Package net.shibboleth.idp.cas.proxy.impl

Class HttpClientProxyValidator

java.lang.Object

net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator

All Implemented Interfaces:

ProxyValidator

public class HttpClientProxyValidator
extends Object
implements ProxyValidator

Authenticates a CAS proxy callback endpoint using an HttpClient instance to establish the connection and a TrustEngine to verify the TLS certificate presented by the remote peer. The endpoint is validated if and only if the following requirements are met:

1. Proxy callback URI specifies the https scheme.
2. The TLS certificate presented by the remote peer is trusted.
3. The HTTP response status code is approved via setAllowedResponseCodes(Set) (only 200 by default).

Field Summary

Fields

Modifier and Type	Field	Description
private Set<Integer>	allowedResponseCodes	List of HTTP response codes permitted for successful proxy callback.
private org.apache.http.client.HttpClient	httpClient	HTTP client that connects to proxy callback endpoint.
protected static String	HTTPS_SCHEME	Required https scheme for proxy callbacks.
private org.slf4j.Logger	log	Class logger.
private HttpClientSecurityParameters	securityParameters	HTTP client security parameters.
private Function<ProfileRequestContext,ServiceContext>	serviceCtxLookupFunction	Looks up a ServiceContext from the profile request context.

Constructor Summary

Constructors

Constructor	Description
HttpClientProxyValidator(org.apache.http.client.HttpClient client, HttpClientSecurityParameters parameters)	Constructor.

Method Summary

Modifier and Type	Method	Description
protected int	connect(URI uri, Service service)	Connect to the given CAS proxy callback endpoint and return the HTTP response code.
void	setAllowedResponseCodes(Set<Integer> responseCodes)	Sets the HTTP response codes permitted for successful authentication of the proxy callback URL.
private static void	setCASTLSTrustEngineCriteria(org.apache.http.client.protocol.HttpClientContext context, URI requestUri, Service service)	Install TLS trust criteria.
void	validate(ProfileRequestContext profileRequestContext, URI proxyCallbackUri)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

HTTPS_SCHEME

@Nonnull
@NotEmpty
protected static final String HTTPS_SCHEME

Required https scheme for proxy callbacks.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

serviceCtxLookupFunction

@Nonnull
private final Function<ProfileRequestContext,ServiceContext> serviceCtxLookupFunction

Looks up a ServiceContext from the profile request context.

httpClient

@Nonnull
private final org.apache.http.client.HttpClient httpClient

HTTP client that connects to proxy callback endpoint.

securityParameters

@Nonnull
private final HttpClientSecurityParameters securityParameters

HTTP client security parameters.

allowedResponseCodes

@NotEmpty
@NonnullElements
private Set<Integer> allowedResponseCodes

List of HTTP response codes permitted for successful proxy callback.

Constructor Detail

HttpClientProxyValidator

public HttpClientProxyValidator(@Nonnull
                                org.apache.http.client.HttpClient client,
                                @Nonnull
                                HttpClientSecurityParameters parameters)

Constructor.

Parameters:

client - HttpClient to use

parameters - security parameters for client

Method Detail

setAllowedResponseCodes

public void setAllowedResponseCodes(@NotEmpty @NonnullElements
                                    Set<Integer> responseCodes)

Sets the HTTP response codes permitted for successful authentication of the proxy callback URL.

Parameters:

responseCodes - One or more HTTP response codes.

validate

public void validate(@Nonnull
                     ProfileRequestContext profileRequestContext,
                     @Nonnull
                     URI proxyCallbackUri)
              throws GeneralSecurityException

Specified by:

validate in interface ProxyValidator

Throws:

GeneralSecurityException

connect

protected int connect(@Nonnull
                      URI uri,
                      @Nonnull
                      Service service)
               throws GeneralSecurityException

Connect to the given CAS proxy callback endpoint and return the HTTP response code. TLS peer certificate validation is an essential security aspect of establishing the connection.

Parameters:

uri - CAS proxy callback URI to connect to.

service - CAS service requesting the connection.

Returns:

HTTP response code.

Throws:

GeneralSecurityException - On connection errors, e.g. invalid/untrusted cert.

setCASTLSTrustEngineCriteria

private static void setCASTLSTrustEngineCriteria(org.apache.http.client.protocol.HttpClientContext context,
                                                 URI requestUri,
                                                 Service service)

Install TLS trust criteria.

Parameters:

context - client context

requestUri - URI to obtain hostname

service - CAS service