Package net.shibboleth.idp.authn

Class AbstractValidationAction

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.AbstractValidationAction
All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
Direct Known Subclasses:
AbstractAuditingValidationAction, ValidateSAMLAuthentication
public abstract class AbstractValidationAction extends AbstractAuthenticationAction implements PrincipalSupportingComponent
A base class for authentication related actions that validate credentials and produce an AuthenticationResult.
Event:
AuthnEventIds.INVALID_AUTHN_CTX, AuthnEventIds.REQUEST_UNSUPPORTED
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null

  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • metricName

      @Nonnull @NotEmpty private String metricName
      Base name of metrics.

    • authenticatedSubject

      @Nonnull private final Subject authenticatedSubject
      Basis for AuthenticationResult.

    • addDefaultPrincipals

      private boolean addDefaultPrincipals
      Whether to inject the authentication flow's default custom principals into the subject.

    • clearErrorContext

      private boolean clearErrorContext
      Indicates whether to clear any existing AuthenticationErrorContext before execution.

    • cleanupHook

      @Nullable private Consumer<ProfileRequestContext> cleanupHook
      A cleanup hook to execute after successful validation.

    • classifiedMessages

      @Nonnull private Map<String,Collection<String>> classifiedMessages
      Error messages associated with a specific error condition token.

    • resultCachingPredicate

      @Nullable private Predicate<ProfileRequestContext> resultCachingPredicate
      Predicate to apply when setting AuthenticationResult cacheability.

    • requesterLookupStrategy

      @Nullable private Function<ProfileRequestContext,String> requesterLookupStrategy
      Function used to obtain the requester ID.

    • responderLookupStrategy

      @Nullable private Function<ProfileRequestContext,String> responderLookupStrategy
      Function used to obtain the responder ID.

  • Constructor Details

    • AbstractValidationAction

      public AbstractValidationAction()
      Constructor.

  • Method Details

    • getMetricName

      @Nonnull @NotEmpty public String getMetricName()
      Get the base name to use for metrics reported.
      Returns:
      root for name of metrics
      Since:
      3.3.0

    • setMetricName

      public void setMetricName(@Nonnull @NotEmpty String name)
      Set the base name to use for metrics reported.
      Parameters:
      name - root for name of metrics
      Since:
      3.3.0

    • addDefaultPrincipals

      public boolean addDefaultPrincipals()
      Get whether to inject the authentication flow's default custom principals into the subject.

      This is the default behavior, and works for static flows in which the principal set can be statically determined from the flow.

      Returns:
      whether to inject the authentication flow's default custom principals into the subject

    • setAddDefaultPrincipals

      public void setAddDefaultPrincipals(boolean flag)
      Set whether to inject the authentication flow's default custom principals into the subject.
      Parameters:
      flag - flag to set

    • getClassifiedErrors

      @Nonnull @Unmodifiable @NotLive public Map<String,Collection<String>> getClassifiedErrors()
      Get the error messages mapped to specific events.

      The map keys are the events and the values are the message collections.

      Returns:
      classified error message map

    • setClassifiedMessages

      public void setClassifiedMessages(@Nullable Map<String,Collection<String>> messages)
      Set the error messages to map to specific events.

      The map keys are the events and the values are the message collections.

      Parameters:
      messages - the error message / event mappings to set

    • getResultCachingPredicate

      @Nullable public Predicate<ProfileRequestContext> getResultCachingPredicate()
      Get predicate to apply to determine cacheability of AuthenticationResult.
      Returns:
      predicate to apply, or null

    • setResultCachingPredicate

      public void setResultCachingPredicate(@Nullable Predicate<ProfileRequestContext> predicate)
      Set predicate to apply to determine cacheability of AuthenticationResult.
      Parameters:
      predicate - predicate to apply, or null

    • getCleanupHook

      @Nullable public Consumer<ProfileRequestContext> getCleanupHook()
      Get the cleanup hook to execute after successful validation.
      Returns:
      cleanup hook
      Since:
      4.1.0

    • setCleanupHook

      public void setCleanupHook(@Nullable Consumer<ProfileRequestContext> hook)
      Set the cleanup hook to execute after successful validation.
      Parameters:
      hook - cleanup hook
      Since:
      4.1.0

    • getRequesterLookupStrategy

      @Nullable public Function<ProfileRequestContext,String> getRequesterLookupStrategy()
      Get the strategy used to locate the requester ID for canonicalization.
      Returns:
      lookup strategy
      Since:
      4.0.0

    • setRequesterLookupStrategy

      public void setRequesterLookupStrategy(@Nullable Function<ProfileRequestContext,String> strategy)
      Set the strategy used to locate the requester ID for canonicalization.
      Parameters:
      strategy - lookup strategy

    • getResponderLookupStrategy

      @Nullable public Function<ProfileRequestContext,String> getResponderLookupStrategy()
      Get the strategy used to locate the responder ID for canonicalization.
      Returns:
      lookup strategy
      Since:
      4.0.0

    • setResponderLookupStrategy

      public void setResponderLookupStrategy(@Nullable Function<ProfileRequestContext,String> strategy)
      Set the strategy used to locate the responder ID for canonicalization.
      Parameters:
      strategy - lookup strategy

    • getSupportedPrincipals

      @Nonnull @Unmodifiable @NotLive public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> c)
      Get an immutable set of supported custom principals that the component produces, supports, contains, etc.
      Specified by:
      getSupportedPrincipals in interface PrincipalSupportingComponent
      Type Parameters:
      T - type of Principal to inquire on
      Parameters:
      c - type of Principal to inquire on
      Returns:
      a set of matching principals

    • setSupportedPrincipals

      public void setSupportedPrincipals(@Nullable Collection<Principal> principals)
      Set supported non-user-specific principals that the action will include in the subjects it generates, in place of any default principals from the flow.

      Setting to a null or empty collection will maintain the default behavior of relying on the flow.

      Parameters:
      principals - supported principals to include

    • getSubject

      @Nonnull protected Subject getSubject()
      Get the subject to be produced by successful execution of this action.
      Returns:
      the subject meant as the result of this action

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • buildAuthenticationResult

      protected void buildAuthenticationResult(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Normally called upon successful completion of credential validation, calls the populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.
      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context

    • populateSubject

      @Nonnull protected abstract Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Parameters:
      subject - subject to populate
      Returns:
      the input subject

    • recordSuccess

      protected void recordSuccess(@Nonnull ProfileRequestContext profileRequestContext)
      Record a successful authentication attempt against the configured counter. Records nothing if the metrics registry is not installed into the runtime.
      Parameters:
      profileRequestContext - profile request context
      Since:
      4.1.0

    • recordFailure

      protected void recordFailure(@Nonnull ProfileRequestContext profileRequestContext)
      Record a failed authentication attempt against the configured counter. Records nothing if the metrics registry is not installed into the runtime.
      Parameters:
      profileRequestContext - profile request context
      Since:
      4.1.0

    • handleError

      protected void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Exception e, @Nonnull @NotEmpty String eventId)
      Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.

      The exception message is evaluated as a potential match as a "classified" error and if matched, the classification label is attached to the AuthenticationErrorContext and used as the resulting event for the action.

      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      e - the exception to process
      eventId - the event to "return" via an EventContext if the exception message is not classified

    • handleError

      protected void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String message, @Nonnull @NotEmpty String eventId)
      Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.

      If no match, the supplied eventId is used as the result.

      If multiple matches, the first matching label is used as the result, but each match is added to the context.

      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      message - to process
      eventId - the event to "return" via an EventContext if the message is not classified

    • handleWarning

      protected void handleWarning(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String message, @Nonnull @NotEmpty String eventId)
      Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.

      If no match, the supplied eventId is used as the result.

      If multiple matches, the first matching label is used as the result, but each match is added to the context.

      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      message - to process
      eventId - the event to "return" via an EventContext if the message is not classified