edu.internet2.middleware.shibboleth.idp.profile.saml2

クラス AbstractSAML2ProfileHandler

java.lang.Object

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler<HTTPInTransport,HTTPOutTransport>

edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler<SAMLMDRelyingPartyConfigurationManager,Session>

edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler

すべての実装されたインタフェース:

ProfileHandler<HTTPInTransport,HTTPOutTransport>

直系の既知のサブクラス:

ArtifactResolution, AttributeQueryProfileHandler, SLOProfileHandler, SSOProfileHandler

public abstract class AbstractSAML2ProfileHandler
extends AbstractSAMLProfileHandler

Common implementation details for profile handlers.

ネストされたクラスの概要

ネストされたクラス

修飾子とタイプ	クラスと説明
protected class	AbstractSAML2ProfileHandler.SAML2AuditLogEntry SAML 2 specific audit log entry.

フィールドの概要

フィールド

修飾子とタイプ	フィールドと説明
static SAMLVersion	SAML_VERSION SAML Version for this profile handler.

コンストラクタの概要

コンストラクタ

修飾子	コンストラクタと説明
protected	AbstractSAML2ProfileHandler() Constructor.

メソッドの概要

メソッド

修飾子とタイプ	メソッドと説明
protected Assertion	buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.joda.time.DateTime issueInstant) Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.
protected AttributeStatement	buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Executes a query for attributes and builds a SAML attribute statement from the results.
protected Conditions	buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext, org.joda.time.DateTime issueInstant) Builds a SAML assertion condition set.
protected Issuer	buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Creates an Issuer populated with information about the relying party.
protected Response	buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Constructs an SAML response message carrying a request error.
protected NameID	buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Builds a NameID appropriate for this request.
protected Response	buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String subjectConfirmationMethod, List<Statement> statements) Builds a response to the attribute query within the request context.
protected Status	buildStatus(String topLevelCode, String secondLevelCode, String failureMessage) Build a status message, with an optional second-level failure message.
protected Subject	buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, org.joda.time.DateTime issueInstant) Builds the SAML subject for the user for the service provider.
protected SubjectConfirmation	buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext, String confirmationMethod, org.joda.time.DateTime issueInstant) Builds the SubjectConfirmation appropriate for this request.
protected void	checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Checks that the SAML major version for a request is 2.
protected Encrypter	getEncrypter(String peerEntityId) Gets an encrypter that may be used encrypt content to a given peer.
protected Credential	getKeyEncryptionCredential(String peerEntityId) Gets the credential that can be used to encrypt encryption keys for a peer.
protected String	getSessionIndexFromNameID(NameID nameIdentifier) Creates a properly-delimited string representation from the given SAML2 NameID for session indexing purposes.
protected boolean	isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Determine whether issued assertions should be encrypted.
protected boolean	isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Determine whether NameID's should be encrypted.
protected boolean	isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Determine whether information in the SAML request requires the issued NameID to be encrypted.
protected boolean	isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Determine whether issued assertions should be signed.
protected void	populateRequestContext(BaseSAMLProfileRequestContext requestContext) Populates the request context with information.
protected void	populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, StatusResponseType response) Populates the response's id, in response to, issue instant, version, and issuer properties.
protected void	populateUserInformation(BaseSAMLProfileRequestContext requestContext) Populates the request context with the information about the user.
protected void	postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion) Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.
protected void	postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Response samlResponse) Extension point for for subclasses to post-process the Response before it is signed and encoded.
protected void	resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Resolves the attributes for the principal.
protected void	resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext) Resolves the principal name of the subject of the request.
protected void	signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext, Assertion assertion) Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.
protected void	writeAuditLogEntry(BaseSAMLProfileRequestContext context) Writes an audit log entry indicating the successful response to the attribute request.

クラスから継承されたメソッド edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler

encodeResponse, filterNameIDAttributesByFormats, filterNameIDAttributesByProtocol, getAduitLog, getAuditLog, getEntitySupportedFormats, getIdGenerator, getInboundBinding, getInboundMessageDecoder, getMessageDecoders, getMessageEncoders, getMetadataCredentialResolver, getMetadataProvider, getOutboundMessageEncoder, getRelyingPartyConfiguration, getRequiredNameIDFormat, getSecurityPolicyResolver, getSupportedNameFormats, getSupportedOutboundBindings, getUserSession, getUserSession, isSignResponse, populateAssertingPartyInformation, populateProfileInformation, populateRelyingPartyInformation, populateSAMLMessageInformation, selectEndpoint, selectNameIDAttributeAndEncoder, selectNameIDAttributeAndEncoder, setIdGenerator, setInboundBinding, setMessageDecoders, setMessageEncoders, setSecurityPolicyResolver, setSupportedOutboundBindings

クラスから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.provider.AbstractShibbolethProfileHandler

getBuilderFactory, getParserPool, getProfileConfiguration, getProfileId, getRelyingPartyConfigurationManager, getSessionManager, getStorageService, setParserPool, setRelyingPartyConfigurationManager, setSessionManager, setStorageService

クラスから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.provider.AbstractRequestURIMappedProfileHandler

getRequestPaths, setRequestPaths

クラスから継承されたメソッド java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

インタフェースから継承されたメソッド edu.internet2.middleware.shibboleth.common.profile.ProfileHandler

processRequest

フィールドの詳細

SAML_VERSION

public static final SAMLVersion SAML_VERSION

SAML Version for this profile handler.

コンストラクタの詳細

AbstractSAML2ProfileHandler

protected AbstractSAML2ProfileHandler()

Constructor.

メソッドの詳細

populateRequestContext

protected void populateRequestContext(BaseSAMLProfileRequestContext requestContext)
                               throws ProfileException

Populates the request context with information. This method requires the the following request context properties to be populated: inbound message transport, peer entity ID, metadata provider This methods populates the following request context properties: user's session, user's principal name, service authentication method, peer entity metadata, relying party configuration, local entity ID, outbound message issuer, local entity metadata

オーバーライド:

populateRequestContext クラス内 AbstractSAMLProfileHandler

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem looking up the relying party's metadata

populateUserInformation

protected void populateUserInformation(BaseSAMLProfileRequestContext requestContext)

Populates the request context with the information about the user. This method requires the the following request context properties to be populated: inbound message transport, relying party ID This methods populates the following request context properties: user's session, user's principal name, and service authentication method

定義:

populateUserInformation クラス内 AbstractSAMLProfileHandler

パラメータ:

requestContext - current request context

checkSamlVersion

protected void checkSamlVersion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws ProfileException

Checks that the SAML major version for a request is 2.

パラメータ:

requestContext - current request context containing the SAML message

例外:

ProfileException - thrown if the major version of the SAML request is not 2

buildResponse

protected Response buildResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                     String subjectConfirmationMethod,
                     List<Statement> statements)
                          throws ProfileException

Builds a response to the attribute query within the request context.

パラメータ:

requestContext - current request context

subjectConfirmationMethod - confirmation method used for the subject

statements - the statements to include in the response

戻り値:

the built response

例外:

ProfileException - thrown if there is a problem creating the SAML response

isEncryptAssertion

protected boolean isEncryptAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                              throws ProfileException

Determine whether issued assertions should be encrypted.

パラメータ:

requestContext - the current request context

戻り値:

true if assertions should be encrypted, false otherwise

例外:

ProfileException - if there is a problem determining whether assertions should be encrypted

postProcessResponse

protected void postProcessResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                       Response samlResponse)
                            throws ProfileException

Extension point for for subclasses to post-process the Response before it is signed and encoded.

パラメータ:

requestContext - the current request context

samlResponse - the SAML Response being built

例外:

ProfileException - if there was an error processing the response

postProcessAssertion

protected void postProcessAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                        Assertion assertion)
                             throws ProfileException

Extension point for for subclasses to post-process the Assertion before it is signed and encrypted.

パラメータ:

requestContext - the current request context

assertion - the SAML Assertion being built

例外:

ProfileException - if there is an error processing the assertion

buildAssertion

protected Assertion buildAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                       org.joda.time.DateTime issueInstant)

Builds a basic assertion with its id, issue instant, SAML version, issuer, subject, and conditions populated.

パラメータ:

requestContext - current request context

issueInstant - time to use as assertion issue instant

戻り値:

the built assertion

buildEntityIssuer

protected Issuer buildEntityIssuer(BaseSAML2ProfileRequestContext<?,?,?> requestContext)

Creates an Issuer populated with information about the relying party.

パラメータ:

requestContext - current request context

戻り値:

the built issuer

buildConditions

protected Conditions buildConditions(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                         org.joda.time.DateTime issueInstant)

Builds a SAML assertion condition set. The following fields are set; not before, not on or after, audience restrictions, and proxy restrictions.

パラメータ:

requestContext - current request context

issueInstant - timestamp the assertion was created

戻り値:

constructed conditions

populateStatusResponse

protected void populateStatusResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                          StatusResponseType response)

Populates the response's id, in response to, issue instant, version, and issuer properties.

パラメータ:

requestContext - current request context

response - the response to populate

resolveAttributes

protected void resolveAttributes(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                          throws ProfileException

Resolves the attributes for the principal.

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if there is a problem resolved attributes

buildAttributeStatement

protected AttributeStatement buildAttributeStatement(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                                              throws ProfileException

Executes a query for attributes and builds a SAML attribute statement from the results.

パラメータ:

requestContext - current request context

戻り値:

attribute statement resulting from the query

例外:

ProfileException - thrown if there is a problem making the query

resolvePrincipal

protected void resolvePrincipal(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                         throws ProfileException

Resolves the principal name of the subject of the request.

パラメータ:

requestContext - current request context

例外:

ProfileException - thrown if the principal name can not be resolved

signAssertion

protected void signAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                 Assertion assertion)
                      throws ProfileException

Signs the given assertion if either the current profile configuration or the relying party configuration contains signing credentials.

パラメータ:

requestContext - current request context

assertion - assertion to sign

例外:

ProfileException - thrown if the metadata can not be located for the relying party or, if signing is required, if a signing credential is not configured

isSignAssertion

protected boolean isSignAssertion(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws ProfileException

Determine whether issued assertions should be signed.

パラメータ:

requestContext - the current request context

戻り値:

true if assertions should be signed, false otherwise

例外:

ProfileException - if there is a problem determining whether assertions should be signed

buildStatus

protected Status buildStatus(String topLevelCode,
                 String secondLevelCode,
                 String failureMessage)

Build a status message, with an optional second-level failure message.

パラメータ:

topLevelCode - The top-level status code. Should be from saml-core-2.0-os, sec. 3.2.2.2

secondLevelCode - An optional second-level failure code. Should be from saml-core-2.0-is, sec 3.2.2.2. If null, no second-level Status element will be set.

failureMessage - An optional second-level failure message

戻り値:

a Status object.

buildSubject

protected Subject buildSubject(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                   String confirmationMethod,
                   org.joda.time.DateTime issueInstant)
                        throws ProfileException

Builds the SAML subject for the user for the service provider.

パラメータ:

requestContext - current request context

confirmationMethod - subject confirmation method used for the subject

issueInstant - instant the subject confirmation data should reflect for issuance

戻り値:

SAML subject for the user for the service provider

例外:

ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

isEncryptNameID

protected boolean isEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                           throws ProfileException

Determine whether NameID's should be encrypted.

パラメータ:

requestContext - the current request context

戻り値:

true if NameID's should be encrypted, false otherwise

例外:

ProfileException - if there is a problem determining whether NameID's should be encrypted

isRequestRequiresEncryptNameID

protected boolean isRequestRequiresEncryptNameID(BaseSAML2ProfileRequestContext<?,?,?> requestContext)

Determine whether information in the SAML request requires the issued NameID to be encrypted.

パラメータ:

requestContext - the current request context

戻り値:

true if the request indicates NameID encryption is required, false otherwise

buildSubjectConfirmation

protected SubjectConfirmation buildSubjectConfirmation(BaseSAML2ProfileRequestContext<?,?,?> requestContext,
                                           String confirmationMethod,
                                           org.joda.time.DateTime issueInstant)

Builds the SubjectConfirmation appropriate for this request.

パラメータ:

requestContext - current request context

confirmationMethod - confirmation method to use for the request

issueInstant - issue instant of the response

戻り値:

the constructed subject confirmation

buildNameId

protected NameID buildNameId(BaseSAML2ProfileRequestContext<?,?,?> requestContext)
                      throws ProfileException

Builds a NameID appropriate for this request. NameIDs are built by inspecting the SAML request and metadata, picking a name format that was requested by the relying party or is mutually supported by both the relying party and asserting party as described in their metadata entries. Once a set of supported name formats is determined the principals attributes are inspected for an attribute supported an attribute encoder whose category is one of the supported name formats.

パラメータ:

requestContext - current request context

戻り値:

the NameID appropriate for this request

例外:

ProfileException - thrown if a NameID can not be created either because there was a problem encoding the name ID attribute or because there are no supported name formats

buildErrorResponse

protected Response buildErrorResponse(BaseSAML2ProfileRequestContext<?,?,?> requestContext)

Constructs an SAML response message carrying a request error.

パラメータ:

requestContext - current request context

戻り値:

the constructed error response

getEncrypter

protected Encrypter getEncrypter(String peerEntityId)
                          throws SecurityException

Gets an encrypter that may be used encrypt content to a given peer.

パラメータ:

peerEntityId - entity ID of the peer

戻り値:

encrypter that may be used encrypt content to a given peer

例外:

SecurityException - thrown if there is a problem constructing the encrypter. This normally occurs if the key encryption credential for the peer can not be resolved or a required encryption algorithm is not supported by the VM's JCE.

getKeyEncryptionCredential

protected Credential getKeyEncryptionCredential(String peerEntityId)
                                         throws SecurityException

Gets the credential that can be used to encrypt encryption keys for a peer.

パラメータ:

peerEntityId - entity ID of the peer

戻り値:

credential that can be used to encrypt encryption keys for a peer

例外:

SecurityException - thrown if there is a problem resolving the credential from the peer's metadata

getSessionIndexFromNameID

protected String getSessionIndexFromNameID(NameID nameIdentifier)

Creates a properly-delimited string representation from the given SAML2 NameID for session indexing purposes.

パラメータ:

nameIdentifier - the NameID to create string representation from

戻り値:

a usable session index based on the input

writeAuditLogEntry

protected void writeAuditLogEntry(BaseSAMLProfileRequestContext context)

Writes an audit log entry indicating the successful response to the attribute request.

オーバーライド:

writeAuditLogEntry クラス内 AbstractSAMLProfileHandler

パラメータ:

context - current request context