Package org.springframework.security.saml2.provider.service.authentication

Class Saml2AuthenticationToken

java.lang.Object

org.springframework.security.authentication.AbstractAuthenticationToken

org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationToken

All Implemented Interfaces:

Serializable, Principal, Authentication, CredentialsContainer

public class Saml2AuthenticationToken
extends AbstractAuthenticationToken

Represents an incoming SAML 2.0 response containing an assertion that has not been validated. isAuthenticated() will always return false.

Since:

5.2

See Also:

• Serialized Form

Constructor Summary

Constructors

Constructor	Description
Saml2AuthenticationToken(String saml2Response, String recipientUri, String idpEntityId, String localSpEntityId, List<Saml2X509Credential> credentials)	Deprecated. Use Saml2AuthenticationToken(RelyingPartyRegistration, String) instead
Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response)	Creates a Saml2AuthenticationToken with the provided parameters Note that the given RelyingPartyRegistration should have all its templates resolved at this point.
Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration, String saml2Response, AbstractSaml2AuthenticationRequest authenticationRequest)	Creates a Saml2AuthenticationToken with the provided parameters.

Method Summary

Modifier and Type	Method	Description
AbstractSaml2AuthenticationRequest	getAuthenticationRequest()	Returns the authentication request sent to the assertion party or null if no authentication request is present
Object	getCredentials()	Returns the decoded and inflated SAML 2.0 Response XML object as a string
String	getIdpEntityId()	Deprecated. Use getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId() instead
String	getLocalSpEntityId()	Deprecated. Use getRelyingPartyRegistration().getEntityId() instead
Object	getPrincipal()	Always returns null.
String	getRecipientUri()	Deprecated. Use getRelyingPartyRegistration().getAssertionConsumerServiceLocation() instead
RelyingPartyRegistration	getRelyingPartyRegistration()	Get the resolved RelyingPartyRegistration associated with the request
String	getSaml2Response()	Returns inflated and decoded XML representation of the SAML 2 Response
List<Saml2X509Credential>	getX509Credentials()	Deprecated. Get the credentials through getRelyingPartyRegistration() instead
boolean	isAuthenticated()	Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager.
void	setAuthenticated(boolean authenticated)	The state of this object cannot be changed.

Methods inherited from class org.springframework.security.authentication.AbstractAuthenticationToken

equals, eraseCredentials, getAuthorities, getDetails, getName, hashCode, setDetails, toString

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.security.Principal

implies

Constructor Details

Saml2AuthenticationToken

public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration,
 String saml2Response,
 AbstractSaml2AuthenticationRequest authenticationRequest)

Creates a Saml2AuthenticationToken with the provided parameters. Note that the given RelyingPartyRegistration should have all its templates resolved at this point. See Saml2WebSsoAuthenticationFilter for an example of performing that resolution.

Parameters:

relyingPartyRegistration - the resolved RelyingPartyRegistration to use

saml2Response - the SAML 2.0 response to authenticate

authenticationRequest - the AuthNRequest sent to the asserting party

Since:

5.6

Saml2AuthenticationToken

public Saml2AuthenticationToken(RelyingPartyRegistration relyingPartyRegistration,
 String saml2Response)

Creates a Saml2AuthenticationToken with the provided parameters Note that the given RelyingPartyRegistration should have all its templates resolved at this point. See Saml2WebSsoAuthenticationFilter for an example of performing that resolution.

Parameters:

relyingPartyRegistration - the resolved RelyingPartyRegistration to use

saml2Response - the SAML 2.0 response to authenticate

Since:

5.4

Saml2AuthenticationToken

@Deprecated
public Saml2AuthenticationToken(String saml2Response,
 String recipientUri,
 String idpEntityId,
 String localSpEntityId,
 List<Saml2X509Credential> credentials)

Deprecated.

Use Saml2AuthenticationToken(RelyingPartyRegistration, String) instead

Creates an authentication token from an incoming SAML 2 Response object

Parameters:

saml2Response - inflated and decoded XML representation of the SAML 2 Response

recipientUri - the URL that the SAML 2 Response was received at. Used for validation

idpEntityId - the entity ID of the asserting entity

localSpEntityId - the configured local SP, the relying party, entity ID

credentials - the credentials configured for signature verification and decryption

Method Details

getCredentials

public Object getCredentials()

Returns the decoded and inflated SAML 2.0 Response XML object as a string

Returns:

decoded and inflated XML data as a String

getPrincipal

public Object getPrincipal()

Always returns null.

Returns:

null

getRelyingPartyRegistration

public RelyingPartyRegistration getRelyingPartyRegistration()

Get the resolved RelyingPartyRegistration associated with the request

Returns:

the resolved RelyingPartyRegistration

Since:

5.4

getSaml2Response

public String getSaml2Response()

Returns inflated and decoded XML representation of the SAML 2 Response

Returns:

inflated and decoded XML representation of the SAML 2 Response

getRecipientUri

@Deprecated
public String getRecipientUri()

Deprecated.

Use getRelyingPartyRegistration().getAssertionConsumerServiceLocation() instead

Returns the URI that the SAML 2 Response object came in on

Returns:

URI as a string

getLocalSpEntityId

@Deprecated
public String getLocalSpEntityId()

Deprecated.

Use getRelyingPartyRegistration().getEntityId() instead

Returns the configured entity ID of the receiving relying party, SP

Returns:

an entityID for the configured local relying party

getX509Credentials

@Deprecated
public List<Saml2X509Credential> getX509Credentials()

Deprecated.

Get the credentials through getRelyingPartyRegistration() instead

Returns all the credentials associated with the relying party configuraiton

Returns:

all associated credentials

isAuthenticated

public boolean isAuthenticated()

Description copied from interface: Authentication

Used to indicate to AbstractSecurityInterceptor whether it should present the authentication token to the AuthenticationManager. Typically an AuthenticationManager (or, more often, one of its AuthenticationProviders) will return an immutable authentication token after successful authentication, in which case that token can safely return true to this method. Returning true will improve performance, as calling the AuthenticationManager for every request will no longer be necessary.

For security reasons, implementations of this interface should be very careful about returning true from this method unless they are either immutable, or have some way of ensuring the properties have not been changed since original creation.

Specified by:

isAuthenticated in interface Authentication

Overrides:

isAuthenticated in class AbstractAuthenticationToken

Returns:

false

setAuthenticated

public void setAuthenticated(boolean authenticated)

The state of this object cannot be changed. Will always throw an exception

Specified by:

setAuthenticated in interface Authentication

Overrides:

setAuthenticated in class AbstractAuthenticationToken

Parameters:

authenticated - ignored

getIdpEntityId

@Deprecated
public String getIdpEntityId()

Deprecated.

Use getRelyingPartyRegistration().getAssertingPartyDetails().getEntityId() instead

Returns the configured IDP, asserting party, entity ID

Returns:

a string representing the entity ID

getAuthenticationRequest

public AbstractSaml2AuthenticationRequest getAuthenticationRequest()

Returns the authentication request sent to the assertion party or null if no authentication request is present

Returns:

the authentication request sent to the assertion party

Since:

5.6