Spring Security SAML

org.springframework.security.saml.websso
Class SingleLogoutProfileImpl

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
      extended by org.springframework.security.saml.websso.SingleLogoutProfileImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, SingleLogoutProfile

public class SingleLogoutProfileImpl
extends AbstractProfileBase
implements SingleLogoutProfile

Implementation of the SAML 2.0 Single Logout profile.

Author:
Vladimir Schaefer

Field Summary
 
Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
artifactMap, builderFactory, metadata, processor
 
Constructor Summary
SingleLogoutProfileImpl()
           
 
Method Summary
protected  org.opensaml.saml2.core.LogoutRequest getLogoutRequest(SAMLMessageContext context, SAMLCredential credential, org.opensaml.saml2.metadata.Endpoint bindingService)
          Returns logout request message ready to be sent to the IDP.
protected  org.opensaml.saml2.core.NameID getNameID(SAMLMessageContext context, org.opensaml.saml2.core.LogoutRequest request)
           
 String getProfileIdentifier()
          Implementations are expected to provide a unique identifier for the profile this class implements.
 boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
          The implementer must ensure that the incoming LogoutRequest stored in the context is verified, and return true if local logout should be executed.
 void processLogoutResponse(SAMLMessageContext context)
          The implementer is responsible for processing the LogoutResponse message present in the context.
 void sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
          A call to this method must ensure that a LogoutRequest SAML message is sent to the IDP, requesting global logout of all known sessions.
protected  void sendLogoutResponse(org.opensaml.saml2.core.Status status, SAMLMessageContext context)
           
 
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SingleLogoutProfileImpl

public SingleLogoutProfileImpl()
Method Detail

getProfileIdentifier

public String getProfileIdentifier()
Description copied from class: AbstractProfileBase
Implementations are expected to provide a unique identifier for the profile this class implements.

Specified by:
getProfileIdentifier in class AbstractProfileBase
Returns:
profile name

sendLogoutRequest

public void sendLogoutRequest(SAMLMessageContext context,
                              SAMLCredential credential)
                       throws org.opensaml.common.SAMLException,
                              org.opensaml.saml2.metadata.provider.MetadataProviderException,
                              org.opensaml.ws.message.encoder.MessageEncodingException
Description copied from interface: SingleLogoutProfile
A call to this method must ensure that a LogoutRequest SAML message is sent to the IDP, requesting global logout of all known sessions.

Specified by:
sendLogoutRequest in interface SingleLogoutProfile
Parameters:
context - processing context
credential - credential of the currently logged user
Throws:
org.opensaml.common.SAMLException - in case the logout request can't be created
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case the IDP metadata can't be resolved
org.opensaml.ws.message.encoder.MessageEncodingException - in case the message can't be sent using the given binding

getLogoutRequest

protected org.opensaml.saml2.core.LogoutRequest getLogoutRequest(SAMLMessageContext context,
                                                                 SAMLCredential credential,
                                                                 org.opensaml.saml2.metadata.Endpoint bindingService)
                                                          throws org.opensaml.common.SAMLException,
                                                                 org.opensaml.saml2.metadata.provider.MetadataProviderException
Returns logout request message ready to be sent to the IDP.

Parameters:
context - message context
credential - information about assertions used to log current user in
bindingService - service used to deliver the request
Returns:
logoutRequest to be sent to IDP
Throws:
org.opensaml.common.SAMLException - error creating the message
org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata

processLogoutRequest

public boolean processLogoutRequest(SAMLMessageContext context,
                                    SAMLCredential credential)
                             throws org.opensaml.common.SAMLException,
                                    org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                    org.opensaml.ws.message.encoder.MessageEncodingException
Description copied from interface: SingleLogoutProfile
The implementer must ensure that the incoming LogoutRequest stored in the context is verified, and return true if local logout should be executed. The method must send a LogoutResponse message to the sender in any case.

Specified by:
processLogoutRequest in interface SingleLogoutProfile
Parameters:
context - context containing SAML message being processed
credential - credential of the currently logged user
Returns:
true if local logout should be performed
Throws:
org.opensaml.common.SAMLException - in case the message is invalid and a response can't be sent back
org.opensaml.saml2.metadata.provider.MetadataProviderException - in case there are problems determining the IDP metadata
org.opensaml.ws.message.encoder.MessageEncodingException - in case the message can't be sent
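As an added example that is not part of Spring Security SAML, the hypothetical subclass below layers two extra policy checks in front of processLogoutRequest while keeping the contract above: a LogoutResponse is sent on every path, and true is returned only when local logout should happen. It assumes SAMLCredential.getRemoteEntityID() and getAuthenticationAssertion(), the inherited getStatus(code, message) helper, and OpenSAML's StatusCode.REQUESTER_URI and LogoutRequest.getSessionIndexes().

```java
import java.util.List;
import org.opensaml.common.SAMLException;
import org.opensaml.saml2.core.AuthnStatement;
import org.opensaml.saml2.core.LogoutRequest;
import org.opensaml.saml2.core.SessionIndex;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.SingleLogoutProfileImpl;

// Hypothetical subclass (not part of Spring Security SAML): adds policy checks ahead of the
// base verification. A LogoutResponse is sent on every path, as the interface contract requires.
public class StrictSingleLogoutProfile extends SingleLogoutProfileImpl {

    @Override
    public boolean processLogoutRequest(SAMLMessageContext context, SAMLCredential credential)
            throws SAMLException, MetadataProviderException, MessageEncodingException {
        LogoutRequest request = (LogoutRequest) context.getInboundSAMLMessage();
        // Assumed policy 1: only the IDP that issued the current session may end it.
        String sessionIdp = credential.getRemoteEntityID();
        if (sessionIdp != null && !sessionIdp.equals(context.getPeerEntityId())) {
            return deny(context, "LogoutRequest not sent by the IDP that issued this session");
        }
        // Assumed policy 2: if the request names session indexes, one of them must be ours.
        if (!request.getSessionIndexes().isEmpty() && !namesCurrentSession(request, credential)) {
            return deny(context, "SessionIndex does not match the current session");
        }
        // The base implementation performs its own verification and sends the LogoutResponse.
        return super.processLogoutRequest(context, credential);
    }

    // Sends a Requester-status LogoutResponse and vetoes local logout.
    private boolean deny(SAMLMessageContext context, String reason)
            throws SAMLException, MetadataProviderException, MessageEncodingException {
        sendLogoutResponse(getStatus(StatusCode.REQUESTER_URI, reason), context);
        return false;
    }

    // Assumes the credential still carries the assertion used to authenticate the user.
    private static boolean namesCurrentSession(LogoutRequest request, SAMLCredential credential) {
        List<AuthnStatement> statements = credential.getAuthenticationAssertion().getAuthnStatements();
        for (SessionIndex requested : request.getSessionIndexes()) {
            for (AuthnStatement statement : statements) {
                String idx = requested.getSessionIndex();
                if (idx != null && idx.equals(statement.getSessionIndex())) return true;
            }
        }
        return false;
    }
}
```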

sendLogoutResponse

protected void sendLogoutResponse(org.opensaml.saml2.core.Status status,
                                  SAMLMessageContext context)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                  org.opensaml.common.SAMLException,
                                  org.opensaml.ws.message.encoder.MessageEncodingException
Throws:
org.opensaml.saml2.metadata.provider.MetadataProviderException
org.opensaml.common.SAMLException
org.opensaml.ws.message.encoder.MessageEncodingException

getNameID

protected org.opensaml.saml2.core.NameID getNameID(SAMLMessageContext context,
                                                   org.opensaml.saml2.core.LogoutRequest request)
                                            throws org.opensaml.xml.encryption.DecryptionException
Throws:
org.opensaml.xml.encryption.DecryptionException

processLogoutResponse

public void processLogoutResponse(SAMLMessageContext context)
                           throws org.opensaml.common.SAMLException,
                                  org.opensaml.xml.security.SecurityException,
                                  org.opensaml.xml.validation.ValidationException
Description copied from interface: SingleLogoutProfile
The implementer is responsible for processing the LogoutResponse message present in the context. If the message is invalid, an exception should be raised, although this does not indicate a problem with the processing itself, because the local logout has already been executed.

Specified by:
processLogoutResponse in interface SingleLogoutProfile
Parameters:
context - context containing processed SAML message
Throws:
org.opensaml.common.SAMLException - in case the received SAML message is malformed or invalid
org.opensaml.xml.security.SecurityException - in case the signature of the message is not trusted
org.opensaml.xml.validation.ValidationException - in case the signature of the message is invalid
