org.springframework.security.saml.websso

Class AbstractProfileBase

java.lang.Object

org.springframework.security.saml.websso.AbstractProfileBase

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean

Direct Known Subclasses:

ArtifactResolutionProfileBase, SingleLogoutProfileImpl, WebSSOProfileConsumerImpl, WebSSOProfileImpl

public abstract class AbstractProfileBase
extends Object
implements org.springframework.beans.factory.InitializingBean

Base superclass for classes implementing processing of SAML messages.

Author:

Vladimir Schaefer

Field Summary

Fields

Modifier and Type	Field and Description
protected org.opensaml.common.binding.artifact.SAMLArtifactMap	artifactMap
protected org.opensaml.xml.XMLObjectBuilderFactory	builderFactory
protected org.slf4j.Logger	log Class logger.
protected MetadataManager	metadata
protected SAMLProcessor	processor
protected org.opensaml.common.binding.decoding.URIComparator	uriComparator

Constructor Summary

Constructors

Constructor and Description
AbstractProfileBase()
AbstractProfileBase(SAMLProcessor processor, MetadataManager manager)

Method Summary

Modifier and Type	Method and Description
void	afterPropertiesSet()
protected void	buildCommonAttributes(String localEntityId, org.opensaml.saml2.core.RequestAbstractType request, org.opensaml.saml2.metadata.Endpoint service) Fills the request with version, issue instants and destination data.
protected String	generateID() Generates random ID to be used as Request/Response ID.
protected String	getEndpointBinding(org.opensaml.saml2.metadata.Endpoint endpoint) Method is expected to return binding used to transfer messages to this endpoint.
protected org.opensaml.saml2.core.Issuer	getIssuer(String localEntityId)
int	getMaxAssertionTime() Maximum time between assertion creation and current time when the assertion is usable in seconds.
abstract String	getProfileIdentifier() Implementation are expected to provide an unique identifier for the profile this class implements.
int	getResponseSkew()
protected org.opensaml.saml2.core.Status	getStatus(String code, String statusMessage)
protected boolean	isEndpointMatching(org.opensaml.saml2.metadata.Endpoint endpoint, String binding) Determines whether given endpoint can be used together with the specified binding.
protected void	sendMessage(SAMLMessageContext context, boolean sign) Method calls the processor and sends the message contained in the context.
protected void	sendMessage(SAMLMessageContext context, boolean sign, String binding) Method calls the processor and sends the message contained in the context.
void	setArtifactMap(org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap)
void	setMaxAssertionTime(int maxAssertionTime) Customizes max assertion time between assertion creation and it's usability.
void	setMetadata(MetadataManager metadata)
void	setProcessor(SAMLProcessor processor)
void	setResponseSkew(int responseSkew) Sets maximum difference between local time and time of the assertion creation which still allows message to be processed.
protected void	verifyEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint, String destination) Verifies that the destination URL intended in the message matches with the endpoint address.
protected void	verifyIssuer(org.opensaml.saml2.core.Issuer issuer, SAMLMessageContext context)
protected void	verifySignature(org.opensaml.xml.signature.Signature signature, String IDPEntityID, org.opensaml.xml.signature.SignatureTrustEngine trustEngine)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected final org.slf4j.Logger log

Class logger.

metadata

protected MetadataManager metadata

processor

protected SAMLProcessor processor

artifactMap

protected org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap

builderFactory

protected org.opensaml.xml.XMLObjectBuilderFactory builderFactory

uriComparator

protected org.opensaml.common.binding.decoding.URIComparator uriComparator

Constructor Detail

AbstractProfileBase

public AbstractProfileBase()

AbstractProfileBase

public AbstractProfileBase(SAMLProcessor processor,
                           MetadataManager manager)

Method Detail

getProfileIdentifier

public abstract String getProfileIdentifier()

Implementation are expected to provide an unique identifier for the profile this class implements.

Returns:

profile name

setResponseSkew

public void setResponseSkew(int responseSkew)

Sets maximum difference between local time and time of the assertion creation which still allows message to be processed. Basically determines maximum difference between clocks of the IDP and SP machines. Defaults to 60.

Parameters:

responseSkew - response skew time (in seconds)

getResponseSkew

public int getResponseSkew()

Returns:

response skew time (in seconds)

getMaxAssertionTime

public int getMaxAssertionTime()

Maximum time between assertion creation and current time when the assertion is usable in seconds.

Returns:

max assertion time

setMaxAssertionTime

public void setMaxAssertionTime(int maxAssertionTime)

Customizes max assertion time between assertion creation and it's usability. Default to 3000 seconds.

Parameters:

maxAssertionTime - time in seconds

sendMessage

protected void sendMessage(SAMLMessageContext context,
                           boolean sign)
                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                           org.opensaml.common.SAMLException,
                           org.opensaml.ws.message.encoder.MessageEncodingException

Method calls the processor and sends the message contained in the context. Subclasses can provide additional processing before the message delivery. Message is sent using binding defined in the peer entity of the context.

Parameters:

context - context

sign - whether the message should be signed

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - metadata error

org.opensaml.common.SAMLException - SAML encoding error

org.opensaml.ws.message.encoder.MessageEncodingException - message encoding error

sendMessage

protected void sendMessage(SAMLMessageContext context,
                           boolean sign,
                           String binding)
                    throws org.opensaml.saml2.metadata.provider.MetadataProviderException,
                           org.opensaml.common.SAMLException,
                           org.opensaml.ws.message.encoder.MessageEncodingException

Method calls the processor and sends the message contained in the context. Subclasses can provide additional processing before the message delivery. Message is sent using the specified binding.

Parameters:

context - context

sign - whether the message should be signed

binding - binding to use to send the message

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException - metadata error

org.opensaml.common.SAMLException - SAML encoding error

org.opensaml.ws.message.encoder.MessageEncodingException - message encoding error

getStatus

protected org.opensaml.saml2.core.Status getStatus(String code,
                                                   String statusMessage)

buildCommonAttributes

protected void buildCommonAttributes(String localEntityId,
                                     org.opensaml.saml2.core.RequestAbstractType request,
                                     org.opensaml.saml2.metadata.Endpoint service)

Fills the request with version, issue instants and destination data.

Parameters:

localEntityId - entityId of the local party acting as message issuer

request - request to be filled

service - service to use as destination for the request

getIssuer

protected org.opensaml.saml2.core.Issuer getIssuer(String localEntityId)

generateID

protected String generateID()

Generates random ID to be used as Request/Response ID.

Returns:

random ID

verifyIssuer

protected void verifyIssuer(org.opensaml.saml2.core.Issuer issuer,
                            SAMLMessageContext context)
                     throws org.opensaml.common.SAMLException

Throws:

org.opensaml.common.SAMLException

verifyEndpoint

protected void verifyEndpoint(org.opensaml.saml2.metadata.Endpoint endpoint,
                              String destination)
                       throws org.opensaml.common.SAMLException

Verifies that the destination URL intended in the message matches with the endpoint address. The URL message was ultimately received doesn't need to necessarily match the one defined in the metadata (in case of e.g. reverse-proxying of messages).

Parameters:

endpoint - endpoint the message was received at

destination - URL of the endpoint the message was intended to be sent to by the peer or null when not included

Throws:

org.opensaml.common.SAMLException - in case endpoint doesn't match

verifySignature

protected void verifySignature(org.opensaml.xml.signature.Signature signature,
                               String IDPEntityID,
                               org.opensaml.xml.signature.SignatureTrustEngine trustEngine)
                        throws org.opensaml.xml.security.SecurityException,
                               org.opensaml.xml.validation.ValidationException

Throws:

org.opensaml.xml.security.SecurityException

org.opensaml.xml.validation.ValidationException

getEndpointBinding

protected String getEndpointBinding(org.opensaml.saml2.metadata.Endpoint endpoint)

Method is expected to return binding used to transfer messages to this endpoint. For some profiles the binding attribute in the metadata contains the profile name, method correctly parses the real binding in these situations.

Parameters:

endpoint - endpoint

Returns:

binding

isEndpointMatching

protected boolean isEndpointMatching(org.opensaml.saml2.metadata.Endpoint endpoint,
                                     String binding)

Determines whether given endpoint can be used together with the specified binding.

By default value of the binding in the endpoint is compared for equality with the user provided binding.

Method is automatically called for verification of user supplied binding value in the WebSSOProfileOptions.

Parameters:

endpoint - endpoint to check

binding - binding the endpoint must support for the method to return true

Returns:

true if given endpoint can be used with the binding

setMetadata

@Autowired
public void setMetadata(MetadataManager metadata)

setProcessor

@Autowired(required=false)
public void setProcessor(SAMLProcessor processor)

setArtifactMap

public void setArtifactMap(org.opensaml.common.binding.artifact.SAMLArtifactMap artifactMap)

afterPropertiesSet

public void afterPropertiesSet()
                        throws Exception

Specified by:

afterPropertiesSet in interface org.springframework.beans.factory.InitializingBean

Throws:

Exception