Spring Security SAML

org.springframework.security.saml.context
Class SAMLContextProviderImpl

java.lang.Object
  extended by org.springframework.security.saml.context.SAMLContextProviderImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, SAMLContextProvider
Direct Known Subclasses:
SAMLContextProviderLB

public class SAMLContextProviderImpl
extends Object
implements SAMLContextProvider, org.springframework.beans.factory.InitializingBean

Class is responsible for parsing HttpRequest/Response and determining which local entity (IDP/SP) is responsible for its handling.

Author:
Vladimir Schaefer

Field Summary
protected  KeyManager keyManager
           
protected static org.slf4j.Logger logger
           
protected  MetadataManager metadata
           
protected  org.opensaml.security.MetadataCredentialResolver metadataResolver
           
protected  org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver
           
protected  org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator
           
protected  SAMLMessageStorageFactory storageFactory
           
 
Constructor Summary
SAMLContextProviderImpl()
           
 
Method Summary
 void afterPropertiesSet()
          Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.
 SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response)
          Creates a SAMLContext with local entity and peer values filled.
 SAMLMessageContext getLocalEntity(HttpServletRequest request, HttpServletResponse response)
          Creates a SAMLContext with local entity values filled.
protected  void populateDecrypter(SAMLMessageContext samlContext)
          Populates a decrypter based on settings in the extended metadata or using a default credential when no encryption credential is specified in the extended metadata.
protected  void populateGenericContext(HttpServletRequest request, HttpServletResponse response, SAMLMessageContext context)
           
protected  void populateLocalContext(SAMLMessageContext context)
           
protected  void populateLocalEntity(SAMLMessageContext samlContext)
          Method populates fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole.
protected  void populateLocalEntityId(SAMLMessageContext context, String requestURI)
          Method tries to load localEntityAlias and localEntityRole from the request path.
protected  void populatePeerContext(SAMLMessageContext samlContext)
          Populates additional information about the peer based on the previously loaded peerEntityId.
protected  void populatePeerEntityId(SAMLMessageContext context)
          First tries to find pre-configured IDP from the request attribute.
protected  void populatePeerSSLCredential(SAMLMessageContext samlContext)
          Tries to load peer SSL certificate from the inbound message transport using attribute "javax.servlet.request.X509Certificate".
protected  void populateSSLCredential(SAMLMessageContext samlContext)
          Populates X509 Credential used to authenticate this machine against peer servers.
protected  void populateSSLHostnameVerifier(SAMLMessageContext samlContext)
          Populates hostname verifier using the value configured in the context provider.
protected  void populateSSLTrustEngine(SAMLMessageContext samlContext)
          Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.
protected  void populateTrustEngine(SAMLMessageContext samlContext)
          Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.
 void setKeyManager(KeyManager keyManager)
          Key manager provides information about the private certificate and trusted keys provided in addition to cryptographic material present in entity metadata documents.
 void setMetadata(MetadataManager metadata)
          Metadata manager provides information about all available IDP and SP entities.
 void setMetadataResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver)
          Sets resolver used to populate trusted credentials from XML and Extended metadata.
 void setPkixResolver(org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver)
          Sets resolver used to populate data for PKIX trust engine.
 void setPkixTrustEvaluator(org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator)
          Trust evaluator is responsible for verifying whether to trust certificate based on PKIX verification.
 void setStorageFactory(SAMLMessageStorageFactory storageFactory)
          Implementation of the SAML message storage factory providing custom mechanism for storage of SAML messages such as http session, cookies or no storage at all.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

logger

protected static final org.slf4j.Logger logger

keyManager

protected KeyManager keyManager

metadata

protected MetadataManager metadata

metadataResolver

protected org.opensaml.security.MetadataCredentialResolver metadataResolver

pkixResolver

protected org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver

pkixTrustEvaluator

protected org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator

storageFactory

protected SAMLMessageStorageFactory storageFactory
Constructor Detail

SAMLContextProviderImpl

public SAMLContextProviderImpl()
Method Detail

getLocalEntity

public SAMLMessageContext getLocalEntity(HttpServletRequest request,
                                         HttpServletResponse response)
                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Creates a SAMLContext with local entity values filled. Also request and response must be stored in the context as message transports.

Specified by:
getLocalEntity in interface SAMLContextProvider
Parameters:
request - request
response - response
Returns:
context
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

getLocalAndPeerEntity

public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request,
                                                HttpServletResponse response)
                                         throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Creates a SAMLContext with local entity and peer values filled. Also request and response must be stored in the context as message transports. Should be used when both local entity and peer entity can be determined from the request.

Specified by:
getLocalAndPeerEntity in interface SAMLContextProvider
Parameters:
request - request
response - response
Returns:
context
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

populatePeerEntityId

protected void populatePeerEntityId(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException
First tries to find a pre-configured IDP from the request attribute. If not found, loads the IDP_PARAMETER from the request and, if it is not null, verifies whether the IDP with this value is a valid IDP in our circle of trust. Processing fails when the IDP is not valid. The IDP is set as PeerEntityId in the context.

If request parameter is null the default IDP is returned.

Parameters:
context - context to populate ID for
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case provided IDP value is invalid
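The selection order described above, as an added example that is not code from Spring Security SAML. It runs without a servlet container by using small stand-ins for the request and for the metadata manager; the attribute name, the value of the IDP parameter, the exception type and all class names are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Spring Security SAML code): the peer IDP selection order
 * documented for populatePeerEntityId. Names and constant values are assumptions.
 */
public final class PeerIdpSelector {

    /** Stands in for MetadataProviderException: the requested IDP is not trusted. */
    public static final class UnknownIdpException extends Exception {
        UnknownIdpException(String msg) { super(msg); }
    }

    /** Stand-in for the parts of HttpServletRequest the selection logic reads. */
    public static final class RequestView {
        private final Map<String, String> attributes = new HashMap<>();
        private final Map<String, String> parameters = new HashMap<>();
        RequestView attribute(String k, String v) { attributes.put(k, v); return this; }
        RequestView parameter(String k, String v) { parameters.put(k, v); return this; }
        String getAttribute(String k) { return attributes.get(k); }
        String getParameter(String k) { return parameters.get(k); }
    }

    /** Stand-in for MetadataManager: the IDP entity IDs we trust and the configured default. */
    public static final class CircleOfTrust {
        private final Set<String> idps;
        private final String defaultIdp;
        CircleOfTrust(Set<String> idps, String defaultIdp) {
            if (!idps.contains(defaultIdp)) {
                throw new IllegalArgumentException("default IDP must be in the circle of trust");
            }
            this.idps = idps;
            this.defaultIdp = defaultIdp;
        }
        boolean isIdpValid(String entityId) { return idps.contains(entityId); }
        String getDefaultIdp() { return defaultIdp; }
    }

    /** Request attribute set by earlier server-side processing (name assumed). */
    public static final String PRECONFIGURED_IDP_ATTRIBUTE = "peerEntityId";
    /** Request parameter a user agent may send to pick an IDP (value assumed). */
    public static final String IDP_PARAMETER = "idp";

    public static String selectPeerEntityId(RequestView request, CircleOfTrust trust)
            throws UnknownIdpException {
        // 1. An IDP pre-configured by server-side code wins; it did not come from the client.
        String preconfigured = request.getAttribute(PRECONFIGURED_IDP_ATTRIBUTE);
        if (preconfigured != null) {
            return preconfigured;
        }
        // 2. A client-supplied parameter is only a lookup key: accept it solely when it
        //    names an IDP present in our metadata, otherwise fail closed (no fallback).
        String requested = request.getParameter(IDP_PARAMETER);
        if (requested != null) {
            if (!trust.isIdpValid(requested)) {
                throw new UnknownIdpException("IDP '" + requested + "' is not in the circle of trust");
            }
            return requested;
        }
        // 3. Nothing selected: use the configured default IDP.
        return trust.getDefaultIdp();
    }

    public static void main(String[] args) throws UnknownIdpException {
        // Constructed sample metadata and requests (placeholders, not real entities).
        CircleOfTrust trust = new CircleOfTrust(
                new HashSet<>(Arrays.asList("https://idp-a.example.test/metadata",
                                            "https://idp-b.example.test/metadata")),
                "https://idp-a.example.test/metadata");

        System.out.println(selectPeerEntityId(new RequestView(), trust)); // default IDP
        System.out.println(selectPeerEntityId(
                new RequestView().parameter(IDP_PARAMETER, "https://idp-b.example.test/metadata"), trust));
        try {
            selectPeerEntityId(
                    new RequestView().parameter(IDP_PARAMETER, "https://unknown.example.test/metadata"), trust);
        } catch (UnknownIdpException e) {
            System.out.println("rejected: " + e.getMessage()); // processing fails, no silent fallback
        }
    }
}
```

The point worth keeping when reading the real method is the asymmetry between the two sources: the request attribute is trusted because only server-side code can set it, while the request parameter is client-controlled and is therefore never used directly, only as a key that must resolve to an IDP already present in the metadata.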

populatePeerContext

protected void populatePeerContext(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Populates additional information about the peer based on the previously loaded peerEntityId.

Parameters:
samlContext - to populate
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata problem is encountered

populateGenericContext

protected void populateGenericContext(HttpServletRequest request,
                                      HttpServletResponse response,
                                      SAMLMessageContext context)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalContext

protected void populateLocalContext(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalEntityId

protected void populateLocalEntityId(SAMLMessageContext context,
                                     String requestURI)
                              throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method tries to load localEntityAlias and localEntityRole from the request path. Path is supposed to be in format: http(s)://server:port/application/saml/filterName/alias/aliasName/idp|sp?query. In case alias is missing from the path defaults are used. Otherwise localEntityId and the localEntityRole (sp or idp) are entered into the context.

In case alias entity id isn't found an exception is raised.

Parameters:
context - context to populate fields localEntityId and localEntityRole for
requestURI - context path to parse entityId and entityRole from
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case entityId can't be populated
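The path layout described above, parsed by an added example that is not code from Spring Security SAML. It stops at extracting the alias and role; resolving the alias to a local entity ID against the metadata (which, per the description, raises when the alias is unknown) is left to the caller. The class name, the `LocalEntity` holder and the treatment of unexpected trailing segments are assumptions of this illustration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not Spring Security SAML code): extracts the local entity alias
 * and role from a request URI in the documented layout
 *   http(s)://server:port/application/saml/filterName/alias/aliasName/idp|sp?query
 * Names are hypothetical.
 */
public final class LocalEntityPathParser {

    /** Result holder: a null alias means "use the configured default local entity". */
    public static final class LocalEntity {
        public final String alias;
        public final String role;
        LocalEntity(String alias, String role) { this.alias = alias; this.role = role; }
        @Override public String toString() { return "alias=" + alias + ", role=" + role; }
    }

    /** Path segment that introduces the alias in the documented layout. */
    private static final String ALIAS_MARKER = "alias";
    private static final List<String> ROLES = Arrays.asList("sp", "idp");

    /**
     * Drops scheme, host and query, splits the path on '/', takes the segment after
     * "alias" as the alias and an optional following segment as the role. Trailing
     * segments after the role are rejected so they cannot be silently ignored.
     */
    public static LocalEntity parse(String requestUri, String defaultRole) {
        String path = URI.create(requestUri).getPath();
        if (path == null) {
            path = "";
        }
        String[] segments = path.split("/");
        int marker = Arrays.asList(segments).indexOf(ALIAS_MARKER);
        if (marker < 0) {
            // No alias in the path: the caller falls back to the default local entity.
            return new LocalEntity(null, defaultRole);
        }
        if (marker + 1 >= segments.length || segments[marker + 1].isEmpty()) {
            throw new IllegalArgumentException("alias segment present but alias name missing");
        }
        String alias = segments[marker + 1];
        String role = defaultRole;
        if (marker + 2 < segments.length) {
            role = segments[marker + 2].toLowerCase(Locale.ROOT);
            if (!ROLES.contains(role)) {
                throw new IllegalArgumentException("unknown local entity role: " + role);
            }
            if (marker + 3 < segments.length) {
                throw new IllegalArgumentException("unexpected path segments after role");
            }
        }
        return new LocalEntity(alias, role);
    }

    public static void main(String[] args) {
        // Constructed sample URLs (placeholders, not real deployments).
        System.out.println(parse("https://sp.example.test:8443/app/saml/SSO/alias/mySp/idp?x=1", "sp"));
        System.out.println(parse("https://sp.example.test/app/saml/SSO", "sp"));
        try {
            parse("https://sp.example.test/app/saml/SSO/alias/mySp/admin", "sp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The alias comes from the request path and is therefore client-controlled; the parsed value is only a lookup key into the configured metadata, never something to be placed into the context as an entity ID on its own.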

populateLocalEntity

protected void populateLocalEntity(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method populates fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole. In case fields localAlias, localEntityId, localEntityRole or peerEntityRole are already set they are used; otherwise the defaults (the default SP as local entity and IDP as the peer role) are used instead.

Parameters:
samlContext - context to populate
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata do not contain expected entities or localAlias is specified but not found

populateSSLCredential

protected void populateSSLCredential(SAMLMessageContext samlContext)
Populates X509 Credential used to authenticate this machine against peer servers. Uses key with alias specified in extended metadata under TlsKey, when not set uses the default credential.

Parameters:
samlContext - context to populate

populateSSLHostnameVerifier

protected void populateSSLHostnameVerifier(SAMLMessageContext samlContext)
Populates hostname verifier using the value configured in the context provider.

Parameters:
samlContext - context to populate

populatePeerSSLCredential

protected void populatePeerSSLCredential(SAMLMessageContext samlContext)
Tries to load peer SSL certificate from the inbound message transport using attribute "javax.servlet.request.X509Certificate". If found sets peerSSLCredential in the context.

Parameters:
samlContext - context to populate

populateDecrypter

protected void populateDecrypter(SAMLMessageContext samlContext)
Populates a decrypter based on settings in the extended metadata or using a default credential when no encryption credential is specified in the extended metadata.

Parameters:
samlContext - context to populate decryptor for.

populateTrustEngine

protected void populateTrustEngine(SAMLMessageContext samlContext)
Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.

Parameters:
samlContext - context to populate

populateSSLTrustEngine

protected void populateSSLTrustEngine(SAMLMessageContext samlContext)
Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata. The trust engine is used to verify SSL connections.

Parameters:
samlContext - context to populate

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)
Metadata manager provides information about all available IDP and SP entities.

Parameters:
metadata - metadata manager

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)
Key manager provides information about the private certificate and trusted keys provided in addition to cryptographic material present in entity metadata documents.

Parameters:
keyManager - key manager

setPkixResolver

public void setPkixResolver(org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver)
Sets resolver used to populate data for PKIX trust engine. Trust anchors are internally cached. They get populated using configured MetadataResolver and enhanced with trustedKeys from the ExtendedMetadata. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.PKIXInformationResolver) loads trust anchors from both metadata and extended metadata of the peer entity. In case ExtendedMetadata doesn't define any trustedKeys (property trustedKeys is null which is the default), system will use all certificates available in the configured keyStore as trust anchors.

Parameters:
pkixResolver - pkix resolver
See Also:
PKIXInformationResolver

setPkixTrustEvaluator

public void setPkixTrustEvaluator(org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator)
Trust evaluator is responsible for verifying whether to trust certificate based on PKIX verification. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator) uses Java CertPath API to perform the verification. The default implementation can be constructed with an instance of org.opensaml.xml.security.x509.CertPathPKIXValidationOptions which further customizes the PKIX process, e.g. in regard to certificate expiration checking. It is also possible to customize the security provider to use for loading of the CertPath API factories.

Parameters:
pkixTrustEvaluator - pkix trust evaluator
See Also:
CertPathPKIXTrustEvaluator
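One way to supply a customized PKIX trust evaluator through this setter, as an added example rather than configuration from the project. It assumes Spring Java configuration is in use, that `CertPathPKIXTrustEvaluator` accepts a `CertPathPKIXValidationOptions` instance as described above, and that the options class exposes `setRevocationEnabled` and `setForceRevocationEnabled` (check these names against the OpenSAML version on your classpath). The `MetadataManager` and `KeyManager` dependencies are injected through the `@Autowired` setters listed on this page, and `afterPropertiesSet` verifies they are present. The PKIX engine is only used for peers whose extended metadata selects the PKIX profile; the property name that selects it is not on this page and is not assumed here.

```java
import org.opensaml.xml.security.x509.CertPathPKIXValidationOptions;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.context.SAMLContextProvider;
import org.springframework.security.saml.context.SAMLContextProviderImpl;
import org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator;

/**
 * Added example (not configuration shipped with Spring Security SAML): wires a
 * SAMLContextProviderImpl whose PKIX trust evaluator enforces revocation checking.
 * The options setter names are assumptions to verify against the OpenSAML in use.
 */
@Configuration
public class SamlTrustConfig {

    @Bean
    public SAMLContextProvider contextProvider() {
        // Tighten the PKIX process: require revocation data to be checked instead of
        // accepting a chain whose revocation status could not be established.
        CertPathPKIXValidationOptions options = new CertPathPKIXValidationOptions();
        options.setRevocationEnabled(true);       // assumed setter name
        options.setForceRevocationEnabled(true);  // assumed setter name

        // Default resolver (PKIXInformationResolver) and metadata resolver are kept;
        // only the evaluator that decides whether a built chain is trusted is replaced.
        SAMLContextProviderImpl provider = new SAMLContextProviderImpl();
        provider.setPkixTrustEvaluator(new CertPathPKIXTrustEvaluator(options));
        return provider;
    }
}
```

Leaving `setPkixResolver` and `setMetadataResolver` untouched keeps the documented behaviour for trust anchors: they come from peer metadata and the extended metadata `trustedKeys`, or from every certificate in the configured key store when `trustedKeys` is null, so a deployment that wants a narrower anchor set should populate `trustedKeys` rather than rely on that default.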

setMetadataResolver

public void setMetadataResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver)
Sets resolver used to populate trusted credentials from XML and Extended metadata. Metadata resolver is used as the only resolver for MetaIOP security profile. It is also used for loading of trusted anchors in the PKIX profile. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.MetadataCredentialResolver) populates trusted certificates from both peer metadata and peer extended metadata (properties signingKey, encryptionKey and tlsKey).

Parameters:
metadataResolver - metaiop resolver
See Also:
MetadataCredentialResolver

setStorageFactory

@Autowired(required=false)
public void setStorageFactory(SAMLMessageStorageFactory storageFactory)
Implementation of the SAML message storage factory providing custom mechanism for storage of SAML messages such as http session, cookies or no storage at all.

Parameters:
storageFactory - storage factory

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException
Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
ServletException
