org.opensaml.saml.metadata.resolver.impl

Class AbstractDynamicHTTPMetadataResolver

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractDynamicHTTPMetadataResolver

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.IdentifiableComponent, net.shibboleth.utilities.java.support.component.IdentifiedComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, net.shibboleth.utilities.java.support.resolver.Resolver<EntityDescriptor,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, ClearableMetadataResolver, DynamicMetadataResolver, MetadataResolver

Direct Known Subclasses:

FunctionDrivenDynamicHTTPMetadataResolver

public abstract class AbstractDynamicHTTPMetadataResolver
extends AbstractDynamicMetadataResolver

Abstract subclass for dynamic metadata resolvers that implement metadata resolution based on HTTP requests.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	AbstractDynamicHTTPMetadataResolver.BasicMetadataResponseHandler Basic HttpClient response handler for processing metadata fetch requests.

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver

AbstractDynamicMetadataResolver.BackingStoreCleanupSweeper, AbstractDynamicMetadataResolver.DefaultCacheKeyGenerator, AbstractDynamicMetadataResolver.DynamicEntityBackingStore, AbstractDynamicMetadataResolver.EntityManagementData, AbstractDynamicMetadataResolver.PersistentCacheInitializationMetrics

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

AbstractMetadataResolver.EntityBackingStore

Field Summary

Fields

Modifier and Type	Field and Description
private CredentialsProvider	credentialsProvider Deprecated. use httpClientSecurityParameters.
static String[]	DEFAULT_CONTENT_TYPES Default list of supported content MIME types.
private HttpClient	httpClient HTTP Client used to pull the metadata.
private org.opensaml.security.httpclient.HttpClientSecurityParameters	httpClientSecurityParameters Optional HttpClient security parameters.
private Logger	log Class logger.
static String	MDC_ATTRIB_CURRENT_REQUEST_URI MDC attribute representing the current request URI.
private ResponseHandler<org.opensaml.core.xml.XMLObject>	responseHandler HttpClient ResponseHandler instance to use.
private List<String>	supportedContentTypes List of supported MIME types for use in Accept request header and validation of response Content-Type header.
private String	supportedContentTypesValue Generated Accept request header value.
private Set<com.google.common.net.MediaType>	supportedMediaTypes Supported MediaType instances, constructed from the supportedContentTypes list.
private org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential>	tlsTrustEngine Deprecated. use httpClientSecurityParameters.

Fields inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver

METRIC_GAUGE_NUM_LIVE_ENTITYIDS, METRIC_GAUGE_PERSISTENT_CACHE_INIT, METRIC_RATIOGAUGE_FETCH_TO_RESOLVE, METRIC_TIMER_FETCH_FROM_ORIGIN_SOURCE, METRIC_TIMER_RESOLVE

Constructor Summary

Constructors

Constructor and Description
AbstractDynamicHTTPMetadataResolver(HttpClient client) Constructor.
AbstractDynamicHTTPMetadataResolver(Timer backgroundTaskTimer, HttpClient client) Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected HttpClientContext	buildHttpClientContext() Deprecated. use buildHttpClientContext(HttpUriRequest)
protected HttpClientContext	buildHttpClientContext(HttpUriRequest request) Build the HttpClientContext instance which will be used to invoke the HttpClient request.
protected HttpUriRequest	buildHttpRequest(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Build an appropriate instance of HttpUriRequest based on the input criteria set.
protected abstract String	buildRequestURL(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Build the request URL based on the input criteria set.
protected void	checkTLSCredentialTrusted(HttpClientContext context, HttpUriRequest request) Deprecated. use HttpClientSecuritySupport.checkTLSCredentialEvaluated(HttpClientContext, String)
protected void	doDestroy()
protected org.opensaml.core.xml.XMLObject	fetchFromOriginSource(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria) Fetch the metadata from the origin source.
protected org.opensaml.security.httpclient.HttpClientSecurityParameters	getHttpClientSecurityParameters() Get the instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.
List<String>	getSupportedContentTypes() Get the list of supported MIME types for use in Accept request header and validation of response Content-Type header.
protected Set<com.google.common.net.MediaType>	getSupportedMediaTypes() Get the list of supported MIME MediaType instances used in validation of the response Content-Type header.
protected void	initMetadataResolver() Subclasses should override this method to perform any initialization logic necessary.
void	setBasicCredentials(UsernamePasswordCredentials credentials) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)
void	setBasicCredentialsWithScope(UsernamePasswordCredentials credentials, AuthScope scope) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)
void	setCredentialsProvider(CredentialsProvider provider) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)
void	setHttpClientSecurityParameters(org.opensaml.security.httpclient.HttpClientSecurityParameters params) Set an instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.
void	setSupportedContentTypes(List<String> types) Set the list of supported MIME types for use in Accept request header and validation of response Content-Type header.
void	setTLSTrustEngine(org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> engine) Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractDynamicMetadataResolver

clear, clear, computeExpirationTime, computeRefreshTriggerTime, createNewBackingStore, getBackgroundInitializationFromCacheDelay, getBackingStore, getCleanupTaskInterval, getExpirationWarningThreshold, getIndexes, getInitializationFromCachePredicate, getMaxCacheDuration, getMaxIdleEntityData, getMetricsBaseName, getMinCacheDuration, getNegativeLookupCacheDuration, getPersistentCacheKeyGenerator, getPersistentCacheManager, getRefreshDelayFactor, indexEntityDescriptor, indexesEnabled, initializeFromPersistentCache, isInitializeFromPersistentCacheInBackground, isPersistentCachingEnabled, isRemoveIdleEntityData, lookupCriteria, lookupEntityID, prepareForFiltering, preProcessEntityDescriptor, processNewMetadata, processNewMetadata, processNonEntityIDFetchedEntittiesDescriptor, processNonEntityIDFetchedEntityDescriptor, processPersistentCacheEntry, removeByEntityID, resolve, resolveEntityID, resolveEntityIDs, resolveFromOriginSource, resolveFromOriginSource, resolveFromOriginSourceWithEntityID, resolveFromOriginSourceWithoutEntityID, setBackgroundInitializationFromCacheDelay, setCleanupTaskInterval, setExpirationWarningThreshold, setIndexes, setInitializationFromCachePredicate, setInitializeFromPersistentCacheInBackground, setMaxCacheDuration, setMaxIdleEntityData, setMetricsBaseName, setMinCacheDuration, setNegativeLookupCacheDuration, setPersistentCacheKeyGenerator, setPersistentCacheManager, setRefreshDelayFactor, setRemoveIdleEntityData, shouldAttemptRefresh

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

doInitialize, filterMetadata, getCriterionPredicateRegistry, getLogPrefix, getMetadataFilter, getParserPool, getUnmarshallerFactory, isFailFastInitialization, isRequireValidMetadata, isSatisfyAnyPredicates, isUseDefaultPredicateRegistry, isValid, lookupIndexedEntityID, predicateFilterCandidates, preProcessEntitiesDescriptor, releaseMetadataDOM, resolveSingle, setBackingStore, setCriterionPredicateRegistry, setFailFastInitialization, setMetadataFilter, setParserPool, setRequireValidMetadata, setSatisfyAnyPredicates, setUseDefaultPredicateRegistry, unmarshallMetadata

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.opensaml.saml.metadata.resolver.MetadataResolver

getMetadataFilter, isRequireValidMetadata, setMetadataFilter, setRequireValidMetadata

Methods inherited from interface net.shibboleth.utilities.java.support.resolver.Resolver

resolveSingle

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Field Detail

DEFAULT_CONTENT_TYPES

public static final String[] DEFAULT_CONTENT_TYPES

Default list of supported content MIME types.

MDC_ATTRIB_CURRENT_REQUEST_URI

public static final String MDC_ATTRIB_CURRENT_REQUEST_URI

MDC attribute representing the current request URI. Will be available during the execution of the configured ResponseHandler.

log

@Nonnull
private final Logger log

Class logger.

httpClient

@Nonnull
private HttpClient httpClient

HTTP Client used to pull the metadata.

supportedContentTypes

@NonnullAfterInit
private List<String> supportedContentTypes

List of supported MIME types for use in Accept request header and validation of response Content-Type header.

supportedContentTypesValue

@NonnullAfterInit
private String supportedContentTypesValue

Generated Accept request header value.

supportedMediaTypes

@NonnullAfterInit
private Set<com.google.common.net.MediaType> supportedMediaTypes

Supported MediaType instances, constructed from the supportedContentTypes list.

responseHandler

@Nonnull
private ResponseHandler<org.opensaml.core.xml.XMLObject> responseHandler

HttpClient ResponseHandler instance to use.

credentialsProvider

@Nullable
private CredentialsProvider credentialsProvider

Deprecated. use httpClientSecurityParameters.

HttpClient credentials provider.

tlsTrustEngine

@Nullable
private org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> tlsTrustEngine

Deprecated. use httpClientSecurityParameters.

Optional trust engine used in evaluating server TLS credentials.

httpClientSecurityParameters

@Nullable
private org.opensaml.security.httpclient.HttpClientSecurityParameters httpClientSecurityParameters

Optional HttpClient security parameters.

Constructor Detail

AbstractDynamicHTTPMetadataResolver

public AbstractDynamicHTTPMetadataResolver(@Nonnull
                                   HttpClient client)

Constructor.

Parameters:

client - the instance of HttpClient used to fetch remote metadata

AbstractDynamicHTTPMetadataResolver

public AbstractDynamicHTTPMetadataResolver(@Nullable
                                   Timer backgroundTaskTimer,
                                   @Nonnull
                                   HttpClient client)

Constructor.

Parameters:

backgroundTaskTimer - the Timer instance used to run resolver background managment tasks

client - the instance of HttpClient used to fetch remote metadata

Method Detail

setTLSTrustEngine

public void setTLSTrustEngine(@Nullable
                     org.opensaml.security.trust.TrustEngine<? super org.opensaml.security.x509.X509Credential> engine)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Sets the optional trust engine used in evaluating server TLS credentials.

See TLS socket factory requirements documented for setHttpClientSecurityParameters(HttpClientSecurityParameters).

Parameters:

engine - the trust engine instance to use

setCredentialsProvider

public void setCredentialsProvider(@Nullable
                          CredentialsProvider provider)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

Set an instance of CredentialsProvider used for authentication by the HttpClient instance.

Parameters:

provider - the credentials provider

setBasicCredentials

public void setBasicCredentials(@Nullable
                       UsernamePasswordCredentials credentials)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

A convenience method to set a (single) username and password used to access metadata. To disable BASIC authentication pass null for the credentials instance.

An AuthScope will be generated which specifies any host, port, scheme and realm.

To specify multiple usernames and passwords for multiple host, port, scheme, and realm combinations, instead provide an instance of CredentialsProvider via setCredentialsProvider(CredentialsProvider).

Parameters:

credentials - the username and password credentials

setBasicCredentialsWithScope

public void setBasicCredentialsWithScope(@Nullable
                                UsernamePasswordCredentials credentials,
                                @Nullable
                                AuthScope scope)

Deprecated. use setHttpClientSecurityParameters(HttpClientSecurityParameters)

A convenience method to set a (single) username and password used to access metadata. To disable BASIC authentication pass null for the credentials instance.

If the authScope is null, an AuthScope will be generated which specifies any host, port, scheme and realm.

To specify multiple usernames and passwords for multiple host, port, scheme, and realm combinations, instead provide an instance of CredentialsProvider via setCredentialsProvider(CredentialsProvider).

Parameters:

credentials - the username and password credentials

scope - the HTTP client auth scope with which to scope the credentials, may be null

getHttpClientSecurityParameters

@Nullable
protected org.opensaml.security.httpclient.HttpClientSecurityParameters getHttpClientSecurityParameters()

Get the instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.

Returns:

the parameters instance, or null

setHttpClientSecurityParameters

public void setHttpClientSecurityParameters(@Nullable
                                   org.opensaml.security.httpclient.HttpClientSecurityParameters params)

Set an instance of HttpClientSecurityParameters which provides various parameters to influence the security behavior of the HttpClient instance.

For all TLS-related parameters, must be used in conjunction with an HttpClient instance which is configured with either a:

• a net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory
• SecurityEnhancedTLSSocketFactory which wraps an instance of net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory, with the latter likely configured in a "no trust" configuration. This variant is required if either a trust engine or a client TLS credential is to be used.
For convenience methods for building a net.shibboleth.utilities.java.support.httpclient.TLSSocketFactory, see net.shibboleth.utilities.java.support.httpclient.HttpClientSupport.

If the appropriate TLS socket factory is not configured and a trust engine is specified, then this will result in no TLS trust evaluation being performed and a ResolverException will ultimately be thrown.

Parameters:

params - the security parameters

getSupportedMediaTypes

@NonnullAfterInit
@NotLive
@Unmodifiable
protected Set<com.google.common.net.MediaType> getSupportedMediaTypes()

Get the list of supported MIME MediaType instances used in validation of the response Content-Type header.

Is generated at init time from getSupportedContentTypes().

Returns:

the supported content types

getSupportedContentTypes

@NonnullAfterInit
@NotLive
@Unmodifiable
public List<String> getSupportedContentTypes()

Get the list of supported MIME types for use in Accept request header and validation of response Content-Type header.

Returns:

the supported content types

setSupportedContentTypes

public void setSupportedContentTypes(@Nullable
                            List<String> types)

Set the list of supported MIME types for use in Accept request header and validation of response Content-Type header. Values will be effectively lower-cased at runtime.

Parameters:

types - the new supported content types to set

initMetadataResolver

protected void initMetadataResolver()
                             throws net.shibboleth.utilities.java.support.component.ComponentInitializationException

Subclasses should override this method to perform any initialization logic necessary. Default implementation is a no-op.

Overrides:

initMetadataResolver in class AbstractDynamicMetadataResolver

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException - thrown if there is a problem initializing the provider

doDestroy

protected void doDestroy()

Overrides:

doDestroy in class AbstractDynamicMetadataResolver

fetchFromOriginSource

@Nullable
protected org.opensaml.core.xml.XMLObject fetchFromOriginSource(@Nonnull
                                                             net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)
                                                         throws IOException

Fetch the metadata from the origin source.

Specified by:

fetchFromOriginSource in class AbstractDynamicMetadataResolver

Parameters:

criteria - the input criteria set

Returns:

the resolved metadata root XMLObject, or null if metadata could not be fetched

Throws:

IOException - if there is a fatal error fetching metadata from the origin source

checkTLSCredentialTrusted

@Deprecated
protected void checkTLSCredentialTrusted(HttpClientContext context,
                                        HttpUriRequest request)
                                  throws SSLPeerUnverifiedException

Deprecated. use HttpClientSecuritySupport.checkTLSCredentialEvaluated(HttpClientContext, String)

Check that trust engine evaluation of the server TLS credential was actually performed.

Parameters:

context - the current HTTP context instance in use

request - the HTTP URI request

Throws:

SSLPeerUnverifiedException - thrown if the TLS credential was not actually evaluated by the trust engine

buildHttpRequest

@Nullable
protected HttpUriRequest buildHttpRequest(@Nonnull
                                       net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Build an appropriate instance of HttpUriRequest based on the input criteria set.

Parameters:

criteria - the input criteria set

Returns:

the newly constructed request, or null if it can not be built from the supplied criteria

buildRequestURL

@Nullable
protected abstract String buildRequestURL(@Nonnull
                              net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria)

Build the request URL based on the input criteria set.

Parameters:

criteria - the input criteria set

Returns:

the request URL, or null if it can not be built based on the supplied criteria

buildHttpClientContext

protected HttpClientContext buildHttpClientContext()

Deprecated. use buildHttpClientContext(HttpUriRequest)

Build the HttpClientContext instance which will be used to invoke the HttpClient request.

Returns:

a new instance of HttpClientContext

buildHttpClientContext

protected HttpClientContext buildHttpClientContext(@Nullable
                                       HttpUriRequest request)

Build the HttpClientContext instance which will be used to invoke the HttpClient request.

Parameters:

request - the current HTTP request

Returns:

a new instance of HttpClientContext