net.shibboleth.idp.authn

Class AbstractValidationAction<InboundMessageType,OutboundMessageType>

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractValidationAction<InboundMessageType,OutboundMessageType>

Type Parameters:

InboundMessageType - type of in-bound message

OutboundMessageType - type of out-bound message

All Implemented Interfaces:

PrincipalSupportingComponent, net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.profile.action.ProfileAction<InboundMessageType,OutboundMessageType>, Aware, MessageSource, MessageSourceAware, org.springframework.webflow.execution.Action

public abstract class AbstractValidationAction<InboundMessageType,OutboundMessageType>
extends AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>
implements PrincipalSupportingComponent

A base class for authentication related actions that validate credentials and produce an AuthenticationResult.

Event:

AuthnEventIds.REQUEST_UNSUPPORTED

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AbstractValidationAction.MessageChecker A predicate that examines a message to see if it contains a particular String.

Field Summary

Fields

Modifier and Type	Field and Description
private Subject	authenticatedSubject Basis for AuthenticationResult.
private Map<String,Collection<String>>	classifiedMessages Error messages associated with a specific error condition token.
private boolean	clearErrorContext Indicates whether to clear any existing AuthenticationErrorContext before execution.
private Logger	log Class logger.
private boolean	principalsAdded Track whether custom principals have been explicitly set (including the empty set).
private com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String>	requesterLookupStrategy Function used to obtain the requester ID.
private com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String>	responderLookupStrategy Function used to obtain the responder ID.
private com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>	resultCachingPredicate Predicate to apply when setting AuthenticationResult cacheability.

Constructor Summary

Constructors

Constructor and Description
AbstractValidationAction() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	buildAuthenticationResult(org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext) Normally called upon successful completion of credential validation, calls the populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.
protected boolean	doPreExecute(org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext) Performs this authentication action's pre-execute step.
Map<String,Collection<String>>	getClassifiedErrors() Get the error messages classified by specific error conditions.
com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>	getResultCachingPredicate() Get predicate to apply to determine cacheability of AuthenticationResult.
protected Subject	getSubject() Get the subject to be produced by successful execution of this action.
<T extends Principal> Set<T>	getSupportedPrincipals(Class<T> c) Get an immutable set of supported custom principals that the component produces, supports, contains, etc.
protected void	handleError(org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, Exception e, String eventId) Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.
protected void	handleError(org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, String message, String eventId) Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.
protected void	handleWarning(org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, String message, String eventId) Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.
protected abstract Subject	populateSubject(Subject subject) Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
void	setClassifiedMessages(Map<String,Collection<String>> messages) Set the error messages indicating an unknown username.
void	setRequesterLookupStrategy(com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> strategy) Set the strategy used to locate the requester ID for canonicalization.
void	setResponderLookupStrategy(com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> strategy) Set the strategy used to locate the responder ID for canonicalization.
void	setResultCachingPredicate(com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate) Set predicate to apply to determine cacheability of AuthenticationResult.
<T extends Principal> void	setSupportedPrincipals(Collection<T> principals) Set supported non-user-specific principals that the action will include in the subjects it generates.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final Logger log

Class logger.

authenticatedSubject

@Nonnull
private final Subject authenticatedSubject

Basis for AuthenticationResult.

principalsAdded

private boolean principalsAdded

Track whether custom principals have been explicitly set (including the empty set).

clearErrorContext

private boolean clearErrorContext

Indicates whether to clear any existing AuthenticationErrorContext before execution.

classifiedMessages

@Nonnull
@NonnullElements
private Map<String,Collection<String>> classifiedMessages

Error messages associated with a specific error condition token.

resultCachingPredicate

@Nullable
private com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> resultCachingPredicate

Predicate to apply when setting AuthenticationResult cacheability.

requesterLookupStrategy

@Nullable
private com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> requesterLookupStrategy

Function used to obtain the requester ID.

responderLookupStrategy

@Nullable
private com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> responderLookupStrategy

Function used to obtain the responder ID.

Constructor Detail

AbstractValidationAction

public AbstractValidationAction()

Constructor.

Method Detail

getClassifiedErrors

@Nonnull
@NonnullElements
@Unmodifiable
@NotLive
public Map<String,Collection<String>> getClassifiedErrors()

Get the error messages classified by specific error conditions.

Returns:

classified error message map

setClassifiedMessages

public void setClassifiedMessages(@Nonnull@NonnullElements
                         Map<String,Collection<String>> messages)

Set the error messages indicating an unknown username.

Parameters:

messages - the "unknown username" error messages to set

getResultCachingPredicate

@Nullable
public com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> getResultCachingPredicate()

Get predicate to apply to determine cacheability of AuthenticationResult.

Returns:

predicate to apply, or null

setResultCachingPredicate

public void setResultCachingPredicate(@Nullable
                             com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> predicate)

Set predicate to apply to determine cacheability of AuthenticationResult.

Parameters:

predicate - predicate to apply, or null

setRequesterLookupStrategy

public void setRequesterLookupStrategy(@Nullable
                              com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> strategy)

Set the strategy used to locate the requester ID for canonicalization.

Parameters:

strategy - lookup strategy

setResponderLookupStrategy

public void setResponderLookupStrategy(@Nullable
                              com.google.common.base.Function<org.opensaml.profile.context.ProfileRequestContext,String> strategy)

Set the strategy used to locate the responder ID for canonicalization.

Parameters:

strategy - lookup strategy

getSupportedPrincipals

@Nonnull
@NonnullElements
@Unmodifiable
@NotLive
public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull
                                                                                               Class<T> c)

Get an immutable set of supported custom principals that the component produces, supports, contains, etc.

Specified by:

getSupportedPrincipals in interface PrincipalSupportingComponent

Type Parameters:

T - type of Principal to inquire on

Parameters:

c - type of Principal to inquire on

Returns:

a set of matching principals

setSupportedPrincipals

public <T extends Principal> void setSupportedPrincipals(@Nonnull@NonnullElements
                                                Collection<T> principals)

Set supported non-user-specific principals that the action will include in the subjects it generates.

Type Parameters:

T - a type of principal to add, if not generic

Parameters:

principals - supported principals to include

getSubject

@Nonnull
protected Subject getSubject()

Get the subject to be produced by successful execution of this action.

Returns:

the subject meant as the result of this action

doPreExecute

protected boolean doPreExecute(@Nonnull
                   org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step. Default implementation just returns true.

Overrides:

doPreExecute in class AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

Returns:

true iff execution should continue

buildAuthenticationResult

protected void buildAuthenticationResult(@Nonnull
                             org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                             @Nonnull
                             AuthenticationContext authenticationContext)

Normally called upon successful completion of credential validation, calls the populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

populateSubject

@Nonnull
protected abstract Subject populateSubject(@Nonnull
                              Subject subject)

Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

Parameters:

subject - subject to populate

Returns:

the input subject

handleError

protected void handleError(@Nonnull
               org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
               @Nonnull
               AuthenticationContext authenticationContext,
               @Nonnull
               Exception e,
               @Nonnull@NotEmpty
               String eventId)

Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.

The exception message is evaluated as a potential match as a "classified" error and if matched, the classification label is attached to the AuthenticationErrorContext and used as the resulting event for the action.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

e - the exception to process

eventId - the event to "return" via an EventContext if the exception message is not classified

handleError

protected void handleError(@Nonnull
               org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
               @Nonnull
               AuthenticationContext authenticationContext,
               @Nullable
               String message,
               @Nonnull@NotEmpty
               String eventId)

Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.

If no match, the supplied eventId is used as the result.

If multiple matches, the first matching label is used as the result, but each match is added to the context.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

message - to process

eventId - the event to "return" via an EventContext if the message is not classified

handleWarning

protected void handleWarning(@Nonnull
                 org.opensaml.profile.context.ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                 @Nonnull
                 AuthenticationContext authenticationContext,
                 @Nullable
                 String message,
                 @Nonnull@NotEmpty
                 String eventId)

Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.

If no match, the supplied eventId is used as the result.

If multiple matches, the first matching label is used as the result, but each match is added to the context.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

message - to process

eventId - the event to "return" via an EventContext if the message is not classified