Class AuthenticationFlowDescriptor

All Implemented Interfaces:
Predicate<ProfileRequestContext>, PrincipalSupportingComponent, FlowDescriptor, Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent, StorageSerializer<AuthenticationResult>, Ordered

public class AuthenticationFlowDescriptor
extends AbstractIdentifiableInitializableComponent
implements FlowDescriptor, PrincipalSupportingComponent, Predicate<ProfileRequestContext>, StorageSerializer<AuthenticationResult>, Ordered
A descriptor for an authentication flow.

A flow models a sequence of profile actions that performs authentication in a particular way and satisfies various constraints that may apply to an authentication request. Some of these constraints are directly exposed as properties of the flow, and others can be found by examining the list of extended Principals that the flow exposes.

  • Field Details

    • FLOW_ID_PREFIX

      @Nonnull @NotEmpty public static final String FLOW_ID_PREFIX
      Prefix convention for flow IDs.
      See Also:
      Constant Field Values
    • STORAGE_EXPIRATION_OFFSET

      @Nonnull public static final Duration STORAGE_EXPIRATION_OFFSET
      Additional allowance for storage of result records to avoid race conditions during use.
    • order

      private int order
      Spring auto-wiring order.
    • supportsNonBrowser

      private boolean supportsNonBrowser
      Whether this flow supports non-browser clients.
    • supportsPassive

      private boolean supportsPassive
      Whether this flow supports passive authentication.
    • supportsForced

      private boolean supportsForced
      Whether this flow supports forced authentication.
    • proxyRestrictionsEnforced

      private boolean proxyRestrictionsEnforced
      Whether this flow should honor proxy restrictions toward RPs.
    • proxyScopingEnforced

      private boolean proxyScopingEnforced
      Whether this flow should honor proxy scoping restrictions toward IdPs.
    • discoveryRequired

      private boolean discoveryRequired
      Whether this flow should invoke discovery if no authenticating authority populated.
    • reuseCondition

      @Nonnull private Predicate<ProfileRequestContext> reuseCondition
      Whether this flow allows reuse of its results.
    • lifetime

      @Nullable private Duration lifetime
      Maximum amount of time since first usage that a flow should be considered active.
    • inactivityTimeout

      @Nonnull private Duration inactivityTimeout
      Maximum amount of time since last usage that a flow should be considered active.
    • stringBasedPrincipals

      @Nonnull private Set<String> stringBasedPrincipals
      Supported principals provided by delimited strings, for post-initialization override via PrincipalServiceManager.
    • supportedPrincipals

      @Nonnull private Subject supportedPrincipals
      Supported principals, indexed by type, that the flow can produce. Implemented for the moment using the Subject class for convenience to allow for class-based lookup in the getSupportedPrincipals(java.lang.Class<T>) method.
    • activationCondition

      @Nonnull private Predicate<ProfileRequestContext> activationCondition
      Predicate that must be true for this flow to be usable for a given request.
    • resultSerializer

      @Nullable private StorageSerializer<AuthenticationResult> resultSerializer
      Custom serializer for the results generated by this flow.
    • principalWeightMap

      @Nullable @NonnullElements private Map<Principal,​Integer> principalWeightMap
      Weighted sort oredering of custom Principals produced by flow(s).
    • principalServiceManager

      @Nullable private PrincipalServiceManager principalServiceManager
      Access to principal services.
    • subjectDecorator

      @Nullable private BiConsumer<ProfileRequestContext,​Subject> subjectDecorator
      Customizes subject prior to triggering subject canonicalization.
  • Constructor Details

    • AuthenticationFlowDescriptor

      public AuthenticationFlowDescriptor()
      Constructor.
  • Method Details

    • getOrder

      public int getOrder()
      Specified by:
      getOrder in interface Ordered
    • setOrder

      public void setOrder​(int priority)
      Set the order/priority value for the bean.
      Parameters:
      priority - priority value
    • isNonBrowserSupported

      public boolean isNonBrowserSupported()
      Get whether this flow supports non-browser clients.
      Returns:
      whether this flow supports non-browser clients
    • setNonBrowserSupported

      public void setNonBrowserSupported​(boolean isSupported)
      Set whether this flow supports non-browser clients.
      Parameters:
      isSupported - whether this flow supports non-browser clients
    • isPassiveAuthenticationSupported

      public boolean isPassiveAuthenticationSupported()
      Get whether this flow supports passive authentication.
      Returns:
      whether this flow supports passive authentication
    • setPassiveAuthenticationSupported

      public void setPassiveAuthenticationSupported​(boolean isSupported)
      Set whether this flow supports passive authentication.
      Parameters:
      isSupported - whether this flow supports passive authentication
    • isForcedAuthenticationSupported

      public boolean isForcedAuthenticationSupported()
      Get whether this flow supports forced authentication.
      Returns:
      whether this flow supports forced authentication
    • setForcedAuthenticationSupported

      public void setForcedAuthenticationSupported​(boolean isSupported)
      Set whether this flow supports forced authentication.
      Parameters:
      isSupported - whether this flow supports forced authentication.
    • isProxyRestrictionsEnforced

      public boolean isProxyRestrictionsEnforced()
      Gets whether this flow's results should honor restrictions on proxying toward RPs.
      Returns:
      true iff proxying restrictions issued by IdPs should be honored
      Since:
      4.0.0
    • setProxyRestrictionsEnforced

      public void setProxyRestrictionsEnforced​(boolean flag)
      Sets whether this flow's results should honor restrictions on proxying toward RPs

      Defaults to true.

      Parameters:
      flag - flag to set
      Since:
      4.0.0
    • isProxyScopingEnforced

      public boolean isProxyScopingEnforced()
      Gets whether this flow's results should honor restrictions on proxying toward IdPs.
      Returns:
      true iff proxying restrictions issued by RPs should be honored
      Since:
      4.0.0
    • setProxyScopingEnforced

      public void setProxyScopingEnforced​(boolean flag)
      Sets whether this flow's results should honor restrictions on proxying toward IdPs.

      Defaults to false. Should be enabled for flows that represent proxied authentication.

      Parameters:
      flag - flag to set
      Since:
      4.0.0
    • isDiscoveryRequired

      public boolean isDiscoveryRequired()
      Gets whether to invoke discovery subflow if AuthenticationContext.getAuthenticatingAuthority() is null.
      Returns:
      whether to invoke discovery
      Since:
      4.0.0
    • setDiscoveryRequired

      public void setDiscoveryRequired​(boolean flag)
      Sets whether to invoke discovery subflow if AuthenticationContext.getAuthenticatingAuthority() is null.

      Defaults to false.

      Parameters:
      flag - flag to set
      Since:
      4.0.0
    • getReuseCondition

      @Nonnull public Predicate<ProfileRequestContext> getReuseCondition()
      Get condition controlling whether results from this flow should be reused for SSO.
      Returns:
      condition
      Since:
      4.0.1
    • setReuseCondition

      public void setReuseCondition​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set condition controlling whether results from this flow should be reused for SSO.

      Defaults to a built-in condition that applies SP-imposed proxying rules on hop count when the flow is configured to enforce this.

      Parameters:
      condition - condition to set
      Since:
      3.4.0
    • getSubjectDecorator

      @Nullable public BiConsumer<ProfileRequestContext,​Subject> getSubjectDecorator()
      Gets a subject decorating component called prior to completing authentication and passing control to subject canonicalization.
      Returns:
      subject decorator
      Since:
      4.1.0
    • setSubjectDecorator

      public void setSubjectDecorator​(@Nullable BiConsumer<ProfileRequestContext,​Subject> decorator)
      Sets a subject decorating component called prior to completing authentication and passing control to subject canonicalization.
      Parameters:
      decorator -
      Since:
      4.1.0
    • getLifetime

      @Nullable public Duration getLifetime()
      Get the maximum amount of time, since first usage, a flow should be considered active. A null indicates that there is no upper limit on the lifetime on an active flow.
      Returns:
      maximum amount of time a flow should be considered active
    • setLifetime

      public void setLifetime​(@Nullable Duration flowLifetime)
      Set the maximum amount of time, since first usage, a flow should be considered active. A null value indicates that there is no upper limit on the lifetime on an active flow.
      Parameters:
      flowLifetime - the lifetime for the flow
    • getInactivityTimeout

      @Nonnull public Duration getInactivityTimeout()
      Get the maximum amount of time, since the last usage, a flow should be considered active.

      Defaults to 30 minutes.

      Returns:
      the duration
    • setInactivityTimeout

      public void setInactivityTimeout​(@Nonnull Duration timeout)
      Set the maximum amount of time, since the last usage, a flow should be considered active.
      Parameters:
      timeout - the flow inactivity timeout, must be greater than zero
    • isResultActive

      public boolean isResultActive​(@Nonnull AuthenticationResult result)
      Check if a result generated by this flow is still active.
      Parameters:
      result - AuthenticationResult to check
      Returns:
      true iff the result remains valid
    • getSupportedPrincipals

      @Nonnull @NonnullElements @Unmodifiable public <T extends Principal> Set<T> getSupportedPrincipals​(@Nonnull Class<T> c)
      Get an immutable set of supported custom principals that the component produces, supports, contains, etc.
      Specified by:
      getSupportedPrincipals in interface PrincipalSupportingComponent
      Type Parameters:
      T - type of Principal to inquire on
      Parameters:
      c - type of Principal to inquire on
      Returns:
      a set of matching principals
    • getSupportedPrincipals

      @Nonnull @NonnullElements public Collection<Principal> getSupportedPrincipals()
      Get a collection of supported non-user-specific principals that the flow may produce when it operates.

      The Collection.remove(java.lang.Object) method is not supported.

      Returns:
      a live collection of supported principals
    • setSupportedPrincipals

      public void setSupportedPrincipals​(@Nonnull @NonnullElements Collection<Principal> principals)
      Set supported non-user-specific principals that the flow may produce when it operates.
      Parameters:
      principals - supported principals to add
    • setSupportedPrincipalsByString

      public void setSupportedPrincipalsByString​(@Nonnull @NonnullElements Collection<String> principals)
      Set supported non-user-specific principals that the flow may produce when it operates.

      The principals must be prefixed by the ID of the relevant PrincipalService followed by a '/'.

      Setting an empty list will leave any existing set unchanged. This is primarily provided to allow property-based override of an XML-based collection established with the previous method.

      Parameters:
      principals - supported principals to add
      Since:
      4.1.0
    • setActivationCondition

      public void setActivationCondition​(@Nonnull Predicate<ProfileRequestContext> condition)
      Set the activation condition in the form of a Predicate such that iff the condition evaluates to true should the corresponding flow be allowed/possible.
      Parameters:
      condition - predicate that controls activation of the flow
    • test

      public boolean test​(@Nullable ProfileRequestContext input)
      Specified by:
      test in interface Predicate<ProfileRequestContext>
    • setResultSerializer

      public void setResultSerializer​(@Nonnull StorageSerializer<AuthenticationResult> serializer)
      Set a custom serializer for results produced by this flow.
      Parameters:
      serializer - the custom serializer
    • setPrincipalWeightMap

      public void setPrincipalWeightMap​(@Nullable @NonnullElements Map<Principal,​Integer> map)
      Set the map of Principals to weight values to impose a sort order on any matching Principals found in the authentication result.

      This was moved from a stand-alone bean into the descriptor beans in order to eliminate stand-alone beans from the flow descriptor configuration files(s).

      Parameters:
      map - map to set
      Since:
      4.0.0
    • setPrincipalServiceManager

      public void setPrincipalServiceManager​(@Nullable PrincipalServiceManager manager)
      Sets a PrincipalServiceManager to use for string-based principal processing.
      Parameters:
      manager - manager to set
      Since:
      4.0.1
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractIdentifiedInitializableComponent
      Throws:
      ComponentInitializationException
    • newAuthenticationResult

      @Nonnull public AuthenticationResult newAuthenticationResult​(@Nonnull Subject subject)
      Creates a new instance of a compatible AuthenticationResult for use with the corresponding flow.
      Parameters:
      subject - the subject for the result
      Returns:
      the new result
    • serialize

      @Nonnull @NotEmpty public String serialize​(@Nonnull AuthenticationResult instance) throws IOException
      Specified by:
      serialize in interface StorageSerializer<AuthenticationResult>
      Throws:
      IOException
    • deserialize

      @Nonnull public AuthenticationResult deserialize​(long version, @Nonnull @NotEmpty String context, @Nonnull @NotEmpty String key, @Nonnull @NotEmpty String value, @Nonnull Long expiration) throws IOException
      Specified by:
      deserialize in interface StorageSerializer<AuthenticationResult>
      Throws:
      IOException
    • getHighestWeighted

      @Nullable public <T extends Principal> T getHighestWeighted​(@Nonnull @NonnullElements Collection<T> principals)
      Apply the current weighted map to find the highest-weighted object amongst the inputs.
      Type Parameters:
      T - principal type
      Parameters:
      principals - input collection
      Returns:
      the highest weighted as governed by the map set via setPrincipalWeightMap(Map)
      Since:
      4.0.0
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • equals

      public boolean equals​(Object obj)
      Overrides:
      equals in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object