net.shibboleth.idp.authn

Class AuthenticationFlowDescriptor

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

net.shibboleth.idp.authn.AuthenticationFlowDescriptor

All Implemented Interfaces:

com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>, PrincipalSupportingComponent, net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.IdentifiableComponent, net.shibboleth.utilities.java.support.component.IdentifiedComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, org.opensaml.storage.StorageSerializer<AuthenticationResult>

public class AuthenticationFlowDescriptor
extends net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent
implements PrincipalSupportingComponent, com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>, org.opensaml.storage.StorageSerializer<AuthenticationResult>

A descriptor for an authentication flow.

A flow models a sequence of profile actions that performs authentication in a particular way and satisfies various constraints that may apply to an authentication request. Some of these constraints are directly exposed as properties of the flow, and others can be found by examining the list of extended Principals that the flow exposes.

Field Summary

Fields

Modifier and Type	Field and Description
private com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>	activationCondition Predicate that must be true for this flow to be usable for a given request.
static String	FLOW_ID_PREFIX Prefix convention for flow IDs.
private long	inactivityTimeout Maximum amount of time in milliseconds, since last usage, a flow should be considered active.
private long	lifetime Maximum amount of time in milliseconds, since first usage, a flow should be considered active.
private org.opensaml.storage.StorageSerializer<AuthenticationResult>	resultSerializer Custom serializer for the results generated by this flow.
static long	STORAGE_EXPIRATION_OFFSET Additional allowance for storage of result records to avoid race conditions during use.
private Subject	supportedPrincipals Supported principals, indexed by type, that the flow can produce.
private boolean	supportsForced Whether this flow supports forced authentication.
private boolean	supportsNonBrowser Whether this flow supports non-browser clients.
private boolean	supportsPassive Whether this flow supports passive authentication.

Constructor Summary

Constructors

Constructor and Description
AuthenticationFlowDescriptor() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	apply(org.opensaml.profile.context.ProfileRequestContext input)
AuthenticationResult	deserialize(long version, String context, String key, String value, Long expiration)
protected void	doInitialize()
boolean	equals(Object obj)
long	getInactivityTimeout() Get the maximum amount of time in milliseconds, since the last usage, a flow should be considered active.
long	getLifetime() Get the maximum amount of time in milliseconds, since first usage, a flow should be considered active.
Collection<Principal>	getSupportedPrincipals() Get a collection of supported non-user-specific principals that the flow may produce when it operates.
<T extends Principal> Set<T>	getSupportedPrincipals(Class<T> c) Get an immutable set of supported custom principals that the component produces, supports, contains, etc.
int	hashCode()
boolean	isForcedAuthenticationSupported() Get whether this flow supports forced authentication.
boolean	isNonBrowserSupported() Get whether this flow supports non-browser clients.
boolean	isPassiveAuthenticationSupported() Get whether this flow supports passive authentication.
boolean	isResultActive(AuthenticationResult result) Check if a result generated by this flow is still active.
String	serialize(AuthenticationResult instance)
void	setActivationCondition(com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> condition) Set the activation condition in the form of a Predicate such that iff the condition evaluates to true should the corresponding flow be allowed/possible.
void	setForcedAuthenticationSupported(boolean isSupported) Set whether this flow supports forced authentication.
void	setInactivityTimeout(long timeout) Set the maximum amount of time in milliseconds, since the last usage, a flow should be considered active.
void	setLifetime(long flowLifetime) Set the maximum amount of time in milliseconds, since first usage, a flow should be considered active.
void	setNonBrowserSupported(boolean isSupported) Set whether this flow supports non-browser clients.
void	setPassiveAuthenticationSupported(boolean isSupported) Set whether this flow supports passive authentication.
void	setResultSerializer(org.opensaml.storage.StorageSerializer<AuthenticationResult> serializer) Set a custom serializer for results produced by this flow.
<T extends Principal> void	setSupportedPrincipals(Collection<T> principals) Set supported non-user-specific principals that the flow may produce when it operates.
String	toString()

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Field Detail

FLOW_ID_PREFIX

@Nonnull
@NotEmpty
public static final String FLOW_ID_PREFIX

Prefix convention for flow IDs.

See Also:

Constant Field Values

STORAGE_EXPIRATION_OFFSET

public static final long STORAGE_EXPIRATION_OFFSET

Additional allowance for storage of result records to avoid race conditions during use.

supportsNonBrowser

private boolean supportsNonBrowser

Whether this flow supports non-browser clients.

supportsPassive

private boolean supportsPassive

Whether this flow supports passive authentication.

supportsForced

private boolean supportsForced

Whether this flow supports forced authentication.

lifetime

@Duration
@NonNegative
private long lifetime

Maximum amount of time in milliseconds, since first usage, a flow should be considered active.

inactivityTimeout

@Duration
@Positive
private long inactivityTimeout

Maximum amount of time in milliseconds, since last usage, a flow should be considered active.

supportedPrincipals

@Nonnull
private Subject supportedPrincipals

Supported principals, indexed by type, that the flow can produce. Implemented for the moment using the Subject class for convenience to allow for class-based lookup in the getSupportedPrincipals(java.lang.Class<T>) method.

activationCondition

@Nonnull
private com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> activationCondition

Predicate that must be true for this flow to be usable for a given request.

resultSerializer

@Nullable
private org.opensaml.storage.StorageSerializer<AuthenticationResult> resultSerializer

Custom serializer for the results generated by this flow.

Constructor Detail

AuthenticationFlowDescriptor

public AuthenticationFlowDescriptor()

Constructor.

Method Detail

isNonBrowserSupported

public boolean isNonBrowserSupported()

Get whether this flow supports non-browser clients.

Returns:

whether this flow supports non-browser clients

setNonBrowserSupported

public void setNonBrowserSupported(boolean isSupported)

Set whether this flow supports non-browser clients.

Parameters:

isSupported - whether this flow supports non-browser clients

isPassiveAuthenticationSupported

public boolean isPassiveAuthenticationSupported()

Get whether this flow supports passive authentication.

Returns:

whether this flow supports passive authentication

setPassiveAuthenticationSupported

public void setPassiveAuthenticationSupported(boolean isSupported)

Set whether this flow supports passive authentication.

Parameters:

isSupported - whether this flow supports passive authentication

isForcedAuthenticationSupported

public boolean isForcedAuthenticationSupported()

Get whether this flow supports forced authentication.

Returns:

whether this flow supports forced authentication

setForcedAuthenticationSupported

public void setForcedAuthenticationSupported(boolean isSupported)

Set whether this flow supports forced authentication.

Parameters:

isSupported - whether this flow supports forced authentication.

getLifetime

@NonNegative
public long getLifetime()

Get the maximum amount of time in milliseconds, since first usage, a flow should be considered active. A value of 0 indicates that there is no upper limit on the lifetime on an active flow.

Returns:

maximum amount of time in milliseconds a flow should be considered active, never less than 0

setLifetime

public void setLifetime(@Duration@NonNegative
               long flowLifetime)

Set the maximum amount of time in milliseconds, since first usage, a flow should be considered active. A value of 0 indicates that there is no upper limit on the lifetime on an active flow.

Parameters:

flowLifetime - the lifetime for the flow, must be 0 or greater

getInactivityTimeout

@Positive
public long getInactivityTimeout()

Get the maximum amount of time in milliseconds, since the last usage, a flow should be considered active.

Defaults to 30 minutes.

Returns:

the duration

setInactivityTimeout

public void setInactivityTimeout(@Duration@Positive
                        long timeout)

Set the maximum amount of time in milliseconds, since the last usage, a flow should be considered active.

Parameters:

timeout - the flow inactivity timeout, must be greater than zero

isResultActive

public boolean isResultActive(@Nonnull
                     AuthenticationResult result)

Check if a result generated by this flow is still active.

Parameters:

result - AuthenticationResult to check

Returns:

true iff the result remains valid

getSupportedPrincipals

@Nonnull
@NonnullElements
@Unmodifiable
public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull
                                                                                       Class<T> c)

Get an immutable set of supported custom principals that the component produces, supports, contains, etc.

Specified by:

getSupportedPrincipals in interface PrincipalSupportingComponent

Type Parameters:

T - type of Principal to inquire on

Parameters:

c - type of Principal to inquire on

Returns:

a set of matching principals

getSupportedPrincipals

@Nonnull
@NonnullElements
public Collection<Principal> getSupportedPrincipals()

Get a collection of supported non-user-specific principals that the flow may produce when it operates.

The Collection.remove(java.lang.Object) method is not supported.

Returns:

a live collection of supported principals

setSupportedPrincipals

public <T extends Principal> void setSupportedPrincipals(@Nonnull@NonnullElements
                                                Collection<T> principals)

Set supported non-user-specific principals that the flow may produce when it operates.

Type Parameters:

T - a type of principal to add, if not generic

Parameters:

principals - supported principals to add

setActivationCondition

public void setActivationCondition(@Nonnull
                          com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext> condition)

Set the activation condition in the form of a Predicate such that iff the condition evaluates to true should the corresponding flow be allowed/possible.

Parameters:

condition - predicate that controls activation of the flow

apply

public boolean apply(org.opensaml.profile.context.ProfileRequestContext input)

Specified by:

apply in interface com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>

setResultSerializer

public void setResultSerializer(@Nonnull
                       org.opensaml.storage.StorageSerializer<AuthenticationResult> serializer)

Set a custom serializer for results produced by this flow.

Parameters:

serializer - the custom serializer

doInitialize

protected void doInitialize()
                     throws net.shibboleth.utilities.java.support.component.ComponentInitializationException

Overrides:

doInitialize in class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException

serialize

@Nonnull
@NotEmpty
public String serialize(@Nonnull
                                AuthenticationResult instance)
                 throws IOException

Specified by:

serialize in interface org.opensaml.storage.StorageSerializer<AuthenticationResult>

Throws:

IOException

deserialize

@Nonnull
public AuthenticationResult deserialize(long version,
                                       @Nonnull@NotEmpty
                                       String context,
                                       @Nonnull@NotEmpty
                                       String key,
                                       @Nonnull@NotEmpty
                                       String value,
                                       @Nonnull
                                       Long expiration)
                                 throws IOException

Specified by:

deserialize in interface org.opensaml.storage.StorageSerializer<AuthenticationResult>

Throws:

IOException

hashCode

public int hashCode()

Overrides:

hashCode in class Object

equals

public boolean equals(Object obj)

Specified by:

equals in interface com.google.common.base.Predicate<org.opensaml.profile.context.ProfileRequestContext>

Overrides:

equals in class Object

toString

public String toString()

Overrides:

toString in class Object