org.opensaml.ws.security.provider
Class ClientCertAuthRule

java.lang.Object
  extended by org.opensaml.ws.security.provider.BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>
      extended by org.opensaml.ws.security.provider.ClientCertAuthRule
All Implemented Interfaces:
SecurityPolicyRule<javax.servlet.ServletRequest>
Direct Known Subclasses:
SAMLMDClientCertAuthRuleFactory.SAMLMDClientCertAuthRule

public class ClientCertAuthRule
extends BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>

Policy rule that checks if the client cert used to authenticate the request is valid and trusted.

If the issuer has already been set in the security policy context by an earlier rule, that issuer is used to build a criteria set via buildCriteriaSet(String, ServletRequest, XMLObject, SecurityPolicyContext), and the request credential is then evaluated against it via the inherited BaseTrustEngineRule method evaluate(X509Credential, CriteriaSet). If that trust evaluation succeeds, the context's issuer authentication state is set to true; otherwise it is set to false. In either case, rule processing then terminates.

If no context issuer was previously set, rule evaluation proceeds as described in evaluateCertificateNameDerivedIssuers(X509Credential, ServletRequest, XMLObject, SecurityPolicyContext), based on the currently configured certificate name evaluation options. If that method returns a non-null issuer entity ID, it is set as the issuer in the context, the context's issuer authentication state is set to true and rule processing terminates. If the method returns null, the context issuer and issuer authentication state remain unmodified and rule processing continues.

Finally, rule evaluation proceeds as described in evaluateDerivedIssuers(X509Credential, ServletRequest, XMLObject, SecurityPolicyContext). This is primarily an extension point by which subclasses may implement specific custom logic. If that method returns a non-null issuer entity ID, it is set as the issuer in the context, the context's issuer authentication state is set to true and rule processing terminates. If the method returns null, the context issuer and issuer authentication state remain unmodified.

Note that in every path a candidate entity ID, whether taken from the context or derived from a certificate name, only becomes the authenticated issuer after the trust engine has validated the request credential against criteria built for that entity ID. A name carried in the client certificate is a hint, not proof of identity.


Constructor Summary
ClientCertAuthRule(TrustEngine<X509Credential> engine, ClientCertAuthRuleFactory.CertificateNameOptions nameOptions)
          Constructor.
 
Method Summary
protected  CriteriaSet buildCriteriaSet(java.lang.String entityID, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Build a criteria set for the trust engine according to trust engine and application-specific needs; this class supplies the implementation that BaseTrustEngineRule declares abstract, and subclasses may override it.
 void evaluate(javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluates the rule against the given request and message.
protected  java.lang.String evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluate candidate issuer entity IDs which may be derived from the request credential's entity certificate and which are currently configured.
protected  java.lang.String evaluateDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluate any candidate issuer entity IDs which may be derived from the credential or other request or message information.
protected  java.lang.String evaluateSubjectAltNames(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluate the issuer entity ID as derived from the cert subject alternative names of the types enumerated by the configured ClientCertAuthRuleFactory.CertificateNameOptions.getSubjectAltNames().
protected  java.lang.String evaluateSubjectCommonName(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluate the issuer entity ID as derived from the cert subject common name (CN).
protected  java.lang.String evaluateSubjectDN(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
          Evaluate the issuer entity ID as derived from the cert subject DN.
protected  java.util.List<java.lang.String> getAltNames(java.security.cert.X509Certificate cert, java.lang.Integer altNameType)
          Get the list of subject alt name values from the certificate which are of the specified alt name type.
protected  java.lang.String getCommonName(java.security.cert.X509Certificate cert)
          Get the first common name (CN) value from the subject DN of the specified certificate.
protected  java.lang.String getSubjectName(java.security.cert.X509Certificate cert)
          Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format.
 
Methods inherited from class org.opensaml.ws.security.provider.BaseTrustEngineRule
evaluate, getTrustEngine
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ClientCertAuthRule

public ClientCertAuthRule(TrustEngine<X509Credential> engine,
                          ClientCertAuthRuleFactory.CertificateNameOptions nameOptions)
Constructor.

Parameters:
engine - Trust engine used to verify the request X509Credential
nameOptions - options for deriving issuer names from an X.509 certificate
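The following is an added configuration example, not code from the openws/OpenSAML project itself. It builds an explicit-certificate trust engine for one pinned client certificate, configures the certificate name options so that the subject DN, then URI and DNS subject alt names, then the CN are tried in that order (the alt-name set is a LinkedHashSet, so insertion order is evaluation order), constructs the rule, and reads the outcome back from the policy context. The CertificateNameOptions setters and the SecurityPolicyContext accessors used here are assumed (this page only documents the getters on the options object); the trust engine, credential resolver and criteria classes are from the xmltooling library.

```java
// Added configuration example (not code from the OpenSAML/openws project itself).
// Assumed, because this page does not list them: the CertificateNameOptions setters
// and the SecurityPolicyContext accessors (getIssuer / isIssuerAuthenticated).
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.servlet.ServletRequest;

import org.opensaml.ws.security.SecurityPolicyContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.provider.ClientCertAuthRule;
import org.opensaml.ws.security.provider.ClientCertAuthRuleFactory.CertificateNameOptions;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEngine;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.security.x509.X500DNHandler;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509Util;

public class ClientCertAuthRuleSetup {

    /** Trust exactly one client certificate, registered under the entity ID it is allowed to act as. */
    static TrustEngine<X509Credential> buildTrustEngine(InputStream pemCert, String entityId)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(pemCert);

        BasicX509Credential trusted = new BasicX509Credential();
        trusted.setEntityCertificate(cert);
        // The criteria the rule builds select trusted credentials by entity ID, so the
        // binding "this cert may act as entityId" is made here, not by the client.
        trusted.setEntityId(entityId);

        return new ExplicitX509CertificateTrustEngine(new StaticCredentialResolver(trusted));
    }

    /** Configure which certificate names are tried as issuer candidates, and in what order. */
    static ClientCertAuthRule buildRule(TrustEngine<X509Credential> engine) {
        CertificateNameOptions nameOptions = new CertificateNameOptions();
        // Assumed setter names (the page documents getX500SubjectDNFormat/getX500DNHandler).
        nameOptions.setEvaluateSubjectDN(true);
        nameOptions.setX500SubjectDNFormat(X500DNHandler.FORMAT_RFC2253);
        // Alt-name types are the GeneralName tags used by X509Certificate.getSubjectAlternativeNames():
        // 6 = uniformResourceIdentifier, 2 = dNSName. Insertion order is evaluation order.
        nameOptions.getSubjectAltNames().add(X509Util.URI_ALT_NAME);
        nameOptions.getSubjectAltNames().add(X509Util.DNS_ALT_NAME);
        // Assumed setter name; the first CN of the subject DN is tried last.
        nameOptions.setEvaluateSubjectCommonName(true);

        return new ClientCertAuthRule(engine, nameOptions);
    }

    /** Run the rule; returns the authenticated issuer, or null if none was established. */
    static String authenticate(ClientCertAuthRule rule, ServletRequest request, XMLObject message,
            SecurityPolicyContext context) throws SecurityPolicyException {
        rule.evaluate(request, message, context);
        // Assumed accessor names for the context state the class description refers to.
        if (context.isIssuerAuthenticated()) {
            return context.getIssuer();
        }
        return null;
    }
}
```

The point to check in a deployment is the pairing between the trust engine and the name options: the name options only decide which strings from the certificate are proposed as candidate entity IDs, and the trust engine decides whether the presented certificate is actually trusted for that entity ID. Enabling CN or DN evaluation without a trust engine that resolves credentials per entity ID does not authenticate anything.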
Method Detail

evaluate

public void evaluate(javax.servlet.ServletRequest request,
                     XMLObject message,
                     SecurityPolicyContext context)
              throws SecurityPolicyException
Evaluates the rule against the given request and message.

Specified by:
evaluate in interface SecurityPolicyRule<javax.servlet.ServletRequest>
Specified by:
evaluate in class BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>
Parameters:
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Throws:
SecurityPolicyException - thrown if the request/message do not meet the requirements of this rule

buildCriteriaSet

protected CriteriaSet buildCriteriaSet(java.lang.String entityID,
                                       javax.servlet.ServletRequest request,
                                       XMLObject message,
                                       SecurityPolicyContext context)
Build a criteria set for the trust engine according to trust engine and application-specific needs. BaseTrustEngineRule declares this method abstract; ClientCertAuthRule supplies the implementation used for the candidate entity IDs it evaluates, and subclasses may override it to add application-specific criteria.

Specified by:
buildCriteriaSet in class BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>
Parameters:
entityID - the candidate issuer entity ID which is being evaluated
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
a newly constructed set of criteria suitable for the configured trust engine

evaluateDerivedIssuers

protected java.lang.String evaluateDerivedIssuers(X509Credential requestCredential,
                                                  javax.servlet.ServletRequest request,
                                                  XMLObject message,
                                                  SecurityPolicyContext context)
                                           throws SecurityPolicyException
Evaluate any candidate issuer entity IDs which may be derived from the credential or other request or message information.

This serves primarily as an extension point for subclasses to implement application-specific logic.

If multiple derived candidate entity IDs would satisfy the trust engine criteria, the choice of which one to return as the canonical issuer value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
an issuer entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing
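The following is an added example of a subclass, not code from the openws/OpenSAML project; it illustrates both the extension point described for this method and the buildCriteriaSet contract described in the class description. The subclass, its constructor argument and the request header it reads are hypothetical. It derives a candidate entity ID from a header the client sends, which is attacker-controlled, and shows the only safe way to use such a value: return it as the issuer solely when the inherited evaluate(X509Credential, CriteriaSet) confirms that the presented client certificate is trusted for that entity ID. The criteria classes (CriteriaSet, EntityIDCriteria, UsageCriteria) and DatatypeHelper are from the xmltooling library.

```java
// Added example of a ClientCertAuthRule subclass; not part of the openws/OpenSAML code base.
// Hypothetical: the class, the hint header name. Inherited from BaseTrustEngineRule:
// the protected boolean evaluate(X509Credential, CriteriaSet) and getTrustEngine().
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;

import org.opensaml.ws.security.SecurityPolicyContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.provider.ClientCertAuthRule;
import org.opensaml.ws.security.provider.ClientCertAuthRuleFactory.CertificateNameOptions;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.trust.TrustEngine;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.util.DatatypeHelper;

public class HeaderHintClientCertAuthRule extends ClientCertAuthRule {

    /** Hypothetical request header in which a client names the entity ID it claims to be. */
    private final String hintHeader;

    public HeaderHintClientCertAuthRule(TrustEngine<X509Credential> engine,
            CertificateNameOptions nameOptions, String hintHeader) {
        super(engine, nameOptions);
        this.hintHeader = hintHeader;
    }

    /** Criteria the trust engine resolves trusted credentials by: the candidate entity ID and signing usage. */
    @Override
    protected CriteriaSet buildCriteriaSet(String entityID, ServletRequest request, XMLObject message,
            SecurityPolicyContext context) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityID));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        return criteria;
    }

    /**
     * Reached only when no issuer was already in the context and no certificate-name-derived
     * candidate passed the trust engine. The header is client-supplied, so its value is never
     * returned unless the presented certificate is trusted for exactly that entity ID.
     */
    @Override
    protected String evaluateDerivedIssuers(X509Credential requestCredential, ServletRequest request,
            XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException {
        if (!(request instanceof HttpServletRequest)) {
            return null;
        }
        String candidate = DatatypeHelper.safeTrimOrNullString(
                ((HttpServletRequest) request).getHeader(hintHeader));
        if (candidate == null) {
            return null;
        }
        CriteriaSet criteria = buildCriteriaSet(candidate, request, message, context);
        if (evaluate(requestCredential, criteria)) {
            return candidate;   // the rule then records it as the authenticated context issuer
        }
        return null;            // context left unmodified; the request remains unauthenticated
    }
}
```

If the trust engine rejects the candidate, the method returns null rather than throwing, matching the contract above: the context issuer and authentication state stay unmodified, and a later rule or the application decides what an unauthenticated request may do.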

evaluateCertificateNameDerivedIssuers

protected java.lang.String evaluateCertificateNameDerivedIssuers(X509Credential requestCredential,
                                                                 javax.servlet.ServletRequest request,
                                                                 XMLObject message,
                                                                 SecurityPolicyContext context)
                                                          throws SecurityPolicyException
Evaluate candidate issuer entity IDs which may be derived from the request credential's entity certificate and which are currently configured.

Configured certificate name types are derived as candidate issuers and processed in the following order:

  1. The certificate subject DN string, serialized by the X500DNHandler configured via ClientCertAuthRuleFactory.CertificateNameOptions.getX500DNHandler() in the output format indicated by CertificateNameOptions.getX500SubjectDNFormat().
  2. Subject alternative names of the types configured via CertificateNameOptions.getSubjectAltNames(). This is a LinkedHashSet, so the types are evaluated in insertion order.
  3. The first common name (CN) value appearing in the certificate subject DN.

Each candidate is evaluated by the trust engine using criteria built from buildCriteriaSet(String, ServletRequest, XMLObject, SecurityPolicyContext), and the first candidate the trust engine accepts is returned. A name that merely appears in the certificate is never accepted as the issuer on its own: the request credential must also be trusted for that entity ID.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
an issuer entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectCommonName

protected java.lang.String evaluateSubjectCommonName(X509Credential requestCredential,
                                                     javax.servlet.ServletRequest request,
                                                     XMLObject message,
                                                     SecurityPolicyContext context)
                                              throws SecurityPolicyException
Evaluate the issuer entity ID as derived from the cert subject common name (CN). Only the first CN value from the subject DN is evaluated.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
an issuer entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectDN

protected java.lang.String evaluateSubjectDN(X509Credential requestCredential,
                                             javax.servlet.ServletRequest request,
                                             XMLObject message,
                                             SecurityPolicyContext context)
                                      throws SecurityPolicyException
Evaluate the issuer entity ID as derived from the cert subject DN.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
an issuer entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectAltNames

protected java.lang.String evaluateSubjectAltNames(X509Credential requestCredential,
                                                   javax.servlet.ServletRequest request,
                                                   XMLObject message,
                                                   SecurityPolicyContext context)
                                            throws SecurityPolicyException
Evaluate the issuer entity ID as derived from the cert subject alternative names of the types enumerated by the configured ClientCertAuthRuleFactory.CertificateNameOptions.getSubjectAltNames(). Alt name types are evaluated in the insertion order of that set, and a name is only returned once the trust engine has accepted the request credential for that entity ID.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
Returns:
an issuer entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

getCommonName

protected java.lang.String getCommonName(java.security.cert.X509Certificate cert)
Get the first common name (CN) value from the subject DN of the specified certificate.

Parameters:
cert - the certificate being processed
Returns:
the first CN value, or null if there are none

getSubjectName

protected java.lang.String getSubjectName(java.security.cert.X509Certificate cert)
Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format.

Parameters:
cert - the certificate being processed
Returns:
the subject name

getAltNames

protected java.util.List<java.lang.String> getAltNames(java.security.cert.X509Certificate cert,
                                                       java.lang.Integer altNameType)
Get the list of subject alt name values from the certificate which are of the specified alt name type. The type is the GeneralName tag integer used by java.security.cert.X509Certificate.getSubjectAlternativeNames() (for example 2 for dNSName and 6 for uniformResourceIdentifier).

Parameters:
cert - the certificate from which to extract alt names
altNameType - the GeneralName type tag of the alt names to extract
Returns:
the list of certificate subject alt name values of the specified type