Package org.opensaml.saml.saml2.wssecurity.messaging.impl

Class DefaultSAML20AssertionValidationContextBuilder

java.lang.Object

org.opensaml.saml.saml2.wssecurity.messaging.impl.DefaultSAML20AssertionValidationContextBuilder

All Implemented Interfaces:

Function<SAML20AssertionTokenValidationInput,org.opensaml.saml.common.assertion.ValidationContext>

public class DefaultSAML20AssertionValidationContextBuilder
extends Object
implements Function<SAML20AssertionTokenValidationInput,org.opensaml.saml.common.assertion.ValidationContext>

Function which implements default behavior for building an instance of ValidationContext from an instance of SAML20AssertionTokenValidationInput.

Field Summary

Fields

Modifier and Type	Field	Description
private org.slf4j.Logger	log	Logger.
private Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet>	signatureCriteriaSetFunction	A function for resolving the signature validation CriteriaSet for a particular function.
private boolean	signatureRequired	Flag indicating whether an Assertion signature is required.

Constructor Summary

Constructors

Constructor	Description
DefaultSAML20AssertionValidationContextBuilder()	Constructor.

Method Summary

Modifier and Type	Method	Description
org.opensaml.saml.common.assertion.ValidationContext	apply(SAML20AssertionTokenValidationInput input)
protected Map<String,Object>	buildStaticParameters(SAML20AssertionTokenValidationInput input)	Build the static parameters map for input to the ValidationContext.
protected X509Certificate	getAttesterCertificate(SAML20AssertionTokenValidationInput input)	Get the attesting entity's X509Certificate.
protected String	getAttesterIPAddress(SAML20AssertionTokenValidationInput input)	Get the attester's IP address.
protected PublicKey	getAttesterPublicKey(SAML20AssertionTokenValidationInput input)	Get the attesting entity's PublicKey.
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet	getSignatureCriteriaSet(SAML20AssertionTokenValidationInput input)	Get the signature validation criteria set.
Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet>	getSignatureCriteriaSetFunction()	Get the function for resolving the signature validation CriteriaSet for a particular function.
protected Set<InetAddress>	getValidAddresses(SAML20AssertionTokenValidationInput input)	Get the set of addresses which are valid for subject confirmation.
protected Set<String>	getValidAudiences(SAML20AssertionTokenValidationInput input)	Get the valid audiences for attestation.
protected Set<String>	getValidRecipients(SAML20AssertionTokenValidationInput input)	Get the valid recipient endpoints for attestation.
boolean	isSignatureRequired()	Get the flag indicating whether an Assertion signature is required.
void	setSignatureCriteriaSetFunction(Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> function)	Set the function for resolving the signature validation CriteriaSet for a particular function.
void	setSignatureRequired(boolean flag)	Set the flag indicating whether an Assertion signature is required.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface java.util.function.Function

andThen, compose

Field Detail

log

@Nullable
private org.slf4j.Logger log

Logger.

signatureCriteriaSetFunction

private Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> signatureCriteriaSetFunction

A function for resolving the signature validation CriteriaSet for a particular function.

signatureRequired

private boolean signatureRequired

Flag indicating whether an Assertion signature is required.

Constructor Detail

DefaultSAML20AssertionValidationContextBuilder

public DefaultSAML20AssertionValidationContextBuilder()

Constructor.

Method Detail

isSignatureRequired

public boolean isSignatureRequired()

Get the flag indicating whether an Assertion signature is required.

Defaults to: true.

Returns:

true if required, false if not

setSignatureRequired

public void setSignatureRequired(boolean flag)

Set the flag indicating whether an Assertion signature is required.

Defaults to: true.

Parameters:

flag - true if required, false if not

getSignatureCriteriaSetFunction

@Nullable
public Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> getSignatureCriteriaSetFunction()

Get the function for resolving the signature validation CriteriaSet for a particular function.

Defaults to: null.

Returns:

a criteria set instance, or null

setSignatureCriteriaSetFunction

public void setSignatureCriteriaSetFunction(@Nullable
                                            Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,org.opensaml.saml.saml2.core.Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> function)

Set the function for resolving the signature validation CriteriaSet for a particular function.

Defaults to: null.

Parameters:

function - the resolving function, may be null

apply

@Nullable
public org.opensaml.saml.common.assertion.ValidationContext apply(@Nullable
                                                                  SAML20AssertionTokenValidationInput input)

Specified by:

apply in interface Function<SAML20AssertionTokenValidationInput,org.opensaml.saml.common.assertion.ValidationContext>

buildStaticParameters

@Nonnull
protected Map<String,Object> buildStaticParameters(@Nonnull
                                                         SAML20AssertionTokenValidationInput input)

Build the static parameters map for input to the ValidationContext.

Parameters:

input - the assertion validation input

Returns:

the static parameters map

getSignatureCriteriaSet

@Nonnull
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureCriteriaSet(@Nonnull
                                                                                             SAML20AssertionTokenValidationInput input)

Get the signature validation criteria set.

This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.

Parameters:

input - the assertion validation input

Returns:

the criteria set based on the message context data

getAttesterCertificate

@Nullable
protected X509Certificate getAttesterCertificate(@Nonnull
                                                 SAML20AssertionTokenValidationInput input)

Get the attesting entity's X509Certificate.

This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.

Parameters:

input - the assertion validation input

Returns:

the entity certificate, or null

getAttesterPublicKey

@Nullable
protected PublicKey getAttesterPublicKey(@Nonnull
                                         SAML20AssertionTokenValidationInput input)

Get the attesting entity's PublicKey.

This implementation returns null. Subclasses should override to implement specific logic.

Parameters:

input - the assertion validation input

Returns:

the entity public key, or null

getValidRecipients

@Nonnull
protected Set<String> getValidRecipients(@Nonnull
                                         SAML20AssertionTokenValidationInput input)

Get the valid recipient endpoints for attestation.

This implementation returns a set containing the 2 values;

1. HttpServletRequest.getRequestURL()
2. if present, AbstractSAMLEntityContext.getEntityId()

Parameters:

input - the assertion validation input

Returns:

set of recipient endpoint URI's

getValidAddresses

@Nonnull
protected Set<InetAddress> getValidAddresses(@Nonnull
                                             SAML20AssertionTokenValidationInput input)

Get the set of addresses which are valid for subject confirmation.

This implementation simply returns the set based on getAttesterIPAddress(SAML20AssertionTokenValidationInput), if that produces a value. Otherwise an empty set is returned.

Parameters:

input - the assertion validation input

Returns:

the set of valid addresses

getAttesterIPAddress

@Nonnull
protected String getAttesterIPAddress(@Nonnull
                                      SAML20AssertionTokenValidationInput input)

Get the attester's IP address.

This implementation returns the value of ServletRequest.getRemoteAddr().

Parameters:

input - the assertion validation input

Returns:

the IP address of the attester

getValidAudiences

@Nonnull
protected Set<String> getValidAudiences(@Nonnull
                                        SAML20AssertionTokenValidationInput input)

Get the valid audiences for attestation.

This implementation returns a set containing the single entityID held by the message context's AbstractSAMLEntityContext.getEntityId(), if present. Otherwise an empty set is returned.

Parameters:

input - the assertion validation input

Returns:

set of audience URI's