Spring Security SAML

org.springframework.security.saml.metadata
Class ExtendedMetadataDelegate

java.lang.Object
  extended by org.springframework.security.saml.metadata.AbstractMetadataDelegate
      extended by org.springframework.security.saml.metadata.ExtendedMetadataDelegate
All Implemented Interfaces:
org.opensaml.saml2.metadata.provider.MetadataProvider, org.opensaml.saml2.metadata.provider.ObservableMetadataProvider, ExtendedMetadataProvider

public class ExtendedMetadataDelegate
extends AbstractMetadataDelegate
implements ExtendedMetadataProvider

Class enables delegation of normal entity metadata loading to the selected provider while enhancing data with extended metadata.


Nested Class Summary
 
Nested classes/interfaces inherited from interface org.opensaml.saml2.metadata.provider.ObservableMetadataProvider
org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer
 
Field Summary
protected  org.slf4j.Logger log
           
 
Constructor Summary
ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate)
          Uses provider for normal entity data, for each entity available in the delegate returns given defaults.
ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate, ExtendedMetadata defaultMetadata)
          Uses provider for normal entity data, for each entity available in the delegate returns given defaults.
ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate, ExtendedMetadata defaultMetadata, Map<String,ExtendedMetadata> extendedMetadataMap)
          Uses provider for normal entity data, tries to locate extended metadata by search in the map, in case it's not found uses the default.
ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate, Map<String,ExtendedMetadata> extendedMetadataMap)
          Uses provider for normal entity data, tries to locate extended metadata by search in the map.
 
Method Summary
 void destroy()
          Method destroys the metadata delegate.
 ExtendedMetadata getExtendedMetadata(String entityID)
          Tries to load extended metadata for the given entity.
 Set<String> getMetadataTrustedKeys()
          If set, returns the set of keys which can be used to verify whether the signature of the metadata is trusted.
 void initialize()
          Method performs initialization of the provider it delegates to.
 boolean isForceMetadataRevocationCheck()
           
 boolean isMetadataRequireSignature()
          Flag indicating whether metadata must be signed.
 boolean isMetadataTrustCheck()
           
protected  boolean isTrustFiltersInitialized()
           
 void setForceMetadataRevocationCheck(boolean forceMetadataRevocationCheck)
          Determines whether check for certificate revocation should always be done as part of the PKIX validation.
 void setMetadataRequireSignature(boolean metadataRequireSignature)
          When set to true metadata from this provider should only be accepted when correctly signed and verified.
 void setMetadataTrustCheck(boolean metadataTrustCheck)
           
 void setMetadataTrustedKeys(Set<String> metadataTrustedKeys)
          Set of aliases of keys present in the KeyManager which can be used to verify whether signature on metadata entity is trusted.
protected  void setTrustFiltersInitialized(boolean trustFiltersInitialized)
           
 String toString()
           
 
Methods inherited from class org.springframework.security.saml.metadata.AbstractMetadataDelegate
equals, getDelegate, getEntitiesDescriptor, getEntityDescriptor, getMetadata, getMetadataFilter, getObservers, getRole, getRole, hashCode, requireValidMetadata, setMetadataFilter, setRequireValidMetadata
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Field Detail

log

protected final org.slf4j.Logger log
Constructor Detail

ExtendedMetadataDelegate

public ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate)
Uses provider for normal entity data, for each entity available in the delegate returns given defaults.

Parameters:
delegate - delegate with available entities

ExtendedMetadataDelegate

public ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate,
                                ExtendedMetadata defaultMetadata)
Uses provider for normal entity data, for each entity available in the delegate returns given defaults.

Parameters:
delegate - delegate with available entities
defaultMetadata - default extended metadata, can be null

ExtendedMetadataDelegate

public ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate,
                                Map<String,ExtendedMetadata> extendedMetadataMap)
Uses provider for normal entity data, tries to locate extended metadata by search in the map.

Parameters:
delegate - delegate with available entities
extendedMetadataMap - map, can be null

ExtendedMetadataDelegate

public ExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider delegate,
                                ExtendedMetadata defaultMetadata,
                                Map<String,ExtendedMetadata> extendedMetadataMap)
Uses provider for normal entity data, tries to locate extended metadata by search in the map, in case it's not found uses the default.

Parameters:
delegate - delegate with available entities
defaultMetadata - default extended metadata, can be null
extendedMetadataMap - map, can be null
Method Detail

getExtendedMetadata

public ExtendedMetadata getExtendedMetadata(String entityID)
                                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Tries to load extended metadata for the given entity. The following algorithm is used:
  1. Verifies that the entityId can be located using the delegate (in other words, makes sure we don't return extended metadata for entities we don't have the basic metadata for).
  2. In case extended metadata is available and contains a value for the entityId, it is returned.
  3. Returns the default metadata otherwise.

Specified by:
getExtendedMetadata in interface ExtendedMetadataProvider
Parameters:
entityID - entity to load metadata for
Returns:
extended metadata, or null when the entity is not present in the delegate, or when it is present but has no entry in the map and no default is given
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error

initialize

public void initialize()
                throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method performs initialization of the provider it delegates to.

Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case initialization fails

destroy

public void destroy()
Method destroys the metadata delegate.


getMetadataTrustedKeys

public Set<String> getMetadataTrustedKeys()
If set, returns the set of keys which can be used to verify whether the signature of the metadata is trusted. When not set, any of the keys in the configured KeyManager can be used to verify trust.

By default the value is null.

Returns:
trusted keys or null

setMetadataTrustedKeys

public void setMetadataTrustedKeys(Set<String> metadataTrustedKeys)
Set of aliases of keys present in the KeyManager which can be used to verify whether the signature on a metadata entity is trusted. When set to null, any key of the KeyManager can be used to verify trust.

Parameters:
metadataTrustedKeys - keys or null

isMetadataRequireSignature

public boolean isMetadataRequireSignature()
Flag indicating whether metadata must be signed.

By default signature is not required.

Returns:
signature flag

setMetadataRequireSignature

public void setMetadataRequireSignature(boolean metadataRequireSignature)
When set to true, metadata from this provider should only be accepted when correctly signed and verified. Metadata with an invalid signature or signed by a not-trusted credential will be ignored.

Parameters:
metadataRequireSignature - flag to set

isMetadataTrustCheck

public boolean isMetadataTrustCheck()

setMetadataTrustCheck

public void setMetadataTrustCheck(boolean metadataTrustCheck)

isForceMetadataRevocationCheck

public boolean isForceMetadataRevocationCheck()

setForceMetadataRevocationCheck

public void setForceMetadataRevocationCheck(boolean forceMetadataRevocationCheck)
Determines whether a check for certificate revocation should always be done as part of the PKIX validation. Revocation is evaluated by the underlying JCE implementation and, depending on configuration, may include CRL and OCSP verification of the certificate in question.

When set to false, revocation is only performed when the MetadataManager includes CRLs.

Parameters:
forceMetadataRevocationCheck - revocation flag
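The following is an added example, not code from the Spring Security SAML project, showing how the constructor, trust settings and getExtendedMetadata lookup described on this page fit together for a remote IDP. It assumes an already-configured OpenSAML MetadataProvider is supplied by the application (for instance a FilesystemMetadataProvider wired with its parser pool), and the KeyManager alias names and entity IDs in the usage comments are placeholders.

```java
import java.util.Map;
import java.util.Set;

import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

/**
 * Wraps an already-configured MetadataProvider in an ExtendedMetadataDelegate
 * that only accepts signed metadata verified against a restricted key set.
 */
public final class TrustedMetadataDelegateFactory {

    private TrustedMetadataDelegateFactory() {
    }

    /**
     * @param delegate          provider holding the basic entity metadata (assumed configured)
     * @param trustedKeyAliases KeyManager aliases allowed to sign the metadata,
     *                          e.g. a placeholder set like {"idp-metadata-signer"};
     *                          null would allow every key in the KeyManager
     * @param perEntity         explicit extended metadata keyed by entityID, may be null
     */
    public static ExtendedMetadataDelegate build(MetadataProvider delegate,
                                                 Set<String> trustedKeyAliases,
                                                 Map<String, ExtendedMetadata> perEntity) {
        // Default returned for every entity in the delegate that has no map entry.
        ExtendedMetadata defaults = new ExtendedMetadata();
        defaults.setLocal(false);                       // remote IDP, not our own SP
        defaults.setSecurityProfile("pkix");            // validate signatures through PKIX
        defaults.setSslHostnameVerification("strict");

        ExtendedMetadataDelegate result =
                new ExtendedMetadataDelegate(delegate, defaults, perEntity);
        result.setMetadataTrustCheck(true);             // run the trust filters at all
        result.setMetadataRequireSignature(true);       // unsigned or untrusted metadata is ignored
        result.setMetadataTrustedKeys(trustedKeyAliases);
        result.setForceMetadataRevocationCheck(true);   // CRL/OCSP via JCE even without CRLs in MetadataManager
        return result;
    }

    /**
     * Resolves extended metadata and turns the documented null result (entity not
     * in the delegate, or no map entry and no default) into an explicit failure,
     * so callers never proceed with an IDP they have no configuration for.
     */
    public static ExtendedMetadata requireExtendedMetadata(ExtendedMetadataDelegate delegate,
                                                           String entityId)
            throws MetadataProviderException {
        ExtendedMetadata metadata = delegate.getExtendedMetadata(entityId);
        if (metadata == null) {
            throw new MetadataProviderException("No extended metadata for entity " + entityId);
        }
        return metadata;
    }
}
```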

isTrustFiltersInitialized

protected boolean isTrustFiltersInitialized()

setTrustFiltersInitialized

protected void setTrustFiltersInitialized(boolean trustFiltersInitialized)

toString

public String toString()
Overrides:
toString in class Object
