java.lang.Object
  org.opensaml.ws.security.provider.BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>
    org.opensaml.ws.security.provider.ClientCertAuthRule
public class ClientCertAuthRule
Policy rule that checks if the client cert used to authenticate the request is valid and trusted.

If the issuer has been previously set in the security policy context by another rule, then that issuer is used to build a criteria set via #buildCriteriaSet(String, HttpServletRequest, XMLObject, SecurityPolicyContext), and then evaluated via #evaluate(X509Credential, CriteriaSet). If this trust evaluation is successful, the context issuer authentication state will be set to true, otherwise it will be set to false. In either case, rule processing is then terminated.

If no context issuer was previously set, then rule evaluation will proceed as described in #evaluateCertificateNameDerivedIssuers(X509Credential, HttpServletRequest, XMLObject, SecurityPolicyContext), based on the currently configured certificate name evaluation options. If this method returns a non-null issuer entity ID, it will be set as the issuer in the context, the context's issuer authentication state will be set to true and rule processing is terminated. If the method returns null, the context issuer and issuer authentication state will remain unmodified and rule processing continues.

Finally rule evaluation will proceed as described in #evaluateDerivedIssuers(X509Credential, HttpServletRequest, XMLObject, SecurityPolicyContext). This is primarily an extension point by which subclasses may implement specific custom logic. If this method returns a non-null issuer entity ID, it will be set as the issuer in the context, the context's issuer authentication state will be set to true and rule processing is terminated. If the method returns null, the context issuer and issuer authentication state will remain unmodified.
Constructor Summary

| Constructor | Description |
|---|---|
| ClientCertAuthRule(TrustEngine<X509Credential> engine, ClientCertAuthRuleFactory.CertificateNameOptions nameOptions) | Constructor. |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| protected CriteriaSet | buildCriteriaSet(java.lang.String entityID, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs. |
| void | evaluate(javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluates the rule against the given request and message. |
| protected java.lang.String | evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluate candidate issuer entity IDs which may be derived from the request credential's entity certificate and which are currently configured. |
| protected java.lang.String | evaluateDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluate any candidate issuer entity IDs which may be derived from the credential or other request or message information. |
| protected java.lang.String | evaluateSubjectAltNames(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluate the issuer entity ID as derived from the cert subject alternative names specified by types enumerated in ClientCertAuthRuleXXX#getSubjectAltNames(). |
| protected java.lang.String | evaluateSubjectCommonName(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluate the issuer entity ID as derived from the cert subject common name (CN). |
| protected java.lang.String | evaluateSubjectDN(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) | Evaluate the issuer entity ID as derived from the cert subject DN. |
| protected java.util.List<java.lang.String> | getAltNames(java.security.cert.X509Certificate cert, java.lang.Integer altNameType) | Get the list of subject alt name values from the certificate which are of the specified alt name type. |
| protected java.lang.String | getCommonName(java.security.cert.X509Certificate cert) | Get the first common name (CN) value from the subject DN of the specified certificate. |
| protected java.lang.String | getSubjectName(java.security.cert.X509Certificate cert) | Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format. |
Methods inherited from class org.opensaml.ws.security.provider.BaseTrustEngineRule

evaluate, getTrustEngine

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

public ClientCertAuthRule(TrustEngine<X509Credential> engine, ClientCertAuthRuleFactory.CertificateNameOptions nameOptions)

Parameters:
engine - Trust engine used to verify the request X509Credential
nameOptions - options for deriving issuer names from an X.509 certificate

Method Detail
public void evaluate(javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException

evaluate in interface SecurityPolicyRule<javax.servlet.ServletRequest>
evaluate in class BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>

Parameters:
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if the request/message do not meet the requirements of this rule

protected CriteriaSet buildCriteriaSet(java.lang.String entityID, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context)
buildCriteriaSet in class BaseTrustEngineRule<X509Credential,javax.servlet.ServletRequest>

Parameters:
entityID - the candidate issuer entity ID which is being evaluated
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info
protected java.lang.String evaluateDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException

This serves primarily as an extension point for subclasses to implement application-specific logic. If multiple derived candidate entity IDs would satisfy the trust engine criteria, the choice of which one to return as the canonical issuer value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if there is an error during processing

protected java.lang.String evaluateCertificateNameDerivedIssuers(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException
Configured certificate name types are derived as candidate issuers and processed in the following order:

1. The certificate subject DN, as serialized by the X500DNHandler obtained via ClientCertAuthRuleXXX#getX500DNHandler() and using the output format indicated by ClientCertAuthRuleXXX#getX500SubjectDNFormat().
2. The subject alternative names of the types enumerated in ClientCertAuthRuleXXX#getSubjectAltNames(). Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.
3. The first common name (CN) value appearing in the certificate subject DN.

The first one of the above which is successfully evaluated by the trust engine using criteria built from BaseTrustEngineRule.buildCriteriaSet(String, javax.servlet.ServletRequest, XMLObject, SecurityPolicyContext) will be returned.
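The evaluation order described in the class description and in this method, written out as an added illustration that is not OpenSAML's code: the three phases (context issuer first, then certificate-derived names, then the extension point) and when each one terminates rule processing. It assumes Java 16+ (records), a Predicate standing in for the TrustEngine plus buildCriteriaSet, hypothetical Context, CertNames and NameOptions stand-ins for the SecurityPolicyContext, the extracted certificate names and CertificateNameOptions, the JDK integers for subject alt name types, and a constructed certificate.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

public class ClientCertIssuerRuleDemo {
    // Hypothetical stand-in for the SecurityPolicyContext fields this rule reads and writes.
    static final class Context { String issuer; Boolean issuerAuthenticated; }
    // Names already extracted from the client cert; altNames keyed by JDK SAN type (2 = DNS, 6 = URI).
    record CertNames(String subjectDN, String commonName, Map<Integer, List<String>> altNames) {}
    // Stand-in for CertificateNameOptions; a LinkedHashSet keeps alt-name types in insertion order.
    record NameOptions(boolean subjectDN, boolean commonName, LinkedHashSet<Integer> subjectAltNames) {}

    // Runs the rule against one request; returns true when rule processing terminates here.
    static boolean evaluate(CertNames cert, NameOptions opts, Predicate<String> trustEngine, Context ctx) {
        // Phase 1: an issuer set by an earlier rule is the only candidate, and the rule
        // terminates whether or not it is trusted: no fallback to certificate names.
        if (ctx.issuer != null) {
            ctx.issuerAuthenticated = trustEngine.test(ctx.issuer);
            return true;
        }
        // Phase 2: subject DN, then configured alt-name types in insertion order, then CN;
        // the first candidate the trust engine accepts becomes the context issuer.
        List<String> candidates = new java.util.ArrayList<>();
        if (opts.subjectDN()) candidates.add(cert.subjectDN());
        for (Integer type : opts.subjectAltNames())
            candidates.addAll(cert.altNames().getOrDefault(type, List.of()));
        if (opts.commonName()) candidates.add(cert.commonName());
        for (String candidate : candidates) {
            if (candidate != null && trustEngine.test(candidate)) {
                ctx.issuer = candidate;
                ctx.issuerAuthenticated = true;
                return true;
            }
        }
        // Phase 3: evaluateDerivedIssuers is an extension point; with no subclass logic it
        // yields null, so the context stays unmodified and later rules keep running.
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: an SP cert that carries its SAML entity ID as a URI SAN.
        CertNames cert = new CertNames("CN=sp.example.org,O=Example", "sp.example.org",
            Map.of(2, List.of("sp.example.org"), 6, List.of("https://sp.example.org/sp")));
        NameOptions opts = new NameOptions(true, true, new LinkedHashSet<>(List.of(6, 2)));
        Predicate<String> trustEngine = "https://sp.example.org/sp"::equals; // trusted entity IDs
        Context fresh = new Context();
        evaluate(cert, opts, trustEngine, fresh);   // no prior issuer: certificate names are tried
        System.out.println(fresh.issuer + " authenticated=" + fresh.issuerAuthenticated);
        Context preset = new Context(); preset.issuer = "https://other.example.org/sp";
        evaluate(cert, opts, trustEngine, preset);  // issuer already set: only that value is checked
        System.out.println(preset.issuer + " authenticated=" + preset.issuerAuthenticated);
    }
}
```

The second run shows the point that matters for a policy chain: once another rule has set an issuer that the trust engine rejects, this rule records the failure and stops rather than falling back to names from the certificate.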
Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if there is an error during processing

protected java.lang.String evaluateSubjectCommonName(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException
Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if there is an error during processing

protected java.lang.String evaluateSubjectDN(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException
Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if there is an error during processing

protected java.lang.String evaluateSubjectAltNames(X509Credential requestCredential, javax.servlet.ServletRequest request, XMLObject message, SecurityPolicyContext context) throws SecurityPolicyException
The subject alternative name types evaluated are those enumerated in ClientCertAuthRuleXXX#getSubjectAltNames().

Parameters:
requestCredential - the X509Credential derived from the request
request - the protocol request
message - the incoming message
context - the security policy context to use for evaluation and storage of related state info

Throws:
SecurityPolicyException - thrown if there is an error during processing

protected java.lang.String getCommonName(java.security.cert.X509Certificate cert)
Parameters:
cert - the certificate being processed

protected java.lang.String getSubjectName(java.security.cert.X509Certificate cert)

Parameters:
cert - the certificate being processed

protected java.util.List<java.lang.String> getAltNames(java.security.cert.X509Certificate cert, java.lang.Integer altNameType)

Parameters:
cert - the certificate from which to extract alt names
altNameType - the type of alt name to extract