Spring Security SAML

org.springframework.security.saml.trust
Class PKIXInformationResolver

java.lang.Object
  extended by org.springframework.security.saml.trust.PKIXInformationResolver
All Implemented Interfaces:
org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>, org.opensaml.xml.security.x509.PKIXValidationInformationResolver

public class PKIXInformationResolver
extends Object
implements org.opensaml.xml.security.x509.PKIXValidationInformationResolver

Implementation resolves PKIX information based on extended metadata configuration and provider data. Values are cached and automatically cleared upon metadata refresh. First, data is loaded from the metadata (or extended metadata) of the peer entity. In addition, all trusted keys declared for the entity are also included.


Nested Class Summary
protected  class PKIXInformationResolver.MetadataCacheKey
          A class which serves as the key into the cache of credentials previously resolved.
protected  class PKIXInformationResolver.MetadataProviderObserver
          An observer that clears the credential cache if the underlying metadata changes.
 
Constructor Summary
PKIXInformationResolver(MetadataCredentialResolver metadataResolver, MetadataManager metadataProvider, KeyManager keyManager)
          Constructor.
 
Method Summary
protected  void cacheCredentials(PKIXInformationResolver.MetadataCacheKey cacheKey, Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> credentials)
          Adds resolved credentials to the cache.
protected  void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Check that all necessary credential criteria are available.
protected  int getPKIXDepth()
          Maximum allowed PKIX trust path length (verification depth).
protected  ReadWriteLock getReadWriteLock()
          Get the lock instance used to synchronize access to the credential cache.
protected  Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> populateCredentials(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Method responsible for loading PKIX information.
protected  void populateMetadataAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls)
          Method loads credentials satisfying the criteriaSet from the metadata of the related entity.
protected  void populateTrustedKeysAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls)
          Method adds trusted anchors, which include all trusted certificates configured in the ExtendedMetadata.
 Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteria)
           
protected  Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)
           
 org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteria)
          Returns first found PKIX information satisfying the condition.
 Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)
           
protected  Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveFromCache(PKIXInformationResolver.MetadataCacheKey cacheKey)
          Retrieves pre-resolved credentials from the cache.
 boolean supportsTrustedNameResolution()
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKIXInformationResolver

public PKIXInformationResolver(MetadataCredentialResolver metadataResolver,
                               MetadataManager metadataProvider,
                               KeyManager keyManager)
Constructor.

Parameters:
metadataResolver - resolver used to extract basic credentials out of metadata
metadataProvider - provider of the metadata used to load extended metadata for an entity
keyManager - key manager
Throws:
IllegalArgumentException - thrown if the supplied provider is null
Method Detail

getReadWriteLock

protected ReadWriteLock getReadWriteLock()
Get the lock instance used to synchronize access to the credential cache.

Returns:
a read-write lock instance

resolveFromSource

protected Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                                        throws org.opensaml.xml.security.SecurityException
Throws:
org.opensaml.xml.security.SecurityException

populateCredentials

protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> populateCredentials(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                                            throws org.opensaml.xml.security.SecurityException
Method responsible for loading PKIX information.

Parameters:
criteriaSet - criteria for selection of data to include
Returns:
PKIX information
Throws:
org.opensaml.xml.security.SecurityException

checkCriteriaRequirements

protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
Check that all necessary credential criteria are available.

Parameters:
criteriaSet - the credential set to evaluate

retrieveFromCache

protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveFromCache(PKIXInformationResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved credentials from the cache.

Parameters:
cacheKey - the key to the metadata cache
Returns:
the collection of cached credentials or null

populateMetadataAnchors

protected void populateMetadataAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet,
                                       Collection<X509Certificate> anchors,
                                       Collection<X509CRL> crls)
                                throws org.opensaml.xml.security.SecurityException
Method loads credentials satisfying the criteriaSet from the metadata of the related entity.

Parameters:
criteriaSet - criteria set
anchors - pkix anchors
crls - CRLs for the anchors
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

populateTrustedKeysAnchors

protected void populateTrustedKeysAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet,
                                          Collection<X509Certificate> anchors,
                                          Collection<X509CRL> crls)
                                   throws org.opensaml.xml.security.SecurityException
Method adds trusted anchors, which include all trusted certificates configured in the ExtendedMetadata. In case no trusted certificates were configured, all certificates in the KeyManager are considered trusted and added to the anchor list.

Parameters:
criteriaSet - criteria set
anchors - pkix anchors
crls - CRLs for the anchors
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format
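As an added example (not code from the Spring Security SAML project), the following wires this resolver into an OpenSAML 2 PKIXX509CredentialTrustEngine for one peer IdP and reports whether that peer's ExtendedMetadata leaves the keystore-wide fallback described above in effect. The class PeerPkixCheck and its method names are hypothetical; the constructor signatures of MetadataCredentialResolver and PKIXInformationResolver are assumed from the 1.0.x API.

```java
import java.util.Set;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.x509.PKIXX509CredentialTrustEngine;
import org.opensaml.xml.security.x509.X509Credential;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataManager;
import org.springframework.security.saml.trust.MetadataCredentialResolver;
import org.springframework.security.saml.trust.PKIXInformationResolver;

/** Hypothetical helper (added example, not part of Spring Security SAML). */
public class PeerPkixCheck {

    private final MetadataManager metadata;
    private final PKIXInformationResolver pkixResolver;

    public PeerPkixCheck(MetadataManager metadata, KeyManager keyManager) {
        this.metadata = metadata;
        // Wiring matches the documented constructor: metadata resolver, provider, key manager.
        MetadataCredentialResolver mcr = new MetadataCredentialResolver(metadata, keyManager);
        this.pkixResolver = new PKIXInformationResolver(mcr, metadata, keyManager);
    }

    /** Criteria the resolver needs: the peer's entity ID plus its SAML 2.0 IdP role. */
    static CriteriaSet idpCriteria(String idpEntityId) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(idpEntityId));
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        return criteria;
    }

    /** True if the presented certificate chains (within getPKIXDepth()) to an anchor resolved for this peer. */
    public boolean isTrusted(String idpEntityId, X509Credential presented) throws SecurityException {
        PKIXX509CredentialTrustEngine engine = new PKIXX509CredentialTrustEngine(pkixResolver);
        return engine.validate(presented, idpCriteria(idpEntityId));
    }

    /** Fallback from populateTrustedKeysAnchors: no trustedKeys means every KeyManager certificate is an anchor. */
    public boolean trustsWholeKeystore(String idpEntityId) throws MetadataProviderException {
        ExtendedMetadata em = metadata.getExtendedMetadata(idpEntityId);
        Set<String> trusted = em.getTrustedKeys();
        return trusted == null || trusted.isEmpty();
    }
}
```

When trustsWholeKeystore returns true for a PKIX-profile peer, narrow the anchor set by setting trustedKeys in that peer's ExtendedMetadata to the aliases of its CA certificates only.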

getPKIXDepth

protected int getPKIXDepth()
Maximum allowed PKIX trust path length (verification depth).

Returns:
by default 5

cacheCredentials

protected void cacheCredentials(PKIXInformationResolver.MetadataCacheKey cacheKey,
                                Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> credentials)
Adds resolved credentials to the cache.

Parameters:
cacheKey - the key for caching the credentials
credentials - collection of credentials to cache

resolveTrustedNames

public Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                throws org.opensaml.xml.security.SecurityException,
                                       UnsupportedOperationException
Specified by:
resolveTrustedNames in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
Throws:
org.opensaml.xml.security.SecurityException
UnsupportedOperationException

supportsTrustedNameResolution

public boolean supportsTrustedNameResolution()
Specified by:
supportsTrustedNameResolution in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver

resolve

public Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteria)
                                                                           throws org.opensaml.xml.security.SecurityException
Specified by:
resolve in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

resolveSingle

public org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteria)
                                                                       throws org.opensaml.xml.security.SecurityException
Returns first found PKIX information satisfying the condition.

Specified by:
resolveSingle in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Parameters:
criteria - criteria
Returns:
first instance
Throws:
org.opensaml.xml.security.SecurityException - error
