org.opensaml.saml.metadata.resolver.filter.impl

Class SignatureValidationFilter

java.lang.Object

org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter

All Implemented Interfaces:

MetadataFilter

public class SignatureValidationFilter
extends Object
implements MetadataFilter

A metadata filter that validates XML signatures.

Field Summary

Fields

Modifier and Type	Field and Description
private net.shibboleth.utilities.java.support.resolver.CriteriaSet	defaultCriteria Set of externally specified default criteria for input to the trust engine.
private Logger	log Class logger.
private boolean	requireSignature Indicates whether signed metadata is required.
private org.opensaml.xmlsec.signature.support.SignaturePrevalidator	signaturePrevalidator Prevalidator for XML Signature instances.
private org.opensaml.xmlsec.signature.support.SignatureTrustEngine	signatureTrustEngine Trust engine used to validate a signature.

Constructor Summary

Constructors

Constructor and Description
SignatureValidationFilter(org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet	buildCriteriaSet(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Build the criteria set which will be used as input to the configured trust engine.
org.opensaml.core.xml.XMLObject	filter(org.opensaml.core.xml.XMLObject metadata)
net.shibboleth.utilities.java.support.resolver.CriteriaSet	getDefaultCriteria() Get the set of default criteria used as input to the trust engine.
boolean	getRequireSignature() Gets whether incoming metadata's root element is required to be signed.
protected String	getRoleIDToken(String entityID, RoleDescriptor role) Get a string token for logging/debugging purposes that contains role information and containing entityID.
org.opensaml.xmlsec.signature.support.SignaturePrevalidator	getSignaturePrevalidator() Get the validator used to perform pre-validation on Signature tokens.
org.opensaml.xmlsec.signature.support.SignatureTrustEngine	getSignatureTrustEngine() Gets the trust engine used to validate signatures on incoming metadata.
protected void	performPreValidation(org.opensaml.xmlsec.signature.Signature signature, String metadataEntryName) Perform pre-validation on the Signature token.
protected void	processEntityDescriptor(EntityDescriptor entityDescriptor) Process the signatures on the specified EntityDescriptor and any signed children.
protected void	processEntityGroup(EntitiesDescriptor entitiesDescriptor) Process the signatures on the specified EntitiesDescriptor and any signed children.
void	setDefaultCriteria(net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria) Set the set of default criteria used as input to the trust engine.
void	setRequireSignature(boolean require) Sets whether incoming metadata's root element is required to be signed.
void	setSignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator) Set the validator used to perform pre-validation on Signature tokens.
protected void	verifySignature(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Evaluate the signature on the signed metadata instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

private final Logger log

Class logger.

signatureTrustEngine

private org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine

Trust engine used to validate a signature.

requireSignature

private boolean requireSignature

Indicates whether signed metadata is required.

defaultCriteria

private net.shibboleth.utilities.java.support.resolver.CriteriaSet defaultCriteria

Set of externally specified default criteria for input to the trust engine.

signaturePrevalidator

private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator

Prevalidator for XML Signature instances.

Constructor Detail

SignatureValidationFilter

public SignatureValidationFilter(org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)

Constructor. Signature pre-validator defaults to SAMLSignatureProfileValidator.

Parameters:

engine - the trust engine used to validate signatures on incoming metadata.

Method Detail

getSignatureTrustEngine

@Nonnull
public org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureTrustEngine()

Gets the trust engine used to validate signatures on incoming metadata.

Returns:

trust engine used to validate signatures on incoming metadata

getSignaturePrevalidator

@Nullable
public org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignaturePrevalidator()

Get the validator used to perform pre-validation on Signature tokens.

Returns:

the configured Signature validator, or null

setSignaturePrevalidator

public void setSignaturePrevalidator(@Nullable
                            org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator)

Set the validator used to perform pre-validation on Signature tokens.

Parameters:

validator - the signature prevalidator to use

getRequireSignature

public boolean getRequireSignature()

Gets whether incoming metadata's root element is required to be signed. Defaults to true.

Returns:

whether incoming metadata is required to be signed

setRequireSignature

public void setRequireSignature(boolean require)

Sets whether incoming metadata's root element is required to be signed. Defaults to true.

Parameters:

require - whether incoming metadata is required to be signed

getDefaultCriteria

@Nullable
public net.shibboleth.utilities.java.support.resolver.CriteriaSet getDefaultCriteria()

Get the set of default criteria used as input to the trust engine.

Returns:

the criteria set

setDefaultCriteria

public void setDefaultCriteria(@Nullable
                      net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria)

Set the set of default criteria used as input to the trust engine.

Parameters:

newCriteria - the new criteria set to use

filter

public org.opensaml.core.xml.XMLObject filter(org.opensaml.core.xml.XMLObject metadata)
                                       throws FilterException

Specified by:

filter in interface MetadataFilter

Throws:

FilterException

processEntityDescriptor

protected void processEntityDescriptor(EntityDescriptor entityDescriptor)
                                throws FilterException

Process the signatures on the specified EntityDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entity descriptor.

Parameters:

entityDescriptor - the EntityDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified

processEntityGroup

protected void processEntityGroup(EntitiesDescriptor entitiesDescriptor)
                           throws FilterException

Process the signatures on the specified EntitiesDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entities descriptor group.

Parameters:

entitiesDescriptor - the EntitiesDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified

verifySignature

protected void verifySignature(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata,
                   String metadataEntryName,
                   boolean isEntityGroup)
                        throws FilterException

Evaluate the signature on the signed metadata instance.

Parameters:

signedMetadata - the metadata object whose signature is to be verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine

Throws:

FilterException - thrown if the metadata entry's signature can not be established as trusted, or if an error occurs during the signature verification process

performPreValidation

protected void performPreValidation(org.opensaml.xmlsec.signature.Signature signature,
                        String metadataEntryName)
                             throws FilterException

Perform pre-validation on the Signature token.

Parameters:

signature - the signature to evaluate

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

Throws:

FilterException - thrown if the signature element fails pre-validation

buildCriteriaSet

protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata,
                                                                          String metadataEntryName,
                                                                          boolean isEntityGroup)

Build the criteria set which will be used as input to the configured trust engine.

Parameters:

signedMetadata - the metadata element whose signature is being verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)

Returns:

the newly constructed criteria set

getRoleIDToken

protected String getRoleIDToken(String entityID,
                    RoleDescriptor role)

Get a string token for logging/debugging purposes that contains role information and containing entityID.

Parameters:

entityID - the containing entityID

role - the role descriptor

Returns:

the constructed role ID token.