net.shibboleth.idp.session.impl.DetectIdentitySwitch

All Implemented Interfaces:: Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class DetectIdentitySwitch extends AbstractAuthenticationAction

An authentication action that checks for a mismatch between an existing session's identity and the result of a newly canonicalized subject (from a SubjectCanonicalizationContext).

On a mismatch it destroys a pre-existing session and clears AuthenticationContext and SessionContext state such that no trace of its impact on the contexts remains, and signals the event.

An error interacting with the session layer will result in an EventIds.IO_ERROR event.

Event:: EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, EventIds.IO_ERROR, AuthnEventIds.IDENTITY_SWITCH
Postcondition:: If an identity switch is detected, SessionContext.getIdPSession() == null && AuthenticationContext.getActiveResults().isEmpty()

Field Summary

Fields

Modifier and Type

Field

Description

private Function<ProfileRequestContext,SubjectCanonicalizationContext>

c14nContextLookupStrategy

Lookup function for SubjectCanonicalizationContext.

private final org.slf4j.Logger

log

Class logger.

private String

newPrincipalName

A newly established principal name to check.

private Function<ProfileRequestContext,SessionContext>

sessionContextLookupStrategy

Lookup function for SessionContext.

private SessionContext

sessionCtx

SessionContext to operate on.

private SessionManager

sessionManager

SessionManager.
Constructor Summary

Constructors

Constructor

Description

DetectIdentitySwitch()

Constructor.
Method Summary

Modifier and Type

Method

Description

protected void

doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)

Performs this authentication action.

protected void

doInitialize()

protected boolean

doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step.

void

setSessionContextLookupStrategy(Function<ProfileRequestContext,SessionContext> strategy)

Set the lookup strategy for the SessionContext to access.

void

setSessionManager(SessionManager manager)

Set the SessionManager to use.

void

setSubjectCanonicalizationContextLookupStrategy(Function<ProfileRequestContext,SubjectCanonicalizationContext> strategy)

Set the lookup strategy for the SubjectCanonicalizationContext to access.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction
doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getBean, getBean, getMessage, getMessage, getMessage, getParameter, getParameter, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, ensureHttpServletRequest, ensureHttpServletResponse, execute, getHttpServletRequest, getHttpServletRequestSupplier, getHttpServletResponse, getHttpServletResponseSupplier, getLogPrefix, isPreExecuteCalled, setHttpServletRequestSupplier, setHttpServletResponseSupplier

Methods inherited from class net.shibboleth.shared.component.AbstractInitializableComponent
checkComponentActive, checkSetterPreconditions, destroy, doDestroy, ifDestroyedThrowDestroyedComponentException, ifInitializedThrowUnmodifiabledComponentException, ifNotInitializedThrowUninitializedComponentException, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.shared.component.InitializableComponent
initialize, isInitialized

Field Details
- log
  
  @Nonnull private final org.slf4j.Logger log
  
  Class logger.
- sessionManager
  
  @NonnullAfterInit private SessionManager sessionManager
  
  SessionManager.
- sessionContextLookupStrategy
  
  @Nonnull private Function<ProfileRequestContext,SessionContext> sessionContextLookupStrategy
  
  Lookup function for SessionContext.
- c14nContextLookupStrategy
  
  @Nonnull private Function<ProfileRequestContext,SubjectCanonicalizationContext> c14nContextLookupStrategy
  
  Lookup function for SubjectCanonicalizationContext.
- sessionCtx
  
  @NonnullBeforeExec private SessionContext sessionCtx
  
  SessionContext to operate on.
- newPrincipalName
  
  @NonnullBeforeExec private String newPrincipalName
  
  A newly established principal name to check.
Constructor Details
- DetectIdentitySwitch
  
  public DetectIdentitySwitch()
  
  Constructor.
Method Details
- setSessionManager
  
  public void setSessionManager(@Nonnull SessionManager manager)
  
  Set the SessionManager to use.
  
  Parameters:
  
  manager - session manager to use
- setSessionContextLookupStrategy
  
  public void setSessionContextLookupStrategy(@Nonnull Function<ProfileRequestContext,SessionContext> strategy)
  
  Set the lookup strategy for the SessionContext to access.
  
  Parameters:
  
  strategy - lookup strategy
- setSubjectCanonicalizationContextLookupStrategy
  
  public void setSubjectCanonicalizationContextLookupStrategy(@Nonnull Function<ProfileRequestContext,SubjectCanonicalizationContext> strategy)
  
  Set the lookup strategy for the SubjectCanonicalizationContext to access.
  
  Parameters:
  
  strategy - lookup strategy
- doInitialize
  
  protected void doInitialize() throws ComponentInitializationException
  
  Overrides:
  
  doInitialize in class AbstractInitializableComponent
  
  Throws:
  
  ComponentInitializationException
- doPreExecute
  
  protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action's pre-execute step. Default implementation just returns true.
  
  Overrides:
  
  doPreExecute in class AbstractAuthenticationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context
  
  Returns:
  
  true iff execution should continue
- doExecute
  
  protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action. Default implementation throws an exception.
  
  Overrides:
  
  doExecute in class AbstractAuthenticationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context

Class DetectIdentitySwitch

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.shared.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.shared.component.InitializableComponent

Field Details

log

sessionManager

sessionContextLookupStrategy

c14nContextLookupStrategy

sessionCtx

newPrincipalName

Constructor Details

DetectIdentitySwitch

Method Details

setSessionManager

setSessionContextLookupStrategy

setSubjectCanonicalizationContextLookupStrategy

doInitialize

doPreExecute

doExecute