org.springframework.security.saml.websso
Class WebSSOProfileConsumerImpl

java.lang.Object
  org.springframework.security.saml.websso.AbstractProfileBase
      org.springframework.security.saml.websso.WebSSOProfileConsumerImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer

Direct Known Subclasses:

WebSSOProfileConsumerHoKImpl

public class WebSSOProfileConsumerImpl
extends AbstractProfileBase
implements WebSSOProfileConsumer

Class is able to process Response objects returned from the IDP after SP initialized SSO or unsolicited response from IDP. In case the response is correctly validated and no errors are found the SAMLCredential is created.

Author:

Vladimir Schäfer

Field Summary

Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase

artifactMap, builderFactory, metadata, processor

Constructor Summary

WebSSOProfileConsumerImpl()

WebSSOProfileConsumerImpl(SAMLProcessor processor, MetadataManager manager)

Method Summary

int	getMaxAuthenticationAge() Maximum time between authentication of user and processing of an authentication statement.
String	getProfileIdentifier() Implementation are expected to provide an unique identifier for the profile this class implements.
protected Serializable	processAdditionalData(SAMLMessageContext context) This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes.
SAMLCredential	processAuthenticationResponse(SAMLMessageContext context) The input context object must have set the properties related to the returned Response, which is validated and in case no errors are found the SAMLCredential is returned.
void	setMaxAuthenticationAge(int maxAuthenticationAge) Sets maximum time between users authentication and processing of an authentication statement.
protected void	verifyAssertion(org.opensaml.saml2.core.Assertion assertion, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)
protected void	verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions, SAMLMessageContext context, boolean audienceRequired)
protected void	verifyAssertionSignature(org.opensaml.xml.signature.Signature signature, SAMLMessageContext context) Verifies signature of the assertion.
protected void	verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth, org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context) Verifies that authentication statement is valid.
protected void	verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, org.opensaml.saml2.core.AuthnContext receivedContext, SAMLMessageContext context) Implementation is expected to verify that the requested authentication context corresponds with the received value.
protected void	verifyConditions(SAMLMessageContext context, List<org.opensaml.saml2.core.Condition> conditions) Verifies conditions of the assertion which were are not understood.
protected void	verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context) Verifies validity of Subject element, only bearer confirmation is validated.

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase

afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

WebSSOProfileConsumerImpl

public WebSSOProfileConsumerImpl()

WebSSOProfileConsumerImpl

public WebSSOProfileConsumerImpl(SAMLProcessor processor,
                                 MetadataManager manager)

Method Detail

getProfileIdentifier

public String getProfileIdentifier()

Description copied from class: AbstractProfileBase

Implementation are expected to provide an unique identifier for the profile this class implements.

Specified by:

getProfileIdentifier in class AbstractProfileBase

Returns:

profile name

processAuthenticationResponse

public SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
                                             throws org.opensaml.common.SAMLException,
                                                    org.opensaml.xml.security.SecurityException,
                                                    org.opensaml.xml.validation.ValidationException,
                                                    org.opensaml.xml.encryption.DecryptionException

The input context object must have set the properties related to the returned Response, which is validated and in case no errors are found the SAMLCredential is returned.

Specified by:

processAuthenticationResponse in interface WebSSOProfileConsumer

Parameters:

context - context including response object

Returns:

SAMLCredential with information about user

Throws:

org.opensaml.common.SAMLException - in case the response is invalid

org.opensaml.xml.security.SecurityException - in the signature on response can't be verified

org.opensaml.xml.validation.ValidationException - in case the response structure is not conforming to the standard

org.opensaml.xml.encryption.DecryptionException

processAdditionalData

protected Serializable processAdditionalData(SAMLMessageContext context)
                                      throws org.opensaml.common.SAMLException

This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes. The returned object is stored inside the SAMLCredential. Implementation is responsible for ensuring compliance with the SAML specification. The method is called once all the other processing was finished and incoming message is deemed as valid.

Parameters:

context - context containing incoming message

Returns:

object to store in the credential, null by default

Throws:

org.opensaml.common.SAMLException - in case processing fails

verifyAssertion

protected void verifyAssertion(org.opensaml.saml2.core.Assertion assertion,
                               org.opensaml.saml2.core.AuthnRequest request,
                               SAMLMessageContext context)
                        throws org.springframework.security.core.AuthenticationException,
                               org.opensaml.common.SAMLException,
                               org.opensaml.xml.security.SecurityException,
                               org.opensaml.xml.validation.ValidationException,
                               org.opensaml.xml.encryption.DecryptionException

Throws:

org.springframework.security.core.AuthenticationException

org.opensaml.common.SAMLException

org.opensaml.xml.security.SecurityException

org.opensaml.xml.validation.ValidationException

org.opensaml.xml.encryption.DecryptionException

verifySubject

protected void verifySubject(org.opensaml.saml2.core.Subject subject,
                             org.opensaml.saml2.core.AuthnRequest request,
                             SAMLMessageContext context)
                      throws org.opensaml.common.SAMLException,
                             org.opensaml.xml.encryption.DecryptionException

Verifies validity of Subject element, only bearer confirmation is validated.

Parameters:

subject - subject to validate

request - request

context - context

Throws:

org.opensaml.common.SAMLException - error validating the object

org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted

verifyAssertionSignature

protected void verifyAssertionSignature(org.opensaml.xml.signature.Signature signature,
                                        SAMLMessageContext context)
                                 throws org.opensaml.common.SAMLException,
                                        org.opensaml.xml.security.SecurityException,
                                        org.opensaml.xml.validation.ValidationException

Verifies signature of the assertion. In case signature is not present and SP required signatures in metadata the exception is thrown.

Parameters:

signature - signature to verify

context - context

Throws:

org.opensaml.common.SAMLException - signature missing although required

org.opensaml.xml.security.SecurityException - signature can't be validated

org.opensaml.xml.validation.ValidationException - signature is malformed

verifyAssertionConditions

protected void verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions,
                                         SAMLMessageContext context,
                                         boolean audienceRequired)
                                  throws org.opensaml.common.SAMLException

Throws:

org.opensaml.common.SAMLException

verifyConditions

protected void verifyConditions(SAMLMessageContext context,
                                List<org.opensaml.saml2.core.Condition> conditions)
                         throws org.opensaml.common.SAMLException

Verifies conditions of the assertion which were are not understood. By default system fails in case any non-understood condition is present.

Parameters:

context - message context

conditions - conditions which were not understood

Throws:

org.opensaml.common.SAMLException - in case conditions are not empty

verifyAuthenticationStatement

protected void verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth,
                                             org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                             SAMLMessageContext context)
                                      throws org.springframework.security.core.AuthenticationException

Verifies that authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter fields.

Parameters:

auth - statement to check

requestedAuthnContext - original requested context can be null for unsolicited messages or when no context was requested

context - message context

Throws:

org.springframework.security.core.AuthenticationException - in case the statement is invalid

verifyAuthnContext

protected void verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                  org.opensaml.saml2.core.AuthnContext receivedContext,
                                  SAMLMessageContext context)
                           throws org.springframework.security.authentication.InsufficientAuthenticationException

Implementation is expected to verify that the requested authentication context corresponds with the received value. Identity provider sending the context can be loaded from the SAMLContext.

By default verification is done only for "exact" context. It is checked whether received context contains one of the requested method.

In case requestedAuthnContext is null no verification is done.

Method can be reimplemented in subclasses.

Parameters:

requestedAuthnContext - context requested in the original request, null for unsolicited messages or when no context was required

receivedContext - context from the response message

context - saml context

Throws:

org.springframework.security.authentication.InsufficientAuthenticationException - in case expected context doesn't correspond with the received value

getMaxAuthenticationAge

public int getMaxAuthenticationAge()

Maximum time between authentication of user and processing of an authentication statement.

Returns:

max authentication age, defaults to 7200

setMaxAuthenticationAge

public void setMaxAuthenticationAge(int maxAuthenticationAge)

Sets maximum time between users authentication and processing of an authentication statement.

Parameters:

maxAuthenticationAge - authentication age