Package net.shibboleth.idp.authn.impl

Class ValidateCredentials

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.AbstractValidationAction
net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
net.shibboleth.idp.authn.impl.ValidateCredentials
All Implemented Interfaces:
CredentialValidator.ErrorHandler, CredentialValidator.WarningHandler, PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class ValidateCredentials extends AbstractAuditingValidationAction implements CredentialValidator.WarningHandler, CredentialValidator.ErrorHandler
An action that processes a list of CredentialValidator objects to produce an AuthenticationResult.
Since:
4.0.0
Event:
EventIds.PROCEED_EVENT_ID, others on error
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null

  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • credentialValidators

      @Nonnull private List<CredentialValidator> credentialValidators
      Ordered list of validators.

    • requireAll

      private boolean requireAll
      Whether all validators must succeed.

    • lockoutManager

      @Nullable private AccountLockoutManager lockoutManager
      Optional lockout management interface.

    • results

      @Nonnull private Collection<Subject> results
      Results from successful validators.

    • currentValidator

      @Nullable private CredentialValidator currentValidator
      Currently executing validator.

    • warningSignaled

      private boolean warningSignaled
      Tracks whether a warning event was signaled.

    • errorSignaled

      private boolean errorSignaled
      Tracks whether an error event was signaled.

  • Constructor Details

    • ValidateCredentials

      public ValidateCredentials()
      Constructor.

  • Method Details

    • setLockoutManager

      public void setLockoutManager(@Nullable AccountLockoutManager manager)
      Set an account lockout management component.
      Parameters:
      manager - lockout manager

    • setValidators

      public void setValidators(@Nullable List<CredentialValidator> validators)
      Set the list of validators to use.
      Parameters:
      validators - validators to use

    • setRequireAll

      public void setRequireAll(boolean flag)
      Set whether to execute and require success from all configured validators, or stop at the first successful result.
      Parameters:
      flag - flag to set

    • getMetricName

      @Nonnull @NotEmpty public String getMetricName()
      Get the base name to use for metrics reported.
      Overrides:
      getMetricName in class AbstractValidationAction
      Returns:
      root for name of metrics

    • handleWarning

      public void handleWarning(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String message, @Nonnull @NotEmpty String eventId)
      Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.

      If no match, the supplied eventId is used as the result.

      If multiple matches, the first matching label is used as the result, but each match is added to the context.

      Specified by:
      handleWarning in interface CredentialValidator.WarningHandler
      Overrides:
      handleWarning in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      message - to process
      eventId - the event to "return" via an EventContext if the message is not classified

    • handleError

      public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String message, @Nonnull @NotEmpty String eventId)
      Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.

      If no match, the supplied eventId is used as the result.

      If multiple matches, the first matching label is used as the result, but each match is added to the context.

      Specified by:
      handleError in interface CredentialValidator.ErrorHandler
      Overrides:
      handleError in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      message - to process
      eventId - the event to "return" via an EventContext if the message is not classified

    • handleError

      public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Exception e, @Nonnull @NotEmpty String eventId)
      Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.

      The exception message is evaluated as a potential match as a "classified" error and if matched, the classification label is attached to the AuthenticationErrorContext and used as the resulting event for the action.

      Specified by:
      handleError in interface CredentialValidator.ErrorHandler
      Overrides:
      handleError in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current profile request context
      authenticationContext - the current authentication context
      e - the exception to process
      eventId - the event to "return" via an EventContext if the exception message is not classified

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject

    • recordSuccess

      protected void recordSuccess(@Nonnull ProfileRequestContext profileRequestContext)
      Record a successful authentication attempt against the configured counter. Records nothing if the metrics registry is not installed into the runtime.

      Also optionally clears account lockout state.

      Overrides:
      recordSuccess in class AbstractAuditingValidationAction
      Parameters:
      profileRequestContext - profile request context

    • getAuditFields

      @Nonnull @Unmodifiable @NotLive protected Map<String,String> getAuditFields(@Nonnull ProfileRequestContext profileRequestContext)
      Subclasses can override this method to supply additional audit fields to store.
      Overrides:
      getAuditFields in class AbstractAuditingValidationAction
      Parameters:
      profileRequestContext - profile request context
      Returns:
      audit fields