Spring Security SAML

org.springframework.security.saml.metadata
Class MetadataManager

java.lang.Object
  extended by org.opensaml.saml2.metadata.provider.BaseMetadataProvider
      extended by org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
          extended by org.springframework.security.saml.metadata.MetadataManager
All Implemented Interfaces:
org.opensaml.saml2.metadata.provider.MetadataProvider, org.opensaml.saml2.metadata.provider.ObservableMetadataProvider, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, ExtendedMetadataProvider
Direct Known Subclasses:
CachingMetadataManager

public class MetadataManager
extends org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
implements ExtendedMetadataProvider, org.springframework.beans.factory.InitializingBean, org.springframework.beans.factory.DisposableBean

Class offers extra services on top of the underlying chaining MetadataProviders. Manager keeps track of all available identity and service providers configured inside the chained metadata providers. Exactly one service provider can be determined as hosted.

The class is synchronized using an internal ReentrantReadWriteLock.

All metadata providers are kept in two groups: available providers, which contain all the ones users have registered, and active providers, which are those that passed validation. The list of active providers is updated during each refresh.

Author:
Vladimir Schaefer

Nested Class Summary
 
Nested classes/interfaces inherited from interface org.opensaml.saml2.metadata.provider.ObservableMetadataProvider
org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer
 
Field Summary
protected  KeyManager keyManager
           
protected  org.slf4j.Logger log
           
 
Fields inherited from class org.opensaml.saml2.metadata.provider.BaseMetadataProvider
unmarshallerFactory
 
Constructor Summary
MetadataManager(List<org.opensaml.saml2.metadata.provider.MetadataProvider> providers)
          Creates new metadata manager, automatically registers itself for notifications from metadata changes and calls reload upon a change.
 
Method Summary
 void addMetadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider newProvider)
          Adds a new metadata provider to the managed list.
 void afterPropertiesSet()
          Method must be called after provider construction.
 void destroy()
          Stops and removes the timer in case it was started.
 List<ExtendedMetadataDelegate> getAvailableProviders()
          Method provides list of all available providers.
 ExtendedMetadata getDefaultExtendedMetadata()
           
 String getDefaultIDP()
          Returns entity ID of the IDP to be used by default.
 org.opensaml.saml2.metadata.EntityDescriptor getEntityDescriptor(byte[] hash)
          Locates entity descriptor whose entityId SHA-1 hash equals the one in the parameter.
 String getEntityIdForAlias(String entityAlias)
          Tries to load entityId for entity with the given alias.
 ExtendedMetadata getExtendedMetadata(String entityID)
          Tries to locate ExtendedMetadata by trying one provider after another.
 String getHostedSPName()
          The method returns name of SP running this application.
 Set<String> getIDPEntityNames()
          Returns set of names of all IDPs available in the metadata
protected  org.opensaml.xml.security.x509.PKIXValidationInformationResolver getPKIXResolver(org.opensaml.saml2.metadata.provider.MetadataProvider provider, Set<String> trustedKeys, Set<String> trustedNames)
          Method is expected to construct information resolver with all trusted data available for the given provider.
 List<org.opensaml.saml2.metadata.provider.MetadataProvider> getProviders()
          Method provides list of active providers - those which are valid and can be queried for metadata.
 Set<String> getSPEntityNames()
          Returns set of entity names of all SPs available in the metadata
protected  org.opensaml.xml.signature.SignatureTrustEngine getTrustEngine(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
          Method is expected to create a trust engine used to verify signatures from this provider.
protected  void initializeProvider(ExtendedMetadataDelegate provider)
          Method is expected to make sure that the provider is properly initialized.
protected  void initializeProviderData(ExtendedMetadataDelegate provider)
          Method populates local storage of IDP and SP names and verifies any name conflicts which might arise.
protected  void initializeProviderFilters(ExtendedMetadataDelegate provider)
          Method is automatically called during each attempt to initialize the provider data.
 boolean isIDPValid(String idpID)
           
 boolean isRefreshRequired()
          Flag indicating whether configuration of the metadata should be reloaded.
 boolean isSPValid(String spID)
           
protected  List<String> parseProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
          Parses the provider and returns set of entityIDs contained inside the provider.
 void refreshMetadata()
          Method can be repeatedly called to browse all configured providers and load SP and IDP names which are supported by them.
 void removeMetadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
          Removes existing metadata provider from the availability list.
 void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata)
          Sets default extended metadata to be used in case no entity-specific version is available.
 void setDefaultIDP(String defaultIDP)
          Sets name of IDP to be used as default.
 void setHostedSPName(String hostedSPName)
          Sets nameID of SP hosted on this machine.
 void setKeyManager(KeyManager keyManager)
           
 void setProviders(List<org.opensaml.saml2.metadata.provider.MetadataProvider> newProviders)
           
 void setRefreshCheckInterval(long refreshCheckInterval)
          Interval in milliseconds used for re-verification of metadata and their reload.
 void setRefreshRequired(boolean refreshRequired)
          Indicates that the metadata should be reloaded as the provider configuration has changed.
 
Methods inherited from class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
doAddMetadataProvider, emitChangeEvent, getEntitiesDescriptor, getEntityDescriptor, getMetadata, getMetadataFilter, getObservers, getRole, getRole, setMetadataFilter, setRequireValidMetadata
 
Methods inherited from class org.opensaml.saml2.metadata.provider.BaseMetadataProvider
requireValidMetadata
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface org.opensaml.saml2.metadata.provider.MetadataProvider
requireValidMetadata
 

Field Detail

log

protected final org.slf4j.Logger log

keyManager

protected KeyManager keyManager
Constructor Detail

MetadataManager

public MetadataManager(List<org.opensaml.saml2.metadata.provider.MetadataProvider> providers)
                throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Creates new metadata manager, automatically registers itself for notifications from metadata changes and calls reload upon a change. Also registers timer which verifies whether metadata needs to be reloaded in a specified time interval.

It is mandatory that method afterPropertiesSet is called after the construction.

Parameters:
providers - providers to include, mustn't be null or empty
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error during initialization
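The following is an added example (not code from the Spring Security SAML project or its documentation) showing the construction sequence this Javadoc prescribes: build the providers, hand them to the constructor, set the hosted SP, default IdP and refresh interval, and only then call afterPropertiesSet. It also shows the difference between the available and active provider lists after addMetadataProvider and refreshMetadata. File paths, key store aliases, passwords and entity IDs are placeholders. FilesystemMetadataProvider, StaticBasicParserPool and DefaultBootstrap are OpenSAML 2 classes; JKSKeyManager, ExtendedMetadata and the ExtendedMetadataDelegate setters (setMetadataRequireSignature, setMetadataTrustCheck, setMetadataTrustedKeys) are assumed to have the signatures used here.

```java
import java.io.File;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;
import org.springframework.security.saml.metadata.MetadataManager;

public class MetadataManagerWiring {

    // Builds a MetadataManager programmatically, outside Spring XML configuration.
    // All paths, aliases, passwords and entity IDs are placeholders (hypothetical).
    public static MetadataManager build() throws Exception {
        // OpenSAML must be bootstrapped once per JVM before any provider parses XML.
        DefaultBootstrap.bootstrap();

        StaticBasicParserPool parserPool = new StaticBasicParserPool();
        parserPool.initialize();

        // Key store holding the SP's own key pair and the certificate that signs the IdP metadata.
        KeyManager keyManager = new JKSKeyManager(
                new FileSystemResource("/path/to/samlKeystore.jks"),  // placeholder path
                "storepass",                                           // placeholder store password
                Collections.singletonMap("sp-key", "keypass"),         // placeholder key alias/password
                "sp-key");

        // IdP metadata read from a local file. The manager would wrap a bare provider in an
        // ExtendedMetadataDelegate itself; wrapping it explicitly lets us require a signature
        // and restrict which keys may have produced it (consumed by getTrustEngine/getPKIXResolver).
        FilesystemMetadataProvider idpProvider =
                new FilesystemMetadataProvider(new File("/path/to/idp-metadata.xml")); // placeholder path
        idpProvider.setParserPool(parserPool);

        ExtendedMetadata idpExtended = new ExtendedMetadata();
        idpExtended.setAlias("example-idp"); // resolvable later through getEntityIdForAlias

        ExtendedMetadataDelegate idpDelegate = new ExtendedMetadataDelegate(idpProvider, idpExtended);
        idpDelegate.setMetadataRequireSignature(true); // unsigned metadata fails the SignatureValidationFilter
        idpDelegate.setMetadataTrustCheck(true);       // signature must verify against a trusted key
        Set<String> trustedKeys = new HashSet<String>();
        trustedKeys.add("idp-metadata-signer");        // placeholder alias in the key store
        idpDelegate.setMetadataTrustedKeys(trustedKeys);

        List<MetadataProvider> providers = Arrays.<MetadataProvider>asList(idpDelegate);
        MetadataManager manager = new MetadataManager(providers);
        manager.setKeyManager(keyManager);
        manager.setHostedSPName("https://sp.example.org/saml/metadata"); // placeholder entity ID
        manager.setDefaultIDP("https://idp.example.org/idp");            // placeholder entity ID
        manager.setRefreshCheckInterval(60000L); // only honoured if set before afterPropertiesSet

        // Mandatory: creates the refresh timer and performs the first refresh.
        manager.afterPropertiesSet();
        return manager;
    }

    // Registers one more provider at runtime. It is "available" immediately but only
    // becomes "active" (returned by getProviders) once a refresh validates it; a provider
    // that fails validation stays in the available list and is skipped for that refresh.
    public static void addAndRefresh(MetadataManager manager, MetadataProvider extra) throws Exception {
        manager.addMetadataProvider(extra);
        int available = manager.getAvailableProviders().size();
        int activeBefore = manager.getProviders().size();
        manager.refreshMetadata();
        int activeAfter = manager.getProviders().size();
        System.out.println("available=" + available
                + " active(before)=" + activeBefore + " active(after)=" + activeAfter);
    }
}
```

In a Spring context the same wiring is done by declaring the manager as a bean, in which case the container calls afterPropertiesSet and destroy for you; the ordering constraint on setRefreshCheckInterval still applies.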
Method Detail

afterPropertiesSet

public final void afterPropertiesSet()
                              throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method must be called after provider construction. It creates the refresh timer and refreshes the metadata for the first time.

Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error

destroy

public void destroy()
Stops and removes the timer in case it was started. Cleans all metadata objects.

Specified by:
destroy in interface org.springframework.beans.factory.DisposableBean
Overrides:
destroy in class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider

setProviders

public void setProviders(List<org.opensaml.saml2.metadata.provider.MetadataProvider> newProviders)
                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Overrides:
setProviders in class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException

refreshMetadata

public void refreshMetadata()
Method can be repeatedly called to browse all configured providers and load SP and IDP names which are supported by them. Providers which fail during initialization are ignored for this refresh.


addMetadataProvider

public void addMetadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider newProvider)
                         throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Adds a new metadata provider to the managed list. At first the provider is only registered; it will be validated upon the next round of metadata refreshing or a call to refreshMetadata.

Unless the provider already extends class ExtendedMetadataDelegate, it will be automatically wrapped in it as part of the addition.

Overrides:
addMetadataProvider in class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
Parameters:
newProvider - provider
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case provider can't be added

removeMetadataProvider

public void removeMetadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
Removes existing metadata provider from the availability list. Provider will be completely removed during next manager refresh.

Overrides:
removeMetadataProvider in class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
Parameters:
provider - provider to remove

getProviders

public List<org.opensaml.saml2.metadata.provider.MetadataProvider> getProviders()
Method provides list of active providers - those which are valid and can be queried for metadata. Returned value is a copy.

Overrides:
getProviders in class org.opensaml.saml2.metadata.provider.ChainingMetadataProvider
Returns:
active providers

getAvailableProviders

public List<ExtendedMetadataDelegate> getAvailableProviders()
Method provides list of all available providers. Not all of these providers may be used in case their validation failed. Returned value is a copy of the data.

Returns:
all available providers

initializeProvider

protected void initializeProvider(ExtendedMetadataDelegate provider)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method is expected to make sure that the provider is properly initialized. Also all loaded filters should get applied.

Parameters:
provider - provider to initialize
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error

initializeProviderData

protected void initializeProviderData(ExtendedMetadataDelegate provider)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method populates local storage of IDP and SP names and verifies any name conflicts which might arise.

Parameters:
provider - provider to initialize
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error

initializeProviderFilters

protected void initializeProviderFilters(ExtendedMetadataDelegate provider)
                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Method is automatically called during each attempt to initialize the provider data. It expects to load all filters required for metadata verification. It must also be ensured that metadata provider is ready to be used after call to this method.

Each provider must extend AbstractMetadataProvider or be of ExtendedMetadataDelegate type.

By default a SignatureValidationFilter is added together with any existing filters.

Parameters:
provider - provider to check
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case initialization fails

getTrustEngine

protected org.opensaml.xml.signature.SignatureTrustEngine getTrustEngine(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
Method is expected to create a trust engine used to verify signatures from this provider.

Parameters:
provider - provider to create engine for
Returns:
trust engine or null to skip trust verification

getPKIXResolver

protected org.opensaml.xml.security.x509.PKIXValidationInformationResolver getPKIXResolver(org.opensaml.saml2.metadata.provider.MetadataProvider provider,
                                                                                           Set<String> trustedKeys,
                                                                                           Set<String> trustedNames)
Method is expected to construct information resolver with all trusted data available for the given provider.

Parameters:
provider - provider
trustedKeys - trusted keys for the providers
trustedNames - trusted names for the providers (always null)
Returns:
information resolver

parseProvider

protected List<String> parseProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider)
                              throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Parses the provider and returns set of entityIDs contained inside the provider.

Parameters:
provider - provider to parse
Returns:
set of entityIDs available in the provider
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - error

getIDPEntityNames

public Set<String> getIDPEntityNames()
Returns set of names of all IDPs available in the metadata

Returns:
set of entityID names

getSPEntityNames

public Set<String> getSPEntityNames()
Returns set of entity names of all SPs available in the metadata

Returns:
set of SP entity names available in the metadata

isIDPValid

public boolean isIDPValid(String idpID)
Parameters:
idpID - name of IDP to check
Returns:
true if IDP entity ID is in the circle of trust with our entity

isSPValid

public boolean isSPValid(String spID)
Parameters:
spID - entity ID of SP to check
Returns:
true if given SP entity ID is valid in circle of trust
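Added example (not part of the project's code) showing how a caller should use isIDPValid, getEntityIdForAlias and getDefaultIDP together when an IdP identifier arrives from outside the application, for instance as a request parameter: the value is accepted only if it resolves to an entity that the manager currently lists as an IdP in the circle of trust. The method name resolveIdp and the behaviour of falling back to the default IdP on an empty input are this example's own choices.

```java
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.springframework.security.saml.metadata.MetadataManager;

public final class IdpSelection {

    private IdpSelection() {
    }

    // Resolves a requested IdP given either as an entity ID or as an alias
    // and refuses anything that is not an active IdP in the manager's metadata.
    public static String resolveIdp(MetadataManager manager, String requested)
            throws MetadataProviderException {
        if (requested == null || requested.isEmpty()) {
            // Configured default, or the first available IdP when none is configured.
            return manager.getDefaultIDP();
        }
        String entityId = requested;
        if (!manager.isIDPValid(entityId)) {
            // Not a known IdP entity ID; perhaps the request carried an alias.
            // Throws MetadataProviderException if two entities share the alias.
            entityId = manager.getEntityIdForAlias(requested);
        }
        // An alias may also resolve to an SP, so re-check the role before trusting it.
        if (entityId == null || !manager.isIDPValid(entityId)) {
            throw new MetadataProviderException(
                    "Requested IdP is not in the circle of trust: " + requested);
        }
        return entityId;
    }
}
```

Rejecting unknown identifiers here, rather than passing them on to message construction, keeps authentication requests bound to the IdPs whose metadata passed the manager's validation.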

getHostedSPName

public String getHostedSPName()
The method returns the name of the SP running this application. This name is either set from the Spring context or automatically by invocation of the metadata generation filter.

Returns:
name of hosted SP metadata which can be returned by call to getEntityDescriptor.

setHostedSPName

public void setHostedSPName(String hostedSPName)
Sets nameID of the SP hosted on this machine. This can either be called from the Spring context or automatically during invocation of the metadata generation filter.

Parameters:
hostedSPName - name of metadata describing SP hosted on this machine

getDefaultIDP

public String getDefaultIDP()
                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns entity ID of the IDP to be used by default. In case the defaultIDP property has been set it is returned. Otherwise first available IDP in IDP list is used.

Returns:
entity ID of IDP to use
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case IDP can't be determined

setDefaultIDP

public void setDefaultIDP(String defaultIDP)
Sets name of IDP to be used as default.

Parameters:
defaultIDP - IDP to set as default

getExtendedMetadata

public ExtendedMetadata getExtendedMetadata(String entityID)
                                     throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Tries to locate ExtendedMetadata by trying one provider after another. Only providers implementing ExtendedMetadataProvider are considered.

In case none of the providers can supply the extended version, the default is used.

A copy of the internal representation is always returned, modifying the returned object will not be reflected in the subsequent calls.

Specified by:
getExtendedMetadata in interface ExtendedMetadataProvider
Parameters:
entityID - entity ID to load extended metadata for
Returns:
extended metadata or defaults
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - never thrown

getEntityDescriptor

public org.opensaml.saml2.metadata.EntityDescriptor getEntityDescriptor(byte[] hash)
                                                                 throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Locates entity descriptor whose entityId SHA-1 hash equals the one in the parameter.

Parameters:
hash - hash of the entity descriptor
Returns:
found descriptor or null
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata required for processing can't be loaded

getEntityIdForAlias

public String getEntityIdForAlias(String entityAlias)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Tries to load entityId for entity with the given alias. Fails in case two entities with the same alias are configured in the system.

Parameters:
entityAlias - alias to locate id for
Returns:
entity id for the given alias or null if none exists
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case two entities have the same non-null alias

getDefaultExtendedMetadata

public ExtendedMetadata getDefaultExtendedMetadata()
Returns:
default extended metadata to be used in case no entity specific version exists, never null

setDefaultExtendedMetadata

public void setDefaultExtendedMetadata(ExtendedMetadata defaultExtendedMetadata)
Sets default extended metadata to be used in case no entity-specific version is available.

Parameters:
defaultExtendedMetadata - metadata; a RuntimeException is thrown when null

isRefreshRequired

public boolean isRefreshRequired()
Flag indicating whether configuration of the metadata should be reloaded.

Returns:
true if reload is required

setRefreshRequired

public void setRefreshRequired(boolean refreshRequired)
Indicates that the metadata should be reloaded as the provider configuration has changed. Uses a separate locking mechanism to allow setting metadata refresh flag without interrupting existing readers.

Parameters:
refreshRequired - true if refresh is required

setRefreshCheckInterval

public void setRefreshCheckInterval(long refreshCheckInterval)
Interval in milliseconds used for re-verification of metadata and their reload. Upon trigger each provider is asked to return its metadata, which might trigger their reloading. In case metadata is reloaded the manager is notified and automatically refreshes all internal data by calling refreshMetadata.

In case the value is smaller than zero the timer is not created. The default value is 10000l.

The value can only be modified before the call to afterPropertiesSet; changes are not applied after that.

Parameters:
refreshCheckInterval - interval in milliseconds, timer not created if <= 2000

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)
