Package net.shibboleth.idp.authn.impl

Class FinalizeAuthentication

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.authn.impl.FinalizeAuthentication

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class FinalizeAuthentication
extends AbstractAuthenticationAction

An authentication action that runs after a completed authentication flow (or the reuse of an active result) and transfers information from other contexts into a SubjectContext child of the ProfileRequestContext.

The action enforces any constraints on proxying that may be present in the result against the intended use based on the RelyingPartyContext.

The action also cross-checks RequestedPrincipalContext.getMatchingPrincipal(), if set, against the AuthenticationResult to ensure that the result produced actually satisfies the request. This is redundant when reusing active results, but is necessary to prevent a flow from running that can return different results and having it produce a result that doesn't actually satisfy the request. Such a flow would be buggy, but this guards against a mistake from leaving the subsystem.

If no matching Principal is established, or if the match is no longer valid, the request is evaluated in conjunction with the AuthenticationResult to establish a Principal that does satisfy the request and it is recorded via RequestedPrincipalContext.setMatchingPrincipal(Principal).

The context is populated based on the presence of a canonical principal name in either a SubjectCanonicalizationContext or SessionContext, and also includes the completed AuthenticationResult and any other active results found in the AuthenticationContext.

Any SubjectCanonicalizationContext found will be removed.

If AuthenticationContext.getRequiredName() is set, then this action will validate that the same principal name is represented by it, and signal a mismatch otherwise. This is used in protocols that indicate normatively what the authenticated identity is required to be.

Event:

EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_SUBJECT, AuthnEventIds.INVALID_AUTHN_CTX, AuthnEventIds.REQUEST_UNSUPPORTED

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class) != null

Postcondition:

If SubjectCanonicalizationContext.getCanonicalPrincipalName() != null || SessionContext.getIdPSession() != null then ProfileRequestContext.getSubcontext(SubjectContext.class) != null, AuthenticationContext.setCompletionInstant() was called,

ProfileRequestContext.getSubcontext(SubjectCanonicalizationContext.class) == null

Field Summary

Fields

Modifier and Type	Field	Description
private String	canonicalPrincipalName	The principal name extracted from the context tree.
private org.slf4j.Logger	log	Class logger.

Constructor Summary

Constructors

Constructor	Description
FinalizeAuthentication()

Method Summary

Modifier and Type	Method	Description
private boolean	checkProxyRestrictions(ProfileRequestContext profileRequestContext, Subject subject)	Check for proxy restrictions and evaluate them against the request.
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)
protected Principal	findMatchingPrincipal(AuthenticationContext authenticationContext, RequestedPrincipalContext requestedPrincipalCtx)	Evaluate request criteria and the AuthenticationResult to locate a Principal in the result that satisfies the request criteria.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

canonicalPrincipalName

@Nullable
private String canonicalPrincipalName

The principal name extracted from the context tree.

Constructor Detail

FinalizeAuthentication

public FinalizeAuthentication()

Method Detail

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext,
                               @Nonnull
                               AuthenticationContext authenticationContext)

Overrides:

doPreExecute in class AbstractAuthenticationAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext,
                         @Nonnull
                         AuthenticationContext authenticationContext)

Overrides:

doExecute in class AbstractAuthenticationAction

findMatchingPrincipal

@Nullable
protected Principal findMatchingPrincipal(@Nonnull
                                          AuthenticationContext authenticationContext,
                                          @Nonnull
                                          RequestedPrincipalContext requestedPrincipalCtx)

Evaluate request criteria and the AuthenticationResult to locate a Principal in the result that satisfies the request criteria.

If a weighting map is supplied, the Principal returned is the one that both satisfies the request and is highest weighted according to the underlying flow descriptor.

Parameters:

authenticationContext - authentication context

requestedPrincipalCtx - request criteria

Returns:

matching Principal, or null

checkProxyRestrictions

private boolean checkProxyRestrictions(@Nonnull
                                       ProfileRequestContext profileRequestContext,
                                       @Nonnull
                                       Subject subject)

Check for proxy restrictions and evaluate them against the request.

Parameters:

profileRequestContext - current profile request context

subject - the authentication result's subject

Returns:

true iff processing should continue