org.springframework.security.saml

Class SAMLDiscovery

java.lang.Object

org.springframework.web.filter.GenericFilterBean

org.springframework.security.saml.SAMLDiscovery

All Implemented Interfaces:

Filter, org.springframework.beans.factory.Aware, org.springframework.beans.factory.BeanNameAware, org.springframework.beans.factory.DisposableBean, org.springframework.beans.factory.InitializingBean, org.springframework.context.EnvironmentAware, org.springframework.core.env.EnvironmentCapable, org.springframework.web.context.ServletContextAware

public class SAMLDiscovery
extends org.springframework.web.filter.GenericFilterBean

Filter implements Identity Provider Discovery Service and Profile as defined in https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf.

Author:

Vladimir Schaefer

Field Summary

Fields

Modifier and Type	Field and Description
protected SAMLContextProvider	contextProvider Context provider.
static String	ENTITY_ID_PARAM Unique identifier of the party performing the request.
static String	FILTER_URL Default name of path suffix which will invoke this filter.
protected String	filterProcessesUrl Url this filter should get activated on.
static String	IDP_DISCO_PROTOCOL_SINGLE Default profile of the discovery service.
protected String	idpSelectionPath In case this property is set to not null value the user will be redirected to this URL for selection of IDP to use for login.
protected static org.slf4j.Logger	log
protected MetadataManager	metadata Metadata manager used to look up entity IDs and discovery URLs.
static String	PASSIVE_PARAM Request parameter indicating whether discovery service can interact with the user agent.
static String	POLICY_PARAM Policy to use in order to determine IDP.
static String	RETURN_ID_PARAM Request parameter specifying which response attribute to use for conveying the determined IDP name.
static String	RETURN_PARAM Used to store return parameter in the forwarded request object.
static String	RETURN_URL Used to store return URL in the forwarded request object.
static String	RETURN_URL_PARAM URL used by the discovery service to send the response.
protected SAMLEntryPoint	samlEntryPoint Entry point dependency for loading of correct URL.

Fields inherited from class org.springframework.web.filter.GenericFilterBean

logger

Constructor Summary

Constructors

Constructor and Description
SAMLDiscovery()

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet() Verifies that required entities were autowired or set.
void	doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
protected String	getDefaultReturnURL(SAMLMessageContext messageContext) Provides default return URL based on metadata in case none was supplied in the request.
String	getFilterProcessesUrl()
String	getIdpSelectionPath() Path used to forward request in order to enable target IDP selection
protected String	getPassiveIDP(HttpServletRequest request) Returns IDP to be used in passive mode.
protected boolean	isResponseURLValid(String returnURL, SAMLMessageContext messageContext) Verifies whether return URL supplied in the request is valid.
protected void	processDiscoveryRequest(HttpServletRequest request, HttpServletResponse response) Method processes IDP Discovery request, validates it for conformity and either sends a passive response with default IDP (when isPassive mode is requested) or forwards browser to the IDP selection.
protected boolean	processFilter(HttpServletRequest request) The filter will be used in case the URL of the request contains the FILTER_URL.
protected void	sendIDPSelection(HttpServletRequest request, HttpServletResponse response, String responseURL, String returnParam) Forward the request to a page which renders IDP selection page for the user.
protected void	sendPassiveResponse(HttpServletRequest request, HttpServletResponse response, String responseURL, String returnParam, String entityID) Creates a URL to be used for returning of the selected IDP and sends a redirect.
void	setContextProvider(SAMLContextProvider contextProvider) Sets entity responsible for populating local entity context data.
void	setFilterProcessesUrl(String filterProcessesUrl) Custom filter URL which overrides the default.
void	setIdpSelectionPath(String idpSelectionPath) Sets path where request dispatcher will send user for IDP selection.
void	setMetadata(MetadataManager metadata) Metadata manager, cannot be null, must be set.
void	setSamlEntryPoint(SAMLEntryPoint samlEntryPoint) Dependency for loading of entry point URL

Methods inherited from class org.springframework.web.filter.GenericFilterBean

addRequiredProperty, createEnvironment, destroy, getEnvironment, getFilterConfig, getFilterName, getServletContext, init, initBeanWrapper, initFilterBean, setBeanName, setEnvironment, setServletContext

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected static final org.slf4j.Logger log

RETURN_URL

public static final String RETURN_URL

Used to store return URL in the forwarded request object.

See Also:

Constant Field Values

RETURN_PARAM

public static final String RETURN_PARAM

Used to store return parameter in the forwarded request object.

See Also:

Constant Field Values

ENTITY_ID_PARAM

public static final String ENTITY_ID_PARAM

Unique identifier of the party performing the request. Part of IDP Disco specification.

See Also:

Constant Field Values

RETURN_URL_PARAM

public static final String RETURN_URL_PARAM

URL used by the discovery service to send the response. Value is verified against metadata of the requesting entity. URL can contain additional query part, but mustn't include the same attribute as specified in returnIdParam. Part of IDP Disco specification.

See Also:

Constant Field Values

RETURN_ID_PARAM

public static final String RETURN_ID_PARAM

Request parameter specifying which response attribute to use for conveying the determined IDP name. Uses "entityID" when empty. Part of IDP Disco specification.

See Also:

Constant Field Values

POLICY_PARAM

public static final String POLICY_PARAM

Policy to use in order to determine IDP. Only the default IDP_DISCO_PROTOCOL_SINGLE is supported and is also used when policy request attribute is unspecified. Part of IDP Disco specification.

See Also:

Constant Field Values

PASSIVE_PARAM

public static final String PASSIVE_PARAM

Request parameter indicating whether discovery service can interact with the user agent. Allowed values are "true" or "false" Set to "false" when unspecified. Part of IDP Disco specification.

See Also:

Constant Field Values

idpSelectionPath

protected String idpSelectionPath

In case this property is set to not null value the user will be redirected to this URL for selection of IDP to use for login. In case it is null user will be redirected to the default IDP.

metadata

protected MetadataManager metadata

Metadata manager used to look up entity IDs and discovery URLs.

contextProvider

protected SAMLContextProvider contextProvider

Context provider.

samlEntryPoint

protected SAMLEntryPoint samlEntryPoint

Entry point dependency for loading of correct URL.

filterProcessesUrl

protected String filterProcessesUrl

Url this filter should get activated on.

FILTER_URL

public static final String FILTER_URL

Default name of path suffix which will invoke this filter.

See Also:

Constant Field Values

IDP_DISCO_PROTOCOL_SINGLE

public static final String IDP_DISCO_PROTOCOL_SINGLE

Default profile of the discovery service.

See Also:

Constant Field Values

Constructor Detail

SAMLDiscovery

public SAMLDiscovery()

Method Detail

doFilter

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
              throws IOException,
                     ServletException

Throws:

IOException

ServletException

processFilter

protected boolean processFilter(HttpServletRequest request)

The filter will be used in case the URL of the request contains the FILTER_URL.

Parameters:

request - request used to determine whether to enable this filter

Returns:

true if this filter should be used

processDiscoveryRequest

protected void processDiscoveryRequest(HttpServletRequest request,
                                       HttpServletResponse response)
                                throws IOException,
                                       ServletException

Method processes IDP Discovery request, validates it for conformity and either sends a passive response with default IDP (when isPassive mode is requested) or forwards browser to the IDP selection. By default the page located at idpSelectionPath is included.

Parameters:

request - request

response - response

Throws:

ServletException - error

IOException - io error

sendPassiveResponse

protected void sendPassiveResponse(HttpServletRequest request,
                                   HttpServletResponse response,
                                   String responseURL,
                                   String returnParam,
                                   String entityID)
                            throws IOException,
                                   ServletException

Creates a URL to be used for returning of the selected IDP and sends a redirect.

Parameters:

request - request object

response - response object

responseURL - base for the return URL

returnParam - parameter name to send the IDP entityId in

entityID - entity ID to send or null for fail state

Throws:

IOException - in case redirect sending fails

ServletException - in case redirect sending fails

sendIDPSelection

protected void sendIDPSelection(HttpServletRequest request,
                                HttpServletResponse response,
                                String responseURL,
                                String returnParam)
                         throws IOException,
                                ServletException

Forward the request to a page which renders IDP selection page for the user. The URL for redirect and param for IDP selection are included as request attributes under keys with constant names RETURN_URL and RETURN_PARAM.

Parameters:

request - request object

response - response object

responseURL - base for the return URL

returnParam - parameter name to send the IDP entityId in

Throws:

IOException - in case forwarding to the selection page fails

ServletException - in case forwarding to the selection page fails

getDefaultReturnURL

protected String getDefaultReturnURL(SAMLMessageContext messageContext)

Provides default return URL based on metadata in case none was supplied in the request. URL is automatically generated for local entities which do not contain discovery URL in metadata.

Parameters:

messageContext - context for the local SP

Returns:

URL to return the selected IDP to or null when URL cannot be determined

Throws:

org.opensaml.common.SAMLRuntimeException - in case entity is remote and doesn't contain URL in metadata

isResponseURLValid

protected boolean isResponseURLValid(String returnURL,
                                     SAMLMessageContext messageContext)

Verifies whether return URL supplied in the request is valid. By default it is verified that the host part of the supplied URL is the same as the host part of the default response location in metadata (IDP Disco, 320)

Parameters:

returnURL - URL from the request

messageContext - message context for current SP

Returns:

true if the request is valid, false otherwise

getPassiveIDP

protected String getPassiveIDP(HttpServletRequest request)

Returns IDP to be used in passive mode. By default the default IDP designated so in metadata is used.

Parameters:

request - IDP discovery request

Returns:

IDP configured as default or null when no such exists

getIdpSelectionPath

public String getIdpSelectionPath()

Path used to forward request in order to enable target IDP selection

Returns:

path for forward

setIdpSelectionPath

public void setIdpSelectionPath(String idpSelectionPath)

Sets path where request dispatcher will send user for IDP selection. In case it is null the default server will always be used.

Parameters:

idpSelectionPath - selection path

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

Metadata manager, cannot be null, must be set.

Parameters:

metadata - metadata manager

setSamlEntryPoint

@Autowired(required=false)
public void setSamlEntryPoint(SAMLEntryPoint samlEntryPoint)

Dependency for loading of entry point URL

Parameters:

samlEntryPoint - entry point bean

setContextProvider

@Autowired
public void setContextProvider(SAMLContextProvider contextProvider)

Sets entity responsible for populating local entity context data.

Parameters:

contextProvider - provider implementation

getFilterProcessesUrl

public String getFilterProcessesUrl()

Returns:

filter URL

setFilterProcessesUrl

public void setFilterProcessesUrl(String filterProcessesUrl)

Custom filter URL which overrides the default. Filter url determines URL where filter starts processing.

Parameters:

filterProcessesUrl - filter URL

afterPropertiesSet

public void afterPropertiesSet()
                        throws ServletException

Verifies that required entities were autowired or set.

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Overrides:

afterPropertiesSet in class org.springframework.web.filter.GenericFilterBean

Throws:

ServletException