net.shibboleth.idp.authn.impl.ValidateX509Certificate

All Implemented Interfaces:: PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateX509Certificate
extends AbstractValidationAction

An action that checks for a CertificateContext containing X509Certificate objects, and directly produces an AuthenticationResult based on that identity, after optionally validating the certificate(s) against a TrustEngine.

Event:

EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null

Postcondition:

If AuthenticationContext.getSubcontext(CertificateContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext on a successful validation. On a failure, the AbstractValidationAction.handleError(ProfileRequestContext, AuthenticationContext, Exception, String) method is called.

Field Summary

Fields
Modifier and Type	Field	Description
`private CertificateContext`	`certContext`	CertificateContext containing the credentials to validate.
`private static String`	`DEFAULT_METRIC_NAME`	Default prefix for metrics.
`private org.slf4j.Logger`	`log`	Class logger.
`private boolean`	`saveCertificateToCredentialSet`	Whether to save the certificate in the Java Subject's public credentials.
`private TrustEngine<? super X509Credential>`	`trustEngine`	Optional trust engine to validate certificates against.

Constructor Summary

Constructors

Constructor Description

ValidateX509Certificate()
Constructor.

Method Summary

Modifier and Type	Method	Description
`protected void`	`doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`	Performs this authentication action.
`protected boolean`	`doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)`	Performs this authentication action's pre-execute step.
`protected Subject`	`populateSubject(Subject subject)`	Subclasses must override this method to complete the population of the `Subject` with `Principal` and credential information based on the validation they perform.
`void`	`setSaveCertificateToCredentialSet(boolean flag)`	Set whether to save the certificate in the Java Subject's public credentials.
`void`	`setTrustEngine(TrustEngine<? super X509Credential> tm)`	Set a `TrustEngine` to use.

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

addDefaultPrincipals, buildAuthenticationResult, getClassifiedErrors, getCleanupHook, getMetricName, getRequesterLookupStrategy, getResponderLookupStrategy, getResultCachingPredicate, getSubject, getSupportedPrincipals, handleError, handleError, handleWarning, recordFailure, recordFailure, recordSuccess, recordSuccess, setAddDefaultPrincipals, setClassifiedMessages, setCleanupHook, setMetricName, setRequesterLookupStrategy, setResponderLookupStrategy, setResultCachingPredicate, setSupportedPrincipals

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Details
- DEFAULT_METRIC_NAME
  
  @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
  
  Default prefix for metrics.
  
  See Also:
  
  Constant Field Values
- log
  
  @Nonnull private final org.slf4j.Logger log
  
  Class logger.
- trustEngine
  
  @Nullable private TrustEngine<? super X509Credential> trustEngine
  
  Optional trust engine to validate certificates against.
- certContext
  
  @Nullable private CertificateContext certContext
  
  CertificateContext containing the credentials to validate.
- saveCertificateToCredentialSet
  
  private boolean saveCertificateToCredentialSet
  
  Whether to save the certificate in the Java Subject's public credentials.
Constructor Details
- ValidateX509Certificate
  
  public ValidateX509Certificate()
  
  Constructor.
Method Details
- setTrustEngine
  
  public void setTrustEngine(@Nullable TrustEngine<? super X509Credential> tm)
  
  Set a TrustEngine to use.
  
  Parameters:
  
  tm - trust engine to use
- setSaveCertificateToCredentialSet
  
  public void setSaveCertificateToCredentialSet(boolean flag)
  
  Set whether to save the certificate in the Java Subject's public credentials.
  Defaults to true
  
  Parameters:
  
  flag - flag to set
  
  Since:
  
  4.1.0
- doPreExecute
  
  protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action's pre-execute step. Default implementation just returns true.
  
  Overrides:
  
  doPreExecute in class AbstractValidationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context
  
  Returns:
  
  true iff execution should continue
- doExecute
  
  protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
  
  Performs this authentication action. Default implementation throws an exception.
  
  Overrides:
  
  doExecute in class AbstractAuthenticationAction
  
  Parameters:
  
  profileRequestContext - the current IdP profile request context
  
  authenticationContext - the current authentication context
- populateSubject
  
  @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
  
  Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
  Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.
  
  Specified by:
  
  populateSubject in class AbstractValidationAction
  
  Parameters:
  
  subject - subject to populate
  
  Returns:
  
  the input subject

Class ValidateX509Certificate

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

Field Details

DEFAULT_METRIC_NAME

log

trustEngine

certContext

saveCertificateToCredentialSet

Constructor Details

ValidateX509Certificate

Method Details

setTrustEngine

setSaveCertificateToCredentialSet

doPreExecute

doExecute

populateSubject