Package org.opensaml.saml.saml2.profile.impl

Class EncryptNameIDs

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
org.opensaml.saml.saml2.profile.impl.AbstractEncryptAction
org.opensaml.saml.saml2.profile.impl.EncryptNameIDs
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction
public class EncryptNameIDs extends AbstractEncryptAction
Action that encrypts all NameIDs in a message obtained from a lookup strategy, by default the outbound message context.

Specific formats may be excluded from encryption, by default excluding the "entity" format.

Event:
EventIds.PROCEED_EVENT_ID, EventIds.UNABLE_TO_ENCRYPT
Postcondition:
All SAML NameIDs in all locations have been replaced with encrypted versions. It's possible for some to be replaced but others not if an error occurs.

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • messageLookupStrategy

      @Nonnull private Function<ProfileRequestContext,SAMLObject> messageLookupStrategy
      Strategy used to locate the message to operate on.

    • excludedFormats

      @Nonnull private Set<String> excludedFormats
      Formats to exclude from encryption.

    • message

      @NonnullBeforeExec private SAMLObject message
      The message to operate on.

  • Constructor Details

    • EncryptNameIDs

      public EncryptNameIDs()
      Constructor.

  • Method Details

    • setMessageLookupStrategy

      public void setMessageLookupStrategy(@Nonnull Function<ProfileRequestContext,SAMLObject> strategy)
      Set the strategy used to locate the Response to operate on.
      Parameters:
      strategy - strategy used to locate the Response to operate on

    • setExcludedFormats

      public void setExcludedFormats(@Nonnull Collection<String> formats)
      Set the NameID formats to ignore and leave unencrypted.
      Parameters:
      formats - formats to exclude

    • getApplicableParameters

      @Nullable protected EncryptionParameters getApplicableParameters(@Nullable EncryptionContext ctx)
      Return the right set of parameters for the operation to be performed, or none if no encryption should occur.
      Specified by:
      getApplicableParameters in class AbstractEncryptAction
      Parameters:
      ctx - possibly null input context to pull parameters from
      Returns:
      the right parameter set, or null for none

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Called prior to execution, actions may override this method to perform pre-processing for a request.

      If false is returned, execution will not proceed, and the action should attach an EventContext to the context tree to signal how to continue with overall workflow processing.

      If returning successfully, the last step should be to return the result of the superclass version of this method.

      Overrides:
      doPreExecute in class AbstractEncryptAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      Returns:
      true iff execution should proceed

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Performs this action. Actions must override this method to perform their work.
      Overrides:
      doExecute in class AbstractProfileAction
      Parameters:
      profileRequestContext - the current IdP profile request context

    • shouldEncrypt

      private boolean shouldEncrypt(@Nonnull NameID name)
      Return true iff the NameID should be encrypted.
      Parameters:
      name - NameID to check
      Returns:
      true iff encryption should happen

    • processSubject

      private void processSubject(@Nullable Subject subject) throws EncryptionException
      Encrypt any NameIDs found in a subject and replace them with the result.
      Parameters:
      subject - subject to operate on
      Throws:
      EncryptionException - if an error occurs

    • processLogoutRequest

      private void processLogoutRequest(@Nonnull LogoutRequest request) throws EncryptionException
      Encrypt a NameID found in a LogoutRequest and replace it with the result.
      Parameters:
      request - request to operate on
      Throws:
      EncryptionException - if an error occurs

    • processManageNameIDRequest

      private void processManageNameIDRequest(@Nonnull ManageNameIDRequest request) throws EncryptionException
      Encrypt a NameID found in a ManageNameIDRequest and replace it with the result.
      Parameters:
      request - request to operate on
      Throws:
      EncryptionException - if an error occurs

    • processNameIDMappingRequest

      private void processNameIDMappingRequest(@Nonnull NameIDMappingRequest request) throws EncryptionException
      Encrypt a NameID found in a NameIDMappingRequest and replace it with the result.
      Parameters:
      request - request to operate on
      Throws:
      EncryptionException - if an error occurs

    • processNameIDMappingResponse

      private void processNameIDMappingResponse(@Nonnull NameIDMappingResponse response) throws EncryptionException
      Encrypt a NameID found in a NameIDMappingResponse and replace it with the result.
      Parameters:
      response - response to operate on
      Throws:
      EncryptionException - if an error occurs

    • processAssertion

      private void processAssertion(@Nonnull Assertion assertion) throws EncryptionException
      Decrypt any EncryptedID found in an assertion and replace it with the result.
      Parameters:
      assertion - assertion to operate on
      Throws:
      EncryptionException - if an error occurs