Class ValidateX509Certificate

All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateX509Certificate
extends AbstractValidationAction
An action that checks for a CertificateContext containing X509Certificate objects, and directly produces an AuthenticationResult based on that identity, after optionally validating the certificate(s) against a TrustEngine.
Event:
EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null
Postcondition:
If AuthenticationContext.getSubcontext(CertificateContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext on a successful validation. On a failure, the AbstractValidationAction.handleError(ProfileRequestContext, AuthenticationContext, Exception, String) method is called.
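The flow the description above outlines, as an added example written against plain JDK APIs rather than the IdP's own classes: PKIX path validation stands in for the optional TrustEngine, an empty chain corresponds to the no-credentials case, and the Subject is filled the way the saveCertificateToCredentialSet flag describes. The class and helper names, the two PEM file arguments and the disabled revocation check are assumptions made for this illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.Subject;

/** Illustrative stand-in for ValidateX509Certificate using only JDK classes (not IdP code). */
public final class X509ValidationExample {
    /** Plays the role of the optional TrustEngine: PKIX path validation against fixed anchors. */
    static boolean trusted(List<X509Certificate> chain, Set<TrustAnchor> anchors) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // demo assumption; enable CRL/OCSP checking in production
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            return false; // the action would signal AuthnEventIds.INVALID_CREDENTIALS here
        }
    }
    /** Mirrors populateSubject: subject DN as the Principal, optionally the cert as a public credential. */
    static Subject populateSubject(X509Certificate endEntity, boolean saveCertificateToCredentialSet) {
        Subject subject = new Subject();
        subject.getPrincipals().add(endEntity.getSubjectX500Principal());
        if (saveCertificateToCredentialSet) {
            subject.getPublicCredentials().add(endEntity);
        }
        return subject;
    }
    /** Empty chain maps to NO_CREDENTIALS; a null anchor set skips validation, like a null trustEngine. */
    static Optional<Subject> validate(List<X509Certificate> chain, Set<TrustAnchor> anchors, boolean saveCert) {
        if (chain == null || chain.isEmpty() || (anchors != null && !trusted(chain, anchors))) {
            return Optional.empty();
        }
        return Optional.of(populateSubject(chain.get(0), saveCert));
    }
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509"); // args: chain PEM (end entity first), CA PEM
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[1])) { ca = (X509Certificate) cf.generateCertificate(in); }
        Optional<Subject> result = validate(chain, Set.of(new TrustAnchor(ca, null)), true);
        System.out.println(result.map(s -> "PROCEED " + s.getPrincipals()).orElse("INVALID_CREDENTIALS"));
    }
}
```

The chain file should list the end-entity certificate first and exclude the anchor itself, which is supplied separately as the second argument.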
  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
      See Also:
      Constant Field Values
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • trustEngine

      @Nullable private TrustEngine<? super X509Credential> trustEngine
      Optional trust engine to validate certificates against.
    • certContext

      @Nullable private CertificateContext certContext
      CertificateContext containing the credentials to validate.
    • saveCertificateToCredentialSet

      private boolean saveCertificateToCredentialSet
      Whether to save the certificate in the Java Subject's public credentials.
  • Constructor Details

    • ValidateX509Certificate

      public ValidateX509Certificate()
      Constructor.
  • Method Details

    • setTrustEngine

      public void setTrustEngine(@Nullable TrustEngine<? super X509Credential> tm)
      Set a TrustEngine to use.
      Parameters:
      tm - trust engine to use
    • setSaveCertificateToCredentialSet

      public void setSaveCertificateToCredentialSet(boolean flag)
      Set whether to save the certificate in the Java Subject's public credentials.

      Defaults to true.

      Parameters:
      flag - flag to set
      Since:
      4.1.0
    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue
    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject