Class MetadataServiceRegistry

java.lang.Object
net.shibboleth.idp.cas.service.impl.MetadataServiceRegistry
All Implemented Interfaces:
ServiceRegistry

public class MetadataServiceRegistry
extends Object
implements ServiceRegistry
CAS service registry implementation that queries SAML metadata for a CAS service given a CAS service URL using the following strategy. A MetadataResolver is queried for an EntityDescriptor that meets the following criteria:
  1. Defines https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute of an SPSSODescriptor element.
  2. Defines an AssertionConsumerService element where the Binding URI is "https://www.apereo.org/cas/protocol/login".
  3. Matching AssertionConsumerService element also defines a Location attribute where the given service URL starts with the ACS location.
If a single match is found, it is converted to a Service and returned; if more than result is found, a ResolverException is raised, otherwise null is returned.

Two additional aspects of a CAS service may be specified in metadata:

  1. allowedToProxy - True if there is an AssertionConsumerService element with a binding of "https://www.apereo.org/cas/protocol/proxy", false otherwise.
  2. singleLogoutParticipant - True if there is a SingleLogoutService element with a binding of "https://www.apereo.org/cas/protocol/logout" and a location of "urn:mace:shibboleth:profile:CAS:logout", false otherwise.
See the SAML metadata profile for CAS for the full specification.
  • Field Details

    • LOGIN_BINDING

      public static final String LOGIN_BINDING
      URI identifying an ACS endpoint that requests CAS service tickets.
      See Also:
      Constant Field Values
    • LOGOUT_BINDING

      public static final String LOGOUT_BINDING
      URI identifying a CAS SLO endpoint.
      See Also:
      Constant Field Values
    • LOGOUT_LOCATION

      public static final String LOGOUT_LOCATION
      URN marking that SLO endpoint is dynamic based on service ticket URL.
      See Also:
      Constant Field Values
    • PROXY_BINDING

      public static final String PROXY_BINDING
      URI identifying a CAS proxy callback endoint.
      See Also:
      Constant Field Values
    • log

      private final org.slf4j.Logger log
      Class logger.
    • metadataResolver

      @Nonnull private final RoleDescriptorResolver metadataResolver
      SAML metadata resolver.
  • Constructor Details

    • MetadataServiceRegistry

      public MetadataServiceRegistry​(@Nonnull @ParameterName(name="resolver") RoleDescriptorResolver resolver)
      Create a new instance that queries the given metadata resolver.
      Parameters:
      resolver - SAML metadata resolver.
  • Method Details

    • lookup

      @Nullable public Service lookup​(@Nonnull String serviceURL)
      Description copied from interface: ServiceRegistry
      Looks up a service entry from a service URL.
      Specified by:
      lookup in interface ServiceRegistry
      Parameters:
      serviceURL - Non-null CAS service URL.
      Returns:
      Service found in registry or null if no match found.
    • criteria

      @Nonnull protected CriteriaSet criteria​(@Nonnull String serviceURL)
      Create the set of criteria used to find a unique CAS service given a CAS service URL.
      Parameters:
      serviceURL - CAS service URL.
      Returns:
      Metadata resolver criteria set.
    • create

      @Nonnull protected Service create​(@Nonnull String serviceURL, @Nonnull SPSSODescriptor role)
      Create a CAS Service from an input service URL and the matching RoleDescriptor that was resolved from the metadata source.
      Parameters:
      serviceURL - CAS service URL.
      role - resolved from metadata.
      Returns:
      CAS service created from inputs.
    • isAuthorizedToProxy

      private boolean isAuthorizedToProxy​(@Nonnull SPSSODescriptor role)
      Checks if the EntityDescriptor have a PROXY_BINDING acs.
      Parameters:
      role - what to look at
      Returns:
      whether is is authorized to proxy
    • hasSingleLogoutService

      private boolean hasSingleLogoutService​(@Nonnull SPSSODescriptor role)
      Checks if the EntityDescriptor has an SLO endpoint.
      Parameters:
      role - what to look at
      Returns:
      whether it has an SLO endpoint