PKIXInformationResolver (Spring Security SAML 1.0.10.RELEASE API)

java.lang.Object
- org.springframework.security.saml.trust.PKIXInformationResolver

All Implemented Interfaces:

org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>, org.opensaml.xml.security.x509.PKIXValidationInformationResolver
```
public class PKIXInformationResolver
extends Object
implements org.opensaml.xml.security.x509.PKIXValidationInformationResolver
```
Implementation resolves PKIX information based on extended metadata configuration and provider data. Values are cached and automatically cleared upon metadata refresh. At first data is loaded from the metadata (or extended) metadata of the peer entity. In addition all trusted keys declared for the entity are also included.

Nested Class Summary

Nested Classes
Modifier and Type	Class and Description
`protected class`	`PKIXInformationResolver.MetadataCacheKey` A class which serves as the key into the cache of credentials previously resolved.
`protected class`	`PKIXInformationResolver.MetadataProviderObserver` An observer that clears the credential cache if the underlying metadata changes.

Constructor Summary

Constructors
Constructor and Description
`PKIXInformationResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver, MetadataManager metadataProvider, KeyManager keyManager)` Constructor.

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`protected void`	`cacheCredentials(PKIXInformationResolver.MetadataCacheKey cacheKey, Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> credentials)` Adds resolved credentials to the cache.
`protected void`	`checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)` Check that all necessary credential criteria are available.
`protected int`	`getPKIXDepth()` Allowed depth of PKIX trust path length.
`protected ReadWriteLock`	`getReadWriteLock()` Get the lock instance used to synchronize access to the credential cache.
`protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation>`	`populateCredentials(org.opensaml.xml.security.CriteriaSet criteriaSet)` Method responsible for loading of PKIX information.
`protected void`	`populateCRLs(org.opensaml.xml.security.CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls)` Extension points for loading of certificate revocation lists.
`protected void`	`populateMetadataAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls)` Method loads credentials satisfying the criteriaSet from the metadata of the related entity.
`protected void`	`populateTrustedKeysAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet, Collection<X509Certificate> anchors, Collection<X509CRL> crls)` Method add trusted anchors which include all trusted certificates configuration in the ExtendedMetadata.
`Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation>`	`resolve(org.opensaml.xml.security.CriteriaSet criteria)`
`protected Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation>`	`resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)`
`org.opensaml.xml.security.x509.PKIXValidationInformation`	`resolveSingle(org.opensaml.xml.security.CriteriaSet criteria)` Returns first found PKIX information satisfying the condition.
`Set<String>`	`resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)`
`protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation>`	`retrieveFromCache(PKIXInformationResolver.MetadataCacheKey cacheKey)` Retrieves pre-resolved credentials from the cache.
`boolean`	`supportsTrustedNameResolution()`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- PKIXInformationResolver
```
public PKIXInformationResolver(org.opensaml.security.MetadataCredentialResolver metadataResolver,
                               MetadataManager metadataProvider,
                               KeyManager keyManager)
```
  Constructor.
  
  Parameters:
  
  metadataResolver - resolver used to extract basic credentials out of metadata
  
  metadataProvider - provider of the metadata used to load extended metadata for an entity
  
  keyManager - key manager
  
  Throws:
  
  IllegalArgumentException - thrown if the supplied provider is null

Method Detail

getReadWriteLock
```
protected ReadWriteLock getReadWriteLock()
```
Get the lock instance used to synchronize access to the credential cache.

Returns:

a read-write lock instance

resolveFromSource

protected Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                                        throws org.opensaml.xml.security.SecurityException

Throws:: org.opensaml.xml.security.SecurityException

populateCredentials

protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> populateCredentials(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                                            throws org.opensaml.xml.security.SecurityException

Method responsible for loading of PKIX information.

Parameters:: criteriaSet - criteria for selection of data to include
Returns:: PKIX information
Throws:: org.opensaml.xml.security.SecurityException - in case credentials cannot be populated

checkCriteriaRequirements
```
protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
```
Check that all necessary credential criteria are available.

Parameters:

criteriaSet - the credential set to evaluate

retrieveFromCache
```
protected Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveFromCache(PKIXInformationResolver.MetadataCacheKey cacheKey)
```
Retrieves pre-resolved credentials from the cache.

Parameters:

cacheKey - the key to the metadata cache

Returns:

the collection of cached credentials or null

populateMetadataAnchors

protected void populateMetadataAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet,
                                       Collection<X509Certificate> anchors,
                                       Collection<X509CRL> crls)
                                throws org.opensaml.xml.security.SecurityException

Method loads credentials satisfying the criteriaSet from the metadata of the related entity.

Parameters:: criteriaSet - criteria set; anchors - pkix anchors; crls - CRLs for the anchors
Throws:: org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

populateTrustedKeysAnchors
```
protected void populateTrustedKeysAnchors(org.opensaml.xml.security.CriteriaSet criteriaSet,
                                          Collection<X509Certificate> anchors,
                                          Collection<X509CRL> crls)
                                   throws org.opensaml.xml.security.SecurityException
```
Method add trusted anchors which include all trusted certificates configuration in the ExtendedMetadata. In case no trusted certificates were configured all certificates in the KeyManager are considered as trusted and added to the anchor list.

Parameters:

criteriaSet - criteria set

anchors - pkix anchors

crls - CRLs for the anchors

Throws:

org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

populateCRLs

protected void populateCRLs(org.opensaml.xml.security.CriteriaSet criteriaSet,
                            Collection<X509Certificate> anchors,
                            Collection<X509CRL> crls)
                     throws org.opensaml.xml.security.SecurityException

Extension points for loading of certificate revocation lists.

Parameters:: criteriaSet - criteria set; anchors - pkix anchors; crls - crls to be populated
Throws:: org.opensaml.xml.security.SecurityException - never thrown in default implementation

getPKIXDepth
```
protected int getPKIXDepth()
```
Allowed depth of PKIX trust path length.

Returns:

by default 5

cacheCredentials

protected void cacheCredentials(PKIXInformationResolver.MetadataCacheKey cacheKey,
                                Collection<org.opensaml.xml.security.x509.PKIXValidationInformation> credentials)

Adds resolved credentials to the cache.

Parameters:: cacheKey - the key for caching the credentials; credentials - collection of credentials to cache

resolveTrustedNames

public Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                throws org.opensaml.xml.security.SecurityException,
                                       UnsupportedOperationException

Specified by:: resolveTrustedNames in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
Throws:: org.opensaml.xml.security.SecurityException; UnsupportedOperationException

supportsTrustedNameResolution
```
public boolean supportsTrustedNameResolution()
```
Specified by:

supportsTrustedNameResolution in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver

resolve

public Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteria)
                                                                           throws org.opensaml.xml.security.SecurityException

Specified by:: resolve in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:: org.opensaml.xml.security.SecurityException

resolveSingle
```
public org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteria)
                                                                       throws org.opensaml.xml.security.SecurityException
```
Returns first found PKIX information satisfying the condition.

Specified by:

resolveSingle in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>

Parameters:

criteria - criteria

Returns:

first instance

Throws:

org.opensaml.xml.security.SecurityException - error

Class PKIXInformationResolver

Nested Class Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

PKIXInformationResolver

Method Detail

getReadWriteLock

resolveFromSource

populateCredentials

checkCriteriaRequirements

retrieveFromCache

populateMetadataAnchors

populateTrustedKeysAnchors

populateCRLs

getPKIXDepth

cacheCredentials

resolveTrustedNames

supportsTrustedNameResolution

resolve

resolveSingle