Class BaseSAMLSimpleSignatureSecurityHandler

  • All Implemented Interfaces:
    net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.messaging.handler.MessageHandler
    Direct Known Subclasses:
    SAML2HTTPPostSimpleSignSecurityHandler, SAML2HTTPRedirectDeflateSignatureSecurityHandler

    public abstract class BaseSAMLSimpleSignatureSecurityHandler
    extends org.opensaml.messaging.handler.AbstractMessageHandler
    Base class for security-oriented message handlers which verify simple "blob" signatures computed over some components of a request.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      private javax.servlet.http.HttpServletRequest httpServletRequest
      The HttpServletRequest being processed.
      private org.slf4j.Logger log
      Logger.
      private org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext peerContext
      The context representing the SAML peer entity.
      private org.opensaml.saml.common.messaging.context.SAMLProtocolContext samlProtocolContext
      The SAML protocol context in operation.
      private org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine
      Signature trust engine used to validate raw signatures.
    • Method Summary

      Modifier and Type Method Description
      protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet​(String entityID, org.opensaml.messaging.context.MessageContext messageContext)
      Build a criteria set suitable for input to the trust engine.
      protected String deriveSignerEntityID​(org.opensaml.messaging.context.MessageContext messageContext)
      Derive the signer's entity ID from the message context.
      private void doEvaluate​(byte[] signature, byte[] signedContent, String algorithmURI, org.opensaml.messaging.context.MessageContext messageContext)
      Evaluate the simple signature based on information in the request and/or message context.
      protected void doInitialize()
      protected void doInvoke​(org.opensaml.messaging.context.MessageContext messageContext)
      protected boolean doPreInvoke​(org.opensaml.messaging.context.MessageContext messageContext)
      javax.servlet.http.HttpServletRequest getHttpServletRequest()
      Get the HTTP servlet request being processed.
      protected List<org.opensaml.security.credential.Credential> getRequestCredentials​(org.opensaml.messaging.context.MessageContext messageContext)
      Extract any candidate validation credentials from the request and/or message context.
      protected byte[] getSignature()
      Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
      protected String getSignatureAlgorithm()
      Extract the signature algorithm URI value from the request.
      protected abstract byte[] getSignedContent()
      Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
      protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine getTrustEngine()
      Gets the engine used to validate the signature.
      protected abstract boolean ruleHandles​(org.opensaml.messaging.context.MessageContext messageContext)
      Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
      void setHttpServletRequest​(javax.servlet.http.HttpServletRequest request)
      Set the HTTP servlet request being processed.
      protected boolean validateSignature​(byte[] signature, byte[] signedContent, String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, List<org.opensaml.security.credential.Credential> candidateCredentials)
      Validate the simple signature.
      • Methods inherited from class org.opensaml.messaging.handler.AbstractMessageHandler

        doPostInvoke, doPostInvoke, getActivationCondition, getLogPrefix, invoke, setActivationCondition
      • Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

        destroy, doDestroy, initialize, isDestroyed, isInitialized
      • Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

        initialize, isInitialized
    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Logger.
      • httpServletRequest

        @NonnullAfterInit
        private javax.servlet.http.HttpServletRequest httpServletRequest
        The HttpServletRequest being processed.
      • peerContext

        @Nullable
        private org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext peerContext
        The context representing the SAML peer entity.
      • samlProtocolContext

        @Nullable
        private org.opensaml.saml.common.messaging.context.SAMLProtocolContext samlProtocolContext
        The SAML protocol context in operation.
      • trustEngine

        @Nullable
        private org.opensaml.xmlsec.signature.support.SignatureTrustEngine trustEngine
        Signature trust engine used to validate raw signatures.
    • Constructor Detail

      • BaseSAMLSimpleSignatureSecurityHandler

        public BaseSAMLSimpleSignatureSecurityHandler()
    • Method Detail

      • getTrustEngine

        @Nullable
        protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine getTrustEngine()
        Gets the engine used to validate the signature.
        Returns:
the engine used to validate the signature
      • getHttpServletRequest

        @NonnullAfterInit
        public javax.servlet.http.HttpServletRequest getHttpServletRequest()
        Get the HTTP servlet request being processed.
        Returns:
        Returns the request.
      • setHttpServletRequest

        public void setHttpServletRequest​(@Nonnull
                                          javax.servlet.http.HttpServletRequest request)
        Set the HTTP servlet request being processed.
        Parameters:
request - The request to set.
      • doInitialize

        protected void doInitialize()
                             throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
        Overrides:
        doInitialize in class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
        Throws:
        net.shibboleth.utilities.java.support.component.ComponentInitializationException
      • doPreInvoke

        protected boolean doPreInvoke​(@Nonnull
                                      org.opensaml.messaging.context.MessageContext messageContext)
                               throws org.opensaml.messaging.handler.MessageHandlerException
        Overrides:
        doPreInvoke in class org.opensaml.messaging.handler.AbstractMessageHandler
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException
      • doInvoke

        protected void doInvoke​(@Nonnull
                                org.opensaml.messaging.context.MessageContext messageContext)
                         throws org.opensaml.messaging.handler.MessageHandlerException
        Specified by:
        doInvoke in class org.opensaml.messaging.handler.AbstractMessageHandler
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException
      • doEvaluate

        private void doEvaluate​(@Nonnull @NotEmpty
                                byte[] signature,
                                @Nonnull @NotEmpty
                                byte[] signedContent,
                                @Nonnull @NotEmpty
                                String algorithmURI,
                                @Nonnull
                                org.opensaml.messaging.context.MessageContext messageContext)
                         throws org.opensaml.messaging.handler.MessageHandlerException
        Evaluate the simple signature based on information in the request and/or message context.
        Parameters:
        signature - the signature value
        signedContent - the content that was signed
        algorithmURI - the signature algorithm URI which was used to sign the content
        messageContext - the SAML message context being processed
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there are errors during the signature validation process
      • validateSignature

        protected boolean validateSignature​(@Nonnull @NotEmpty
                                            byte[] signature,
                                            @Nonnull @NotEmpty
                                            byte[] signedContent,
                                            @Nonnull @NotEmpty
                                            String algorithmURI,
                                            @Nonnull
                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                            @Nonnull @NonnullElements
                                            List<org.opensaml.security.credential.Credential> candidateCredentials)
                                     throws org.opensaml.messaging.handler.MessageHandlerException
        Validate the simple signature.
        Parameters:
        signature - the signature value
        signedContent - the content that was signed
        algorithmURI - the signature algorithm URI which was used to sign the content
        criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
        candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)
        Returns:
        true if signature can be verified successfully, false otherwise
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there are errors during the signature validation process
      • getRequestCredentials

        @Nonnull
        @NonnullElements
        protected List<org.opensaml.security.credential.Credential> getRequestCredentials​(@Nonnull
                                                                                          org.opensaml.messaging.context.MessageContext messageContext)
                                                                                   throws org.opensaml.messaging.handler.MessageHandlerException
Extract any candidate validation credentials from the request and/or message context. Some bindings allow validation keys for the simple signature to be supplied, and others do not.
        Parameters:
        messageContext - the SAML message context being processed
        Returns:
        a list of candidate validation credentials in the request, or null if none were present
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
      • getSignature

        @Nullable
        protected byte[] getSignature()
                               throws org.opensaml.messaging.handler.MessageHandlerException
        Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.
        Returns:
        the signature value
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
      • getSignatureAlgorithm

        @Nullable
        protected String getSignatureAlgorithm()
                                        throws org.opensaml.messaging.handler.MessageHandlerException
        Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.
        Returns:
        the signature algorithm URI value
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
      • deriveSignerEntityID

        @Nullable
        protected String deriveSignerEntityID​(@Nonnull
                                              org.opensaml.messaging.context.MessageContext messageContext)
                                       throws org.opensaml.messaging.handler.MessageHandlerException
        Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.
        Parameters:
        messageContext - the SAML message context being processed
        Returns:
        the signer's derived entity ID
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
      • buildCriteriaSet

        @Nonnull
        protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet​(@Nullable
                                                                                              String entityID,
                                                                                              @Nonnull
                                                                                              org.opensaml.messaging.context.MessageContext messageContext)
                                                                                       throws org.opensaml.messaging.handler.MessageHandlerException
        Build a criteria set suitable for input to the trust engine.
        Parameters:
        entityID - the candidate issuer entity ID which is being evaluated
        messageContext - the message context which is being evaluated
        Returns:
a newly constructed set of criteria suitable for the configured trust engine
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if criteria set can not be constructed
      • getSignedContent

        @Nullable
        protected abstract byte[] getSignedContent()
                                            throws org.opensaml.messaging.handler.MessageHandlerException
        Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
        Returns:
        the signed content extracted from the request, in the format suitable for input to the trust engine.
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
      • ruleHandles

        protected abstract boolean ruleHandles​(@Nonnull
                                               org.opensaml.messaging.context.MessageContext messageContext)
                                        throws org.opensaml.messaging.handler.MessageHandlerException
        Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
        Parameters:
        messageContext - the SAML message context being processed
        Returns:
        true if the rule should attempt to process the request, otherwise false
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if there is an error during request processing
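As an added illustration (not code from the OpenSAML project), a hypothetical subclass shows how the two abstract methods above are typically filled in for a GET-based binding: `ruleHandles` gates on the HTTP method and the presence of a `Signature` parameter, and `getSignedContent` rebuilds the signed bytes from the raw query string rather than from decoded parameters, so that the trust engine sees exactly the bytes the sender signed. The parameter layout assumed here (message, optional `RelayState`, then `SigAlg`, joined by `&`) follows the SAML 2.0 HTTP-Redirect binding; the class name is invented.

```java
import java.nio.charset.StandardCharsets;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;

/** Hypothetical subclass: signed content is the raw query string of a GET request. */
public class ExampleRedirectSimpleSignatureHandler extends BaseSAMLSimpleSignatureSecurityHandler {

    /** Only GET requests that actually carry a Signature parameter are candidates for this rule. */
    @Override
    protected boolean ruleHandles(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        final HttpServletRequest request = getHttpServletRequest();
        return "GET".equalsIgnoreCase(request.getMethod()) && request.getParameter("Signature") != null;
    }

    /**
     * Rebuild the signed string from the raw query string, not from getParameter() values:
     * the signature covers the sender's URL-encoded bytes, and re-encoding decoded values
     * here could produce different bytes and a spurious validation failure.
     */
    @Override
    @Nullable
    protected byte[] getSignedContent() throws MessageHandlerException {
        final String query = getHttpServletRequest().getQueryString();
        if (query == null) {
            return null; // no query string means nothing was signed; the base class handles null
        }
        String message = null, relayState = null, sigAlg = null;
        for (final String pair : query.split("&")) {
            if (pair.startsWith("SAMLRequest=") || pair.startsWith("SAMLResponse=")) {
                message = pair;
            } else if (pair.startsWith("RelayState=")) {
                relayState = pair;
            } else if (pair.startsWith("SigAlg=")) {
                sigAlg = pair;
            }
        }
        if (message == null || sigAlg == null) {
            throw new MessageHandlerException("Query string lacks the SAML message or SigAlg parameter");
        }
        final StringBuilder signed = new StringBuilder(message);
        if (relayState != null) {
            signed.append('&').append(relayState);
        }
        signed.append('&').append(sigAlg);
        return signed.toString().getBytes(StandardCharsets.UTF_8);
    }
}
```

The base class then takes care of the rest: `getSignature()` Base64-decodes the `Signature` parameter, `getSignatureAlgorithm()` reads `SigAlg`, and `validateSignature` hands all three to the configured `SignatureTrustEngine` together with the criteria built from the derived signer entity ID.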