net.shibboleth.idp.authn.impl

Class FilterFlowsByAttribute

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.authn.impl.FilterFlowsByAttribute

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

public class FilterFlowsByAttribute
extends AbstractAuthenticationAction

An authentication action that filters out potential authentication flows by comparing an IdPAttribute's values to the custom principals supported by each flow.

It optionally (and by default) filters out active AuthenticationResult objects from possible reuse for SSO.

The type of principals is ignored, and only string-based values of an attribute are supported.

Event:

EventIds.PROCEED_EVENT_ID

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null

Postcondition:

AuthenticationContext.getPotentialFlows() and AuthenticationContext.getActiveResults() are modified as above.

Field Summary

Fields

Modifier and Type	Field and Description
private IdPAttribute	attribute The attribute to match against.
private com.google.common.base.Function<ProfileRequestContext,AttributeContext>	attributeContextLookupStrategy Lookup strategy for locating AttributeContext.
private String	attributeId The attribute ID to look for.
private boolean	filterActiveResults Whether to also filter active results to limit SSO.
private org.slf4j.Logger	log Class logger.

Constructor Summary

Constructors

Constructor and Description
FilterFlowsByAttribute() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
private String	getMatch(AuthenticationFlowDescriptor flow) Compare the flow's custom principal names to the string values of the attribute.
private String	getMatch(AuthenticationResult result) Compare the result's custom principal names to the string values of the attribute.
void	setAttributeContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,AttributeContext> strategy) Set the lookup strategy for the AttributeContext.
void	setAttributeId(String id) Set the attribute ID to look for.
void	setFilterActiveResults(boolean flag) Set whether to filter active results (those usable for SSO) as well as inactive flows.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

attributeContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,AttributeContext> attributeContextLookupStrategy

Lookup strategy for locating AttributeContext.

attributeId

@Nullable
private String attributeId

The attribute ID to look for.

filterActiveResults

private boolean filterActiveResults

Whether to also filter active results to limit SSO.

attribute

@Nullable
private IdPAttribute attribute

The attribute to match against.

Constructor Detail

FilterFlowsByAttribute

public FilterFlowsByAttribute()

Constructor.

Method Detail

setAttributeContextLookupStrategy

public void setAttributeContextLookupStrategy(@Nonnull
                                     com.google.common.base.Function<ProfileRequestContext,AttributeContext> strategy)

Set the lookup strategy for the AttributeContext.

Parameters:

strategy - lookup strategy

setAttributeId

public void setAttributeId(@Nullable
                  String id)

Set the attribute ID to look for.

Parameters:

id - attribute ID to look for

setFilterActiveResults

public void setFilterActiveResults(boolean flag)

Set whether to filter active results (those usable for SSO) as well as inactive flows.

Defaults to true

Parameters:

flag - flag to set

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Overrides:

doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)

Overrides:

doExecute in class AbstractAuthenticationAction

getMatch

@Nullable
private String getMatch(@Nonnull
                       AuthenticationFlowDescriptor flow)

Compare the flow's custom principal names to the string values of the attribute.

Parameters:

flow - flow to examine

Returns:

a match between the flow's principal names and the attribute's string values, or null

getMatch

@Nullable
private String getMatch(@Nonnull
                       AuthenticationResult result)

Compare the result's custom principal names to the string values of the attribute.

Parameters:

result - result to examine

Returns:

a match between the result's principal names and the attribute's string values, or null