net.shibboleth.idp.authn.impl

Class ValidateRemoteUser

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractValidationAction

net.shibboleth.idp.authn.impl.ValidateRemoteUser

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

public class ValidateRemoteUser
extends AbstractValidationAction

An action that checks for a UsernameContext and directly produces an AuthenticationResult based on that identity.

Various optional properties are supported to control the validation process.

Event:

EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class, false).getAttemptedFlow() != null

Postcondition:

If AuthenticationContext.getSubcontext(UsernameContext.class, false).getUsername() != null, then an AuthenticationResult is saved to the AuthenticationContext.

Field Summary

Fields

Modifier and Type	Field and Description
private Set<String>	blacklistedUsernames A blacklist of usernames to deny.
private static String	DEFAULT_METRIC_NAME Default prefix for metrics.
private org.slf4j.Logger	log Class logger.
private Pattern	matchExpression A regular expression to apply for acceptance testing.
private UsernameContext	usernameContext Username context identifying identity to validate.
private Set<String>	whitelistedUsernames A whitelist of usernames to accept.

Constructor Summary

Constructors

Constructor and Description
ValidateRemoteUser() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
private boolean	isAuthenticated(String username) Check whitelist, blacklist, and matching expression for acceptance.
protected Subject	populateSubject(Subject subject)
void	setBlacklistedUsernames(Collection<String> blacklist) Set the blacklisted usernames.
void	setMatchExpression(Pattern expression) Set a matching expression to apply for acceptance.
void	setWhitelistedUsernames(Collection<String> whitelist) Set the whitelisted usernames.

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

addDefaultPrincipals, buildAuthenticationResult, getClassifiedErrors, getMetricName, getResultCachingPredicate, getSubject, getSupportedPrincipals, handleError, handleError, handleWarning, recordFailure, recordSuccess, setAddDefaultPrincipals, setClassifiedMessages, setMetricName, setRequesterLookupStrategy, setResponderLookupStrategy, setResultCachingPredicate, setSupportedPrincipals

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

DEFAULT_METRIC_NAME

@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME

Default prefix for metrics.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

whitelistedUsernames

@Nonnull
@NonnullElements
private Set<String> whitelistedUsernames

A whitelist of usernames to accept.

blacklistedUsernames

@Nonnull
@NonnullElements
private Set<String> blacklistedUsernames

A blacklist of usernames to deny.

matchExpression

@Nullable
private Pattern matchExpression

A regular expression to apply for acceptance testing.

usernameContext

@Nullable
private UsernameContext usernameContext

Username context identifying identity to validate.

Constructor Detail

ValidateRemoteUser

public ValidateRemoteUser()

Constructor.

Method Detail

setWhitelistedUsernames

public void setWhitelistedUsernames(@Nonnull@NonnullElements
                           Collection<String> whitelist)

Set the whitelisted usernames.

Parameters:

whitelist - whitelist to set

setBlacklistedUsernames

public void setBlacklistedUsernames(@Nonnull@NonnullElements
                           Collection<String> blacklist)

Set the blacklisted usernames.

Parameters:

blacklist - blacklist to set

setMatchExpression

public void setMatchExpression(@Nullable
                      Pattern expression)

Set a matching expression to apply for acceptance.

Parameters:

expression - a matching expression

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Overrides:

doPreExecute in class AbstractValidationAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext,
             @Nonnull
             AuthenticationContext authenticationContext)

Overrides:

doExecute in class AbstractAuthenticationAction

isAuthenticated

private boolean isAuthenticated(@Nonnull@NotEmpty
                      String username)

Check whitelist, blacklist, and matching expression for acceptance.

Parameters:

username - the username to evaluate

Returns:

true iff the username is acceptable

populateSubject

@Nonnull
protected Subject populateSubject(@Nonnull
                              Subject subject)

Specified by:

populateSubject in class AbstractValidationAction