org.springframework.security.saml

Class SAMLEntryPoint

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.saml.SAMLEntryPoint

All Implemented Interfaces:

javax.servlet.Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.security.web.AuthenticationEntryPoint, org.springframework.web.context.ServletContextAware

public class SAMLEntryPoint
extends org.springframework.web.filter.GenericFilterBean
implements org.springframework.security.web.AuthenticationEntryPoint

Class initializes SAML WebSSO Profile, IDP Discovery or ECP Profile from the SP side. Configuration of the local service provider and incoming request determines which profile will get invoked.

There are two ways the entry point can get invoked. Either user accesses a URL configured to require some degree of authentication and throws AuthenticationException which is handled and invokes the entry point. The other way is direct invocation of the entry point by accessing the /saml/login URL.

Author:

Vladimir Schaefer

Field Summary

Fields

Modifier and Type	Field and Description
protected SAMLContextProvider	contextProvider
protected WebSSOProfileOptions	defaultOptions
static java.lang.String	DISCOVERY_RESPONSE_PARAMETER Parameter is used to indicate response from IDP discovery service.
static java.lang.String	FILTER_URL Default name of path suffix which will invoke this filter.
protected java.lang.String	filterProcessesUrl Url this filter should get activated on.
static java.lang.String	IDP_PARAMETER Name of parameter of HttpRequest telling entry point that the login should use specified idp.
protected static org.slf4j.Logger	log
protected MetadataManager	metadata
protected SAMLDiscovery	samlDiscovery
protected SAMLLogger	samlLogger
protected WebSSOProfile	webSSOprofile
protected WebSSOProfile	webSSOprofileECP
protected WebSSOProfile	webSSOprofileHoK

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
SAMLEntryPoint()

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet() Verifies that required entities were autowired or set.
void	commence(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, org.springframework.security.core.AuthenticationException e) Method starts a process used to ultimately authenticate user using WebSSO Profile.
void	doFilter(javax.servlet.ServletRequest request, javax.servlet.ServletResponse response, javax.servlet.FilterChain chain)
java.lang.String	getFilterProcessesUrl()
protected WebSSOProfileOptions	getProfileOptions(SAMLMessageContext context, org.springframework.security.core.AuthenticationException exception) Method is supposed to populate preferences used to construct the SAML message.
protected void	initializeDiscovery(SAMLMessageContext context) Method initializes IDP Discovery Profile as defined in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf It is presumed that metadata of the local Service Provider contains discovery return address.
protected void	initializeECP(SAMLMessageContext context, org.springframework.security.core.AuthenticationException e) Initializes ECP profile.
protected void	initializeSSO(SAMLMessageContext context, org.springframework.security.core.AuthenticationException e) WebSSO profile or WebSSO Holder-of-Key profile.
protected boolean	isDiscovery(SAMLMessageContext context) Determines whether IDP Discovery should be initialized.
protected boolean	isECP(SAMLMessageContext context) Determines whether ECP profile should get initialized.
protected boolean	processFilter(javax.servlet.http.HttpServletRequest request) The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.
void	setContextProvider(SAMLContextProvider contextProvider) Sets entity responsible for populating local entity context data.
void	setDefaultProfileOptions(WebSSOProfileOptions defaultOptions) Sets object which determines default values to be used as basis for construction during getProfileOptions call.
void	setFilterProcessesUrl(java.lang.String filterProcessesUrl) Custom filter URL which overrides the default.
void	setMetadata(MetadataManager metadata) Metadata manager, cannot be null, must be set.
void	setSamlDiscovery(SAMLDiscovery samlDiscovery) Dependency for loading of discovery URL
void	setSamlLogger(SAMLLogger samlLogger) Logger for SAML events, cannot be null, must be set.
void	setWebSSOprofile(WebSSOProfile webSSOprofile) Profile for consumption of processed messages, cannot be null, must be set.
void	setWebSSOprofileECP(WebSSOProfile webSSOprofileECP)
void	setWebSSOprofileHoK(WebSSOProfile webSSOprofileHoK)

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected static final org.slf4j.Logger log

defaultOptions

protected WebSSOProfileOptions defaultOptions

webSSOprofile

protected WebSSOProfile webSSOprofile

webSSOprofileECP

protected WebSSOProfile webSSOprofileECP

webSSOprofileHoK

protected WebSSOProfile webSSOprofileHoK

metadata

protected MetadataManager metadata

samlLogger

protected SAMLLogger samlLogger

contextProvider

protected SAMLContextProvider contextProvider

samlDiscovery

protected SAMLDiscovery samlDiscovery

filterProcessesUrl

protected java.lang.String filterProcessesUrl

Url this filter should get activated on.

FILTER_URL

public static final java.lang.String FILTER_URL

Default name of path suffix which will invoke this filter.

See Also:

Constant Field Values

IDP_PARAMETER

public static final java.lang.String IDP_PARAMETER

Name of parameter of HttpRequest telling entry point that the login should use specified idp.

See Also:

Constant Field Values

DISCOVERY_RESPONSE_PARAMETER

public static final java.lang.String DISCOVERY_RESPONSE_PARAMETER

Parameter is used to indicate response from IDP discovery service. When present IDP discovery is not invoked again.

See Also:

Constant Field Values

Constructor Detail

SAMLEntryPoint

public SAMLEntryPoint()

Method Detail

doFilter

public void doFilter(javax.servlet.ServletRequest request,
                     javax.servlet.ServletResponse response,
                     javax.servlet.FilterChain chain)
              throws java.io.IOException,
                     javax.servlet.ServletException

Specified by:

doFilter in interface javax.servlet.Filter

Throws:

java.io.IOException

javax.servlet.ServletException

processFilter

protected boolean processFilter(javax.servlet.http.HttpServletRequest request)

The filter will be used in case the URL of the request contains the DEFAULT_FILTER_URL.

Parameters:

request - request used to determine whether to enable this filter

Returns:

true if this filter should be used

commence

public void commence(javax.servlet.http.HttpServletRequest request,
                     javax.servlet.http.HttpServletResponse response,
                     org.springframework.security.core.AuthenticationException e)
              throws java.io.IOException,
                     javax.servlet.ServletException

Method starts a process used to ultimately authenticate user using WebSSO Profile. First task of the mechanism is to determine which IDP to use. Available options are: let the user agent determine IDP for us (ECP profile), use IDP discovery to determine IDP (or accept a predefined IDP in request), or use the default IDP. The following logic is used to determine our case:

• In case IDP wasn't determined in contextProvider and discovery is enabled and the current request doesn't already contain IDP information then IDP Discovery is initialized
• In case request supports Enhanced Client or Proxy as per SAML specification and ECP is supported authentication is initialized using ECP.
• In case IDP is available WebSSO or HoKWebSSO is initialized otherwise we fail during SSO initialization.

By default contextProvider determines IDP to use by parameter "idp". In case parameter is missing the defaultIDP is used instead.

Subclasses can customize the WebSSO initialization behavior.

Specified by:

commence in interface org.springframework.security.web.AuthenticationEntryPoint

Parameters:

request - request

response - response

e - exception causing this entry point to be invoked or null when EntryPoint is invoked directly

Throws:

java.io.IOException - error sending response

javax.servlet.ServletException - error initializing SAML protocol

initializeECP

protected void initializeECP(SAMLMessageContext context,
                             org.springframework.security.core.AuthenticationException e)
                      throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                             org.opensaml.common.SAMLException,
                             org.opensaml.ws.message.encoder.MessageEncodingException

Initializes ECP profile.

Subclasses can alter the initialization behaviour.

Parameters:

context - saml context, also containing wrapped request and response objects

e - exception causing the entry point to be invoked (if any)

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata can't be queried

org.opensaml.common.SAMLException - in case message sending fails

org.opensaml.ws.message.encoder.MessageEncodingException - in case SAML message encoding fails

initializeSSO

protected void initializeSSO(SAMLMessageContext context,
                             org.springframework.security.core.AuthenticationException e)
                      throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                             org.opensaml.common.SAMLException,
                             org.opensaml.ws.message.encoder.MessageEncodingException

WebSSO profile or WebSSO Holder-of-Key profile. Selection is made based on the settings of the Service Provider. In case Enhanced Client/Proxy is enabled and the request claims to support this profile it is used. Otherwise it is verified what is the binding and profile specified for the assertionConsumerIndex in the WebSSOProfileOptions. In case it is HoK the WebSSO Holder-of-Key profile is used, otherwise the ordinary WebSSO.

Subclasses can alter the initialization behaviour.

Parameters:

context - saml context, also containing wrapped request and response objects

e - exception causing the entry point to be invoked (if any)

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata can't be queried

org.opensaml.common.SAMLException - in case message sending fails

org.opensaml.ws.message.encoder.MessageEncodingException - in case SAML message encoding fails

initializeDiscovery

protected void initializeDiscovery(SAMLMessageContext context)
                            throws javax.servlet.ServletException,
                                   java.io.IOException,
                                   org.opensaml.saml2.metadata.provider.MetadataProviderException

Method initializes IDP Discovery Profile as defined in http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf It is presumed that metadata of the local Service Provider contains discovery return address.

Parameters:

context - saml context also containing request and response objects

Throws:

javax.servlet.ServletException - error

java.io.IOException - io error

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata of the local entity can't be populated

getProfileOptions

protected WebSSOProfileOptions getProfileOptions(SAMLMessageContext context,
                                                 org.springframework.security.core.AuthenticationException exception)
                                          throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Method is supposed to populate preferences used to construct the SAML message. Method can be overridden to provide logic appropriate for given application. In case defaultOptions object was set it will be used as basis for construction and request specific values will be update (idp field).

Parameters:

context - containing local entity

exception - exception causing invocation of this entry point (can be null)

Returns:

populated webSSOprofile

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata loading fails

setDefaultProfileOptions

public void setDefaultProfileOptions(WebSSOProfileOptions defaultOptions)

Sets object which determines default values to be used as basis for construction during getProfileOptions call.

Parameters:

defaultOptions - default object to use for options construction

isDiscovery

protected boolean isDiscovery(SAMLMessageContext context)

Determines whether IDP Discovery should be initialized. By default no user-selected IDP must be present in the context, IDP Discovery must be enabled and the request mustn't be a response from IDP Discovery in order for the method to return true.

Parameters:

context - context

Returns:

true if IDP Discovery should get initialized

isECP

protected boolean isECP(SAMLMessageContext context)

Determines whether ECP profile should get initialized. By default ECP is used when request declares supports for ECP and ECP is allowed for the current service provider. In case ECP is enabled but webSSOprofileECP wasn't set a warning is logged and ECP is not used.

Parameters:

context - context

Returns:

true if ECP profile should get initialized

setWebSSOprofile

@Autowired
 @Qualifier(value="webSSOprofile")
public void setWebSSOprofile(WebSSOProfile webSSOprofile)

Profile for consumption of processed messages, cannot be null, must be set.

Parameters:

webSSOprofile - profile

setWebSSOprofileECP

@Autowired(required=false)
 @Qualifier(value="ecpprofile")
public void setWebSSOprofileECP(WebSSOProfile webSSOprofileECP)

setWebSSOprofileHoK

@Autowired(required=false)
 @Qualifier(value="hokWebSSOProfile")
public void setWebSSOprofileHoK(WebSSOProfile webSSOprofileHoK)

setSamlLogger

@Autowired
public void setSamlLogger(SAMLLogger samlLogger)

Logger for SAML events, cannot be null, must be set.

Parameters:

samlLogger - logger

setSamlDiscovery

@Autowired(required=false)
public void setSamlDiscovery(SAMLDiscovery samlDiscovery)

Dependency for loading of discovery URL

Parameters:

samlDiscovery - saml discovery endpoint

setContextProvider

@Autowired
public void setContextProvider(SAMLContextProvider contextProvider)

Sets entity responsible for populating local entity context data.

Parameters:

contextProvider - provider implementation

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

Metadata manager, cannot be null, must be set.

Parameters:

metadata - manager

getFilterProcessesUrl

public java.lang.String getFilterProcessesUrl()

Returns:

filter URL

setFilterProcessesUrl

public void setFilterProcessesUrl(java.lang.String filterProcessesUrl)

Custom filter URL which overrides the default. Filter url determines URL where filter starts processing.

Parameters:

filterProcessesUrl - filter URL

afterPropertiesSet

public void afterPropertiesSet()
                        throws javax.servlet.ServletException

Verifies that required entities were autowired or set.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Overrides:

afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

Throws:

javax.servlet.ServletException