Package net.shibboleth.idp.authn.impl

Class ValidateRemoteUser

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.AbstractValidationAction
net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
net.shibboleth.idp.authn.impl.ValidateRemoteUser
All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class ValidateRemoteUser extends AbstractAuditingValidationAction
An action that checks for a UsernameContext and directly produces an AuthenticationResult based on that identity.

Various optional properties are supported to control the validation process.

Event:
EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class, false).getAttemptedFlow() != null
Postcondition:
If AuthenticationContext.getSubcontext(UsernameContext.class, false).getUsername() != null, then an AuthenticationResult is saved to the AuthenticationContext.

  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • allowedUsernames

      @Nonnull private Set<String> allowedUsernames
      Usernames to accept.

    • deniedUsernames

      @Nonnull private Set<String> deniedUsernames
      Usernames to deny.

    • matchExpression

      @Nullable private Pattern matchExpression
      A regular expression to apply for acceptance testing.

    • usernameContext

      @NonnullBeforeExec private UsernameContext usernameContext
      Username context identifying identity to validate.

  • Constructor Details

    • ValidateRemoteUser

      public ValidateRemoteUser()
      Constructor.

  • Method Details

    • setAllowedUsernames

      public void setAllowedUsernames(@Nullable Collection<String> allowed)
      Set the allowed usernames.
      Parameters:
      allowed - usernames to allow

    • setDeniedUsernames

      public void setDeniedUsernames(@Nullable Collection<String> denied)
      Set the denied usernames.
      Parameters:
      denied - usernames to deny

    • setMatchExpression

      public void setMatchExpression(@Nullable Pattern expression)
      Set a matching expression to apply for acceptance.
      Parameters:
      expression - a matching expression

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • isAuthenticated

      private boolean isAuthenticated(@Nonnull @NotEmpty String username)
      Check whitelist, blacklist, and matching expression for acceptance.
      Parameters:
      username - the username to evaluate
      Returns:
      true iff the username is acceptable

    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject