org.opensaml.saml.metadata.resolver.impl

Class HTTPMetadataResolver

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver

org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver

All Implemented Interfaces:

Iterable<EntityDescriptor>, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent, Resolver<EntityDescriptor,CriteriaSet>, IterableMetadataSource, BatchMetadataResolver, ExtendedBatchMetadataResolver, ExtendedRefreshableMetadataResolver, MetadataResolver, RefreshableMetadataResolver

Direct Known Subclasses:

FileBackedHTTPMetadataResolver

public class HTTPMetadataResolver
extends AbstractReloadingMetadataResolver

A metadata provider that pulls metadata using an HTTP GET. Metadata is cached until one of these criteria is met:

• The smallest cacheDuration within the metadata is exceeded
• The earliest validUntil time within the metadata is exceeded
• The maximum cache duration is exceeded

Metadata is filtered prior to determining the cache expiration data. This allows a filter to remove XMLObjects that may effect the cache duration but for which the user of this provider does not care about. It is the responsibility of the caller to re-initialize, via AbstractInitializableComponent.initialize(), if any properties of this provider are changed.

Nested Class Summary

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

AbstractBatchMetadataResolver.BatchEntityBackingStore

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

AbstractMetadataResolver.EntityBackingStore

Field Summary

Fields

Modifier and Type	Field and Description
private String	cachedMetadataETag The ETag provided when the currently cached metadata was fetched.
private String	cachedMetadataLastModified The Last-Modified information provided when the currently cached metadata was fetched.
private BasicCredentialsProvider	credentialsProvider Deprecated. use httpClientSecurityParameters.
private HttpClient	httpClient HTTP Client used to pull the metadata.
private org.opensaml.security.httpclient.HttpClientSecurityParameters	httpClientSecurityParameters Optional HttpClient security parameters.
private org.slf4j.Logger	log Class logger.
private URI	metadataURI URL to the Metadata.
private org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential>	tlsTrustEngine Deprecated. use httpClientSecurityParameters.

Constructor Summary

Constructors

Constructor and Description
HTTPMetadataResolver(HttpClient client, String metadataURL) Constructor.
HTTPMetadataResolver(Timer backgroundTaskTimer, HttpClient client, String metadataURL) Constructor.

Method Summary

Modifier and Type	Method and Description
protected HttpClientContext	buildHttpClientContext() Deprecated. use buildHttpClientContext(HttpUriRequest)
protected HttpClientContext	buildHttpClientContext(HttpUriRequest request) Build the HttpClientContext instance which will be used to invoke the HttpClient request.
protected HttpGet	buildHttpGet() Builds the HttpGet instance used to fetch the metadata.
protected void	checkTLSCredentialTrusted(HttpClientContext context) Deprecated. use HttpClientSecuritySupport.checkTLSCredentialEvaluated(HttpClientContext, String)
protected void	doDestroy()
protected byte[]	fetchMetadata() Gets the metadata document from the remote server.
protected org.opensaml.security.httpclient.HttpClientSecurityParameters	getHttpClientSecurityParameters() Get the instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.
protected byte[]	getMetadataBytesFromResponse(org.apache.http.HttpResponse response) Extracts the raw metadata bytes from the response taking in to account possible deflate and GZip compression.
protected String	getMetadataIdentifier() Gets an identifier which may be used to distinguish this metadata in logging statements.
String	getMetadataURI() Gets the URL to fetch the metadata.
protected void	processConditionalRetrievalHeaders(org.apache.http.HttpResponse response) Records the ETag and Last-Modified headers, from the response, if they are present.
void	setBasicCredentials(UsernamePasswordCredentials credentials) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)
void	setBasicCredentialsWithScope(UsernamePasswordCredentials credentials, AuthScope scope) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)
void	setHttpClientSecurityParameters(org.opensaml.security.httpclient.HttpClientSecurityParameters params) Set an instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.
void	setTLSTrustEngine(org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> engine) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver

computeNextRefreshDelay, getExpirationTime, getExpirationWarningThreshold, getLastRefresh, getLastSuccessfulRefresh, getLastUpdate, getMaxRefreshDelay, getMinRefreshDelay, getNextRefresh, getRefreshDelayFactor, initMetadataResolver, inputstreamToByteArray, postProcessMetadata, processCachedMetadata, processNewMetadata, processNonExpiredMetadata, processPreExpiredMetadata, refresh, setCacheSourceMetadata, setExpirationWarningThreshold, setMaxRefreshDelay, setMinRefreshDelay, setRefreshDelayFactor, unmarshallMetadata, wasLastRefreshSuccess

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

createNewBackingStore, getBackingStore, getCachedFilteredMetadata, getCachedOriginalMetadata, getIndexes, getRootValidUntil, indexEntityDescriptor, isCacheSourceMetadata, isResolveViaPredicatesOnly, isRootValid, iterator, lookupByIndexes, preProcessNewMetadata, resolve, setIndexes, setResolveViaPredicatesOnly

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

doInitialize, filterMetadata, getCriterionPredicateRegistry, getLogPrefix, getMetadataFilter, getParserPool, getUnmarshallerFactory, isFailFastInitialization, isRequireValidMetadata, isSatisfyAnyPredicates, isUseDefaultPredicateRegistry, isValid, lookupEntityID, lookupIndexedEntityID, predicateFilterCandidates, preProcessEntitiesDescriptor, preProcessEntityDescriptor, releaseMetadataDOM, removeByEntityID, resolveSingle, setBackingStore, setCriterionPredicateRegistry, setFailFastInitialization, setMetadataFilter, setParserPool, setRequireValidMetadata, setSatisfyAnyPredicates, setUseDefaultPredicateRegistry, unmarshallMetadata

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.opensaml.saml.metadata.resolver.MetadataResolver

getMetadataFilter, isRequireValidMetadata, setMetadataFilter, setRequireValidMetadata

Methods inherited from interface net.shibboleth.utilities.java.support.resolver.Resolver

resolve, resolveSingle

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Methods inherited from interface java.lang.Iterable

forEach, spliterator

Field Detail

log

private final org.slf4j.Logger log

Class logger.

httpClient

private HttpClient httpClient

HTTP Client used to pull the metadata.

metadataURI

private URI metadataURI

URL to the Metadata.

cachedMetadataETag

private String cachedMetadataETag

The ETag provided when the currently cached metadata was fetched.

cachedMetadataLastModified

private String cachedMetadataLastModified

The Last-Modified information provided when the currently cached metadata was fetched.

credentialsProvider

@Nullable
private BasicCredentialsProvider credentialsProvider

Deprecated. use httpClientSecurityParameters.

HttpClient credentials provider.

tlsTrustEngine

@Nullable
private org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> tlsTrustEngine

Deprecated. use httpClientSecurityParameters.

Optional trust engine used in evaluating server TLS credentials.

httpClientSecurityParameters

@Nullable
private org.opensaml.security.httpclient.HttpClientSecurityParameters httpClientSecurityParameters

Optional HttpClient security parameters.

Constructor Detail

HTTPMetadataResolver

public HTTPMetadataResolver(HttpClient client,
                            String metadataURL)
                     throws ResolverException

Constructor.

Parameters:

client - HTTP client used to pull in remote metadata

metadataURL - URL to the remove remote metadata

Throws:

ResolverException - thrown if the HTTP client is null or the metadata URL provided is invalid

HTTPMetadataResolver

public HTTPMetadataResolver(Timer backgroundTaskTimer,
                            HttpClient client,
                            String metadataURL)
                     throws ResolverException

Constructor.

Parameters:

backgroundTaskTimer - timer used to schedule background metadata refresh tasks

client - HTTP client used to pull in remote metadata

metadataURL - URL to the remove remote metadata

Throws:

ResolverException - thrown if the HTTP client is null or the metadata URL provided is invalid

Method Detail

getMetadataURI

public String getMetadataURI()

Gets the URL to fetch the metadata.

Returns:

the URL to fetch the metadata

setTLSTrustEngine

public void setTLSTrustEngine(@Nullable
                              org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> engine)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Sets the optional trust engine used in evaluating server TLS credentials.

See TLS socket factory requirements documented for setHttpClientSecurityParameters(HttpClientSecurityParameters).

Parameters:

engine - the trust engine instance to use

setBasicCredentials

public void setBasicCredentials(@Nullable
                                UsernamePasswordCredentials credentials)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Sets the username and password used to access the metadata URL. To disable BASIC authentication pass null for the credentials instance. An AuthScope will be generated based off the metadata URI's hostname and port.

Parameters:

credentials - the username and password credentials

setBasicCredentialsWithScope

public void setBasicCredentialsWithScope(@Nullable
                                         UsernamePasswordCredentials credentials,
                                         @Nullable
                                         AuthScope scope)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Sets the username and password used to access the metadata URL. To disable BASIC authentication pass null for the credentials instance.

If the authScope is null, an AuthScope will be generated based off the metadata URI's hostname and port.

Parameters:

credentials - the username and password credentials

scope - the HTTP client auth scope with which to scope the credentials, may be null

getHttpClientSecurityParameters

@Nullable
protected org.opensaml.security.httpclient.HttpClientSecurityParameters getHttpClientSecurityParameters()

Get the instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.

Returns:

the parameters instance, or null

setHttpClientSecurityParameters

public void setHttpClientSecurityParameters(@Nullable
                                            org.opensaml.security.httpclient.HttpClientSecurityParameters params)

Set an instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.

For all TLS-related parameters, must be used in conjunction with an HttpClient instance which is configured with either a:

• a TLSSocketFactory
• SecurityEnhancedTLSSocketFactory which wraps an instance of TLSSocketFactory, with the latter likely configured in a "no trust" configuration. This variant is required if either a trust engine or a client TLS credential is to be used.
For convenience methods for building a TLSSocketFactory, see HttpClientSupport.

If the appropriate TLS socket factory is not configured and a trust engine is specified, then this will result in no TLS trust evaluation being performed and a ResolverException will ultimately be thrown.

Parameters:

params - the security parameters

doDestroy

protected void doDestroy()

Overrides:

doDestroy in class AbstractReloadingMetadataResolver

getMetadataIdentifier

protected String getMetadataIdentifier()

Gets an identifier which may be used to distinguish this metadata in logging statements.

Specified by:

getMetadataIdentifier in class AbstractReloadingMetadataResolver

Returns:

identifier which may be used to distinguish this metadata in logging statements

fetchMetadata

protected byte[] fetchMetadata()
                        throws ResolverException

Gets the metadata document from the remote server.

Specified by:

fetchMetadata in class AbstractReloadingMetadataResolver

Returns:

the metadata from remote server, or null if the metadata document has not changed since the last retrieval

Throws:

ResolverException - thrown if there is a problem retrieving the metadata from the remote server

checkTLSCredentialTrusted

@Deprecated
protected void checkTLSCredentialTrusted(HttpClientContext context)
                                              throws SSLPeerUnverifiedException

Deprecated. use HttpClientSecuritySupport.checkTLSCredentialEvaluated(HttpClientContext, String)

Check that trust engine evaluation of the server TLS credential was actually performed.

Parameters:

context - the current HTTP context instance in use

Throws:

SSLPeerUnverifiedException - thrown if the TLS credential was not actually evaluated by the trust engine

buildHttpGet

protected HttpGet buildHttpGet()

Builds the HttpGet instance used to fetch the metadata. The returned method advertises support for GZIP and deflate compression, enables conditional GETs if the cached metadata came with either an ETag or Last-Modified information, and sets up basic authentication if such is configured.

Returns:

the constructed HttpGet instance

buildHttpClientContext

protected HttpClientContext buildHttpClientContext()

Deprecated. use buildHttpClientContext(HttpUriRequest)

Build the HttpClientContext instance which will be used to invoke the HttpClient request.

Returns:

a new instance of HttpClientContext

buildHttpClientContext

protected HttpClientContext buildHttpClientContext(@Nullable
                                                   HttpUriRequest request)

Build the HttpClientContext instance which will be used to invoke the HttpClient request.

Parameters:

request - the current HTTP request

Returns:

a new instance of HttpClientContext

processConditionalRetrievalHeaders

protected void processConditionalRetrievalHeaders(org.apache.http.HttpResponse response)

Records the ETag and Last-Modified headers, from the response, if they are present.

Parameters:

response - GetMethod containing a valid HTTP response

getMetadataBytesFromResponse

protected byte[] getMetadataBytesFromResponse(org.apache.http.HttpResponse response)
                                       throws ResolverException

Extracts the raw metadata bytes from the response taking in to account possible deflate and GZip compression.

Parameters:

response - GetMethod containing a valid HTTP response

Returns:

the raw metadata bytes

Throws:

ResolverException - thrown if there is a problem getting the raw metadata bytes from the response