net.shibboleth.idp.authn.impl

Class FinalizeAuthentication

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.authn.impl.FinalizeAuthentication

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

public class FinalizeAuthentication
extends AbstractAuthenticationAction

An authentication action that runs after a completed authentication flow (or the reuse of an active result) and transfers information from other contexts into a SubjectContext child of the ProfileRequestContext.

The action also cross-checks RequestedPrincipalContext.getMatchingPrincipal(), if set, against the AuthenticationResult to ensure that the result produced actually satisfies the request. This is redundant when reusing active results, but is necessary to prevent a flow from running that can return different results and having it produce a result that doesn't actually satisfy the request. Such a flow would be buggy, but this guards against a mistake from leaving the subsystem.

If no matching Principal is established, or if the match is no longer valid, the request is evaluated in conjunction with the AuthenticationResult to establish a Principal that does satisfy the request and it is recorded via RequestedPrincipalContext.setMatchingPrincipal(Principal).

The context is populated based on the presence of a canonical principal name in either a SubjectCanonicalizationContext or SessionContext, and also includes the completed AuthenticationResult and any other active results found in the AuthenticationContext.

Any SubjectCanonicalizationContext found will be removed.

If a SubjectContext already exists, then this action will validate that the same principal name is represented by it, and signal a mismatch otherwise. This is used in protocols that indicate normatively what the authenticated identity is required to be.

Event:

EventIds.PROCEED_EVENT_ID, IdPEventIds.INVALID_SUBJECT_CTX, AuthnEventIds.REQUEST_UNSUPPORTED

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null

Postcondition:

If SubjectCanonicalizationContext.getCanonicalPrincipalName() != null || SessionContext.getIdPSession() != null then ProfileRequestContext.getSubcontext(SubjectContext.class) != null, AuthenticationContext.setCompletionInstant() was called,

ProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class) == null

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	FinalizeAuthentication.WeightedComparator A Comparator that compares the mapped weights of the two operands, using a weight of zero for any unmapped values.

Field Summary

Fields

Modifier and Type	Field and Description
private String	canonicalPrincipalName The principal name extracted from the context tree.
private org.slf4j.Logger	log Class logger.
private Map<Principal,Integer>	weightMap A map supplying weighted preference to particular Principals.

Constructor Summary

Constructors

Constructor and Description
FinalizeAuthentication() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected Principal	findMatchingPrincipal(AuthenticationContext authenticationContext, RequestedPrincipalContext requestedPrincipalCtx) Evaluate request criteria and the AuthenticationResult to locate a Principal in the result that satisfies the request criteria.
void	setWeightMap(Map<Principal,Integer> map) Set the map of Principals to weight values to impose a sort order on any matching Principals found in the authentication result.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

weightMap

@Nonnull
@NonnullElements
private Map<Principal,Integer> weightMap

A map supplying weighted preference to particular Principals.

canonicalPrincipalName

@Nullable
private String canonicalPrincipalName

The principal name extracted from the context tree.

Constructor Detail

FinalizeAuthentication

public FinalizeAuthentication()

Constructor.

Method Detail

setWeightMap

public void setWeightMap(@Nullable@NonnullElements
                Map<Principal,Integer> map)

Set the map of Principals to weight values to impose a sort order on any matching Principals found in the authentication result.

Parameters:

map - map to set

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Overrides:

doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)

Overrides:

doExecute in class AbstractAuthenticationAction

findMatchingPrincipal

@Nullable
protected Principal findMatchingPrincipal(@Nonnull
                                       AuthenticationContext authenticationContext,
                                       @Nonnull
                                       RequestedPrincipalContext requestedPrincipalCtx)

Evaluate request criteria and the AuthenticationResult to locate a Principal in the result that satisfies the request criteria.

If a weighting map is supplied, the Principal returned is the one that both satisfies the request and is highest weighted.

Parameters:

authenticationContext - authentication context

requestedPrincipalCtx - request criteria

Returns:

matching Principal, or null