edu.internet2.middleware.shibboleth.idp.profile

クラス AbstractSAMLProfileHandler

java.lang.Object

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<HTTPInTransport,HTTPOutTransport>

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

すべての実装されたインタフェース:

ProfileHandler<HTTPInTransport,HTTPOutTransport>

直系の既知のサブクラス:

AbstractSAML1ProfileHandler, AbstractSAML2ProfileHandler

public abstract class AbstractSAMLProfileHandler
extends AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

Base class for SAML profile handlers.

コンストラクタの概要

コンストラクタ

修飾子	コンストラクタと説明
protected	AbstractSAMLProfileHandler() Constructor.

メソッドの概要

メソッド

修飾子とタイプ	メソッドと説明
protected void	encodeResponse(BaseSAMLProfileRequestContext requestContext) Encodes the request's SAML response and writes it to the servlet response.
protected void	filterNameIDAttributesByFormats(Collection<BaseAttribute<?>> attributes, Collection<String> acceptableFormats) Filters a collection of attributes removing those attributes that can not be encoded in to a name identifier of an acceptable format.
protected <T extends SAMLNameIdentifierEncoder> void	filterNameIDAttributesByProtocol(Collection<BaseAttribute<?>> attributes, Class<T> nameIdEncoderType) Filters a collection of attributes removing those attributes which do not have an associated encoder of a given type.
protected org.slf4j.Logger	getAduitLog() 推奨されていません。 Gets the audit log for this handler.
protected org.slf4j.Logger	getAuditLog() Gets the audit log for this handler.
protected List<String>	getEntitySupportedFormats(RoleDescriptor role) Gets the list of name identifier formats supported for a given role.
IdentifierGenerator	getIdGenerator() Gets an ID generator which may be used for SAML assertions, requests, etc.
String	getInboundBinding() Gets the SAML message binding used by inbound messages.
protected SAMLMessageDecoder	getInboundMessageDecoder(BaseSAMLProfileRequestContext requestContext) Get the inbound message decoder to use.
Map<String,SAMLMessageDecoder>	getMessageDecoders() Gets all the SAML message decoders configured for the IdP indexed by SAML binding URI.
Map<String,SAMLMessageEncoder>	getMessageEncoders() Gets all the SAML message encoders configured for the IdP indexed by SAML binding URI.
MetadataCredentialResolver	getMetadataCredentialResolver() A convenience method for obtaining a metadata credential resolver for the current metadata provider.
MetadataProvider	getMetadataProvider() A convenience method for retrieving the SAML metadata provider from the relying party manager.
protected SAMLMessageEncoder	getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext) Get the outbound message encoder to use.
RelyingPartyConfiguration	getRelyingPartyConfiguration(String relyingPartyId) Gets the relying party configuration for the given entity.
protected String	getRequiredNameIDFormat(BaseSAMLProfileRequestContext requestContext) Gets the name identifier format required to be sent back to the relying party.
SecurityPolicyResolver	getSecurityPolicyResolver() Gets the resolver used to determine active security policy for an incoming request.
protected List<String>	getSupportedNameFormats(BaseSAMLProfileRequestContext requestContext) Gets the name identifier formats to use when creating identifiers for the relying party.
List<String>	getSupportedOutboundBindings() Gets the SAML message bindings that may be used by outbound messages.
protected Session	getUserSession(InTransport inTransport) Gets the user's session, if there is one.
protected Session	getUserSession(String principalName) Gets the user's session based on their principal name.
protected boolean	isSignResponse(BaseSAMLProfileRequestContext requestContext) Determine whether responses should be signed.
protected void	populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information about the asserting party.
protected void	populateProfileInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with the information about the profile.
protected void	populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information about the relying party.
protected void	populateRequestContext(BaseSAMLProfileRequestContext requestContext) Populates the request context with information.
protected abstract void	populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with information from the inbound SAML message.
protected abstract void	populateUserInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with the information about the user if they have an existing session.
protected abstract Endpoint	selectEndpoint(BaseSAMLProfileRequestContext requestContext) Selects the appropriate endpoint for the relying party and stores it in the request context.
protected <T extends SAMLNameIdentifierEncoder> Pair<BaseAttribute,T>	selectNameIDAttributeAndEncoder(Class<T> nameIdEncoderType, BaseSAMLProfileRequestContext requestContext) Attempts to select the most fitting name identifier attribute, and associated encoder, for a request.
protected <T extends SAMLNameIdentifierEncoder> Pair<BaseAttribute,T>	selectNameIDAttributeAndEncoder(Collection<BaseAttribute<?>> attributes, Class<T> nameIdEncoderType, String[] formatPrecedence) Selects a name identifier attribute from a collection of attributes.
void	setIdGenerator(IdentifierGenerator generator) Gets an ID generator which may be used for SAML assertions, requests, etc.
void	setInboundBinding(String binding) Sets the SAML message binding used by inbound messages.
void	setMessageDecoders(Map<String,SAMLMessageDecoder> decoders) Sets all the SAML message decoders configured for the IdP indexed by SAML binding URI.
void	setMessageEncoders(Map<String,SAMLMessageEncoder> encoders) Sets all the SAML message encoders configured for the IdP indexed by SAML binding URI.
void	setSecurityPolicyResolver(SecurityPolicyResolver resolver) Sets the resolver used to determine active security policy for an incoming request.
void	setSupportedOutboundBindings(List<String> bindings) Sets the SAML message bindings that may be used by outbound messages.
protected void	writeAuditLogEntry(BaseSAMLProfileRequestContext context) Writes an audit log entry indicating the successful response to the attribute request.

クラスから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler

getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, getStorageService, setParserPool, setRelyingPartyConfigurationManager, setSessionManager, setStorageService

クラスから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler

getRequestPaths, setRequestPaths

クラスから継承されたメソッド java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

インタフェースから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.ProfileHandler

processRequest

コンストラクタの詳細

AbstractSAMLProfileHandler

protected AbstractSAMLProfileHandler()

Constructor.

メソッドの詳細

getSecurityPolicyResolver

public SecurityPolicyResolver getSecurityPolicyResolver()

Gets the resolver used to determine active security policy for an incoming request.

戻り値:

resolver used to determine active security policy for an incoming request

setSecurityPolicyResolver

public void setSecurityPolicyResolver(SecurityPolicyResolver resolver)

Sets the resolver used to determine active security policy for an incoming request.

パラメータ:

resolver - resolver used to determine active security policy for an incoming request

getAduitLog

protected org.slf4j.Logger getAduitLog()

推奨されていません。 Gets the audit log for this handler.

戻り値:

audit log for this handler

getAuditLog

protected org.slf4j.Logger getAuditLog()

Gets the audit log for this handler.

戻り値:

audit log for this handler

getIdGenerator

public IdentifierGenerator getIdGenerator()

Gets an ID generator which may be used for SAML assertions, requests, etc.

戻り値:

ID generator

getInboundBinding

public String getInboundBinding()

Gets the SAML message binding used by inbound messages.

戻り値:

SAML message binding used by inbound messages

getMessageDecoders

public Map<String,SAMLMessageDecoder> getMessageDecoders()

Gets all the SAML message decoders configured for the IdP indexed by SAML binding URI.

戻り値:

SAML message decoders configured for the IdP indexed by SAML binding URI

getMessageEncoders

public Map<String,SAMLMessageEncoder> getMessageEncoders()

Gets all the SAML message encoders configured for the IdP indexed by SAML binding URI.

戻り値:

SAML message encoders configured for the IdP indexed by SAML binding URI

getMetadataProvider

public MetadataProvider getMetadataProvider()

A convenience method for retrieving the SAML metadata provider from the relying party manager.

戻り値:

the metadata provider or null

getMetadataCredentialResolver

public MetadataCredentialResolver getMetadataCredentialResolver()

A convenience method for obtaining a metadata credential resolver for the current metadata provider.

戻り値:

the metadata credential resolver or null

getSupportedOutboundBindings

public List<String> getSupportedOutboundBindings()

Gets the SAML message bindings that may be used by outbound messages.

戻り値:

SAML message bindings that may be used by outbound messages

getUserSession

protected Session getUserSession(InTransport inTransport)

Gets the user's session, if there is one.

パラメータ:

inTransport - current inbound transport

戻り値:

user's session

getUserSession

protected Session getUserSession(String principalName)

Gets the user's session based on their principal name.

パラメータ:

principalName - user's principal name

戻り値:

the user's session

setIdGenerator

public void setIdGenerator(IdentifierGenerator generator)

Gets an ID generator which may be used for SAML assertions, requests, etc.

パラメータ:

generator - an ID generator which may be used for SAML assertions, requests, etc

setInboundBinding

public void setInboundBinding(String binding)

Sets the SAML message binding used by inbound messages.

パラメータ:

binding - SAML message binding used by inbound messages

setMessageDecoders

public void setMessageDecoders(Map<String,SAMLMessageDecoder> decoders)

Sets all the SAML message decoders configured for the IdP indexed by SAML binding URI.

パラメータ:

decoders - SAML message decoders configured for the IdP indexed by SAML binding URI

setMessageEncoders

public void setMessageEncoders(Map<String,SAMLMessageEncoder> encoders)

Sets all the SAML message encoders configured for the IdP indexed by SAML binding URI.

パラメータ:

encoders - SAML message encoders configured for the IdP indexed by SAML binding URI

setSupportedOutboundBindings

public void setSupportedOutboundBindings(List<String> bindings)

Sets the SAML message bindings that may be used by outbound messages.

パラメータ:

bindings - SAML message bindings that may be used by outbound messages

getRelyingPartyConfiguration

public RelyingPartyConfiguration getRelyingPartyConfiguration(String relyingPartyId)

Gets the relying party configuration for the given entity. This is only a convenience method and is equivalent to retrieving the relying party configuration by invoking AbstractShibbolethProfileHandler.getRelyingPartyConfigurationManager() and then invoking RelyingPartyConfigurationManager.getRelyingPartyConfiguration(String).

オーバーライド:

getRelyingPartyConfiguration クラス内 AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

パラメータ:

relyingPartyId - ID of the relying party

戻り値:

the relying party configuration or null

populateRequestContext

protected void populateRequestContext(BaseSAMLProfileRequestContext requestContext)
                               throws ProfileException

Populates the request context with information. This method requires the the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider This methods populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem looking up the relying party's metadata

populateRelyingPartyInformation

protected void populateRelyingPartyInformation(BaseSAMLProfileRequestContext requestContext)
                                        throws ProfileException

Populates the request context with information about the relying party. This method requires the the following request context properties to be populated: inbound message issuer This methods populates the following request context properties: peer entityID, peer entity metadata, relying party configuration

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem looking up the relying party's metadata

populateAssertingPartyInformation

protected void populateAssertingPartyInformation(BaseSAMLProfileRequestContext requestContext)
                                          throws ProfileException

Populates the request context with information about the asserting party. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext) has already been invoked and the properties it provides are available in the request context. This method requires the the following request context properties to be populated: metadata provider, relying party configuration This methods populates the following request context properties: local entity ID, outbound message issuer, local entity metadata

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem looking up the asserting party's metadata

populateSAMLMessageInformation

protected abstract void populateSAMLMessageInformation(BaseSAMLProfileRequestContext requestContext)
                                                throws ProfileException

Populates the request context with information from the inbound SAML message. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext),and populateAssertingPartyInformation(BaseSAMLProfileRequestContext) have already been invoked and the properties they provide are available in the request context.

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem populating the request context with information

populateProfileInformation

protected void populateProfileInformation(BaseSAMLProfileRequestContext requestContext)
                                   throws ProfileException

Populates the request context with the information about the profile. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext), populateAssertingPartyInformation(BaseSAMLProfileRequestContext), and populateSAMLMessageInformation(BaseSAMLProfileRequestContext) have already been invoked and the properties they provide are available in the request context. This method requires the the following request context properties to be populated: relying party configuration This methods populates the following request context properties: communication profile ID, profile configuration, outbound message artifact type, peer entity endpoint

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem populating the profile information

selectNameIDAttributeAndEncoder

protected <T extends SAMLNameIdentifierEncoder> Pair<BaseAttribute,T> selectNameIDAttributeAndEncoder(Class<T> nameIdEncoderType,
                                                                                          BaseSAMLProfileRequestContext requestContext)
                                                                                           throws ProfileException

Attempts to select the most fitting name identifier attribute, and associated encoder, for a request. If no attributes for the request subject are available no name identifier is constructed. If a specific name format is required, as returned by getRequiredNameIDFormat(BaseSAMLProfileRequestContext), then either an attribute with an encoder supporting that format is selected or an exception is thrown. If no specific format is required then an attribute supporting a format listed as supported by the relying party is used. If the relying party does not list any supported formats then any attribute supporting the correct name identifier type is used.

型パラメータ:

T - type of name identifier encoder the attribute must support

パラメータ:

nameIdEncoderType - type of name identifier encoder the attribute must support

requestContext - the current request context

戻り値:

the select attribute, and its encoder, to be used to build the name identifier

例外:

ProfileException - thrown if a specific name identifier format was required but not supported

filterNameIDAttributesByProtocol

protected <T extends SAMLNameIdentifierEncoder> void filterNameIDAttributesByProtocol(Collection<BaseAttribute<?>> attributes,
                                                                          Class<T> nameIdEncoderType)

Filters a collection of attributes removing those attributes which do not have an associated encoder of a given type.

型パラメータ:

T - the type of the encoder

パラメータ:

attributes - the attributes to be filtered, may not contain null values

nameIdEncoderType - the type of the encoder, may not be null

例外:

ProfileException

filterNameIDAttributesByFormats

protected void filterNameIDAttributesByFormats(Collection<BaseAttribute<?>> attributes,
                                   Collection<String> acceptableFormats)

Filters a collection of attributes removing those attributes that can not be encoded in to a name identifier of an acceptable format.

パラメータ:

attributes - the attributes to be filtered, may not contain null values

acceptableFormats - name identifier formats which are acceptable, a null or empty collection means any format is acceptable

getRequiredNameIDFormat

protected String getRequiredNameIDFormat(BaseSAMLProfileRequestContext requestContext)

Gets the name identifier format required to be sent back to the relying party. This implementation of this method returns null. Profile handler implementations should override this method if an incoming request is capable of requiring a specific format.

パラメータ:

requestContext - current request context

戻り値:

the required name ID format or null if no specific format is required

getSupportedNameFormats

protected List<String> getSupportedNameFormats(BaseSAMLProfileRequestContext requestContext)
                                        throws ProfileException

Gets the name identifier formats to use when creating identifiers for the relying party.

パラメータ:

requestContext - current request context

戻り値:

list of formats, in preference order, that may be used with the relying party, or an empty list for no preference

例外:

ProfileException - thrown if there is a problem determining the name identifier format to use

getEntitySupportedFormats

protected List<String> getEntitySupportedFormats(RoleDescriptor role)

Gets the list of name identifier formats supported for a given role.

パラメータ:

role - the role to get the list of supported name identifier formats

戻り値:

list of supported name identifier formats

selectNameIDAttributeAndEncoder

protected <T extends SAMLNameIdentifierEncoder> Pair<BaseAttribute,T> selectNameIDAttributeAndEncoder(Collection<BaseAttribute<?>> attributes,
                                                                                          Class<T> nameIdEncoderType,
                                                                                          String[] formatPrecedence)

Selects a name identifier attribute from a collection of attributes. If an ordered precedence of name identifier formats is given then the attribute that produces a name identifier with the highest precedence is selected. If no precedence is given, or no attribute support a format listed in the precedence list then the first attribute which can be encoded in to name identifier is chosen.

型パラメータ:

T - type name identifier

パラメータ:

attributes - attributes from which the identifier is selected, may not contain null values

nameIdEncoderType - encoder to be used to encode the selected attribute

formatPrecedence - precedence of name identifier formats, may not contain null values

戻り値:

the attribute to be encoded and the encoder to use

populateUserInformation

protected abstract void populateUserInformation(BaseSAMLProfileRequestContext requestContext)
                                         throws ProfileException

Populates the request context with the information about the user if they have an existing session. Unless overridden, populateRequestContext(BaseSAMLProfileRequestContext) has already invoked populateRelyingPartyInformation(BaseSAMLProfileRequestContext), populateAssertingPartyInformation(BaseSAMLProfileRequestContext), populateProfileInformation(BaseSAMLProfileRequestContext), and populateSAMLMessageInformation(BaseSAMLProfileRequestContext) have already been invoked and the properties they provide are available in the request context. This method should populate: user's session, user's principal name, and service authentication method

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem populating the user's information

selectEndpoint

protected abstract Endpoint selectEndpoint(BaseSAMLProfileRequestContext requestContext)
                                    throws ProfileException

Selects the appropriate endpoint for the relying party and stores it in the request context.

パラメータ:

requestContext - current request context

戻り値:

Endpoint selected from the information provided in the request context

例外:

ProfileException - thrown if there is a problem selecting a response endpoint

encodeResponse

protected void encodeResponse(BaseSAMLProfileRequestContext requestContext)
                       throws ProfileException

Encodes the request's SAML response and writes it to the servlet response.

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if no message encoder is registered for this profiles binding

isSignResponse

protected boolean isSignResponse(BaseSAMLProfileRequestContext requestContext)
                          throws ProfileException

Determine whether responses should be signed.

パラメータ:

requestContext - the current request context

戻り値:

true if responses should be signed, false otherwise

例外:

ProfileException - if there is a problem determining whether responses should be signed

getOutboundMessageEncoder

protected SAMLMessageEncoder getOutboundMessageEncoder(BaseSAMLProfileRequestContext requestContext)
                                                throws ProfileException

Get the outbound message encoder to use.

The default implementation uses the binding URI from the SAMLMessageContext.getPeerEntityEndpoint() to lookup the encoder from the supported message encoders defined in getMessageEncoders().

Subclasses may override to implement a different mechanism to determine the encoder to use, such as for example cases where an active intermediary actor sits between this provider and the peer entity endpoint (e.g. the SAML 2 ECP case).

パラメータ:

requestContext - current request context

戻り値:

the message encoder to use

例外:

ProfileException - if the encoder to use can not be resolved based on the request context

getInboundMessageDecoder

protected SAMLMessageDecoder getInboundMessageDecoder(BaseSAMLProfileRequestContext requestContext)
                                               throws ProfileException

Get the inbound message decoder to use.

The default implementation uses the binding URI from getInboundBinding() to lookup the decoder from the supported message decoders defined in getMessageDecoders().

Subclasses may override to implement a different mechanism to determine the decoder to use.

パラメータ:

requestContext - current request context

戻り値:

the message decoder to use

例外:

ProfileException - if the decoder to use can not be resolved based on the request context

writeAuditLogEntry

protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context)

Writes an audit log entry indicating the successful response to the attribute request.

パラメータ:

context - current request context