Class AddNameIDToSubjects

  • All Implemented Interfaces:
    net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.profile.action.ProfileAction

    public class AddNameIDToSubjects
    extends org.opensaml.profile.action.AbstractProfileAction
    Action that builds a NameID and adds it to the Subject of all the assertions found in a Response. The message to update is returned by a lookup strategy, by default the message returned by InOutOperationContext.getOutboundMessageContext().

    If no Response exists, then an Assertion directly in the outbound message context will be used or created by the default lookup strategy.

    If no Subject exists in the assertions found, it will be created.

    The source of the NameID is one of a set of candidate SAML2NameIDGenerator plugins injected into the action. The plugin(s) to attempt to use are derived from the Format value, which is established by a lookup strategy.

    In addition, the generation process is influenced by the requested NameIDPolicy, which is evaluated using a pluggable predicate.

    Event:
    EventIds.PROCEED_EVENT_ID, EventIds.INVALID_PROFILE_CTX, SAMLEventIds.INVALID_NAMEID_POLICY
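    The description above is the whole contract of the action, so here is an added, self-contained Java model of that control flow. It is not the project's code: every class in it is a constructed stand-in (NameID, Subject, Assertion, NameIDPolicy, AuthnRequest, a NameIDGenerator interface) reduced to the fields the flow needs, and the generator plugin and NameIDPolicy predicate are constructed for the demonstration. One detail is an assumption rather than something the page states outright: that a Format required by the request's NameIDPolicy narrows the candidate list to that single format, which is the reading the requiredFormat field's description suggests.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

/**
 * Added illustration of the control flow described for AddNameIDToSubjects.
 * Not the project's code: every type below is a constructed stand-in for the
 * OpenSAML type of the same name, reduced to the fields the flow needs.
 */
public class NameIdFlowModel {

    /** Stand-in for org.opensaml.saml.saml2.core.NameID. */
    static final class NameID {
        final String format, value;
        NameID(String format, String value) { this.format = format; this.value = value; }
    }
    /** Stand-ins for Subject, Assertion, NameIDPolicy and AuthnRequest. */
    static final class Subject { NameID nameID; }
    static final class Assertion { Subject subject; }
    static final class NameIDPolicy { String format; }
    static final class AuthnRequest { NameIDPolicy nameIDPolicy; }

    /** Stand-in for SAML2NameIDGenerator: a plugin may serve some formats and decline others. */
    interface NameIDGenerator { NameID generate(String principal, String format); }

    enum Event { PROCEED, INVALID_NAMEID_POLICY }

    // The same knobs the setters on this page expose.
    NameIDGenerator generator;
    List<String> formats = new ArrayList<>();            // candidate formats, in order
    Predicate<AuthnRequest> nameIDPolicyPredicate = r -> true;
    boolean overwriteExisting = false;

    /** Mirrors getRequiredFormat(): the Format the SP put in NameIDPolicy, or null. */
    static String requiredFormat(AuthnRequest request) {
        if (request == null || request.nameIDPolicy == null) return null;
        return request.nameIDPolicy.format;
    }

    /** Mirrors generateNameID(): a required Format narrows the candidates to that one (assumption). */
    NameID generateNameID(AuthnRequest request, String principal) {
        String required = requiredFormat(request);
        List<String> candidates = required != null ? List.of(required) : formats;
        for (String format : candidates) {
            NameID nameID = generator.generate(principal, format);
            if (nameID != null) return nameID;
        }
        return null;   // no plugin could produce any candidate format
    }

    /** Mirrors getAssertionSubject(): create the Subject when the assertion has none. */
    static Subject assertionSubject(Assertion assertion) {
        if (assertion.subject == null) assertion.subject = new Subject();
        return assertion.subject;
    }

    /** Mirrors cloneNameID(): each assertion gets its own copy, never a shared object. */
    static NameID cloneNameID(NameID n) { return new NameID(n.format, n.value); }

    /** doPreExecute + doExecute in one step, returning the event the action would signal. */
    Event execute(AuthnRequest request, List<Assertion> assertions, String principal) {
        // Policy check first: a NameIDPolicy the deployment does not accept ends the flow.
        if (!nameIDPolicyPredicate.test(request)) return Event.INVALID_NAMEID_POLICY;
        NameID nameID = generateNameID(request, principal);
        if (nameID == null) return Event.PROCEED;           // nothing generated, assertions untouched
        for (Assertion assertion : assertions) {
            Subject subject = assertionSubject(assertion);
            if (subject.nameID != null && !overwriteExisting) continue;   // keep what is there
            subject.nameID = cloneNameID(nameID);
        }
        return Event.PROCEED;
    }

    public static void main(String[] args) {
        final String PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
        final String TRANSIENT  = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient";
        final String EMAIL      = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

        NameIdFlowModel action = new NameIdFlowModel();
        action.formats.add(PERSISTENT);
        action.formats.add(TRANSIENT);
        // Constructed plugin: only knows how to mint transient identifiers.
        action.generator = (principal, format) ->
            TRANSIENT.equals(format) ? new NameID(format, "_tx-" + Integer.toHexString(principal.hashCode())) : null;
        // Constructed predicate: only accept a requested Format this deployment is configured to release.
        action.nameIDPolicyPredicate = r -> {
            String f = requiredFormat(r);
            return f == null || action.formats.contains(f);
        };

        Assertion a1 = new Assertion(), a2 = new Assertion();
        a2.subject = new Subject();
        a2.subject.nameID = new NameID(TRANSIENT, "_preexisting");

        // Case 1: no NameIDPolicy -> configured formats tried in order; persistent declined, transient used.
        Event e1 = action.execute(new AuthnRequest(), List.of(a1, a2), "alice");
        System.out.println(e1 + " a1=" + a1.subject.nameID.format + " a2 kept=" + a2.subject.nameID.value);

        // Case 2: SP asks for a Format the deployment does not release -> rejected before generation.
        AuthnRequest req = new AuthnRequest();
        req.nameIDPolicy = new NameIDPolicy();
        req.nameIDPolicy.format = EMAIL;
        System.out.println(action.execute(req, List.of(new Assertion()), "alice"));
    }
}
```

    Two points of the model are worth watching in a real deployment: the predicate runs before any identifier is generated, so a request carrying an unacceptable NameIDPolicy never reaches a generator plugin, and with overwriteExisting left false an assertion that already carries a NameID is left alone rather than silently replaced.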
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private List<org.opensaml.saml.saml2.core.Assertion> assertions
      Assertions to modify.
      private Function<org.opensaml.profile.context.ProfileRequestContext,​List<org.opensaml.saml.saml2.core.Assertion>> assertionsLookupStrategy
      Strategy used to locate the Assertions to operate on.
      private Function<org.opensaml.profile.context.ProfileRequestContext,​List<String>> formatLookupStrategy
      Strategy used to determine the formats to try.
      private List<String> formats
      Formats to try.
      private org.opensaml.saml.saml2.profile.SAML2NameIDGenerator generator
      Generator to use.
      private net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy idGenerator
      The IdentifierGenerationStrategy to use.
      private Function<org.opensaml.profile.context.ProfileRequestContext,​net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> idGeneratorLookupStrategy
      Strategy used to locate the IdentifierGenerationStrategy to use.
      private String issuerId
      EntityID to populate into Issuer element.
      private Function<org.opensaml.profile.context.ProfileRequestContext,​String> issuerLookupStrategy
      Strategy used to obtain the response issuer value.
      private Logger log
      Class logger.
      private org.opensaml.saml.common.SAMLObjectBuilder<org.opensaml.saml.saml2.core.NameID> nameIdBuilder
      Builder for NameID objects.
      private Predicate<org.opensaml.profile.context.ProfileRequestContext> nameIDPolicyPredicate
      Predicate to validate NameIDPolicy.
      private boolean overwriteExisting
      Flag controlling whether to overwrite an existing NameID.
      private org.opensaml.saml.saml2.core.AuthnRequest request
      Request to examine.
      private Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.AuthnRequest> requestLookupStrategy
      Strategy used to locate the AuthnRequest to operate on, if any.
      private String requiredFormat
      Format required by requested NameIDPolicy.
      private org.opensaml.saml.common.SAMLObjectBuilder<org.opensaml.saml.saml2.core.Subject> subjectBuilder
      Builder for Subject objects.
    • Method Summary

      Modifier and Type Method Description
      private org.opensaml.saml.saml2.core.NameID cloneNameID​(org.opensaml.saml.saml2.core.NameID nameId)
      Create an efficient field-wise copy of a NameID.
      protected void doExecute​(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      protected void doInitialize()
      protected boolean doPreExecute​(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      private org.opensaml.saml.saml2.core.NameID generateNameID​(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      Attempt to generate a NameID using each of the candidate Formats and plugins.
      private org.opensaml.saml.saml2.core.Subject getAssertionSubject​(org.opensaml.saml.saml2.core.Assertion assertion)
      Get the subject to which the name identifier will be added.
      private String getRequiredFormat​(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      Extract a format required by the inbound request, if present.
      void setAssertionsLookupStrategy​(Function<org.opensaml.profile.context.ProfileRequestContext,​List<org.opensaml.saml.saml2.core.Assertion>> strategy)
      Set the strategy used to locate the Assertions to operate on.
      void setFormatLookupStrategy​(Function<org.opensaml.profile.context.ProfileRequestContext,​List<String>> strategy)
      Set the strategy function to use to obtain the formats to try.
      void setIdentifierGeneratorLookupStrategy​(Function<org.opensaml.profile.context.ProfileRequestContext,​net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> strategy)
      Set the strategy used to locate the IdentifierGenerationStrategy to use.
      void setIssuerLookupStrategy​(Function<org.opensaml.profile.context.ProfileRequestContext,​String> strategy)
      Set the strategy used to locate the issuer value to use.
      void setNameIDGenerator​(org.opensaml.saml.saml2.profile.SAML2NameIDGenerator theGenerator)
      Set the generator to use.
      void setNameIDPolicyPredicate​(Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
      Set the predicate used to evaluate the NameIDPolicy.
      void setOverwriteExisting​(boolean flag)
      Set whether to overwrite any existing NameID objects found.
      void setRequestLookupStrategy​(Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.AuthnRequest> strategy)
      Set the strategy used to locate the AuthnRequest to examine, if any.
      • Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

        doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse
      • Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

        destroy, doDestroy, initialize, isDestroyed, isInitialized
      • Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

        initialize, isInitialized
    • Field Detail

      • log

        @Nonnull
        private final Logger log
        Class logger.
      • subjectBuilder

        @Nonnull
        private org.opensaml.saml.common.SAMLObjectBuilder<org.opensaml.saml.saml2.core.Subject> subjectBuilder
        Builder for Subject objects.
      • nameIdBuilder

        @Nonnull
        private org.opensaml.saml.common.SAMLObjectBuilder<org.opensaml.saml.saml2.core.NameID> nameIdBuilder
        Builder for NameID objects.
      • overwriteExisting

        private boolean overwriteExisting
        Flag controlling whether to overwrite an existing NameID.
      • requestLookupStrategy

        @Nonnull
        private Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.AuthnRequest> requestLookupStrategy
        Strategy used to locate the AuthnRequest to operate on, if any.
      • assertionsLookupStrategy

        @Nonnull
        private Function<org.opensaml.profile.context.ProfileRequestContext,​List<org.opensaml.saml.saml2.core.Assertion>> assertionsLookupStrategy
        Strategy used to locate the Assertions to operate on.
      • idGeneratorLookupStrategy

        @Nonnull
        private Function<org.opensaml.profile.context.ProfileRequestContext,​net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> idGeneratorLookupStrategy
        Strategy used to locate the IdentifierGenerationStrategy to use.
      • issuerLookupStrategy

        @Nullable
        private Function<org.opensaml.profile.context.ProfileRequestContext,​String> issuerLookupStrategy
        Strategy used to obtain the response issuer value.
      • nameIDPolicyPredicate

        @Nonnull
        private Predicate<org.opensaml.profile.context.ProfileRequestContext> nameIDPolicyPredicate
        Predicate to validate NameIDPolicy.
      • formatLookupStrategy

        @Nonnull
        private Function<org.opensaml.profile.context.ProfileRequestContext,​List<String>> formatLookupStrategy
        Strategy used to determine the formats to try.
      • generator

        @NonnullAfterInit
        private org.opensaml.saml.saml2.profile.SAML2NameIDGenerator generator
        Generator to use.
      • formats

        @Nonnull
        @NonnullElements
        private List<String> formats
        Formats to try.
      • requiredFormat

        @Nullable
        private String requiredFormat
        Format required by requested NameIDPolicy.
      • request

        @Nullable
        private org.opensaml.saml.saml2.core.AuthnRequest request
        Request to examine.
      • assertions

        @Nullable
        private List<org.opensaml.saml.saml2.core.Assertion> assertions
        Assertions to modify.
      • idGenerator

        @Nullable
        private net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy idGenerator
        The IdentifierGenerationStrategy to use.
      • issuerId

        @Nullable
        private String issuerId
        EntityID to populate into Issuer element.
    • Constructor Detail

      • AddNameIDToSubjects

        public AddNameIDToSubjects()
                            throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
        Constructor.
        Throws:
        net.shibboleth.utilities.java.support.component.ComponentInitializationException - if an error occurs initializing default predicate.
    • Method Detail

      • setOverwriteExisting

        public void setOverwriteExisting​(boolean flag)
        Set whether to overwrite any existing NameID objects found.
        Parameters:
        flag - true iff the action should overwrite any existing objects
      • setRequestLookupStrategy

        public void setRequestLookupStrategy​(@Nonnull
                                             Function<org.opensaml.profile.context.ProfileRequestContext,​org.opensaml.saml.saml2.core.AuthnRequest> strategy)
        Set the strategy used to locate the AuthnRequest to examine, if any.
        Parameters:
        strategy - strategy used to locate the AuthnRequest
      • setAssertionsLookupStrategy

        public void setAssertionsLookupStrategy​(@Nonnull
                                                Function<org.opensaml.profile.context.ProfileRequestContext,​List<org.opensaml.saml.saml2.core.Assertion>> strategy)
        Set the strategy used to locate the Assertions to operate on.
        Parameters:
        strategy - lookup strategy
      • setIdentifierGeneratorLookupStrategy

        public void setIdentifierGeneratorLookupStrategy​(@Nonnull
                                                         Function<org.opensaml.profile.context.ProfileRequestContext,​net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> strategy)
        Set the strategy used to locate the IdentifierGenerationStrategy to use.
        Parameters:
        strategy - lookup strategy
      • setIssuerLookupStrategy

        public void setIssuerLookupStrategy​(@Nullable
                                            Function<org.opensaml.profile.context.ProfileRequestContext,​String> strategy)
        Set the strategy used to locate the issuer value to use.
        Parameters:
        strategy - lookup strategy
      • setNameIDPolicyPredicate

        public void setNameIDPolicyPredicate​(@Nonnull
                                             Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)
        Set the predicate used to evaluate the NameIDPolicy.
        Parameters:
        predicate - predicate used to evaluate the NameIDPolicy
      • setFormatLookupStrategy

        public void setFormatLookupStrategy​(@Nonnull
                                            Function<org.opensaml.profile.context.ProfileRequestContext,​List<String>> strategy)
        Set the strategy function to use to obtain the formats to try.
        Parameters:
        strategy - format lookup strategy
      • setNameIDGenerator

        public void setNameIDGenerator​(@Nullable
                                       org.opensaml.saml.saml2.profile.SAML2NameIDGenerator theGenerator)
        Set the generator to use.
        Parameters:
        theGenerator - the generator to use
      • doInitialize

        protected void doInitialize()
                             throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
        Overrides:
        doInitialize in class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
        Throws:
        net.shibboleth.utilities.java.support.component.ComponentInitializationException
      • doPreExecute

        protected boolean doPreExecute​(@Nonnull
                                       org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Overrides:
        doPreExecute in class org.opensaml.profile.action.AbstractProfileAction
      • doExecute

        protected void doExecute​(@Nonnull
                                 org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Overrides:
        doExecute in class org.opensaml.profile.action.AbstractProfileAction
      • getRequiredFormat

        @Nullable
        private String getRequiredFormat​(@Nonnull
                                         org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Extract a format required by the inbound request, if present.
        Parameters:
        profileRequestContext - current profile request context
        Returns:
        a format dictated by the request, or null
      • generateNameID

        @Nullable
        private org.opensaml.saml.saml2.core.NameID generateNameID​(@Nonnull
                                                                   org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Attempt to generate a NameID using each of the candidate Formats and plugins.
        Parameters:
        profileRequestContext - current profile request context
        Returns:
        a generated NameID or null
      • getAssertionSubject

        @Nonnull
        private org.opensaml.saml.saml2.core.Subject getAssertionSubject​(@Nonnull
                                                                         org.opensaml.saml.saml2.core.Assertion assertion)
        Get the subject to which the name identifier will be added.
        Parameters:
        assertion - the assertion being modified
        Returns:
        the subject to which the name identifier will be added
      • cloneNameID

        @Nonnull
        private org.opensaml.saml.saml2.core.NameID cloneNameID​(@Nonnull
                                                                org.opensaml.saml.saml2.core.NameID nameId)
        Create an efficient field-wise copy of a NameID.
        Parameters:
        nameId - the object to clone
        Returns:
        the copy