Class BaseSAMLSimpleSignatureSecurityHandler

java.lang.Object
net.shibboleth.shared.component.AbstractInitializableComponent
org.opensaml.messaging.handler.AbstractMessageHandler
org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, MessageHandler
Direct Known Subclasses:
SAML2HTTPPostSimpleSignSecurityHandler, SAML2HTTPRedirectDeflateSignatureSecurityHandler

public abstract class BaseSAMLSimpleSignatureSecurityHandler extends AbstractMessageHandler
Base class for security-oriented message handlers which verify simple "blob" signatures computed over some components of a request.
  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Logger.
    • httpServletRequestSupplier

      @NonnullAfterInit private NonnullSupplier<HttpServletRequest> httpServletRequestSupplier
      The HttpServletRequest being processed.
    • peerContext

      @Nullable private SAMLPeerEntityContext peerContext
      The context representing the SAML peer entity.
    • samlProtocol

      @Nullable private String samlProtocol
      The SAML protocol in use.
    • samlRole

      @Nullable private QName samlRole
      The SAML role in use.
    • signatureValidationParameters

      @Nullable private SignatureValidationParameters signatureValidationParameters
      Parameters for signature validation.
    • trustEngine

      @Nullable private SignatureTrustEngine trustEngine
      Signature trust engine used to validate raw signatures.
  • Constructor Details

    • BaseSAMLSimpleSignatureSecurityHandler

      public BaseSAMLSimpleSignatureSecurityHandler()
  • Method Details

    • getTrustEngine

      @Nullable protected SignatureTrustEngine getTrustEngine()
      Gets the engine used to validate the signature.
      Returns:
      engine used to validate the signature
    • getHttpServletRequest

      @NonnullAfterInit public HttpServletRequest getHttpServletRequest()
      Get the current HTTP request if available.
      Returns:
      current HTTP request
    • getHttpServletRequestSupplier

      @Nullable public NonnullSupplier<HttpServletRequest> getHttpServletRequestSupplier()
      Get the supplier for HTTP request if available.
      Returns:
      the supplier for the current HTTP request
    • setHttpServletRequestSupplier

      public void setHttpServletRequestSupplier(@Nullable NonnullSupplier<HttpServletRequest> requestSupplier)
      Set the current HTTP request Supplier.
      Parameters:
      requestSupplier - Supplier for the current HTTP request
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
    • doPreInvoke

      protected boolean doPreInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Overrides:
      doPreInvoke in class AbstractMessageHandler
      Throws:
      MessageHandlerException
    • doInvoke

      protected void doInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Specified by:
      doInvoke in class AbstractMessageHandler
      Throws:
      MessageHandlerException
    • doEvaluate

      private void doEvaluate(@Nonnull @NotEmpty byte[] signature, @Nonnull @NotEmpty byte[] signedContent, @Nonnull @NotEmpty String algorithmURI, @Nonnull MessageContext messageContext) throws MessageHandlerException
      Evaluate the simple signature based on information in the request and/or message context.
      Parameters:
      signature - the signature value
      signedContent - the content that was signed
      algorithmURI - the signature algorithm URI which was used to sign the content
      messageContext - the SAML message context being processed
      Throws:
      MessageHandlerException - thrown if there are errors during the signature validation process
    • validateSignature

      protected boolean validateSignature(@Nonnull @NotEmpty byte[] signature, @Nonnull @NotEmpty byte[] signedContent, @Nonnull @NotEmpty String algorithmURI, @Nonnull CriteriaSet criteriaSet, @Nonnull List<Credential> candidateCredentials) throws MessageHandlerException
      Validate the simple signature.
      Parameters:
      signature - the signature value
      signedContent - the content that was signed
      algorithmURI - the signature algorithm URI which was used to sign the content
      criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)
      Returns:
      true if signature can be verified successfully, false otherwise
      Throws:
      MessageHandlerException - thrown if there are errors during the signature validation process
    • getRequestCredentials

      @Nonnull @Unmodifiable @NotLive protected List<Credential> getRequestCredentials(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Extract any candidate validation credentials from the request and/or message context. Some bindings allow validation keys for the simple signature to be supplied, and others do not.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      a list of candidate validation credentials in the request, or an empty list if none were present
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • getSignature

      @Nullable protected byte[] getSignature() throws MessageHandlerException
      Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.
      Returns:
      the signature value
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • getSignatureAlgorithm

      @Nullable protected String getSignatureAlgorithm() throws MessageHandlerException
      Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.
      Returns:
      the signature algorithm URI value
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • deriveSignerEntityID

      @Nullable protected String deriveSignerEntityID(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      the signer's derived entity ID
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • buildCriteriaSet

      @Nonnull protected CriteriaSet buildCriteriaSet(@Nullable String entityID, @Nonnull MessageContext messageContext) throws MessageHandlerException
      Build a criteria set suitable for input to the trust engine.
      Parameters:
      entityID - the candidate issuer entity ID which is being evaluated
      messageContext - the message context which is being evaluated
      Returns:
      a newly constructed set of criteria suitable for the configured trust engine
      Throws:
      MessageHandlerException - thrown if the criteria set cannot be constructed
    • getSignedContent

      @Nullable protected abstract byte[] getSignedContent() throws MessageHandlerException
      Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
      Returns:
      the signed content extracted from the request, in the format suitable for input to the trust engine.
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • ruleHandles

      protected abstract boolean ruleHandles(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      true if the rule should attempt to process the request, otherwise false
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
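As an added example that is not OpenSAML code, the handler's steps (ruleHandles, getSignature, getSignatureAlgorithm, getSignedContent, validateSignature) mirrored in Python for the HTTP-Redirect binding handled by the SAML2HTTPRedirectDeflateSignatureSecurityHandler subclass, where the signed content is the URL-encoded SAMLRequest or SAMLResponse, RelayState if present, and SigAlg, in that order. The trust engine, key table, entity ID, query values and the signer-side helper are constructed stand-ins; a real SignatureTrustEngine verifies RSA or ECDSA signatures against keys resolved from metadata, and request-supplied credentials are only ever candidates for that engine.

```python
import base64, hmac
from urllib.parse import quote, unquote

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SUPPORTED_ALGS = {RSA_SHA256: "sha256"}   # SigAlg URIs this handler accepts
# Constructed stand-in for the SignatureTrustEngine: keys are selected by the signer's entity ID (what buildCriteriaSet conveys), never taken from the request; HMAC keeps the example offline.
TRUSTED_KEYS = {"https://idp.example.org/idp": [b"constructed-shared-key"]}

def trust_engine(signature, content, alg_uri, entity_id):
    return any(hmac.compare_digest(hmac.new(k, content, SUPPORTED_ALGS[alg_uri]).digest(), signature)
               for k in TRUSTED_KEYS.get(entity_id, []))

def raw_params(query):
    """Split WITHOUT decoding (the signature covers the encoded bytes as sent); reject duplicates."""
    params = {}
    for part in query.split("&"):
        name, _, value = part.partition("=")
        if name in params:
            raise ValueError("duplicate parameter: " + name)
        params[name] = value
    return params

class RedirectSimpleSignatureHandler:
    """Mirrors getSignature / getSignatureAlgorithm / getSignedContent / validateSignature."""
    def __init__(self, engine): self.engine = engine
    def rule_handles(self, params):             # ruleHandles(): act only when Signature is present
        return "Signature" in params
    def get_signature(self, params):            # getSignature(): Base64-decoded Signature parameter
        return base64.b64decode(unquote(params["Signature"]), validate=True)
    def get_signature_algorithm(self, params):  # getSignatureAlgorithm(): SigAlg parameter
        return unquote(params.get("SigAlg", ""))
    def get_signed_content(self, params):       # Redirect rule: SAMLRequest|SAMLResponse, RelayState, SigAlg
        msg = [n for n in ("SAMLRequest", "SAMLResponse") if n in params]
        if len(msg) != 1:
            raise ValueError("exactly one of SAMLRequest/SAMLResponse is required")
        names = msg + (["RelayState"] if "RelayState" in params else []) + ["SigAlg"]
        return "&".join(f"{n}={params[n]}" for n in names).encode("ascii")
    def evaluate(self, query, signer_entity_id):
        params = raw_params(query)
        if not self.rule_handles(params):
            return None                         # unsigned: this handler makes no decision
        alg = self.get_signature_algorithm(params)
        if alg not in SUPPORTED_ALGS:
            raise ValueError("unsupported or missing SigAlg: " + alg)
        return self.engine(self.get_signature(params), self.get_signed_content(params), alg, signer_entity_id)

def sign_redirect_query(fields, key, alg_uri=RSA_SHA256):
    """Signer side (constructed): encode fields in order, append SigAlg, sign, append Signature."""
    parts = [f"{n}={quote(v, safe='')}" for n, v in fields] + ["SigAlg=" + quote(alg_uri, safe="")]
    digest = hmac.new(key, "&".join(parts).encode("ascii"), SUPPORTED_ALGS[alg_uri]).digest()
    return "&".join(parts + ["Signature=" + quote(base64.b64encode(digest).decode(), safe="")])
```

Note that the signed content is rebuilt from the raw query string, not from decoded parameters: re-encoding a decoded value can change the bytes and so fail verification, or, worse, let two differently encoded requests verify against one signature.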