org.springframework.security.saml

Class SAMLAuthenticationProvider

java.lang.Object

org.springframework.security.saml.SAMLAuthenticationProvider

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, org.springframework.security.authentication.AuthenticationProvider

public class SAMLAuthenticationProvider
extends Object
implements org.springframework.security.authentication.AuthenticationProvider, org.springframework.beans.factory.InitializingBean

Authentication provider is capable of verifying validity of a SAMLAuthenticationToken and in case the token is valid to create an authenticated UsernamePasswordAuthenticationToken.

Author:

Vladimir Schafer

Field Summary

Fields

Modifier and Type	Field and Description
protected WebSSOProfileConsumer	consumer
protected WebSSOProfileConsumer	hokConsumer
protected SAMLLogger	samlLogger
protected SAMLUserDetailsService	userDetails

Constructor Summary

Constructors

Constructor and Description
SAMLAuthenticationProvider()

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet() Verifies that required entities were autowired or set.
org.springframework.security.core.Authentication	authenticate(org.springframework.security.core.Authentication authentication) Attempts to perform authentication of an Authentication object.
protected Collection<? extends org.springframework.security.core.GrantedAuthority>	getEntitlements(SAMLCredential credential, Object userDetail) Method is responsible for returning collection of users entitlements.
protected Date	getExpirationDate(SAMLCredential credential) Parses the SAMLCredential for expiration time.
protected Object	getPrincipal(SAMLCredential credential, Object userDetail) Method determines what will be stored as principal of the created Authentication object.
SAMLUserDetailsService	getUserDetails() Returns saml user details service used to load information about logged user from SAML data.
protected Object	getUserDetails(SAMLCredential credential) Populates user data from SAMLCredential into UserDetails object.
boolean	isExcludeCredential()
boolean	isForcePrincipalAsString()
void	setConsumer(WebSSOProfileConsumer consumer) Profile for consumption of processed messages, must be set.
void	setExcludeCredential(boolean excludeCredential) When false (default) the resulting Authentication object will include instance of SAMLCredential as a credential value.
void	setForcePrincipalAsString(boolean forcePrincipalAsString) By default principal in the returned Authentication object is the NameID included in the authenticated Assertion.
void	setHokConsumer(WebSSOProfileConsumer hokConsumer) Profile for consumption of processed messages using the Holder-of-Key profile, must be set.
void	setSamlLogger(SAMLLogger samlLogger) Logger for SAML events, cannot be null, must be set.
void	setUserDetails(SAMLUserDetailsService userDetails) The user details can be optionally set and is automatically called while user SAML assertion is validated.
boolean	supports(Class aClass) SAMLAuthenticationToken is the only supported token.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

consumer

protected WebSSOProfileConsumer consumer

hokConsumer

protected WebSSOProfileConsumer hokConsumer

samlLogger

protected SAMLLogger samlLogger

userDetails

protected SAMLUserDetailsService userDetails

Constructor Detail

SAMLAuthenticationProvider

public SAMLAuthenticationProvider()

Method Detail

authenticate

public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
                                                              throws org.springframework.security.core.AuthenticationException

Attempts to perform authentication of an Authentication object. The authentication must be of type SAMLAuthenticationToken and must contain filled SAMLMessageContext. If the SAML inbound message in the context is valid, UsernamePasswordAuthenticationToken with name given in the SAML message NameID and assertion used to verify the user as credential (SAMLCredential object) is created and set as authenticated.

Specified by:

authenticate in interface org.springframework.security.authentication.AuthenticationProvider

Parameters:

authentication - SAMLAuthenticationToken to verify

Returns:

UsernamePasswordAuthenticationToken with name as NameID value and SAMLCredential as credential object

Throws:

org.springframework.security.core.AuthenticationException - user can't be authenticated due to an error

getUserDetails

protected Object getUserDetails(SAMLCredential credential)

Populates user data from SAMLCredential into UserDetails object. By default supplied implementation of the SAMLUserDetailsService is called and value of type UserDetails is returned. Users are encouraged to supply implementation of this class and also include correct implementation of the getAuthorities method in it, which is used to populate the entitlements inside the Authentication object.

If no SAMLUserDetailsService is specified null is returned.

Parameters:

credential - credential to load user from

Returns:

user details object corresponding to the SAML credential or null if data can't be loaded

getPrincipal

protected Object getPrincipal(SAMLCredential credential,
                              Object userDetail)

Method determines what will be stored as principal of the created Authentication object. By default (when forcePrincipalAsString is true) string representation of the NameID returned from SAML message is used. Otherwise userDetail object is used, when set, when not NameID object from the credential is returned. Other implementations can be created by overriding the method.

Parameters:

credential - credential used to authenticate user

userDetail - loaded user details, can be null

Returns:

principal to store inside Authentication object

getEntitlements

protected Collection<? extends org.springframework.security.core.GrantedAuthority> getEntitlements(SAMLCredential credential,
                                                                                                   Object userDetail)

Method is responsible for returning collection of users entitlements. Default implementation verifies whether userDetail object is of UserDetails type and returns userDetail.getAuthorities().

In case object of other type is found empty list is returned. Users are supposed to override this method to provide custom parsing is such case.

Parameters:

credential - credential used to authenticate user during SSO

userDetail - user detail object returned from getUserDetails call

Returns:

collection of users entitlements, mustn't be null

getExpirationDate

protected Date getExpirationDate(SAMLCredential credential)

Parses the SAMLCredential for expiration time. Locates all AuthnStatements present within the assertion (only one in most cases) and computes the expiration based on sessionNotOnOrAfter field.

Parameters:

credential - credential to use for expiration parsing.

Returns:

null if no expiration is present, expiration time onOrAfter which the token is not valid anymore

getUserDetails

public SAMLUserDetailsService getUserDetails()

Returns saml user details service used to load information about logged user from SAML data.

Returns:

service or null if not set

supports

public boolean supports(Class aClass)

SAMLAuthenticationToken is the only supported token.

Specified by:

supports in interface org.springframework.security.authentication.AuthenticationProvider

Parameters:

aClass - class to check for support

Returns:

true if class is of type SAMLAuthenticationToken

setUserDetails

@Autowired(required=false)
public void setUserDetails(SAMLUserDetailsService userDetails)

The user details can be optionally set and is automatically called while user SAML assertion is validated.

Parameters:

userDetails - user details

setSamlLogger

@Autowired
public void setSamlLogger(SAMLLogger samlLogger)

Logger for SAML events, cannot be null, must be set.

Parameters:

samlLogger - logger

setConsumer

@Autowired
 @Qualifier(value="webSSOprofileConsumer")
public void setConsumer(WebSSOProfileConsumer consumer)

Profile for consumption of processed messages, must be set.

Parameters:

consumer - consumer

setHokConsumer

@Autowired
 @Qualifier(value="hokWebSSOprofileConsumer")
public void setHokConsumer(WebSSOProfileConsumer hokConsumer)

Profile for consumption of processed messages using the Holder-of-Key profile, must be set.

Parameters:

hokConsumer - holder-of-key consumer

isForcePrincipalAsString

public boolean isForcePrincipalAsString()

setForcePrincipalAsString

public void setForcePrincipalAsString(boolean forcePrincipalAsString)

By default principal in the returned Authentication object is the NameID included in the authenticated Assertion. The NameID is not serializable. Setting this value to true will force the NameID value to be a String.

Parameters:

forcePrincipalAsString - true to force principal to be a String

isExcludeCredential

public boolean isExcludeCredential()

setExcludeCredential

public void setExcludeCredential(boolean excludeCredential)

When false (default) the resulting Authentication object will include instance of SAMLCredential as a credential value. The credential includes information related to the authentication process, received attributes and is required for Single Logout. In case your application doesn't require the credential, it is possible to exclude it from the Authentication object by setting this flag to true.

Parameters:

excludeCredential - false to include credential in the Authentication object, true to exclude it

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException

Verifies that required entities were autowired or set.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

ServletException