Class SAMLProtocolMessageXMLSignatureSecurityHandler

  • All Implemented Interfaces:
    net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.messaging.handler.MessageHandler

    public class SAMLProtocolMessageXMLSignatureSecurityHandler
    extends BaseSAMLXMLSignatureSecurityHandler
    SAML security message handler which validates the signature (if present) on the SAMLObject which represents the SAML protocol message being processed.

    If the message is not an instance of SignableSAMLObject, then no processing is performed. If signature validation is successful, and the SAML message context issuer was not previously authenticated, then the context's authentication state will be set to true.

    If an optional SAMLSignatureProfileValidator or subclass is supplied, this validator will be used to validate the XML Signature element prior to the actual cryptographic validation of the signature. This might, for example, be used to enforce certain signature profile requirements or to detect signatures upon which it would be unsafe to attempt cryptographic processing. The validator defaults to SAMLSignatureProfileValidator.
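As an added example (not from the OpenSAML project or this Javadoc), the wiring a relying party needs around this handler: the trust engine is supplied through the SecurityParametersContext rather than a setter, the prevalidator is set explicitly, and the outcome is read from the peer context's authenticated flag. The package names assume the OpenSAML 4 layout, and peerCert/peerEntityId are assumed inputs describing the expected signer.

```java
import java.io.InputStream;
import java.security.cert.X509Certificate;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.SignatureValidationParameters;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.opensaml.xmlsec.keyinfo.impl.StaticKeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

public final class ProtocolMessageSignatureCheck {
    // Returns true only if the handler validated a signature on the message against peerCert
    // (assumed: the signing certificate registered for peerEntityId) and marked the peer authenticated.
    public static boolean isSignedByPeer(final InputStream samlXml, final X509Certificate peerCert,
            final String peerEntityId) throws Exception {
        InitializationService.initialize();
        // Parse the protocol message (AuthnRequest, Response, ...) into a SAMLObject.
        final SAMLObject message = (SAMLObject) XMLObjectSupport.unmarshallFromInputStream(
                XMLObjectProviderRegistrySupport.getParserPool(), samlXml);
        final MessageContext messageContext = new MessageContext();
        messageContext.setMessage(message);
        // The handler reads the peer entity ID from here and sets authenticated=true on success.
        messageContext.getSubcontext(SAMLPeerEntityContext.class, true).setEntityId(peerEntityId);
        // The trust engine is resolved from the SecurityParametersContext, not via a setter on
        // the handler. Explicit-key trust: only the configured certificate may sign.
        final BasicX509Credential trusted = new BasicX509Credential(peerCert);
        final SignatureValidationParameters params = new SignatureValidationParameters();
        params.setSignatureTrustEngine(new ExplicitKeySignatureTrustEngine(
                new StaticCredentialResolver(trusted), new StaticKeyInfoCredentialResolver(trusted)));
        messageContext.getSubcontext(SecurityParametersContext.class, true)
                .setSignatureValidationParameters(params);
        final SAMLProtocolMessageXMLSignatureSecurityHandler handler =
                new SAMLProtocolMessageXMLSignatureSecurityHandler();
        // Profile prevalidation runs before any cryptography; this is already the default.
        handler.setSignaturePrevalidator(new SAMLSignatureProfileValidator());
        handler.initialize();
        handler.invoke(messageContext); // MessageHandlerException if a present signature is bad
        // An unsigned message is passed through untouched, so "no exception" is not "signed":
        // the authenticated flag is the only reliable outcome to act on.
        return messageContext.getSubcontext(SAMLPeerEntityContext.class, true).isAuthenticated();
    }
}
```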

    • Field Summary

      Fields
      Modifier and Type | Field | Description
      private org.slf4j.Logger | log | Logger.
      private org.opensaml.xmlsec.signature.support.SignaturePrevalidator | signaturePrevalidator | Validator for XML Signature instances.
    • Method Summary

      Modifier and Type | Method | Description
      protected void | doEvaluate(org.opensaml.xmlsec.signature.Signature signature, org.opensaml.saml.common.SignableSAMLObject signableObject, org.opensaml.messaging.context.MessageContext messageContext) | Perform cryptographic validation and trust evaluation on the Signature token using the configured Signature trust engine.
      void | doInvoke(org.opensaml.messaging.context.MessageContext messageContext) |
      org.opensaml.xmlsec.signature.support.SignaturePrevalidator | getSignaturePrevalidator() | Get the prevalidator for XML Signature instances.
      protected void | performPrevalidation(org.opensaml.xmlsec.signature.Signature signature) | Perform pre-validation on the Signature token.
      void | setSignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator) | Set the prevalidator for XML Signature instances.
      • Methods inherited from class org.opensaml.security.messaging.impl.BaseTrustEngineSecurityHandler

        evaluate, evaluate, getTrustEngine
      • Methods inherited from class org.opensaml.messaging.handler.AbstractMessageHandler

        doPostInvoke, doPostInvoke, getActivationCondition, getLogPrefix, invoke, setActivationCondition
      • Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

        destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized
      • Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

        initialize, isInitialized
    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Logger.
      • signaturePrevalidator

        @Nullable
        private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator
        Validator for XML Signature instances.
    • Constructor Detail

      • SAMLProtocolMessageXMLSignatureSecurityHandler

        public SAMLProtocolMessageXMLSignatureSecurityHandler()
        Constructor. Signature prevalidator defaults to SAMLSignatureProfileValidator.
    • Method Detail

      • getSignaturePrevalidator

        @Nullable
        public org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignaturePrevalidator()
        Get the prevalidator for XML Signature instances.
        Returns:
        the prevalidator.
      • setSignaturePrevalidator

        public void setSignaturePrevalidator(@Nullable
                                             org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator)
        Set the prevalidator for XML Signature instances.
        Parameters:
        validator - The prevalidator to set.
      • doInvoke

        public void doInvoke(@Nonnull
                             org.opensaml.messaging.context.MessageContext messageContext)
                      throws org.opensaml.messaging.handler.MessageHandlerException
        Specified by:
        doInvoke in class org.opensaml.messaging.handler.AbstractMessageHandler
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException
      • doEvaluate

        protected void doEvaluate(@Nonnull
                                  org.opensaml.xmlsec.signature.Signature signature,
                                  @Nonnull
                                  org.opensaml.saml.common.SignableSAMLObject signableObject,
                                  @Nonnull
                                  org.opensaml.messaging.context.MessageContext messageContext)
                           throws org.opensaml.messaging.handler.MessageHandlerException
        Perform cryptographic validation and trust evaluation on the Signature token using the configured Signature trust engine.
        Parameters:
        signature - the signature which is being evaluated
        signableObject - the signable object which contained the signature
        messageContext - the SAML message context being processed
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if the signature fails validation
      • performPrevalidation

        protected void performPrevalidation(@Nonnull
                                            org.opensaml.xmlsec.signature.Signature signature)
                                     throws org.opensaml.messaging.handler.MessageHandlerException
        Perform pre-validation on the Signature token.
        Parameters:
        signature - the signature to evaluate
        Throws:
        org.opensaml.messaging.handler.MessageHandlerException - thrown if the signature element fails pre-validation