Spring Security SAML

org.springframework.security.saml.websso
Class AbstractProfileBase

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean
Direct Known Subclasses:
ArtifactResolutionProfileBase, SingleLogoutProfileImpl, WebSSOProfileConsumerImpl, WebSSOProfileImpl

public abstract class AbstractProfileBase
extends Object
implements org.springframework.beans.factory.InitializingBean

Base superclass for classes implementing processing of SAML messages.

Author:
Vladimir Schaefer

Field Summary
protected  org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap
           
protected  org.opensaml.xml.XMLObjectBuilderFactory builderFactory
           
protected static org.slf4j.Logger log
          Class logger.
protected  MetadataManager metadata
           
protected  SAMLProcessor processor
           
 
Constructor Summary
AbstractProfileBase()
           
AbstractProfileBase(SAMLProcessor processor, MetadataManager manager)
           
 
Method Summary
 void afterPropertiesSet()
           
protected  void buildCommonAttributes(String localEntityId, org.opensaml.saml2.core.RequestAbstractType request, org.opensaml.saml2.metadata.Endpoint service)
          Fills the request with version, issue instants and destination data.
protected  String generateID()
          Generates a random ID to be used as the Request/Response ID.
protected  String getEndpointBinding(org.opensaml.saml2.metadata.Endpoint endpoint)
          Returns the binding used to transfer messages to this endpoint.
protected  org.opensaml.saml2.core.Issuer getIssuer(String localEntityId)
           
 int getMaxAssertionTime()
          Maximum time, in seconds, between assertion creation and the current time for which the assertion is still usable.
abstract  String getProfileIdentifier()
          Implementations are expected to provide a unique identifier for the profile this class implements.
 int getResponseSkew()
           
protected  org.opensaml.saml2.core.Status getStatus(String code, String statusMessage)
           
protected  boolean isEndpointMatching(org.opensaml.saml2.metadata.Endpoint endpoint, String binding)
          Determines whether the given endpoint can be used together with the specified binding.
protected  void sendMessage(SAMLMessageContext context, boolean sign)
          Calls the processor and sends the message contained in the context.
protected  void sendMessage(SAMLMessageContext context, boolean sign, String binding)
          Calls the processor and sends the message contained in the context.
 void setArtifactMap(org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap)
           
 void setMaxAssertionTime(int maxAssertionTime)
          Customizes the maximum time between assertion creation and the end of its usability.
 void setMetadata(MetadataManager metadata)
           
 void setProcessor(SAMLProcessor processor)
           
 void setResponseSkew(int responseSkew)
          Sets the maximum difference between local time and the assertion's creation time that still allows the message to be processed.
protected  void verifyEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint, String destination)
          Verifies that the destination URL stated in the message matches the endpoint address.
protected  void verifyIssuer(org.opensaml.saml2.core.Issuer issuer, SAMLMessageContext context)
           
protected  void verifySignature(org.opensaml.xml.signature.Signature signature, String IDPEntityID, org.opensaml.xml.signature.SignatureTrustEngine trustEngine)
           
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log

protected static final org.slf4j.Logger log
Class logger.


metadata

protected MetadataManager metadata

processor

protected SAMLProcessor processor

artifactMap

protected org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap

builderFactory

protected org.opensaml.xml.XMLObjectBuilderFactory builderFactory
Constructor Detail

AbstractProfileBase

public AbstractProfileBase()

AbstractProfileBase

public AbstractProfileBase(SAMLProcessor processor,
                           MetadataManager manager)
Method Detail

getProfileIdentifier

public abstract String getProfileIdentifier()
Implementations are expected to provide a unique identifier for the profile this class implements.

Returns:
profile name

setResponseSkew

public void setResponseSkew(int responseSkew)
Sets the maximum difference between local time and the assertion's creation time that still allows the message to be processed. Essentially this bounds the clock difference between the IDP and SP machines. Defaults to 60 seconds.

Parameters:
responseSkew - response skew time (in seconds)

getResponseSkew

public int getResponseSkew()
Returns:
response skew time (in seconds)

getMaxAssertionTime

public int getMaxAssertionTime()
Maximum time, in seconds, between assertion creation and the current time for which the assertion is still usable.

Returns:
max assertion time

setMaxAssertionTime

public void setMaxAssertionTime(int maxAssertionTime)
Customizes the maximum time between assertion creation and the end of its usability. Defaults to 3000 seconds.

Parameters:
maxAssertionTime - time in seconds

sendMessage

protected void sendMessage(SAMLMessageContext context,
                           boolean sign)
                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                           org.opensaml.common.SAMLException,
                           org.opensaml.ws.message.encoder.MessageEncodingException
Calls the processor and sends the message contained in the context. Subclasses can provide additional processing before the message delivery. The message is sent using the binding defined in the peer entity of the context.

Parameters:
context - context
sign - whether the message should be signed
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - metadata error
org.opensaml.common.SAMLException - SAML encoding error
org.opensaml.ws.message.encoder.MessageEncodingException - message encoding error

sendMessage

protected void sendMessage(SAMLMessageContext context,
                           boolean sign,
                           String binding)
                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                           org.opensaml.common.SAMLException,
                           org.opensaml.ws.message.encoder.MessageEncodingException
Calls the processor and sends the message contained in the context. Subclasses can provide additional processing before the message delivery. The message is sent using the specified binding.

Parameters:
context - context
sign - whether the message should be signed
binding - binding to use to send the message
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException - metadata error
org.opensaml.common.SAMLException - SAML encoding error
org.opensaml.ws.message.encoder.MessageEncodingException - message encoding error

getStatus

protected org.opensaml.saml2.core.Status getStatus(String code,
                                                   String statusMessage)

buildCommonAttributes

protected void buildCommonAttributes(String localEntityId,
                                     org.opensaml.saml2.core.RequestAbstractType request,
                                     org.opensaml.saml2.metadata.Endpoint service)
Fills the request with version, issue instants and destination data.

Parameters:
localEntityId - entityId of the local party acting as message issuer
request - request to be filled
service - service to use as destination for the request

getIssuer

protected org.opensaml.saml2.core.Issuer getIssuer(String localEntityId)

generateID

protected String generateID()
Generates a random ID to be used as the Request/Response ID.

Returns:
random ID

verifyIssuer

protected void verifyIssuer(org.opensaml.saml2.core.Issuer issuer,
                            SAMLMessageContext context)
                     throws org.opensaml.common.SAMLException
Throws:
org.opensaml.common.SAMLException

verifyEndpoint

protected void verifyEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint,
                              String destination)
                       throws org.opensaml.common.SAMLException
Verifies that the destination URL stated in the message matches the endpoint address. The URL at which the message was ultimately received does not need to match the one defined in the metadata (for example when messages are reverse-proxied).

Parameters:
endpoint - endpoint the message was received at
destination - URL of the endpoint the peer intended the message to be sent to, or null when not included
Throws:
org.opensaml.common.SAMLException - if the endpoint does not match
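The time-window settings documented above (setResponseSkew, setMaxAssertionTime) and the Destination check of verifyEndpoint, as an added example that is not part of Spring Security SAML or OpenSAML: a standalone Python re-implementation of the semantics the Javadoc describes, operating on epoch seconds and a plain dict in place of a SAML Response, with constructed sample data. The SP endpoint URL, the function names (validate_response, issue_instant_problem, destination_problem) and the way the two time settings are combined into a single accept window are assumptions of this example; the library's own implementation may differ in detail.

```python
# Added example (not Spring Security SAML code): a simplified re-implementation
# of the acceptance checks described for setResponseSkew, setMaxAssertionTime
# and verifyEndpoint. Epoch seconds are used so the example runs offline.

from typing import Optional

# Defaults quoted by the Javadoc (seconds).
DEFAULT_RESPONSE_SKEW = 60
DEFAULT_MAX_ASSERTION_TIME = 3000


def issue_instant_problem(issue_instant: int, now: int,
                          response_skew: int = DEFAULT_RESPONSE_SKEW,
                          max_assertion_time: int = DEFAULT_MAX_ASSERTION_TIME) -> Optional[str]:
    """Return None if the IssueInstant is acceptable, else a reason string.

    Assumption (not stated on the page): the two settings form one accept
    window [now - (max_assertion_time + response_skew), now + response_skew].
    The skew tolerates the IDP clock running ahead of or behind the SP clock;
    max_assertion_time bounds how long an issued assertion stays usable.
    """
    if issue_instant > now + response_skew:
        return "IssueInstant is in the future beyond the allowed clock skew"
    if issue_instant < now - (max_assertion_time + response_skew):
        return "assertion is older than maxAssertionTime (plus clock skew)"
    return None


def destination_problem(endpoint_location: str, destination: Optional[str]) -> Optional[str]:
    """Compare the message's Destination with the endpoint location from metadata.

    Mirrors the verifyEndpoint contract: a missing Destination (None) is
    accepted, and the URL the request physically arrived on (e.g. behind a
    reverse proxy) is deliberately not consulted. Exact string comparison is
    an assumption of this example.
    """
    if destination is None:
        return None
    if destination != endpoint_location:
        return "Destination %r does not match endpoint %r" % (destination, endpoint_location)
    return None


def validate_response(response: dict, endpoint_location: str, now: int,
                      response_skew: int = DEFAULT_RESPONSE_SKEW,
                      max_assertion_time: int = DEFAULT_MAX_ASSERTION_TIME) -> list:
    """Run both checks; an empty list means the response passes them."""
    checks = (
        issue_instant_problem(response["issue_instant"], now, response_skew, max_assertion_time),
        destination_problem(endpoint_location, response.get("destination")),
    )
    return [problem for problem in checks if problem is not None]


if __name__ == "__main__":
    # Constructed sample data; the SP endpoint URL is a placeholder.
    sp_endpoint = "https://sp.example.org/saml/SSO"
    now = 1_700_000_000
    samples = {
        "fresh, IDP clock 30s ahead": {"issue_instant": now + 30, "destination": sp_endpoint},
        "no Destination attribute":   {"issue_instant": now - 5, "destination": None},
        "IDP clock 2 min ahead":      {"issue_instant": now + 120, "destination": sp_endpoint},
        "replayed after an hour":     {"issue_instant": now - 3600, "destination": sp_endpoint},
        "meant for another SP":       {"issue_instant": now,
                                       "destination": "https://other.example.net/saml/SSO"},
    }
    for label, response in samples.items():
        problems = validate_response(response, sp_endpoint, now)
        print("%-28s -> %s" % (label, "accepted" if not problems else "; ".join(problems)))
```

Two points the example makes concrete: the skew is applied symmetrically, so an IDP whose clock is slightly ahead still gets its responses accepted, while anything beyond the configured window is rejected regardless of a valid signature; and the Destination is compared against the endpoint location taken from metadata rather than the URL the request arrived on, which is what lets the check survive reverse-proxying while still rejecting a response that was minted for a different SP.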

verifySignature

protected void verifySignature(org.opensaml.xml.signature.Signature signature,
                               String IDPEntityID,
                               org.opensaml.xml.signature.SignatureTrustEngine trustEngine)
                        throws org.opensaml.xml.security.SecurityException,
                               org.opensaml.xml.validation.ValidationException
Throws:
org.opensaml.xml.security.SecurityException
org.opensaml.xml.validation.ValidationException

getEndpointBinding

protected String getEndpointBinding(org.opensaml.saml2.metadata.Endpoint endpoint)
Returns the binding used to transfer messages to this endpoint. For some profiles the binding attribute in the metadata contains the profile name; in those cases this method extracts the real binding.

Parameters:
endpoint - endpoint
Returns:
binding

isEndpointMatching

protected boolean isEndpointMatching(org.opensaml.saml2.metadata.Endpoint endpoint,
                                     String binding)
Determines whether the given endpoint can be used together with the specified binding.

By default the binding value of the endpoint is compared for equality with the user-provided binding.

This method is called automatically to verify the user-supplied binding value in WebSSOProfileOptions.

Parameters:
endpoint - endpoint to check
binding - binding the endpoint must support for the method to return true
Returns:
true if given endpoint can be used with the binding

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

setProcessor

@Autowired(required=false)
public void setProcessor(SAMLProcessor processor)

setArtifactMap

public void setArtifactMap(org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap)

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception
Specified by:
afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean
Throws:
Exception
