org.springframework.security.saml.context

Class SAMLContextProviderImpl

java.lang.Object

org.springframework.security.saml.context.SAMLContextProviderImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, SAMLContextProvider

Direct Known Subclasses:

SAMLContextProviderLB

public class SAMLContextProviderImpl
extends Object
implements SAMLContextProvider, org.springframework.beans.factory.InitializingBean

Class is responsible for parsing HttpRequest/Response and determining which local entity (IDP/SP) is responsible for its handling.

Author:

Vladimir Schaefer

Field Summary

Fields

Modifier and Type	Field and Description
protected KeyManager	keyManager
protected static org.slf4j.Logger	log
protected MetadataManager	metadata
protected org.opensaml.security.MetadataCredentialResolver	metadataResolver
protected org.opensaml.xml.security.x509.PKIXValidationInformationResolver	pkixResolver
protected org.opensaml.xml.security.x509.PKIXTrustEvaluator	pkixTrustEvaluator
protected SAMLMessageStorageFactory	storageFactory

Constructor Summary

Constructors

Constructor and Description
SAMLContextProviderImpl()

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet() Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.
protected String	getDefaultLocalEntityId(SAMLMessageContext context, String requestURI) Returns localEntityId to be populated for the context in case alias is missing from the path
protected QName	getDefaultLocalEntityRole(SAMLMessageContext context, String requestURI) Returns localEntityRole to be populated for the context in case alias is missing from the path
SAMLMessageContext	getLocalAndPeerEntity(HttpServletRequest request, HttpServletResponse response) Creates a SAMLContext with local entity and peer values filled.
SAMLMessageContext	getLocalEntity(HttpServletRequest request, HttpServletResponse response) Creates a SAMLContext with local entity values filled.
protected void	populateDecrypter(SAMLMessageContext samlContext) Populates a decrypter based on settings in the extended metadata or using a default credential when no encryption credential is specified in the extended metadata.
protected void	populateGenericContext(HttpServletRequest request, HttpServletResponse response, SAMLMessageContext context)
protected void	populateLocalContext(SAMLMessageContext context)
protected void	populateLocalEntity(SAMLMessageContext samlContext) Method populates fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole.
protected void	populateLocalEntityId(SAMLMessageContext context, String requestURI) Method tries to load localEntityAlias and localEntityRole from the request path.
protected void	populatePeerContext(SAMLMessageContext samlContext) Populates additional information about the peer based on the previously loaded peerEntityId.
protected void	populatePeerEntityId(SAMLMessageContext context) First tries to find pre-configured IDP from the request attribute.
protected void	populatePeerSSLCredential(SAMLMessageContext samlContext) Tries to load peer SSL certificate from the inbound message transport using attribute "javax.servlet.request.X509Certificate".
protected void	populateSSLCredential(SAMLMessageContext samlContext) Populates X509 Credential used to authenticate this machine against peer servers.
protected void	populateSSLHostnameVerifier(SAMLMessageContext samlContext) Populates hostname verifier using value configured in the context provider..
protected void	populateSSLTrustEngine(SAMLMessageContext samlContext) Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.
protected void	populateTrustEngine(SAMLMessageContext samlContext) Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.
void	setKeyManager(KeyManager keyManager) Key manager provides information about private certificate and trusted keys provide in addition to cryptographic material present in entity metadata documents.
void	setMetadata(MetadataManager metadata) Metadata manager provides information about all available IDP and SP entities.
void	setMetadataResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver) Sets resolver used to populate trusted credentials from XML and Extended metadata.
void	setPkixResolver(org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver) Sets resolver used to populate data for PKIX trust engine.
void	setPkixTrustEvaluator(org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator) Trust evaluator is responsible for verifying whether to trust certificate based on PKIX verification.
void	setStorageFactory(SAMLMessageStorageFactory storageFactory) Implementation of the SAML message storage factory providing custom mechanism for storage of SAML messages such as http session, cookies or no storage at all.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected static final org.slf4j.Logger log

keyManager

protected KeyManager keyManager

metadata

protected MetadataManager metadata

metadataResolver

protected org.opensaml.security.MetadataCredentialResolver metadataResolver

pkixResolver

protected org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver

pkixTrustEvaluator

protected org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator

storageFactory

protected SAMLMessageStorageFactory storageFactory

Constructor Detail

SAMLContextProviderImpl

public SAMLContextProviderImpl()

Method Detail

getLocalEntity

public SAMLMessageContext getLocalEntity(HttpServletRequest request,
                                         HttpServletResponse response)
                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Creates a SAMLContext with local entity values filled. Also request and response must be stored in the context as message transports.

Specified by:

getLocalEntity in interface SAMLContextProvider

Parameters:

request - request

response - response

Returns:

context

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

getLocalAndPeerEntity

public SAMLMessageContext getLocalAndPeerEntity(HttpServletRequest request,
                                                HttpServletResponse response)
                                         throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Creates a SAMLContext with local entity and peer values filled. Also request and response must be stored in the context as message transports. Should be used when both local entity and peer entity can be determined from the request.

Specified by:

getLocalAndPeerEntity in interface SAMLContextProvider

Parameters:

request - request

response - response

Returns:

context

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case of metadata problems

populatePeerEntityId

protected void populatePeerEntityId(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException

First tries to find pre-configured IDP from the request attribute. If not found loads the IDP_PARAMETER from the request and if it is not null verifies whether IDP with this value is valid IDP in our circle of trust. Processing fails when IDP is not valid. IDP is set as PeerEntityId in the context.

If request parameter is null the default IDP is returned.

Parameters:

context - context to populate ID for

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case provided IDP value is invalid

populatePeerContext

protected void populatePeerContext(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Populates additional information about the peer based on the previously loaded peerEntityId.

Parameters:

samlContext - to populate

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata problem is encountered

populateGenericContext

protected void populateGenericContext(HttpServletRequest request,
                                      HttpServletResponse response,
                                      SAMLMessageContext context)
                               throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalContext

protected void populateLocalContext(SAMLMessageContext context)
                             throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException

populateLocalEntityId

protected void populateLocalEntityId(SAMLMessageContext context,
                                     String requestURI)
                              throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Method tries to load localEntityAlias and localEntityRole from the request path. Path is supposed to be in format: https(s)://server:port/application/saml/filterName/alias/aliasName/idp|sp?query. In case alias is missing from the path defaults are used. Otherwise localEntityId and sp or idp localEntityRole is entered into the context.

In case alias entity id isn't found an exception is raised.

Parameters:

context - context to populate fields localEntityId and localEntityRole for

requestURI - context path to parse entityId and entityRole from

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case entityId can't be populated

getDefaultLocalEntityId

protected String getDefaultLocalEntityId(SAMLMessageContext context,
                                         String requestURI)
                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Returns localEntityId to be populated for the context in case alias is missing from the path

Parameters:

context - context to retrieve localEntityId for

requestURI - context path to parse entityId from

Returns:

localEntityId

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case entityId can't be retrieved

getDefaultLocalEntityRole

protected QName getDefaultLocalEntityRole(SAMLMessageContext context,
                                          String requestURI)
                                   throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Returns localEntityRole to be populated for the context in case alias is missing from the path

Parameters:

context - context to retrieve localEntityRole for

requestURI - context path to parse entityRole from

Returns:

localEntityRole

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case entityRole can't be retrieved

populateLocalEntity

protected void populateLocalEntity(SAMLMessageContext samlContext)
                            throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Method populates fields localEntityId, localEntityRole, localEntityMetadata, localEntityRoleMetadata and peerEntityRole. In case fields localAlias, localEntityId, localEntiyRole or peerEntityRole are set they are used, defaults of default SP and IDP as a peer are used instead.

Parameters:

samlContext - context to populate

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - in case metadata do not contain expected entities or localAlias is specified but not found

populateSSLCredential

protected void populateSSLCredential(SAMLMessageContext samlContext)

Populates X509 Credential used to authenticate this machine against peer servers. Uses key with alias specified in extended metadata under TlsKey, when not set uses the default credential.

Parameters:

samlContext - context to populate

populateSSLHostnameVerifier

protected void populateSSLHostnameVerifier(SAMLMessageContext samlContext)

Populates hostname verifier using value configured in the context provider..

Parameters:

samlContext - context to populate

populatePeerSSLCredential

protected void populatePeerSSLCredential(SAMLMessageContext samlContext)

Tries to load peer SSL certificate from the inbound message transport using attribute "javax.servlet.request.X509Certificate". If found sets peerSSLCredential in the context.

Parameters:

samlContext - context to populate

populateDecrypter

protected void populateDecrypter(SAMLMessageContext samlContext)

Populates a decrypter based on settings in the extended metadata or using a default credential when no encryption credential is specified in the extended metadata.

Parameters:

samlContext - context to populate decryptor for.

populateTrustEngine

protected void populateTrustEngine(SAMLMessageContext samlContext)

Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata.

Parameters:

samlContext - context to populate

populateSSLTrustEngine

protected void populateSSLTrustEngine(SAMLMessageContext samlContext)

Based on the settings in the extended metadata either creates a PKIX trust engine with trusted keys specified in the extended metadata as anchors or (by default) an explicit trust engine using data from the metadata or from the values overridden in the ExtendedMetadata. The trust engine is used to verify SSL connections.

Parameters:

samlContext - context to populate

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

Metadata manager provides information about all available IDP and SP entities.

Parameters:

metadata - metadata mangaer

setKeyManager

@Autowired
public void setKeyManager(KeyManager keyManager)

Key manager provides information about private certificate and trusted keys provide in addition to cryptographic material present in entity metadata documents.

Parameters:

keyManager - key manager

setPkixResolver

public void setPkixResolver(org.opensaml.xml.security.x509.PKIXValidationInformationResolver pkixResolver)

Sets resolver used to populate data for PKIX trust engine. Trust anchors are internally cached. They get populated using configured MetadataResolver and enhanced with trustedKeys from the ExtendedMetadata. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.PKIXInformationResolver) loads trust anchors from both metadata and extended metadata of the peer entity. In case ExtendedMetadata doesn't define any trustedKeys (property trustedKeys is null which is the default), system will use all certificates available in the configured keyStore as trust anchors.

Parameters:

pkixResolver - pkix resolver

See Also:

PKIXInformationResolver

setPkixTrustEvaluator

public void setPkixTrustEvaluator(org.opensaml.xml.security.x509.PKIXTrustEvaluator pkixTrustEvaluator)

Trust evaluator is responsible for verifying whether to trust certificate based on PKIX verification. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.CertPathPKIXTrustEvaluator) uses Java CertPath API to perform the verification. The default implementation can be constructed with an instance of org.opensaml.xml.security.x509.CertPathPKIXValidationOptions which further customizes the PKIX process, e.g. in regard to certificate expiration checking. It is also possible to customize the security provider to use for loading of the CertPath API factories.

Parameters:

pkixTrustEvaluator - pkix trust evaluator

See Also:

CertPathPKIXTrustEvaluator

setMetadataResolver

public void setMetadataResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver)

Sets resolver used to populate trusted credentials from XML and Extended metadata. Metadata resolver is used as the only resolver for MetaIOP security profile. It is also used for loading of trusted anchors in the PKIX profile. System uses default configuration when property is not set. Default implementation (org.springframework.security.saml.trust.MetadataCredentialResolver) populates trusted certificates from both peer metadata and peer extended metadata (properties signingKey, encryptionKey and tlsKey).

Parameters:

metadataResolver - metaiop resolver

See Also:

MetadataCredentialResolver

setStorageFactory

@Autowired(required=false)
public void setStorageFactory(SAMLMessageStorageFactory storageFactory)

Implementation of the SAML message storage factory providing custom mechanism for storage of SAML messages such as http session, cookies or no storage at all.

Parameters:

storageFactory - storage factory

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException

Verifies that required entities were autowired or set and initializes resolvers used to construct trust engines.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

ServletException