IdPSiteSet (Shibboleth Discovery Service 1.2.1 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

edu.internet2.middleware.shibboleth.wayf
Class IdPSiteSet

java.lang.Object
  edu.internet2.middleware.shibboleth.wayf.IdPSiteSet

All Implemented Interfaces:: org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer

public class IdPSiteSet
extends Object
implements org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer
extends Object
implements org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer

Represents a collection of related sites as described by a single source of metadata. This is usually a federation. When the WAYF looks to see which IdP sites to show, it trims the list so as to not show IdP's which do not trust the SP. This class is opaque outside this file. The three static methods getSitesLists, searchForMatchingOrigins and lookupIdP provide mechanisms for accessing collections of IdPSiteSets.

Field Summary
`private String`	`displayName` What name should we display for this set of entities?
`private String`	`identifier` What does the configuration identify this as?
`private Set<String>`	`idpNames` Is the named IdP in the current metadata set?
`private String`	`location` Where does the metadata exist?
`private static Logger`	`LOG` Handle for error output.
`private org.opensaml.saml2.metadata.provider.ObservableMetadataProvider`	`metadata` The OpenSaml metadata source.
`private Map<Plugin,PluginMetadataParameter>`	`plugins` What parameters do we pass in to which plugin?
`private Set<String>`	`spNames` Is the named SP in the current metadata set?
`private static Timer`	`timer` Time for the HTTP loading.

Constructor Summary
`protected`	`IdPSiteSet(Element element, org.opensaml.xml.parse.ParserPool parserPool, boolean warnOnBadBinding)` Create a new IdPSiteSet as described by the supplied XML segment.

Method Summary
`protected void`	`addPlugin(Plugin plugin)` Declares a plugin to the siteset.
`private org.opensaml.saml2.metadata.provider.MetadataFilter`	`buildCertificateFilter(String param)` Create a new `MetadataFilter` from the specified certificate file.
`private org.opensaml.saml2.metadata.provider.MetadataFilterChain`	`buildFilterChain(Element el, boolean warnOnBadBinding)` Create the filter chain for the metadata.
`private org.apache.commons.httpclient.HttpClient`	`buildHttpClient(Element config, URL metadataURL)` Builds the HTTP client used to fetch metadata.
`private org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider`	`buildHTTPProvider(Element element, URL metadataURL)` Create a suitable `AbstractObservableMetadataProvider` to read data from a URL.
`private X509TrustManager`	`buildNoTrustTrustManager()` Builds a `X509TrustManager` which bypasses all X.509 validation steps.
`private org.opensaml.saml2.metadata.provider.MetadataFilter`	`buildValidUntilFilter(String duration)` Create validUntil Filter from the provided parameter.
`protected boolean`	`containsIdP(String idPName)` For plugin handling we need to know quickly if a metadataset contains the idp.
`protected boolean`	`containsSP(String sPName)` We do not need to look at a set if it doesn't know about the given SP.
`private org.opensaml.saml2.metadata.provider.MetadataFilter`	`createFilter(Element element)` Create a <`MetadataFilter` filter as specified.
`private org.opensaml.xml.security.credential.Credential`	`credentialFor(List<X509Certificate> certificates)` Create a `BasicX509Credential` from the provided certificates.
`private List<org.opensaml.saml2.metadata.EntityDescriptor>`	`getAllEntities(org.opensaml.saml2.metadata.EntitiesDescriptor entitiesDescriptor)` Return all the entities below the entities descriptor (collapsing lists of lists into lists).
`protected String`	`getDisplayName()` Return the human friendly name for this siteset.
`protected org.opensaml.saml2.metadata.EntityDescriptor`	`getEntity(String name)` Return the entity given the name.
`protected String`	`getIdentifier()` Return this sites (internal) identifier.
`protected Map<String,IdPSite>`	`getIdPSites(String searchString, boolean isWAYFprotocol, HandlerConfig config, Collection<IdPSite> searchMatches)` Return all the Idp in the provided entities descriptor.
`private long`	`getMaxRefreshDelay(Element config)` Gets the maximum refresh delay for the metadata provider.
`private int`	`getMinRefreshDelay(Element config)` Gets the minimum refresh delay for the metadata provider.
`private float`	`getRefreshDelayFactor(Element config)` Gets the refresh delay factor for the metadata provider.
`protected IdPSite`	`getSite(String idpName)` Return the idpSite for the given entity name.
`private Timer`	`getTimer()` Initializes (if needed) and returns a timer to be used by the HTTP metadata loader.
`private static boolean`	`hasIdPRole(org.opensaml.saml2.metadata.EntityDescriptor entity, boolean isWAYFprotocol)` Enumerate all the roles and see whether this entity can be an IdP.
`private static boolean`	`hasSPRole(org.opensaml.saml2.metadata.EntityDescriptor entity)` Enumerate all the roles and see whether this entity can be an SP.
`private static boolean`	`isMatch(org.opensaml.saml2.metadata.EntityDescriptor entity, String str, HandlerConfig config)` Based on (Shibboleth IdP/DS) 1.2 Origin.isMatch.
`void`	`onEvent(org.opensaml.saml2.metadata.provider.MetadataProvider provider)` Event handler.
`protected PluginMetadataParameter`	`paramFor(Plugin plugin)` Return the parameter that this plugin uses.
`private void`	`setHttpBasicAuthSettings(org.apache.commons.httpclient.HttpClient httpClient, Element config, URL metadataURL)` Sets the basic authentication properties, if any, for the HTTP client used to fetch metadata.
`private void`	`setHttpProxySettings(org.opensaml.ws.soap.client.http.HttpClientBuilder builder, Element config)` Sets the HTTP proxy properties, if any, for the HTTP client used to fetch metadata.
`private org.opensaml.xml.signature.SignatureTrustEngine`	`trustEngineFor(org.opensaml.xml.security.credential.Credential credential)` Create a new `ExplicitKeySignatureTrustEngine` which understands the provided `Credential`.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

LOG

private static final Logger LOG

Handle for error output.

timer

private static Timer timer

Time for the HTTP loading. This is one-off initialized as needed.

metadata

private org.opensaml.saml2.metadata.provider.ObservableMetadataProvider metadata

The OpenSaml metadata source.

spNames

private Set<String> spNames

Is the named SP in the current metadata set?

idpNames

private Set<String> idpNames

Is the named IdP in the current metadata set?

identifier

private final String identifier

What does the configuration identify this as?

displayName

private final String displayName

What name should we display for this set of entities?

location

private String location

Where does the metadata exist?

plugins

private final Map<Plugin,PluginMetadataParameter> plugins

What parameters do we pass in to which plugin?

Constructor Detail

IdPSiteSet

protected IdPSiteSet(Element element,
                     org.opensaml.xml.parse.ParserPool parserPool,
                     boolean warnOnBadBinding)
              throws ShibbolethConfigurationException

Create a new IdPSiteSet as described by the supplied XML segment.

Parameters:: element - - configuration details.; parserPool - - the parsers we initialized above.; warnOnBadBinding - if we just warn or give an error if an SP has bad entry points.
Throws:: ShibbolethConfigurationException - - if something goes wrong.

Method Detail

getTimer

private Timer getTimer()

Initializes (if needed) and returns a timer to be used by the HTTP metadata loader.

Returns:: a common, shared time.

getRefreshDelayFactor

private float getRefreshDelayFactor(Element config)

Gets the refresh delay factor for the metadata provider. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser

Parameters:: config - provider configuration element
Returns:: refresh delay factor

getMaxRefreshDelay

private long getMaxRefreshDelay(Element config)

Gets the maximum refresh delay for the metadata provider. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser

Parameters:: config - provider configuration element
Returns:: the maximum refresh delay, in milliseconds

getMinRefreshDelay

private int getMinRefreshDelay(Element config)

Gets the minimum refresh delay for the metadata provider. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.AbstractReloadingMetadataProviderBeanDefinitionParser

Parameters:: config - provider configuration element
Returns:: the minimum refresh delay, in milliseconds

buildHttpClient

private org.apache.commons.httpclient.HttpClient buildHttpClient(Element config,
                                                                 URL metadataURL)

Builds the HTTP client used to fetch metadata. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.HTTPMetadataProviderBeanDefinitionParser

Parameters:: config - the metadata provider configuration element; metadataURL - the URL from which metadata will be fetched
Returns:: the constructed HTTP client

buildNoTrustTrustManager

private X509TrustManager buildNoTrustTrustManager()

Builds a X509TrustManager which bypasses all X.509 validation steps. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.HTTPMetadataProviderBeanDefinitionParser

Returns:: the trustless trust manager

setHttpProxySettings

private void setHttpProxySettings(org.opensaml.ws.soap.client.http.HttpClientBuilder builder,
                                  Element config)

Sets the HTTP proxy properties, if any, for the HTTP client used to fetch metadata. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.HTTPMetadataProviderBeanDefinitionParser

Parameters:: builder - the HTTP client builder; config - the metadata provider configuration

setHttpBasicAuthSettings

private void setHttpBasicAuthSettings(org.apache.commons.httpclient.HttpClient httpClient,
                                      Element config,
                                      URL metadataURL)

Sets the basic authentication properties, if any, for the HTTP client used to fetch metadata. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.HTTPMetadataProviderBeanDefinitionParser

Parameters:: httpClient - the HTTP client; config - the metadata provider configuration; metadataURL - the URL from which metadata will be fetched

buildHTTPProvider

private org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider buildHTTPProvider(Element element,
                                                                                                 URL metadataURL)
                                                                                          throws ShibbolethConfigurationException

Create a suitable AbstractObservableMetadataProvider to read data from a URL. Inspired by edu.internet2.middleware.shibboleth.common.config.metadata.HTTPMetadataProviderBeanDefinitionParser

Parameters:: element - extra parameterization; metadataURL - the URL
Returns:: the provider
Throws:: ShibbolethConfigurationException - if we meet bad parameters

buildFilterChain

private org.opensaml.saml2.metadata.provider.MetadataFilterChain buildFilterChain(Element el,
                                                                                  boolean warnOnBadBinding)
                                                                           throws ShibbolethConfigurationException

Create the filter chain for the metadata.

Parameters:: el - The configuration element; warnOnBadBinding - whether to warn on fail if the binding is bad.
Returns:: the configured filter chain
Throws:: ShibbolethConfigurationException - if any of the lookup fails

createFilter

private org.opensaml.saml2.metadata.provider.MetadataFilter createFilter(Element element)
                                                                  throws ShibbolethConfigurationException

Create a <MetadataFilter filter as specified.

Parameters:: element - the specification.
Returns:: the filter
Throws:: ShibbolethConfigurationException - if there was a

buildValidUntilFilter

private org.opensaml.saml2.metadata.provider.MetadataFilter buildValidUntilFilter(String duration)
                                                                           throws ShibbolethConfigurationException

Create validUntil Filter from the provided parameter.

Parameters:: duration - how long
Returns:: a filter
Throws:: ShibbolethConfigurationException - if the delay is bogus.

buildCertificateFilter

private org.opensaml.saml2.metadata.provider.MetadataFilter buildCertificateFilter(String param)
                                                                            throws ShibbolethConfigurationException

Create a new MetadataFilter from the specified certificate file.

Parameters:: param - The file
Returns:: The filter
Throws:: ShibbolethConfigurationException - if any subsidiary function fails

trustEngineFor

private org.opensaml.xml.signature.SignatureTrustEngine trustEngineFor(org.opensaml.xml.security.credential.Credential credential)

Create a new ExplicitKeySignatureTrustEngine which understands the provided Credential.
Inspired by edu.internet2.middleware.shibboleth.common.config.security.X509CredentialFactoryBean

Parameters:: credential - the input
Returns:: the trust engine.

credentialFor

private org.opensaml.xml.security.credential.Credential credentialFor(List<X509Certificate> certificates)

Create a BasicX509Credential from the provided certificates.
Inspired by edu.internet2.middleware.shibboleth.common.config.security.StaticExplicitKeySignatureTrustEngineFactoryBean

Parameters:: certificates - Certificates from a file.
Returns:: an appropriate credential.

isMatch

private static boolean isMatch(org.opensaml.saml2.metadata.EntityDescriptor entity,
                               String str,
                               HandlerConfig config)

Based on (Shibboleth IdP/DS) 1.2 Origin.isMatch. There must have been a reason for it... [Kindas of] support for the search function in the wayf. This return many false positives but given the aim is to provide input for a pull down list...

Parameters:: entity - The entity to match.; str - The pattern to match against.; config - Provides list of tokens to not lookup
Returns:: Whether this entity matches

getIdPSites

protected Map<String,IdPSite> getIdPSites(String searchString,
                                          boolean isWAYFprotocol,
                                          HandlerConfig config,
                                          Collection<IdPSite> searchMatches)

Return all the Idp in the provided entities descriptor. If SearchMatches is non null it is populated with whatever of the IdPs matches the search string (as noted above).

Parameters:: searchString - to match with; isWAYFprotocol - whether this is Shibboleth or SAML Ds; config - parameter to matching; searchMatches - if non null is filled with such of the sites which match the string
Returns:: the sites which fit.

getIdentifier

protected String getIdentifier()

Return this sites (internal) identifier.

Returns:: the identifier

getDisplayName

protected String getDisplayName()

Return the human friendly name for this siteset.

Returns:: The friendly name

containsSP

protected boolean containsSP(String sPName)

We do not need to look at a set if it doesn't know about the given SP. However if no SP is given (as per 1.1) then we do need to look. This calls lets us know whether this set is a canddiate for looking into.

Parameters:: sPName - the Sp we are interested in.
Returns:: whether the site contains the SP.

containsIdP

protected boolean containsIdP(String idPName)

For plugin handling we need to know quickly if a metadataset contains the idp.

Parameters:: idPName - the IdP we are interested in.
Returns:: whether the site contains the IdP.

addPlugin

protected void addPlugin(Plugin plugin)

Declares a plugin to the siteset.

Parameters:: plugin - what to declare

paramFor

protected PluginMetadataParameter paramFor(Plugin plugin)

Return the parameter that this plugin uses.

Parameters:: plugin - the plugin we are getting the parameter for
Returns:: teh parameter.

getAllEntities

private List<org.opensaml.saml2.metadata.EntityDescriptor> getAllEntities(org.opensaml.saml2.metadata.EntitiesDescriptor entitiesDescriptor)

Return all the entities below the entities descriptor (collapsing lists of lists into lists).

Parameters:: entitiesDescriptor - the entities descriptor
Returns:: the collapsed list.

onEvent

public void onEvent(org.opensaml.saml2.metadata.provider.MetadataProvider provider)

Event handler.

Specified by:: onEvent in interface org.opensaml.saml2.metadata.provider.ObservableMetadataProvider.Observer

Parameters:: provider - the provider we which is refreshing us.

hasIdPRole

private static boolean hasIdPRole(org.opensaml.saml2.metadata.EntityDescriptor entity,
                                  boolean isWAYFprotocol)

Enumerate all the roles and see whether this entity can be an IdP.

Parameters:: entity - the entity under discoussion.; isWAYFprotocol - whether this is a WAF or DS request.
Returns:: true if one of the roles that entity has is IdPSSO

hasSPRole

private static boolean hasSPRole(org.opensaml.saml2.metadata.EntityDescriptor entity)

Enumerate all the roles and see whether this entity can be an SP.

Parameters:: entity - the entity under scrutiny.
Returns:: true if one of the roles that entity has is SPSSO

getSite

protected IdPSite getSite(String idpName)
                   throws WayfException

Return the idpSite for the given entity name.

Parameters:: idpName - the entityname to look up
Returns:: the associated idpSite
Throws:: WayfException - if the metadata couldn't resolve the entityID.

getEntity

protected org.opensaml.saml2.metadata.EntityDescriptor getEntity(String name)
                                                          throws WayfException

Return the entity given the name.

Parameters:: name - the entityID
Returns:: the entity we are looking for.
Throws:: WayfException - if the metadata couldn't resolve the entityID.