Spring Security SAML

org.springframework.security.saml.websso
Class WebSSOProfileConsumerImpl

java.lang.Object
  extended by org.springframework.security.saml.websso.AbstractProfileBase
      extended by org.springframework.security.saml.websso.WebSSOProfileConsumerImpl
All Implemented Interfaces:
org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer
Direct Known Subclasses:
WebSSOProfileConsumerHoKImpl

public class WebSSOProfileConsumerImpl
extends AbstractProfileBase
implements WebSSOProfileConsumer

This class processes Response objects returned from the IDP after SP-initiated SSO, as well as unsolicited responses from the IDP. If the response validates correctly and no errors are found, a SAMLCredential is created.

Author:
Vladimir Schäfer

Field Summary
 
Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
artifactMap, builderFactory, metadata, processor
 
Constructor Summary
WebSSOProfileConsumerImpl()
           
WebSSOProfileConsumerImpl(SAMLProcessor processor, MetadataManager manager)
           
 
Method Summary
 int getMaxAuthenticationAge()
          Maximum time between authentication of user and processing of an authentication statement.
 String getProfileIdentifier()
          Implementations are expected to provide a unique identifier for the profile this class implements.
protected  Serializable processAdditionalData(SAMLMessageContext context)
          This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes.
 SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
          The input context object must have the properties related to the returned Response set; the Response is validated and, if no errors are found, the SAMLCredential is returned.
 void setMaxAuthenticationAge(int maxAuthenticationAge)
          Sets the maximum time between the user's authentication and the processing of an authentication statement.
protected  void verifyAssertion(org.opensaml.saml2.core.Assertion assertion, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)
           
protected  void verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions, SAMLMessageContext context, boolean audienceRequired)
           
protected  void verifyAssertionSignature(org.opensaml.xml.signature.Signature signature, SAMLMessageContext context)
          Verifies signature of the assertion.
protected  void verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth, org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context)
          Verifies that authentication statement is valid.
protected  void verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, org.opensaml.saml2.core.AuthnContext receivedContext, SAMLMessageContext context)
          Implementation is expected to verify that the requested authentication context corresponds with the received value.
protected  void verifyConditions(SAMLMessageContext context, List<org.opensaml.saml2.core.Condition> conditions)
          Verifies conditions of the assertion which were not understood.
protected  void verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)
          Verifies validity of Subject element, only bearer confirmation is validated.
 
Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

WebSSOProfileConsumerImpl

public WebSSOProfileConsumerImpl()

WebSSOProfileConsumerImpl

public WebSSOProfileConsumerImpl(SAMLProcessor processor,
                                 MetadataManager manager)
Method Detail

getProfileIdentifier

public String getProfileIdentifier()
Description copied from class: AbstractProfileBase
Implementations are expected to provide a unique identifier for the profile this class implements.

Specified by:
getProfileIdentifier in class AbstractProfileBase
Returns:
profile name

processAuthenticationResponse

public SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
                                             throws org.opensaml.common.SAMLException,
                                                    org.opensaml.xml.security.SecurityException,
                                                    org.opensaml.xml.validation.ValidationException,
                                                    org.opensaml.xml.encryption.DecryptionException
The input context object must have the properties related to the returned Response set; the Response is validated and, if no errors are found, the SAMLCredential is returned.

Specified by:
processAuthenticationResponse in interface WebSSOProfileConsumer
Parameters:
context - context including response object
Returns:
SAMLCredential with information about user
Throws:
org.opensaml.common.SAMLException - in case the response is invalid
org.opensaml.xml.security.SecurityException - in case the signature on the response can't be verified
org.opensaml.xml.validation.ValidationException - in case the response structure is not conforming to the standard
org.opensaml.xml.encryption.DecryptionException

processAdditionalData

protected Serializable processAdditionalData(SAMLMessageContext context)
                                      throws org.opensaml.common.SAMLException
This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes. The returned object is stored inside the SAMLCredential. The implementation is responsible for ensuring compliance with the SAML specification. The method is called once all other processing has finished and the incoming message is deemed valid.

Parameters:
context - context containing incoming message
Returns:
object to store in the credential, null by default
Throws:
org.opensaml.common.SAMLException - in case processing fails

verifyAssertion

protected void verifyAssertion(org.opensaml.saml2.core.Assertion assertion,
                               org.opensaml.saml2.core.AuthnRequest request,
                               SAMLMessageContext context)
                        throws org.springframework.security.core.AuthenticationException,
                               org.opensaml.common.SAMLException,
                               org.opensaml.xml.security.SecurityException,
                               org.opensaml.xml.validation.ValidationException,
                               org.opensaml.xml.encryption.DecryptionException
Throws:
org.springframework.security.core.AuthenticationException
org.opensaml.common.SAMLException
org.opensaml.xml.security.SecurityException
org.opensaml.xml.validation.ValidationException
org.opensaml.xml.encryption.DecryptionException

verifySubject

protected void verifySubject(org.opensaml.saml2.core.Subject subject,
                             org.opensaml.saml2.core.AuthnRequest request,
                             SAMLMessageContext context)
                      throws org.opensaml.common.SAMLException,
                             org.opensaml.xml.encryption.DecryptionException
Verifies validity of Subject element, only bearer confirmation is validated.

Parameters:
subject - subject to validate
request - request
context - context
Throws:
org.opensaml.common.SAMLException - error validating the object
org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted

verifyAssertionSignature

protected void verifyAssertionSignature(org.opensaml.xml.signature.Signature signature,
                                        SAMLMessageContext context)
                                 throws org.opensaml.common.SAMLException,
                                        org.opensaml.xml.security.SecurityException,
                                        org.opensaml.xml.validation.ValidationException
Verifies the signature of the assertion. If the signature is not present and the SP metadata requires signed assertions, an exception is thrown.

Parameters:
signature - signature to verify
context - context
Throws:
org.opensaml.common.SAMLException - signature missing although required
org.opensaml.xml.security.SecurityException - signature can't be validated
org.opensaml.xml.validation.ValidationException - signature is malformed

verifyAssertionConditions

protected void verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions,
                                         SAMLMessageContext context,
                                         boolean audienceRequired)
                                  throws org.opensaml.common.SAMLException
Throws:
org.opensaml.common.SAMLException

verifyConditions

protected void verifyConditions(SAMLMessageContext context,
                                List<org.opensaml.saml2.core.Condition> conditions)
                         throws org.opensaml.common.SAMLException
Verifies conditions of the assertion which were not understood. By default the system fails if any non-understood condition is present.

Parameters:
context - message context
conditions - conditions which were not understood
Throws:
org.opensaml.common.SAMLException - in case conditions are not empty

verifyAuthenticationStatement

protected void verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth,
                                             org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                             SAMLMessageContext context)
                                      throws org.springframework.security.core.AuthenticationException
Verifies that the authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter fields.

Parameters:
auth - statement to check
requestedAuthnContext - context requested in the original request; can be null for unsolicited messages or when no context was requested
context - message context
Throws:
org.springframework.security.core.AuthenticationException - in case the statement is invalid

verifyAuthnContext

protected void verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                  org.opensaml.saml2.core.AuthnContext receivedContext,
                                  SAMLMessageContext context)
                           throws org.springframework.security.authentication.InsufficientAuthenticationException
The implementation is expected to verify that the requested authentication context corresponds with the received value. The identity provider that sent the context can be loaded from the SAMLContext.

By default verification is done only for the "exact" comparison: it is checked whether the received context matches one of the requested methods.

If requestedAuthnContext is null, no verification is done.

The method can be reimplemented in subclasses.

Parameters:
requestedAuthnContext - context requested in the original request, null for unsolicited messages or when no context was required
receivedContext - context from the response message
context - saml context
Throws:
org.springframework.security.authentication.InsufficientAuthenticationException - in case expected context doesn't correspond with the received value
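As an added example (not code from the library), a subclass that uses the reimplementation hook described above to enforce an SP-side allowlist of AuthnContext classes, so that the check also covers unsolicited responses where requestedAuthnContext is null and the default performs no verification. The class name and allowlist values are hypothetical; the example assumes the OpenSAML 2 accessors AuthnContext.getAuthnContextClassRef() and AuthnContextClassRef.getAuthnContextClassRef().

```java
import java.util.Set;

import org.opensaml.saml2.core.AuthnContext;
import org.opensaml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml2.core.RequestedAuthnContext;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.websso.WebSSOProfileConsumerImpl;

/**
 * Hypothetical subclass: keeps the parent's default "exact" check and additionally
 * rejects any assertion whose AuthnContext class is not on a fixed allowlist. This
 * closes the gap where requestedAuthnContext is null (unsolicited, IDP-initiated
 * responses), for which the parent performs no context verification at all.
 */
public class AllowlistingWebSSOProfileConsumer extends WebSSOProfileConsumerImpl {

    // Constructed allowlist of SAML 2.0 AuthnContext class URIs this SP accepts.
    private final Set<String> acceptedClassRefs;

    public AllowlistingWebSSOProfileConsumer(Set<String> acceptedClassRefs) {
        this.acceptedClassRefs = acceptedClassRefs;
        // Tighten the maximum authentication age (seconds) below the 7200 default.
        setMaxAuthenticationAge(900);
    }

    @Override
    protected void verifyAuthnContext(RequestedAuthnContext requestedAuthnContext,
                                      AuthnContext receivedContext,
                                      SAMLMessageContext context)
            throws InsufficientAuthenticationException {
        // Parent check first: only active for a non-null request with "exact" comparison.
        super.verifyAuthnContext(requestedAuthnContext, receivedContext, context);

        // Then enforce the SP-side allowlist regardless of what the AuthnRequest asked for.
        String received = null;
        if (receivedContext != null) {
            AuthnContextClassRef ref = receivedContext.getAuthnContextClassRef();
            if (ref != null) {
                received = ref.getAuthnContextClassRef();
            }
        }
        if (received == null || !acceptedClassRefs.contains(received)) {
            throw new InsufficientAuthenticationException(
                    "AuthnContext class '" + received + "' is not accepted by this service provider");
        }
    }
}
```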

getMaxAuthenticationAge

public int getMaxAuthenticationAge()
Maximum time between the user's authentication and the processing of an authentication statement.

Returns:
max authentication age, defaults to 7200

setMaxAuthenticationAge

public void setMaxAuthenticationAge(int maxAuthenticationAge)
Sets the maximum time between the user's authentication and the processing of an authentication statement.

Parameters:
maxAuthenticationAge - authentication age
