Class EncryptNameIDs

  • All Implemented Interfaces:
    net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.profile.action.ProfileAction

    public class EncryptNameIDs
    extends AbstractEncryptAction
    Action that encrypts all NameIDs in a message obtained from a lookup strategy, by default the outbound message context.

    Specific formats may be excluded from encryption, by default excluding the "entity" format.

    Event:
    EventIds.PROCEED_EVENT_ID, EventIds.UNABLE_TO_ENCRYPT
    Postcondition:
    All SAML NameIDs in all locations have been replaced with encrypted versions. It's possible for some to be replaced but others not if an error occurs.
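The following is an added example, not code from the OpenSAML project or its Javadoc, showing how a caller wires this action up programmatically and checks the resulting event. It assumes OpenSAML 4 conventions (java.util.function.Function, a non-generic MessageContext), that the class lives in org.opensaml.saml.saml2.profile.impl, that NameIDType.ENTITY and NameIDType.TRANSIENT are the usual format constants, and that setExcludedFormats replaces rather than extends the default set; the "transient" exclusion is a hypothetical policy choice, and the helper names are invented for illustration.

```java
import java.util.Set;
import java.util.function.Function;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.profile.impl.EncryptNameIDs; // assumed package

/** Hypothetical wiring helper; not part of OpenSAML. */
public final class EncryptNameIDsWiring {

    private EncryptNameIDsWiring() {
    }

    /** Builds and initializes the action with an explicit exclusion list and lookup strategy. */
    public static EncryptNameIDs buildAction() throws ComponentInitializationException {
        final EncryptNameIDs action = new EncryptNameIDs();

        // The setter is assumed to replace the default set, so the "entity" format
        // (which names a system entity rather than a principal) is listed again to
        // keep the documented default; "transient" is a hypothetical extra exclusion.
        action.setExcludedFormats(Set.of(NameIDType.ENTITY, NameIDType.TRANSIENT));

        // Same target as the documented default: the outbound message. Spelled out here
        // so the point where a different message would be selected is visible.
        final Function<ProfileRequestContext, SAMLObject> lookup = prc -> {
            final MessageContext mc = prc.getOutboundMessageContext();
            return mc != null ? (SAMLObject) mc.getMessage() : null;
        };
        action.setMessageLookupStrategy(lookup);

        // Component contract: initialize() must run before execute().
        action.initialize();
        return action;
    }

    /**
     * Runs the action and reports whether it signalled PROCEED. Because the postcondition
     * allows some NameIDs to be encrypted and others not when an error occurs, a caller
     * must treat UNABLE_TO_ENCRYPT as terminal and never encode a partially processed message.
     */
    public static boolean encryptOrFail(final EncryptNameIDs action, final ProfileRequestContext prc) {
        action.execute(prc);
        final EventContext ev = prc.getSubcontext(EventContext.class);
        // No EventContext means no error was signalled, which the profile API treats as proceed.
        return ev == null || EventIds.PROCEED_EVENT_ID.equals(ev.getEvent());
    }
}
```

In a flow definition the same rule applies: map the UNABLE_TO_ENCRYPT event to an error end state rather than letting the flow continue to message encoding.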
    • Field Summary

      Fields
      private Set<String> excludedFormats
          Formats to exclude from encryption.
      private org.slf4j.Logger log
          Class logger.
      private org.opensaml.saml.common.SAMLObject message
          The message to operate on.
      private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.SAMLObject> messageLookupStrategy
          Strategy used to locate the message to operate on.
    • Constructor Summary

      Constructors
      EncryptNameIDs()
          Constructor.
    • Method Summary

      Instance methods (all concrete)
      protected void doExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      protected boolean doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
      protected org.opensaml.xmlsec.EncryptionParameters getApplicableParameters(org.opensaml.saml.saml2.profile.context.EncryptionContext ctx)
          Return the right set of parameters for the operation to be performed, or none if no encryption should occur.
      private void processAssertion(org.opensaml.saml.saml2.core.Assertion assertion)
          Decrypt any EncryptedID found in an assertion and replace it with the result.
      private void processLogoutRequest(org.opensaml.saml.saml2.core.LogoutRequest request)
          Encrypt a NameID found in a LogoutRequest and replace it with the result.
      private void processManageNameIDRequest(org.opensaml.saml.saml2.core.ManageNameIDRequest request)
          Encrypt a NameID found in a ManageNameIDRequest and replace it with the result.
      private void processNameIDMappingRequest(org.opensaml.saml.saml2.core.NameIDMappingRequest request)
          Encrypt a NameID found in a NameIDMappingRequest and replace it with the result.
      private void processNameIDMappingResponse(org.opensaml.saml.saml2.core.NameIDMappingResponse response)
          Encrypt a NameID found in a NameIDMappingResponse and replace it with the result.
      private void processSubject(org.opensaml.saml.saml2.core.Subject subject)
          Encrypt any NameIDs found in a subject and replace them with the result.
      void setExcludedFormats(Collection<String> formats)
          Set the NameID formats to ignore and leave unencrypted.
      void setMessageLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.SAMLObject> strategy)
          Set the strategy used to locate the Response to operate on.
      private boolean shouldEncrypt(org.opensaml.saml.saml2.core.NameID name)
          Return true iff the NameID should be encrypted.
      • Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

        getActivationCondition, setActivationCondition
      • Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

        doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse
      • Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

        destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized
      • Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

        initialize, isInitialized
    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
      • messageLookupStrategy

        @Nonnull
        private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.SAMLObject> messageLookupStrategy
        Strategy used to locate the message to operate on.
      • excludedFormats

        @Nonnull
        @NonnullElements
        private Set<String> excludedFormats
        Formats to exclude from encryption.
      • message

        @Nullable
        private org.opensaml.saml.common.SAMLObject message
        The message to operate on.
    • Constructor Detail

      • EncryptNameIDs

        public EncryptNameIDs()
        Constructor.
    • Method Detail

      • setMessageLookupStrategy

        public void setMessageLookupStrategy(@Nonnull
                                             Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.SAMLObject> strategy)
        Set the strategy used to locate the Response to operate on.
        Parameters:
        strategy - strategy used to locate the Response to operate on
      • setExcludedFormats

        public void setExcludedFormats(@Nonnull @NonnullElements
                                       Collection<String> formats)
        Set the NameID formats to ignore and leave unencrypted.
        Parameters:
        formats - formats to exclude
      • getApplicableParameters

        @Nullable
        protected org.opensaml.xmlsec.EncryptionParameters getApplicableParameters(@Nullable
                                                                                   org.opensaml.saml.saml2.profile.context.EncryptionContext ctx)
        Return the right set of parameters for the operation to be performed, or none if no encryption should occur.
        Specified by:
        getApplicableParameters in class AbstractEncryptAction
        Parameters:
        ctx - possibly null input context to pull parameters from
        Returns:
        the right parameter set, or null for none
      • doPreExecute

        protected boolean doPreExecute(@Nonnull
                                       org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Overrides:
        doPreExecute in class AbstractEncryptAction
      • doExecute

        protected void doExecute(@Nonnull
                                 org.opensaml.profile.context.ProfileRequestContext profileRequestContext)
        Overrides:
        doExecute in class org.opensaml.profile.action.AbstractProfileAction
      • shouldEncrypt

        private boolean shouldEncrypt(@Nullable
                                      org.opensaml.saml.saml2.core.NameID name)
        Return true iff the NameID should be encrypted.
        Parameters:
        name - NameID to check
        Returns:
        true iff encryption should happen
      • processSubject

        private void processSubject(@Nullable
                                    org.opensaml.saml.saml2.core.Subject subject)
                             throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Encrypt any NameIDs found in a subject and replace them with the result.
        Parameters:
        subject - subject to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs
      • processLogoutRequest

        private void processLogoutRequest(@Nonnull
                                          org.opensaml.saml.saml2.core.LogoutRequest request)
                                   throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Encrypt a NameID found in a LogoutRequest and replace it with the result.
        Parameters:
        request - request to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs
      • processManageNameIDRequest

        private void processManageNameIDRequest(@Nonnull
                                                org.opensaml.saml.saml2.core.ManageNameIDRequest request)
                                         throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Encrypt a NameID found in a ManageNameIDRequest and replace it with the result.
        Parameters:
        request - request to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs
      • processNameIDMappingRequest

        private void processNameIDMappingRequest(@Nonnull
                                                 org.opensaml.saml.saml2.core.NameIDMappingRequest request)
                                          throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Encrypt a NameID found in a NameIDMappingRequest and replace it with the result.
        Parameters:
        request - request to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs
      • processNameIDMappingResponse

        private void processNameIDMappingResponse(@Nonnull
                                                  org.opensaml.saml.saml2.core.NameIDMappingResponse response)
                                           throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Encrypt a NameID found in a NameIDMappingResponse and replace it with the result.
        Parameters:
        response - response to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs
      • processAssertion

        private void processAssertion(@Nonnull
                                      org.opensaml.saml.saml2.core.Assertion assertion)
                               throws org.opensaml.xmlsec.encryption.support.EncryptionException
        Decrypt any EncryptedID found in an assertion and replace it with the result.
        Parameters:
        assertion - assertion to operate on
        Throws:
        org.opensaml.xmlsec.encryption.support.EncryptionException - if an error occurs