java.lang.Object
- org.opensaml.security.credential.impl.AbstractCredentialResolver
- - org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
  - - org.opensaml.saml.security.impl.MetadataCredentialResolver

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.InitializableComponent, net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.security.credential.Credential,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, org.opensaml.security.credential.CredentialResolver
```
public class MetadataCredentialResolver
extends org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
implements net.shibboleth.utilities.java.support.component.InitializableComponent
```
A credential resolver capable of resolving credentials from SAML 2 metadata.
Credentials may be resolved either by directly supplying an instance of RoleDescriptor in the input CriteriaSet, or by looking up the role descriptor via a supplied RoleDescriptorResolver.

The following resolution modes and associated Criterion inputs are supported:

Direct resolution from a supplied RoleDescriptor:
- RoleDescriptorCriterion - required
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.
Resolution from a metadata source using a RoleDescriptorResolver:
- EntityIdCriterion - required
- EntityRoleCriterion - required
- ProtocolCriterion - optional; if absent, credentials will be resolved from all matching roles, regardless of protocol support.
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.
In order to support resolution from a metadata source using EntityIdCriterion + EntityRoleCriterion, an instance of RoleDescriptorResolver must be supplied. Otherwise it is optional.

An instance of KeyInfoCredentialResolver must always be supplied.

Field Summary

Fields
Modifier and Type	Field	Description
`private boolean`	`isInitialized`	Initialization flag.
`private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver`	`keyInfoCredentialResolver`	Credential resolver used to resolve credentials from role descriptor KeyInfo elements.
`private org.slf4j.Logger`	`log`	Class logger.
`private org.opensaml.saml.metadata.resolver.RoleDescriptorResolver`	`roleDescriptorResolver`	Metadata RoleDescriptor resolver which is the source of credentials.

Constructor Summary

Constructors
Constructor Description

MetadataCredentialResolver()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected void`	`extractCredentials(Collection<org.opensaml.security.credential.Credential> accumulator, org.opensaml.saml.saml2.metadata.KeyDescriptor keyDescriptor, String entityID, org.opensaml.security.credential.UsageType mdUsage)`	Extract the credentials from the specified KeyDescriptor.
`protected org.opensaml.security.credential.UsageType`	`getEffectiveUsageInput(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)`	Get the effective `UsageType` input to use.
`org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver`	`getKeyInfoCredentialResolver()`	Get the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
`org.opensaml.saml.metadata.resolver.RoleDescriptorResolver`	`getRoleDescriptorResolver()`	Get the metadata RoleDescriptor resolver instance used by this resolver.
`protected Iterable<org.opensaml.saml.saml2.metadata.RoleDescriptor>`	`getRoleDescriptors(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol)`	Get the list of role descriptors which match the given entityID, role and protocol.
`void`	`initialize()`
`boolean`	`isInitialized()`
`protected boolean`	`matchUsage(org.opensaml.security.credential.UsageType metadataUsage, org.opensaml.security.credential.UsageType criteriaUsage)`	Match usage enum type values from entityDescriptorResolver KeyDescriptor and from credential criteria.
`protected void`	`processRoleDescriptor(Collection<org.opensaml.security.credential.Credential> accumulator, org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor, String entityID, org.opensaml.security.credential.UsageType usage)`	Process a RoleDescriptor by examing each of its KeyDescriptors.
`protected Collection<org.opensaml.security.credential.Credential>`	`resolveFromMetadata(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol, org.opensaml.security.credential.UsageType usage)`	Resolves credentials using this resolver's configured instance of `RoleDescriptorResolver`.
`protected Collection<org.opensaml.security.credential.Credential>`	`resolveFromRoleDescriptor(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor, org.opensaml.security.credential.UsageType usage)`	Resolves credentials using a supplied instance of `RoleDescriptor`.
`protected Iterable<org.opensaml.security.credential.Credential>`	`resolveFromSource(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)`
`void`	`setKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver)`	Set the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
`void`	`setRoleDescriptorResolver(org.opensaml.saml.metadata.resolver.RoleDescriptorResolver resolver)`	Set the metadata RoleDescriptor resolver instance used by this resolver.

Methods inherited from class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
isSatisfyAllPredicates, resolve, setSatisfyAllPredicates

Methods inherited from class org.opensaml.security.credential.impl.AbstractCredentialResolver
resolveSingle

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

roleDescriptorResolver

@Nullable
private org.opensaml.saml.metadata.resolver.RoleDescriptorResolver roleDescriptorResolver

Metadata RoleDescriptor resolver which is the source of credentials.

keyInfoCredentialResolver
```
@NonnullAfterInit
private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoCredentialResolver
```
Credential resolver used to resolve credentials from role descriptor KeyInfo elements.

isInitialized
```
private boolean isInitialized
```
Initialization flag.

Constructor Detail
- MetadataCredentialResolver
```
public MetadataCredentialResolver()
```

Method Detail

isInitialized
```
public boolean isInitialized()
```
Specified by:

isInitialized in interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize
```
public void initialize()
                throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
```
Specified by:

initialize in interface net.shibboleth.utilities.java.support.component.InitializableComponent

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException

getRoleDescriptorResolver
```
@Nullable
public org.opensaml.saml.metadata.resolver.RoleDescriptorResolver getRoleDescriptorResolver()
```
Get the metadata RoleDescriptor resolver instance used by this resolver.
This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

Returns:

the resolver's RoleDescriptor metadata resolver instance

setRoleDescriptorResolver
```
public void setRoleDescriptorResolver(@Nullable
                                      org.opensaml.saml.metadata.resolver.RoleDescriptorResolver resolver)
```
Set the metadata RoleDescriptor resolver instance used by this resolver.
This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

Parameters:

resolver - the new RoleDescriptorResolver to use

getKeyInfoCredentialResolver
```
@NonnullAfterInit
public org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver getKeyInfoCredentialResolver()
```
Get the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.

Returns:

KeyInfo credential resolver

setKeyInfoCredentialResolver
```
public void setKeyInfoCredentialResolver(@Nonnull
                                         org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver)
```
Set the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.

Parameters:

resolver - the new KeyInfoCredentialResolver to use

resolveFromSource

@Nonnull
protected Iterable<org.opensaml.security.credential.Credential> resolveFromSource(@Nonnull
                                                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)
                                                                           throws net.shibboleth.utilities.java.support.resolver.ResolverException

Specified by:: resolveFromSource in class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException

getEffectiveUsageInput

@Nonnull
protected org.opensaml.security.credential.UsageType getEffectiveUsageInput(@Nonnull
                                                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)

Get the effective UsageType input to use.

Parameters:: criteriaSet - the criteria set being processed
Returns:: the effective usage value

resolveFromRoleDescriptor

@Nonnull
protected Collection<org.opensaml.security.credential.Credential> resolveFromRoleDescriptor(@Nonnull
                                                                                            net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                                            @Nonnull
                                                                                            org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor,
                                                                                            @Nonnull
                                                                                            org.opensaml.security.credential.UsageType usage)
                                                                                     throws net.shibboleth.utilities.java.support.resolver.ResolverException

Resolves credentials using a supplied instance of RoleDescriptor.

Parameters:: criteriaSet - the criteria set being processed; roleDescriptor - the role descriptor being processed; usage - intended usage of resolved credentials
Returns:: the resolved credentials or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolveFromMetadata

@Nonnull
protected Collection<org.opensaml.security.credential.Credential> resolveFromMetadata(@Nonnull
                                                                                      net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                                      @Nonnull @NotEmpty
                                                                                      String entityID,
                                                                                      @Nonnull
                                                                                      QName role,
                                                                                      @Nullable
                                                                                      String protocol,
                                                                                      @Nonnull
                                                                                      org.opensaml.security.credential.UsageType usage)
                                                                               throws net.shibboleth.utilities.java.support.resolver.ResolverException

Resolves credentials using this resolver's configured instance of RoleDescriptorResolver.

Parameters:: criteriaSet - the criteria set being processed; entityID - entityID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null); usage - intended usage of resolved credentials
Returns:: the resolved credentials or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

processRoleDescriptor

protected void processRoleDescriptor(@Nonnull
                                     Collection<org.opensaml.security.credential.Credential> accumulator,
                                     @Nonnull
                                     org.opensaml.saml.saml2.metadata.RoleDescriptor roleDescriptor,
                                     @Nullable
                                     String entityID,
                                     @Nonnull
                                     org.opensaml.security.credential.UsageType usage)
                              throws net.shibboleth.utilities.java.support.resolver.ResolverException

Process a RoleDescriptor by examing each of its KeyDescriptors.

Parameters:: accumulator - the collection of credentials being accumulated for return to the caller; roleDescriptor - the KeyDescriptor being processed; entityID - the entity ID of the KeyDescriptor being processed; usage - the credential usage type specified as resolve input
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

extractCredentials
```
protected void extractCredentials(@Nonnull
                                  Collection<org.opensaml.security.credential.Credential> accumulator,
                                  @Nonnull
                                  org.opensaml.saml.saml2.metadata.KeyDescriptor keyDescriptor,
                                  @Nullable
                                  String entityID,
                                  @Nonnull
                                  org.opensaml.security.credential.UsageType mdUsage)
                           throws net.shibboleth.utilities.java.support.resolver.ResolverException
```
Extract the credentials from the specified KeyDescriptor. First the credentials are looking up in object metadata cache. If they are not found there, then they will be resolved from the KeyDescriptor's KeyInfo and then cached in the KeyDescriptor's object metadata before returning.

Parameters:

accumulator - the collection of credentials being accumulated for return to the caller

keyDescriptor - the KeyDescriptor being processed

entityID - the entity ID of the KeyDescriptor being processed

mdUsage - the effective credential usage type in effect for the resolved credentials

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

matchUsage
```
protected boolean matchUsage(@Nonnull
                             org.opensaml.security.credential.UsageType metadataUsage,
                             @Nonnull
                             org.opensaml.security.credential.UsageType criteriaUsage)
```
Match usage enum type values from entityDescriptorResolver KeyDescriptor and from credential criteria.

Parameters:

metadataUsage - the value from the 'use' attribute of a entityDescriptorResolver KeyDescriptor element

criteriaUsage - the value from credential criteria

Returns:

true if the two usage specifiers match for purposes of resolving credentials, false otherwise

getRoleDescriptors

@Nonnull
protected Iterable<org.opensaml.saml.saml2.metadata.RoleDescriptor> getRoleDescriptors(@Nonnull
                                                                                       net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                                       @Nonnull
                                                                                       String entityID,
                                                                                       @Nonnull
                                                                                       QName role,
                                                                                       @Nullable
                                                                                       String protocol)
                                                                                throws net.shibboleth.utilities.java.support.resolver.ResolverException

Get the list of role descriptors which match the given entityID, role and protocol.

Parameters:: criteriaSet - criteria set being processed; entityID - entity ID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null)
Returns:: a list of role descriptors matching the given parameters, or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if there is an error retrieving role descriptors from the entityDescriptorResolver provider

Class MetadataCredentialResolver

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver

Methods inherited from class org.opensaml.security.credential.impl.AbstractCredentialResolver

Methods inherited from class java.lang.Object

Field Detail

log

roleDescriptorResolver

keyInfoCredentialResolver

isInitialized

Constructor Detail

MetadataCredentialResolver

Method Detail

isInitialized

initialize

getRoleDescriptorResolver

setRoleDescriptorResolver

getKeyInfoCredentialResolver

setKeyInfoCredentialResolver