org.opensaml.saml.metadata.resolver.filter.impl

Class SignatureValidationFilter

java.lang.Object

org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter

All Implemented Interfaces:

MetadataFilter

public class SignatureValidationFilter
extends Object
implements MetadataFilter

A metadata filter that validates XML signatures.

Field Summary

Fields

Modifier and Type	Field and Description
private CriteriaSet	defaultCriteria Set of externally specified default criteria for input to the trust engine.
private com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>>	dynamicTrustedNamesStrategy Strategy function for extracting dynamic trusted names from signed metadata elements.
private org.slf4j.Logger	log Class logger.
private boolean	requireSignedRoot Indicates whether the metadata root element is required to be signed.
private org.opensaml.xmlsec.signature.support.SignaturePrevalidator	signaturePrevalidator Prevalidator for XML Signature instances.
private org.opensaml.xmlsec.signature.support.SignatureTrustEngine	signatureTrustEngine Trust engine used to validate a signature.

Constructor Summary

Constructors

Constructor and Description
SignatureValidationFilter(org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine) Constructor.

Method Summary

Modifier and Type	Method and Description
protected CriteriaSet	buildCriteriaSet(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Build the criteria set which will be used as input to the configured trust engine.
org.opensaml.core.xml.XMLObject	filter(org.opensaml.core.xml.XMLObject metadata)
CriteriaSet	getDefaultCriteria() Get the optional set of default criteria used as input to the trust engine.
com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>>	getDynamicTrustedNamesStrategy() Get the strategy function for extracting dynamic trusted names from signed metadata elements.
protected String	getGroupName(EntitiesDescriptor group) Get the group's name, or a suitable facsimile if not named.
boolean	getRequireSignature() Deprecated. use instead getRequireSignedRoot()
boolean	getRequireSignedRoot() Get whether incoming metadata's root element is required to be signed.
protected String	getRoleIDToken(String entityID, RoleDescriptor role) Get a string token for logging/debugging purposes that contains role information and containing entityID.
org.opensaml.xmlsec.signature.support.SignaturePrevalidator	getSignaturePrevalidator() Get the validator used to perform pre-validation on Signature tokens.
org.opensaml.xmlsec.signature.support.SignatureTrustEngine	getSignatureTrustEngine() Gets the trust engine used to validate signatures on incoming metadata.
protected void	performPreValidation(org.opensaml.xmlsec.signature.Signature signature, String metadataEntryName) Perform pre-validation on the Signature token.
protected void	processEntityDescriptor(EntityDescriptor entityDescriptor) Process the signatures on the specified EntityDescriptor and any signed children.
protected void	processEntityGroup(EntitiesDescriptor entitiesDescriptor) Process the signatures on the specified EntitiesDescriptor and any signed children.
void	setDefaultCriteria(CriteriaSet newCriteria) Set the optional set of default criteria used as input to the trust engine.
void	setDynamicTrustedNamesStrategy(com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> strategy) Get the strategy function for extracting dynamic trusted names from signed metadata elements.
void	setRequireSignature(boolean require) Deprecated. use instead setRequireSignedRoot(boolean)
void	setRequireSignedRoot(boolean require) Set whether incoming metadata's root element is required to be signed.
void	setSignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator) Set the validator used to perform pre-validation on Signature tokens.
protected void	verifySignature(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Evaluate the signature on the signed metadata instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

signatureTrustEngine

@Nonnull
private org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine

Trust engine used to validate a signature.

requireSignedRoot

private boolean requireSignedRoot

Indicates whether the metadata root element is required to be signed.

defaultCriteria

@Nullable
private CriteriaSet defaultCriteria

Set of externally specified default criteria for input to the trust engine.

signaturePrevalidator

@Nullable
private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator

Prevalidator for XML Signature instances.

dynamicTrustedNamesStrategy

@Nullable
private com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> dynamicTrustedNamesStrategy

Strategy function for extracting dynamic trusted names from signed metadata elements.

Constructor Detail

SignatureValidationFilter

public SignatureValidationFilter(@Nonnull @ParameterName(name="engine")
                                 org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)

Constructor.

Signature pre-validator defaults to SAMLSignatureProfileValidator.

Dynamic trusted names strategy defaults to BasicDynamicTrustedNamesStrategy.

Parameters:

engine - the trust engine used to validate signatures on incoming metadata.

Method Detail

getDynamicTrustedNamesStrategy

@Nullable
public com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> getDynamicTrustedNamesStrategy()

Get the strategy function for extracting dynamic trusted names from signed metadata elements.

Defaults to: BasicDynamicTrustedNamesStrategy.

Returns:

the function, or null

setDynamicTrustedNamesStrategy

public void setDynamicTrustedNamesStrategy(@Nullable
                                           com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> strategy)

Get the strategy function for extracting dynamic trusted names from signed metadata elements.

Defaults to: BasicDynamicTrustedNamesStrategy.

Parameters:

strategy - the function, may be null

getSignatureTrustEngine

@Nonnull
public org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureTrustEngine()

Gets the trust engine used to validate signatures on incoming metadata.

Returns:

trust engine used to validate signatures on incoming metadata

getSignaturePrevalidator

@Nullable
public org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignaturePrevalidator()

Get the validator used to perform pre-validation on Signature tokens.

Defaults to: SAMLSignatureProfileValidator.

Returns:

the configured Signature validator, or null

setSignaturePrevalidator

public void setSignaturePrevalidator(@Nullable
                                     org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator)

Set the validator used to perform pre-validation on Signature tokens.

Defaults to: SAMLSignatureProfileValidator.

Parameters:

validator - the signature prevalidator to use

getRequireSignedRoot

public boolean getRequireSignedRoot()

Get whether incoming metadata's root element is required to be signed.

Defaults to true.

Returns:

whether incoming metadata is required to be signed

setRequireSignedRoot

public void setRequireSignedRoot(boolean require)

Set whether incoming metadata's root element is required to be signed.

Defaults to true.

Parameters:

require - whether incoming metadata is required to be signed

getRequireSignature

@Deprecated
public boolean getRequireSignature()

Deprecated. use instead getRequireSignedRoot()

Get whether incoming metadata's root element is required to be signed.

Defaults to true.

Returns:

whether incoming metadata is required to be signed

setRequireSignature

@Deprecated
public void setRequireSignature(boolean require)

Deprecated. use instead setRequireSignedRoot(boolean)

Set whether incoming metadata's root element is required to be signed.

Defaults to true.

Parameters:

require - whether incoming metadata is required to be signed

getDefaultCriteria

@Nullable
public CriteriaSet getDefaultCriteria()

Get the optional set of default criteria used as input to the trust engine.

Returns:

the criteria set

setDefaultCriteria

public void setDefaultCriteria(@Nullable
                               CriteriaSet newCriteria)

Set the optional set of default criteria used as input to the trust engine.

Parameters:

newCriteria - the new criteria set to use

filter

@Nullable
public org.opensaml.core.xml.XMLObject filter(@Nullable
                                                        org.opensaml.core.xml.XMLObject metadata)
                                                 throws FilterException

Specified by:

filter in interface MetadataFilter

Throws:

FilterException

processEntityDescriptor

protected void processEntityDescriptor(@Nonnull
                                       EntityDescriptor entityDescriptor)
                                throws FilterException

Process the signatures on the specified EntityDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entity descriptor.

Parameters:

entityDescriptor - the EntityDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified

processEntityGroup

protected void processEntityGroup(@Nonnull
                                  EntitiesDescriptor entitiesDescriptor)
                           throws FilterException

Process the signatures on the specified EntitiesDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entities descriptor group.

Parameters:

entitiesDescriptor - the EntitiesDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified

verifySignature

protected void verifySignature(@Nonnull
                               org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata,
                               @Nonnull @NotEmpty
                               String metadataEntryName,
                               boolean isEntityGroup)
                        throws FilterException

Evaluate the signature on the signed metadata instance.

Parameters:

signedMetadata - the metadata object whose signature is to be verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine

Throws:

FilterException - thrown if the metadata entry's signature can not be established as trusted, or if an error occurs during the signature verification process

performPreValidation

protected void performPreValidation(@Nonnull
                                    org.opensaml.xmlsec.signature.Signature signature,
                                    @Nonnull @NotEmpty
                                    String metadataEntryName)
                             throws FilterException

Perform pre-validation on the Signature token.

Parameters:

signature - the signature to evaluate

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

Throws:

FilterException - thrown if the signature element fails pre-validation

buildCriteriaSet

@Nonnull
protected CriteriaSet buildCriteriaSet(@Nonnull
                                                org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata,
                                                @Nonnull @NotEmpty
                                                String metadataEntryName,
                                                boolean isEntityGroup)

Build the criteria set which will be used as input to the configured trust engine.

Parameters:

signedMetadata - the metadata element whose signature is being verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)

Returns:

the newly constructed criteria set

getRoleIDToken

protected String getRoleIDToken(@Nonnull @NotEmpty
                                String entityID,
                                @Nonnull
                                RoleDescriptor role)

Get a string token for logging/debugging purposes that contains role information and containing entityID.

Parameters:

entityID - the containing entityID

role - the role descriptor

Returns:

the constructed role ID token.

getGroupName

@Nonnull
 @NotEmpty
protected String getGroupName(@Nonnull
                                                  EntitiesDescriptor group)

Get the group's name, or a suitable facsimile if not named.

Parameters:

group - the EntitiesDescriptor

Returns:

a suitable name to use for logging