WebSSOProfileConsumerImpl (Spring Security SAML 1.0.10.RELEASE API)

java.lang.Object
- org.springframework.security.saml.websso.AbstractProfileBase
- - org.springframework.security.saml.websso.WebSSOProfileConsumerImpl

All Implemented Interfaces:

org.springframework.beans.factory.InitializingBean, WebSSOProfileConsumer

Direct Known Subclasses:

WebSSOProfileConsumerHoKImpl
```
public class WebSSOProfileConsumerImpl
extends AbstractProfileBase
implements WebSSOProfileConsumer
```
Class is able to process Response objects returned from the IDP after SP initialized SSO or unsolicited response from IDP. In case the response is correctly validated and no errors are found the SAMLCredential is created.

Author:

Vladimir Schäfer

Field Summary
- Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase
  artifactMap, builderFactory, log, metadata, processor, uriComparator

Constructor Summary

Constructors
Constructor and Description

WebSSOProfileConsumerImpl()

WebSSOProfileConsumerImpl(SAMLProcessor processor, MetadataManager manager)

Constructors
Constructor and Description
`WebSSOProfileConsumerImpl()`
`WebSSOProfileConsumerImpl(SAMLProcessor processor, MetadataManager manager)`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`long`	`getMaxAuthenticationAge()` Maximum time between authentication of user and processing of an authentication statement.
`String`	`getProfileIdentifier()` Implementation are expected to provide an unique identifier for the profile this class implements.
`boolean`	`isIncludeAllAttributes()`
`boolean`	`isReleaseDOM()`
`protected Serializable`	`processAdditionalData(SAMLMessageContext context)` This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes.
`SAMLCredential`	`processAuthenticationResponse(SAMLMessageContext context)` The input context object must have set the properties related to the returned Response, which is validated and in case no errors are found the SAMLCredential is returned.
`void`	`setIncludeAllAttributes(boolean includeAllAttributes)` Flag indicates whether to include attributes from all assertions (value true), or only from the assertion which was authentication using the Bearer SubjectConfirmation (value false, by default).
`void`	`setMaxAuthenticationAge(long maxAuthenticationAge)` Sets maximum time between users authentication and processing of an authentication statement.
`void`	`setReleaseDOM(boolean releaseDOM)` Flag indicates whether to release internal structure of the assertion returned in SAMLCredential.
`protected void`	`verifyAssertion(org.opensaml.saml2.core.Assertion assertion, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)`
`protected void`	`verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions, SAMLMessageContext context, boolean audienceRequired)`
`protected void`	`verifyAssertionSignature(org.opensaml.xml.signature.Signature signature, SAMLMessageContext context)` Verifies signature of the assertion.
`protected void`	`verifyAudience(SAMLMessageContext context, List<org.opensaml.saml2.core.AudienceRestriction> audienceRestrictions)` Method verifies audience restrictions of the assertion.
`protected void`	`verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth, org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, SAMLMessageContext context)` Verifies that authentication statement is valid.
`protected void`	`verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext, org.opensaml.saml2.core.AuthnContext receivedContext, SAMLMessageContext context)` Implementation is expected to verify that the requested authentication context corresponds with the received value.
`protected void`	`verifyConditions(SAMLMessageContext context, List<org.opensaml.saml2.core.Condition> conditions)` Verifies conditions of the assertion which were are not understood.
`protected void`	`verifySubject(org.opensaml.saml2.core.Subject subject, org.opensaml.saml2.core.AuthnRequest request, SAMLMessageContext context)` Verifies validity of Subject element, only bearer confirmation is validated.

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase
afterPropertiesSet, buildCommonAttributes, generateID, getEndpointBinding, getIssuer, getMaxAssertionTime, getResponseSkew, getStatus, isEndpointMatching, sendMessage, sendMessage, setArtifactMap, setMaxAssertionTime, setMetadata, setProcessor, setResponseSkew, verifyEndpoint, verifyIssuer, verifySignature

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

- Constructor Detail
  - WebSSOProfileConsumerImpl
```
public WebSSOProfileConsumerImpl()
```
  - WebSSOProfileConsumerImpl
```
public WebSSOProfileConsumerImpl(SAMLProcessor processor,
                                 MetadataManager manager)
```
- Method Detail
  - getProfileIdentifier
```
public String getProfileIdentifier()
```
    Description copied from class: AbstractProfileBase
    
    Implementation are expected to provide an unique identifier for the profile this class implements.
    
    Specified by:
    
    getProfileIdentifier in class AbstractProfileBase
    
    Returns:
    
    profile name
  - processAuthenticationResponse
```
public SAMLCredential processAuthenticationResponse(SAMLMessageContext context)
                                             throws org.opensaml.common.SAMLException,
                                                    org.opensaml.xml.security.SecurityException,
                                                    org.opensaml.xml.validation.ValidationException,
                                                    org.opensaml.xml.encryption.DecryptionException
```
    The input context object must have set the properties related to the returned Response, which is validated and in case no errors are found the SAMLCredential is returned.
    
    Specified by:
    
    processAuthenticationResponse in interface WebSSOProfileConsumer
    
    Parameters:
    
    context - context including response object
    
    Returns:
    
    SAMLCredential with information about user
    
    Throws:
    
    org.opensaml.common.SAMLException - in case the response is invalid
    
    org.opensaml.xml.security.SecurityException - in the signature on response can't be verified
    
    org.opensaml.xml.validation.ValidationException - in case the response structure is not conforming to the standard
    
    org.opensaml.xml.encryption.DecryptionException
  - processAdditionalData
```
protected Serializable processAdditionalData(SAMLMessageContext context)
                                      throws org.opensaml.common.SAMLException
```
    This is a hook method enabling subclasses to process additional data from the SAML exchange, like assertions with different confirmations or additional attributes. The returned object is stored inside the SAMLCredential. Implementation is responsible for ensuring compliance with the SAML specification. The method is called once all the other processing was finished and incoming message is deemed as valid.
    
    Parameters:
    
    context - context containing incoming message
    
    Returns:
    
    object to store in the credential, null by default
    
    Throws:
    
    org.opensaml.common.SAMLException - in case processing fails
  - verifyAssertion
```
protected void verifyAssertion(org.opensaml.saml2.core.Assertion assertion,
                               org.opensaml.saml2.core.AuthnRequest request,
                               SAMLMessageContext context)
                        throws org.springframework.security.core.AuthenticationException,
                               org.opensaml.common.SAMLException,
                               org.opensaml.xml.security.SecurityException,
                               org.opensaml.xml.validation.ValidationException,
                               org.opensaml.xml.encryption.DecryptionException
```
    Throws:
    
    org.springframework.security.core.AuthenticationException
    
    org.opensaml.common.SAMLException
    
    org.opensaml.xml.security.SecurityException
    
    org.opensaml.xml.validation.ValidationException
    
    org.opensaml.xml.encryption.DecryptionException
  - verifySubject
```
protected void verifySubject(org.opensaml.saml2.core.Subject subject,
                             org.opensaml.saml2.core.AuthnRequest request,
                             SAMLMessageContext context)
                      throws org.opensaml.common.SAMLException,
                             org.opensaml.xml.encryption.DecryptionException
```
    Verifies validity of Subject element, only bearer confirmation is validated.
    
    Parameters:
    
    subject - subject to validate
    
    request - request
    
    context - context
    
    Throws:
    
    org.opensaml.common.SAMLException - error validating the object
    
    org.opensaml.xml.encryption.DecryptionException - in case the NameID can't be decrypted
  - verifyAssertionSignature
```
protected void verifyAssertionSignature(org.opensaml.xml.signature.Signature signature,
                                        SAMLMessageContext context)
                                 throws org.opensaml.common.SAMLException,
                                        org.opensaml.xml.security.SecurityException,
                                        org.opensaml.xml.validation.ValidationException
```
    Verifies signature of the assertion. In case signature is not present and SP required signatures in metadata the exception is thrown.
    
    Parameters:
    
    signature - signature to verify
    
    context - context
    
    Throws:
    
    org.opensaml.common.SAMLException - signature missing although required
    
    org.opensaml.xml.security.SecurityException - signature can't be validated
    
    org.opensaml.xml.validation.ValidationException - signature is malformed
  - verifyAssertionConditions
```
protected void verifyAssertionConditions(org.opensaml.saml2.core.Conditions conditions,
                                         SAMLMessageContext context,
                                         boolean audienceRequired)
                                  throws org.opensaml.common.SAMLException
```
    Throws:
    
    org.opensaml.common.SAMLException
  - verifyAudience
```
protected void verifyAudience(SAMLMessageContext context,
                              List<org.opensaml.saml2.core.AudienceRestriction> audienceRestrictions)
                       throws org.opensaml.common.SAMLException
```
    Method verifies audience restrictions of the assertion. Multiple audience restrictions are treated as a logical AND and local entity must be present in all of them. Multiple audiences within one restrictions for a logical OR.
    
    Parameters:
    
    context - context
    
    audienceRestrictions - audience restrictions to verify
    
    Throws:
    
    org.opensaml.common.SAMLException - in case local entity doesn't match the audience restrictions
  - verifyConditions
```
protected void verifyConditions(SAMLMessageContext context,
                                List<org.opensaml.saml2.core.Condition> conditions)
                         throws org.opensaml.common.SAMLException
```
    Verifies conditions of the assertion which were are not understood. By default system fails in case any non-understood condition is present.
    
    Parameters:
    
    context - message context
    
    conditions - conditions which were not understood
    
    Throws:
    
    org.opensaml.common.SAMLException - in case conditions are not empty
  - verifyAuthenticationStatement
```
protected void verifyAuthenticationStatement(org.opensaml.saml2.core.AuthnStatement auth,
                                             org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                             SAMLMessageContext context)
                                      throws org.springframework.security.core.AuthenticationException
```
    Verifies that authentication statement is valid. Checks the authInstant and sessionNotOnOrAfter fields.
    
    Parameters:
    
    auth - statement to check
    
    requestedAuthnContext - original requested context can be null for unsolicited messages or when no context was requested
    
    context - message context
    
    Throws:
    
    org.springframework.security.core.AuthenticationException - in case the statement is invalid
  - verifyAuthnContext
```
protected void verifyAuthnContext(org.opensaml.saml2.core.RequestedAuthnContext requestedAuthnContext,
                                  org.opensaml.saml2.core.AuthnContext receivedContext,
                                  SAMLMessageContext context)
                           throws org.springframework.security.authentication.InsufficientAuthenticationException
```
    Implementation is expected to verify that the requested authentication context corresponds with the received value. Identity provider sending the context can be loaded from the SAMLContext.
    By default verification is done only for "exact" context. It is checked whether received context contains one of the requested method.
    In case requestedAuthnContext is null no verification is done.
    Method can be reimplemented in subclasses.
    
    Parameters:
    
    requestedAuthnContext - context requested in the original request, null for unsolicited messages or when no context was required
    
    receivedContext - context from the response message
    
    context - saml context
    
    Throws:
    
    org.springframework.security.authentication.InsufficientAuthenticationException - in case expected context doesn't correspond with the received value
  - getMaxAuthenticationAge
```
public long getMaxAuthenticationAge()
```
    Maximum time between authentication of user and processing of an authentication statement.
    
    Returns:
    
    max authentication age, defaults to 7200 (in seconds)
  - setMaxAuthenticationAge
```
public void setMaxAuthenticationAge(long maxAuthenticationAge)
```
    Sets maximum time between users authentication and processing of an authentication statement.
    
    Parameters:
    
    maxAuthenticationAge - authentication age (in seconds)
  - isIncludeAllAttributes
```
public boolean isIncludeAllAttributes()
```
    Returns:
    
    true to include attributes from all assertions, false to only include those from the confirmed assertion
  - setIncludeAllAttributes
```
public void setIncludeAllAttributes(boolean includeAllAttributes)
```
    Flag indicates whether to include attributes from all assertions (value true), or only from the assertion which was authentication using the Bearer SubjectConfirmation (value false, by default).
    
    Parameters:
    
    includeAllAttributes - true to include attributes from all assertions
  - isReleaseDOM
```
public boolean isReleaseDOM()
```
    Returns:
    
    release dom flag, true by default
  - setReleaseDOM
```
public void setReleaseDOM(boolean releaseDOM)
```
    Flag indicates whether to release internal structure of the assertion returned in SAMLCredential. Set to false in case you'd like to have access to the original Assertion value (include signatures).
    
    Parameters:
    
    releaseDOM - release dom flag

Class WebSSOProfileConsumerImpl

Field Summary

Fields inherited from class org.springframework.security.saml.websso.AbstractProfileBase

Constructor Summary

Method Summary

Methods inherited from class org.springframework.security.saml.websso.AbstractProfileBase

Methods inherited from class java.lang.Object

Constructor Detail

WebSSOProfileConsumerImpl

WebSSOProfileConsumerImpl

Method Detail

getProfileIdentifier

processAuthenticationResponse

processAdditionalData

verifyAssertion

verifySubject

verifyAssertionSignature

verifyAssertionConditions

verifyAudience

verifyConditions

verifyAuthenticationStatement

verifyAuthnContext

getMaxAuthenticationAge

setMaxAuthenticationAge

isIncludeAllAttributes

setIncludeAllAttributes

isReleaseDOM

setReleaseDOM