Spring Security SAML

org.springframework.security.saml.processor
Class SAMLProcessorImpl

java.lang.Object
  extended by org.springframework.security.saml.processor.SAMLProcessorImpl
All Implemented Interfaces:
SAMLProcessor

public class SAMLProcessorImpl
extends Object
implements SAMLProcessor

The processor parses a SAML message from an HttpServletRequest and populates the SAMLMessageContext for further validation.

Author:
Vladimir Schäfer

Field Summary
protected  Collection<SAMLBinding> bindings
          Bindings supported by this processor.
 
Constructor Summary
SAMLProcessorImpl(Collection<SAMLBinding> bindings)
          Creates a processor supporting multiple bindings.
SAMLProcessorImpl(SAMLBinding binding)
          Creates a processor supporting a single binding.
 
Method Summary
protected  SAMLBinding getBinding(org.opensaml.saml2.metadata.Endpoint endpoint)
          Determines binding to be used for the given endpoint.
protected  SAMLBinding getBinding(org.opensaml.ws.transport.InTransport transport)
          Analyzes the transport object and returns the first binding capable of sending a SAML message to it or extracting one from it.
protected  SAMLBinding getBinding(String bindingName)
          Finds binding with the given name.
protected  void populateSecurityPolicy(SAMLMessageContext samlContext, SAMLBinding binding)
          Populates security policy to use for the incoming message and sets it in the samlContext as securityPolicyResolver.
 SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext)
          Loads incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it.
 SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext, SAMLBinding binding)
          Loads incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it.
 SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext, String binding)
          Loads incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it.
 SAMLMessageContext sendMessage(SAMLMessageContext samlContext, boolean sign)
          Sends the SAML message contained in the context to the specified peerEntityEndpoint.
protected  SAMLMessageContext sendMessage(SAMLMessageContext samlContext, boolean sign, SAMLBinding binding)
          Sends SAML message using the given binding.
 SAMLMessageContext sendMessage(SAMLMessageContext samlContext, boolean sign, String bindingName)
           
protected  void verifyContext(SAMLMessageContext samlContext)
          Verifies that context contains all the required information related to the local entity.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

bindings

protected Collection<SAMLBinding> bindings
Bindings supported by this processor.

Constructor Detail

SAMLProcessorImpl

public SAMLProcessorImpl(SAMLBinding binding)
Creates a processor supporting a single binding.

Parameters:
binding - binding

SAMLProcessorImpl

public SAMLProcessorImpl(Collection<SAMLBinding> bindings)
Creates a processor supporting multiple bindings.

Parameters:
bindings - bindings

Method Detail

retrieveMessage

public SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext,
                                          SAMLBinding binding)
                                   throws org.opensaml.common.SAMLException,
                                          org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                          org.opensaml.ws.message.decoder.MessageDecodingException,
                                          org.opensaml.xml.security.SecurityException
Loads the incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it. The context is expected to contain inboundMessageTransport and outboundMessageTransport. If localEntityId, localEntityRole or peerEntityRole is set it is used; otherwise the default SP is loaded as the local entity and an IDP is presumed as the peer.

Parameters:
samlContext - context
binding - to use for message extraction
Returns:
SAML message context with filled information about the message
Throws:
org.opensaml.common.SAMLException - error retrieving the message from the request
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata
org.opensaml.ws.message.decoder.MessageDecodingException - error decoding the message
org.opensaml.xml.security.SecurityException - error verifying message

populateSecurityPolicy

protected void populateSecurityPolicy(SAMLMessageContext samlContext,
                                      SAMLBinding binding)
Populates the security policy to use for the incoming message and sets it in the samlContext as securityPolicyResolver. The SecurityPolicy is obtained from the getSecurityPolicy method of the binding used to receive the message.

Parameters:
samlContext - saml context to set the policy to
binding - binding used to retrieve the message

retrieveMessage

public SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext,
                                          String binding)
                                   throws org.opensaml.common.SAMLException,
                                          org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                          org.opensaml.ws.message.decoder.MessageDecodingException,
                                          org.opensaml.xml.security.SecurityException
Loads incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it.

Specified by:
retrieveMessage in interface SAMLProcessor
Parameters:
samlContext - saml context
binding - to use for message extraction
Returns:
SAML message context with filled information about the message
Throws:
org.opensaml.common.SAMLException - error retrieving the message from the request
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata
org.opensaml.ws.message.decoder.MessageDecodingException - error decoding the message
org.opensaml.xml.security.SecurityException - error verifying message

retrieveMessage

public SAMLMessageContext retrieveMessage(SAMLMessageContext samlContext)
                                   throws org.opensaml.common.SAMLException,
                                          org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                          org.opensaml.ws.message.decoder.MessageDecodingException,
                                          org.opensaml.xml.security.SecurityException
Loads incoming SAML message using one of the configured bindings and populates the SAMLMessageContext object with it.

Specified by:
retrieveMessage in interface SAMLProcessor
Parameters:
samlContext - saml context
Returns:
SAML message context with filled information about the message
Throws:
org.opensaml.common.SAMLException - error retrieving the message from the request
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata
org.opensaml.ws.message.decoder.MessageDecodingException - error decoding the message
org.opensaml.xml.security.SecurityException - error verifying message

sendMessage

public SAMLMessageContext sendMessage(SAMLMessageContext samlContext,
                                      boolean sign)
                               throws org.opensaml.common.SAMLException,
                                      org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                      org.opensaml.ws.message.encoder.MessageEncodingException
Sends the SAML message contained in the context to the specified peerEntityEndpoint. The binding is determined automatically from the selected endpoint.

Specified by:
sendMessage in interface SAMLProcessor
Parameters:
samlContext - context
sign - true when sent message should be signed
Returns:
resulting context, might be a copy
Throws:
org.opensaml.common.SAMLException
org.opensaml.saml2.metadata.provider.MetadataProviderException
org.opensaml.ws.message.encoder.MessageEncodingException

sendMessage

public SAMLMessageContext sendMessage(SAMLMessageContext samlContext,
                                      boolean sign,
                                      String bindingName)
                               throws org.opensaml.common.SAMLException,
                                      org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                      org.opensaml.ws.message.encoder.MessageEncodingException
Specified by:
sendMessage in interface SAMLProcessor
Throws:
org.opensaml.common.SAMLException
org.opensaml.saml2.metadata.provider.MetadataProviderException
org.opensaml.ws.message.encoder.MessageEncodingException

sendMessage

protected SAMLMessageContext sendMessage(SAMLMessageContext samlContext,
                                         boolean sign,
                                         SAMLBinding binding)
                                  throws org.opensaml.common.SAMLException,
                                         org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                         org.opensaml.ws.message.encoder.MessageEncodingException
Sends the SAML message using the given binding. The context is expected to contain outboundMessageTransport. If localEntityId or localEntityRole is set it is used; otherwise the default SP is used.

Parameters:
samlContext - context
sign - if true sent message is signed
binding - binding to use
Returns:
context
Throws:
org.opensaml.common.SAMLException - in case message can't be sent
org.opensaml.ws.message.encoder.MessageEncodingException - in case message encoding fails
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata for required entities is not found

verifyContext

protected void verifyContext(SAMLMessageContext samlContext)
                      throws org.opensaml.saml2.metadata.provider.MetadataProviderException
Verifies that context contains all the required information related to the local entity.

Parameters:
samlContext - context to populate
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case the metadata does not contain the expected entities

getBinding

protected SAMLBinding getBinding(org.opensaml.ws.transport.InTransport transport)
                          throws org.opensaml.common.SAMLException
Analyzes the transport object and returns the first binding capable of sending a SAML message to it or extracting one from it. If no binding is found a SAMLException is thrown.

Parameters:
transport - transport type to get binding for
Returns:
decoder
Throws:
org.opensaml.common.SAMLException - in case no suitable decoder is found for given request

getBinding

protected SAMLBinding getBinding(org.opensaml.saml2.metadata.Endpoint endpoint)
                          throws org.opensaml.common.SAMLException,
                                 org.opensaml.saml2.metadata.provider.MetadataProviderException
Determines the binding to be used for the given endpoint. By default the binding returned from the getBinding call on the endpoint is used. Special handling applies to Holder of Key WebSSO profile endpoints, where the real binding is stored in the hoksso:ProtocolBinding attribute.

Parameters:
endpoint - endpoint to get binding for
Returns:
binding
Throws:
org.opensaml.common.SAMLException - in case binding can't be found
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case binding of the endpoint can't be determined
See Also:
SAMLUtil.getBindingForEndpoint(org.opensaml.saml2.metadata.Endpoint)

getBinding

protected SAMLBinding getBinding(String bindingName)
                          throws org.opensaml.common.SAMLException
Finds binding with the given name.

Parameters:
bindingName - name
Returns:
binding
Throws:
org.opensaml.common.SAMLException - in case binding can't be found
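
The constructors above take the set of bindings the processor will accept, and getBinding(String) throws SAMLException for any name outside that set. The following is an added example, not code from the Spring Security SAML project or this Javadoc: it builds a processor that only knows the two WebSSO bindings an SP normally needs, so messages arriving over a binding the IDP never uses cannot be decoded at all. It assumes the library's HTTPPostBinding and HTTPRedirectDeflateBinding classes, VelocityFactory, and OpenSAML's StaticBasicParserPool and SAMLConstants, none of which appear on this page.

```java
// Added example; not part of the Spring Security SAML project or its Javadoc.
// Assumed (not on this page): HTTPPostBinding, HTTPRedirectDeflateBinding,
// VelocityFactory, StaticBasicParserPool, SAMLConstants.
import java.util.Arrays;
import java.util.Collection;
import org.opensaml.common.SAMLException;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.security.saml.processor.HTTPPostBinding;
import org.springframework.security.saml.processor.HTTPRedirectDeflateBinding;
import org.springframework.security.saml.processor.SAMLBinding;
import org.springframework.security.saml.processor.SAMLProcessorImpl;
import org.springframework.security.saml.util.VelocityFactory;

/**
 * Processor limited to HTTP-POST and HTTP-Redirect. Bindings that are not
 * configured (SOAP, PAOS, Artifact) are never consulted by retrieveMessage,
 * and getBinding(String) rejects their names with a SAMLException.
 */
public class RestrictedSamlProcessor extends SAMLProcessorImpl {

    public RestrictedSamlProcessor(Collection<SAMLBinding> bindings) {
        super(bindings);
    }

    /** Exposes the protected name lookup so the configuration can be checked. */
    public boolean accepts(String bindingUri) {
        try {
            getBinding(bindingUri);
            return true;
        } catch (SAMLException notConfigured) {
            return false;
        }
    }

    /** Builds the two-binding processor with a namespace-aware parser pool. */
    public static RestrictedSamlProcessor webSsoOnly() throws XMLParserException {
        StaticBasicParserPool parserPool = new StaticBasicParserPool();
        parserPool.setNamespaceAware(true);
        parserPool.initialize();
        return new RestrictedSamlProcessor(Arrays.<SAMLBinding>asList(
                new HTTPPostBinding(parserPool, VelocityFactory.getEngine()),
                new HTTPRedirectDeflateBinding(parserPool)));
    }

    public static void main(String[] args) throws Exception {
        RestrictedSamlProcessor processor = webSsoOnly();
        System.out.println("POST accepted: " + processor.accepts(SAMLConstants.SAML2_POST_BINDING_URI));
        System.out.println("Redirect accepted: " + processor.accepts(SAMLConstants.SAML2_REDIRECT_BINDING_URI));
        System.out.println("SOAP accepted: " + processor.accepts(SAMLConstants.SAML2_SOAP11_BINDING_URI));
    }
}
```

Wiring the same two-binding collection into the SAMLProcessorImpl bean of a Spring configuration gives the deployed SP the same reduced inbound surface as this stand-alone check.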
