Spring Security SAML

org.springframework.security.saml.trust
Class CertPathPKIXTrustEvaluator

java.lang.Object
  extended by org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator
      extended by org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator
All Implemented Interfaces:
org.opensaml.xml.security.x509.PKIXTrustEvaluator

public class CertPathPKIXTrustEvaluator
extends org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator

PKIX trust evaluator based on the Java CertPath API. The class first constructs PKIXBuilderParameters using a call to getPKIXBuilderParameters. The parameters consult the options property for the defaults of the isForceRevocationEnabled, forcedRevocation, policyMappingInhibited, anyPolicyInhibited and initialPolicies settings. The system then constructs a CertPathBuilder with the PKIX algorithm and the selected securityProvider and builds the certificate path. If path building succeeds, the system optionally also verifies the resulting certificate chain using CertPathValidator. In earlier Java versions the builder implementation doesn't support e.g. OCSP checking; running a separate path validation makes it possible to use these features.
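The build-then-validate sequence described above (and under setValidateCertPath) as an added example written directly against the JDK java.security.cert API; it is not the evaluator's own code. It assumes the caller has already loaded the trust anchors, the peer's certificate chain and any CRLs (for instance from a KeyStore or metadata), and the two revocation properties are the JDK's standard OCSP and CRL distribution point switches.

```java
import java.security.GeneralSecurityException;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public final class BuildThenValidate {

    /**
     * Stage 1: build a PKIX path from the peer's end-entity certificate to one of the
     * trust anchors. Stage 2 (optional, mirrors validateCertPath=true): re-run the
     * built path through CertPathValidator so OCSP/CRLDP checks are applied even on
     * JDKs whose builder does not perform them.
     *
     * @param anchors         trusted CA certificates (assumed loaded by the caller)
     * @param untrustedChain  chain presented by the peer, end-entity certificate first
     * @param crls            CRLs available locally, may be empty
     * @param validateCertPath whether to run the second CertPathValidator stage
     * @param forceRevocation  whether revocation checking is mandatory (fails closed)
     * @param provider        JCA provider name, e.g. "BC", or null for the default
     * @return the validated certificate path
     * @throws GeneralSecurityException if building or validation fails
     */
    public static CertPath evaluate(Set<TrustAnchor> anchors,
                                    List<X509Certificate> untrustedChain,
                                    Collection<X509CRL> crls,
                                    boolean validateCertPath,
                                    boolean forceRevocation,
                                    String provider) throws GeneralSecurityException {
        // Target of the path: the end-entity certificate the peer presented.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(untrustedChain.get(0));

        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(forceRevocation); // with no CRL/OCSP data this fails closed

        // Intermediates and CRLs reach the builder through a Collection CertStore.
        List<Object> material = new ArrayList<>(untrustedChain);
        material.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(material)));

        CertPathBuilder builder = provider == null
                ? CertPathBuilder.getInstance("PKIX")
                : CertPathBuilder.getInstance("PKIX", provider);
        CertPath path = builder.build(params).getCertPath(); // throws if no path to an anchor

        if (validateCertPath) {
            // JDK switches that enable OCSP and CRL distribution point fetching for the PKIX validator.
            Security.setProperty("ocsp.enable", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            CertPathValidator validator = provider == null
                    ? CertPathValidator.getInstance("PKIX")
                    : CertPathValidator.getInstance("PKIX", provider);
            validator.validate(path, params); // CertPathValidatorException on a revoked or bad chain
        }
        return path;
    }
}
```

Setting the revocation properties after a CertPathValidator has already been created in the same JVM has no effect on that instance, so configure them before the first validation run.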


Constructor Summary
CertPathPKIXTrustEvaluator()
           
CertPathPKIXTrustEvaluator(org.opensaml.xml.security.x509.PKIXValidationOptions newOptions)
           
 
Method Summary
 void setSecurityProvider(String provider)
          Sets security provider used to instantiate CertPathBuilder and CertPathValidator instances from the CertPathBuilder and CertPathValidator factories.
 void setValidateCertPath(boolean validateCertPath)
          Flag indicating whether to execute additional certificate path validation using the java.security.cert.CertPathValidator factory.
 boolean validate(org.opensaml.xml.security.x509.PKIXValidationInformation validationInfo, org.opensaml.xml.security.x509.X509Credential untrustedCredential)
          
 
Methods inherited from class org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator
addCRLsToStoreMaterial, buildCertStore, buildTrustAnchor, getEffectiveVerificationDepth, getPKIXBuilderParameters, getPKIXValidationOptions, getTrustAnchors, getX500DNHandler, setPKIXValidationOptions, setX500DNHandler, storeContainsCRLs
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator()

CertPathPKIXTrustEvaluator

public CertPathPKIXTrustEvaluator(org.opensaml.xml.security.x509.PKIXValidationOptions newOptions)

Method Detail

validate

public boolean validate(org.opensaml.xml.security.x509.PKIXValidationInformation validationInfo,
                        org.opensaml.xml.security.x509.X509Credential untrustedCredential)
                 throws org.opensaml.xml.security.SecurityException

Specified by:
validate in interface org.opensaml.xml.security.x509.PKIXTrustEvaluator
Overrides:
validate in class org.opensaml.xml.security.x509.CertPathPKIXTrustEvaluator
Throws:
org.opensaml.xml.security.SecurityException

setSecurityProvider

public void setSecurityProvider(String provider)
Sets the security provider used to instantiate CertPathBuilder and CertPathValidator instances from the CertPathBuilder and CertPathValidator factories. When no value is specified, the system uses the default security provider. Default value is null.

Parameters:
provider - name of the security provider (e.g. BC for BouncyCastle)

setValidateCertPath

public void setValidateCertPath(boolean validateCertPath)
Flag indicating whether to execute additional certificate path validation using the java.security.cert.CertPathValidator factory. The CertPathBuilder typically performs most PKIX verifications already, but in some cases (e.g. for OCSP support and CRLDP support in certain Java versions) it is necessary to run additional checks in the validator. Default value is false.

Parameters:
validateCertPath - flag indicating usage of the CertPathValidator.