Package net.shibboleth.idp.authn.impl

Class ValidateUserAgentAddress

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.authn.AbstractAuthenticationAction
net.shibboleth.idp.authn.AbstractValidationAction
net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
net.shibboleth.idp.authn.impl.ValidateUserAgentAddress
All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class ValidateUserAgentAddress extends AbstractAuditingValidationAction
An action that ensures that a user-agent address found within a UserAgentContext is within a given range and generates an AuthenticationResult.
Event:
EventIds.PROCEED_EVENT_ID, AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.INVALID_CREDENTIALS
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class, false).getAttemptedFlow() != null
Postcondition:
If AuthenticationContext.getSubcontext(UserAgentContext.class, false) != null, and the content of getAddress() satisfies a configured address range, an AuthenticationResult is saved to the AuthenticationContext.

  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • mappings

      @Nonnull private Map<String,Collection<IPRange>> mappings
      Map of IP ranges to principal names.

    • uaContext

      @NonnullBeforeExec private UserAgentContext uaContext
      User Agent context containing address to evaluate.

    • principalName

      @Nullable private String principalName
      The principal name established by the action, if any.

  • Constructor Details

    • ValidateUserAgentAddress

      public ValidateUserAgentAddress()
      Constructor.

  • Method Details

    • setMappings

      public void setMappings(@Nullable Map<String,Collection<IPRange>> newMappings)
      Set the IP range(s) to authenticate as particular principals.
      Parameters:
      newMappings - the IP range(s) to authenticate as particular principals

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context

    • isAuthenticated

      private boolean isAuthenticated(@Nonnull InetAddress address, @Nonnull Collection<IPRange> ranges)
      Checks whether the given IP address meets a set of IP range requirements.
      Parameters:
      address - the IP address to check
      ranges - the ranges to check
      Returns:
      true if the given IP address meets this stage's IP range requirements, false otherwise

    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject

    • getAuditFields

      @Nullable @Unmodifiable @NotLive protected Map<String,String> getAuditFields(@Nonnull ProfileRequestContext profileRequestContext)
      Subclasses can override this method to supply additional audit fields to store.
      Overrides:
      getAuditFields in class AbstractAuditingValidationAction
      Parameters:
      profileRequestContext - profile request context
      Returns:
      audit fields