MetadataCredentialResolver (OpenSAML :: SAML Provider Implementations 3.4.6 API)

java.lang.Object
- org.opensaml.security.credential.impl.AbstractCredentialResolver
- - org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
  - - org.opensaml.saml.security.impl.MetadataCredentialResolver

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.InitializableComponent, net.shibboleth.utilities.java.support.resolver.Resolver<org.opensaml.security.credential.Credential,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, org.opensaml.security.credential.CredentialResolver
```
public class MetadataCredentialResolver
extends AbstractCriteriaFilteringCredentialResolver
implements net.shibboleth.utilities.java.support.component.InitializableComponent
```
A credential resolver capable of resolving credentials from SAML 2 metadata.
Credentials may be resolved either by directly supplying an instance of RoleDescriptor in the input CriteriaSet, or by looking up the role descriptor via a supplied RoleDescriptorResolver.

The following resolution modes and associated Criterion inputs are supported: Direct resolution from a supplied RoleDescriptor:
- RoleDescriptorCriterion - required
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.
Resolution from a metadata source using a RoleDescriptorResolver:
- EntityIdCriterion - required
- EntityRoleCriterion - required
- ProtocolCriterion - optional; if absent, credentials will be resolved from all matching roles, regardless of protocol support.
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.
In order to support resolution from a metadata source using EntityIdCriterion + EntityRoleCriterion, an instance of RoleDescriptorResolver must be supplied. Otherwise it is optional.

An instance of KeyInfoCredentialResolver must always be supplied.

Field Summary

Fields
Modifier and Type	Field and Description
`private boolean`	`isInitialized` Initialization flag.
`private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver`	`keyInfoCredentialResolver` Credential resolver used to resolve credentials from role descriptor KeyInfo elements.
`private Logger`	`log` Class logger.
`private RoleDescriptorResolver`	`roleDescriptorResolver` Metadata RoleDescriptor resolver which is the source of credentials.

Constructor Summary

Constructors
Constructor and Description

MetadataCredentialResolver()

Constructors
Constructor and Description
`MetadataCredentialResolver()`

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`extractCredentials(HashSet<org.opensaml.security.credential.Credential> accumulator, KeyDescriptor keyDescriptor, String entityID, org.opensaml.security.credential.UsageType mdUsage)` Extract the credentials from the specified KeyDescriptor.
`protected org.opensaml.security.credential.UsageType`	`getEffectiveUsageInput(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)` Get the effective `UsageType` input to use.
`org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver`	`getKeyInfoCredentialResolver()` Get the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
`RoleDescriptorResolver`	`getRoleDescriptorResolver()` Get the metadata RoleDescriptor resolver instance used by this resolver.
`protected Iterable<RoleDescriptor>`	`getRoleDescriptors(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol)` Get the list of role descriptors which match the given entityID, role and protocol.
`void`	`initialize()`
`boolean`	`isInitialized()`
`protected boolean`	`matchUsage(org.opensaml.security.credential.UsageType metadataUsage, org.opensaml.security.credential.UsageType criteriaUsage)` Match usage enum type values from entityDescriptorResolver KeyDescriptor and from credential criteria.
`protected void`	`processRoleDescriptor(HashSet<org.opensaml.security.credential.Credential> accumulator, RoleDescriptor roleDescriptor, String entityID, org.opensaml.security.credential.UsageType usage)` Process a RoleDescriptor by examing each of its KeyDescriptors.
`protected Collection<org.opensaml.security.credential.Credential>`	`resolveFromMetadata(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol, org.opensaml.security.credential.UsageType usage)` Resolves credentials using this resolver's configured instance of `RoleDescriptorResolver`.
`protected Collection<org.opensaml.security.credential.Credential>`	`resolveFromRoleDescriptor(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, RoleDescriptor roleDescriptor, org.opensaml.security.credential.UsageType usage)` Resolves credentials using a supplied instance of `RoleDescriptor`.
`protected Iterable<org.opensaml.security.credential.Credential>`	`resolveFromSource(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)`
`void`	`setKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver)` Set the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
`void`	`setRoleDescriptorResolver(RoleDescriptorResolver resolver)` Set the metadata RoleDescriptor resolver instance used by this resolver.

Methods inherited from class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
isSatisfyAllPredicates, resolve, setSatisfyAllPredicates

Methods inherited from class org.opensaml.security.credential.impl.AbstractCredentialResolver
resolveSingle

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- log
```
@Nonnull
private final Logger log
```
  Class logger.
- roleDescriptorResolver
```
@Nullable
private RoleDescriptorResolver roleDescriptorResolver
```
  Metadata RoleDescriptor resolver which is the source of credentials.
- keyInfoCredentialResolver
```
@NonnullAfterInit
private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoCredentialResolver
```
  Credential resolver used to resolve credentials from role descriptor KeyInfo elements.
- isInitialized
```
private boolean isInitialized
```
  Initialization flag.

Constructor Detail
- MetadataCredentialResolver
```
public MetadataCredentialResolver()
```

Method Detail

isInitialized
```
public boolean isInitialized()
```
Specified by:

isInitialized in interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize
```
public void initialize()
                throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
```
Specified by:

initialize in interface net.shibboleth.utilities.java.support.component.InitializableComponent

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException

getRoleDescriptorResolver
```
@Nullable
public RoleDescriptorResolver getRoleDescriptorResolver()
```
Get the metadata RoleDescriptor resolver instance used by this resolver.
This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

Returns:
the resolver's RoleDescriptor metadata resolver instance

setRoleDescriptorResolver
```
public void setRoleDescriptorResolver(@Nullable
                             RoleDescriptorResolver resolver)
```
Set the metadata RoleDescriptor resolver instance used by this resolver.
This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

Parameters:
resolver - the new RoleDescriptorResolver to use

getKeyInfoCredentialResolver
```
@NonnullAfterInit
public org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver getKeyInfoCredentialResolver()
```
Get the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.

Returns:
KeyInfo credential resolver

setKeyInfoCredentialResolver
```
public void setKeyInfoCredentialResolver(@Nonnull
                                org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver)
```
Set the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.

Parameters:
resolver - the new KeyInfoCredentialResolver to use

resolveFromSource

@Nonnull
protected Iterable<org.opensaml.security.credential.Credential> resolveFromSource(@Nonnull
                                                                              net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)
                                                                           throws net.shibboleth.utilities.java.support.resolver.ResolverException

Specified by:: resolveFromSource in class AbstractCriteriaFilteringCredentialResolver
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException

getEffectiveUsageInput

@Nonnull
protected org.opensaml.security.credential.UsageType getEffectiveUsageInput(@Nonnull
                                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)

Get the effective UsageType input to use.

Parameters:: criteriaSet - the criteria set being processed
Returns:: the effective usage value

resolveFromRoleDescriptor

@Nonnull
protected Collection<org.opensaml.security.credential.Credential> resolveFromRoleDescriptor(@Nonnull
                                                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                                        @Nonnull
                                                                                        RoleDescriptor roleDescriptor,
                                                                                        @Nonnull
                                                                                        org.opensaml.security.credential.UsageType usage)
                                                                                     throws net.shibboleth.utilities.java.support.resolver.ResolverException

Resolves credentials using a supplied instance of RoleDescriptor.

Parameters:: criteriaSet - the criteria set being processed; roleDescriptor - the role descriptor being processed; usage - intended usage of resolved credentials
Returns:: the resolved credentials or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

resolveFromMetadata

@Nonnull
protected Collection<org.opensaml.security.credential.Credential> resolveFromMetadata(@Nonnull
                                                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                                                  @Nonnull@NotEmpty
                                                                                  String entityID,
                                                                                  @Nonnull
                                                                                  QName role,
                                                                                  @Nullable
                                                                                  String protocol,
                                                                                  @Nonnull
                                                                                  org.opensaml.security.credential.UsageType usage)
                                                                               throws net.shibboleth.utilities.java.support.resolver.ResolverException

Resolves credentials using this resolver's configured instance of RoleDescriptorResolver.

Parameters:: criteriaSet - the criteria set being processed; entityID - entityID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null); usage - intended usage of resolved credentials
Returns:: the resolved credentials or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

processRoleDescriptor

protected void processRoleDescriptor(@Nonnull
                         HashSet<org.opensaml.security.credential.Credential> accumulator,
                         @Nonnull
                         RoleDescriptor roleDescriptor,
                         @Nullable
                         String entityID,
                         @Nonnull
                         org.opensaml.security.credential.UsageType usage)
                              throws net.shibboleth.utilities.java.support.resolver.ResolverException

Process a RoleDescriptor by examing each of its KeyDescriptors.

Parameters:: accumulator - the set of credentials being accumulated for return to the caller; roleDescriptor - the KeyDescriptor being processed; entityID - the entity ID of the KeyDescriptor being processed; usage - the credential usage type specified as resolve input
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

extractCredentials
```
protected void extractCredentials(@Nonnull
                      HashSet<org.opensaml.security.credential.Credential> accumulator,
                      @Nonnull
                      KeyDescriptor keyDescriptor,
                      @Nullable
                      String entityID,
                      @Nonnull
                      org.opensaml.security.credential.UsageType mdUsage)
                           throws net.shibboleth.utilities.java.support.resolver.ResolverException
```
Extract the credentials from the specified KeyDescriptor. First the credentials are looking up in object metadata cache. If they are not found there, then they will be resolved from the KeyDescriptor's KeyInfo and then cached in the KeyDescriptor's object metadata before returning.

Parameters:
accumulator - the set of credentials being accumulated for return to the caller
keyDescriptor - the KeyDescriptor being processed
entityID - the entity ID of the KeyDescriptor being processed
mdUsage - the effective credential usage type in effect for the resolved credentials

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

matchUsage
```
protected boolean matchUsage(@Nonnull
                 org.opensaml.security.credential.UsageType metadataUsage,
                 @Nonnull
                 org.opensaml.security.credential.UsageType criteriaUsage)
```
Match usage enum type values from entityDescriptorResolver KeyDescriptor and from credential criteria.

Parameters:
metadataUsage - the value from the 'use' attribute of a entityDescriptorResolver KeyDescriptor element
criteriaUsage - the value from credential criteria

Returns:
true if the two usage specifiers match for purposes of resolving credentials, false otherwise

getRoleDescriptors

@Nonnull
protected Iterable<RoleDescriptor> getRoleDescriptors(@Nonnull
                                                  net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                                  @Nonnull
                                                  String entityID,
                                                  @Nonnull
                                                  QName role,
                                                  @Nullable
                                                  String protocol)
                                               throws net.shibboleth.utilities.java.support.resolver.ResolverException

Get the list of role descriptors which match the given entityID, role and protocol.

Parameters:: criteriaSet - criteria set being processed; entityID - entity ID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null)
Returns:: a list of role descriptors matching the given parameters, or null
Throws:: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if there is an error retrieving role descriptors from the entityDescriptorResolver provider

Class MetadataCredentialResolver

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver

Methods inherited from class org.opensaml.security.credential.impl.AbstractCredentialResolver

Methods inherited from class java.lang.Object

Field Detail

log

roleDescriptorResolver

keyInfoCredentialResolver

isInitialized

Constructor Detail

MetadataCredentialResolver

Method Detail

isInitialized

initialize

getRoleDescriptorResolver

setRoleDescriptorResolver

getKeyInfoCredentialResolver

setKeyInfoCredentialResolver