)
public void setStorageFactory(SAMLMessageStorageFactory storageFactory)
Implementation of the SAML message storage factory providing a custom mechanism for storage of SAML messages, such as the HTTP session, cookies or no storage at all.

Parameters:
storageFactory - storage factory

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
ServletException
