org.springframework.security.saml.websso
Class SingleLogoutProfileImpl

java.lang.Object
  org.springframework.security.saml.websso.AbstractProfileBase
      org.springframework.security.saml.websso.SingleLogoutProfileImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, SingleLogoutProfile

public class SingleLogoutProfileImpl
extends AbstractProfileBase
implements SingleLogoutProfile

Implementation of the SAML 2.0 Single Logout profile.

Author:

Vladimir Schaefer

Field Summary

Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase

artifactMap, builderFactory, metadata, processor

Constructor Summary

SingleLogoutProfileImpl()

Method Summary

protected org.opensaml.saml2.core.LogoutRequest	getLogoutRequest(SAMLMessageContext context, SAMLCredential credential, org.opensaml.saml2.metadata.Endpoint bindingService) Returns logout request message ready to be sent to the IDP.
protected org.opensaml.saml2.core.NameID	getNameID(SAMLMessageContext context, org.opensaml.saml2.core.LogoutRequest request)
String	getProfileIdentifier() Implementation are expected to provide an unique identifier for the profile this class implements.
boolean	processLogoutRequest(SAMLMessageContext context, SAMLCredential credential) Implementer must ensure that the incoming LogoutRequest stored in the context is verified and return true if local logout should be executed.
void	processLogoutResponse(SAMLMessageContext context) Implementer is responsible for processing of LogoutResponse message present in the context.
void	sendLogoutRequest(SAMLMessageContext context, SAMLCredential credential) Call to the method must ensure that LogoutRequest SAML message is sent to the IDP requesting global logout of all known sessions.
protected void	sendLogoutResponse(org.opensaml.saml2.core.Status status, SAMLMessageContext context)

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase

afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SingleLogoutProfileImpl

public SingleLogoutProfileImpl()

Method Detail

getProfileIdentifier

public String getProfileIdentifier()

Description copied from class: AbstractProfileBase

Implementation are expected to provide an unique identifier for the profile this class implements.

Specified by:

getProfileIdentifier in class AbstractProfileBase

Returns:

profile name

sendLogoutRequest

public void sendLogoutRequest(SAMLMessageContext context,
                              SAMLCredential credential)
                       throws org.opensaml.common.SAMLException,
                              org.opensaml.saml2.metadata.provider.MetadataProviderException,
                              org.opensaml.ws.message.encoder.MessageEncodingException

Description copied from interface: SingleLogoutProfile

Call to the method must ensure that LogoutRequest SAML message is sent to the IDP requesting global logout of all known sessions.

Specified by:

sendLogoutRequest in interface SingleLogoutProfile

Parameters:

context - processing context

credential - credential of the currently logged user

Throws:

org.opensaml.common.SAMLException - in case logout request can't be created

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case idp metadata can't be resolved

org.opensaml.ws.message.encoder.MessageEncodingException - in case message can't be sent using given binding

getLogoutRequest

protected org.opensaml.saml2.core.LogoutRequest getLogoutRequest(SAMLMessageContext context,
                                                                 SAMLCredential credential,
                                                                 org.opensaml.saml2.metadata.Endpoint bindingService)
                                                          throws org.opensaml.common.SAMLException,
                                                                 org.opensaml.saml2.metadata.provider.MetadataProviderException

Returns logout request message ready to be sent to the IDP.

Parameters:

context - message context

credential - information about assertions used to log current user in

bindingService - service used to deliver the request

Returns:

logoutRequest to be sent to IDP

Throws:

org.opensaml.common.SAMLException - error creating the message

org.opensaml.saml2.metadata.provider.MetadataProviderException - error retrieving metadata

processLogoutRequest

public boolean processLogoutRequest(SAMLMessageContext context,
                                    SAMLCredential credential)
                             throws org.opensaml.common.SAMLException,
                                    org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                    org.opensaml.ws.message.encoder.MessageEncodingException

Description copied from interface: SingleLogoutProfile

Implementer must ensure that the incoming LogoutRequest stored in the context is verified and return true if local logout should be executed. Method must send LogoutResponse message to the sender in any case.

Specified by:

processLogoutRequest in interface SingleLogoutProfile

Parameters:

context - context containing SAML message being processed

credential - credential of the currently logged user

Returns:

true if local logout should be performed

Throws:

org.opensaml.common.SAMLException - in case message is invalid and response can't be sent back

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case there are problems with determining idp metadata

org.opensaml.ws.message.encoder.MessageEncodingException - in case message can't be sent

sendLogoutResponse

protected void sendLogoutResponse(org.opensaml.saml2.core.Status status,
                                  SAMLMessageContext context)
                           throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                                  org.opensaml.common.SAMLException,
                                  org.opensaml.ws.message.encoder.MessageEncodingException

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException

org.opensaml.common.SAMLException

org.opensaml.ws.message.encoder.MessageEncodingException

getNameID

protected org.opensaml.saml2.core.NameID getNameID(SAMLMessageContext context,
                                                   org.opensaml.saml2.core.LogoutRequest request)
                                            throws org.opensaml.xml.encryption.DecryptionException

Throws:

org.opensaml.xml.encryption.DecryptionException

processLogoutResponse

public void processLogoutResponse(SAMLMessageContext context)
                           throws org.opensaml.common.SAMLException,
                                  org.opensaml.xml.security.SecurityException,
                                  org.opensaml.xml.validation.ValidationException

Description copied from interface: SingleLogoutProfile

Implementer is responsible for processing of LogoutResponse message present in the context. In case the message is invalid exception should be raised, although this doesn't mean any problem to the processing, as logout has already been executed.

Specified by:

processLogoutResponse in interface SingleLogoutProfile

Parameters:

context - context containing processed SAML message

Throws:

org.opensaml.common.SAMLException - in case the received SAML message is malformed or invalid

org.opensaml.xml.security.SecurityException - in case the signature of the message is not trusted

org.opensaml.xml.validation.ValidationException - in case the signature of the message is invalid