Package net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class AddDelegationRestrictionToAssertions

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
org.opensaml.profile.action.AbstractProfileAction
org.opensaml.profile.action.AbstractConditionalProfileAction
net.shibboleth.idp.profile.AbstractProfileAction
net.shibboleth.idp.saml.saml2.profile.delegation.impl.AddDelegationRestrictionToAssertions
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action
public class AddDelegationRestrictionToAssertions extends AbstractProfileAction
Action which adds a DelegationRestrictionType Condition to each Assertion contained within the outbound Response.

If the inbound assertion token specified in LibertySSOSContext contains an existing DelegationRestrictionType condition, it is cloned, and the current SAML presenter entityID is added as a new Delegate. Otherwise a new instance of DelegationRestrictionType is created and a single new Delegate added.

In both cases the new delegate entityID is obtained from the SAMLPresenterEntityContext located using the corresponding lookup function. The new delegate is augmented with the SAML subject confirmation method obtained from the current LibertySSOSContext.

Event:
EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • responseLookupStrategy

      @Nonnull private Function<ProfileRequestContext,Response> responseLookupStrategy
      Strategy used to locate the Response to operate on.

    • presenterContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,SAMLPresenterEntityContext> presenterContextLookupStrategy
      Strategy used to locate the SAMLPresenterEntityContext.

    • libertyContextLookupStrategy

      @Nonnull private Function<ProfileRequestContext,LibertySSOSContext> libertyContextLookupStrategy
      Function used to resolve the Liberty context to populate.

    • assertions

      @Nullable private List<Assertion> assertions
      List of assertions to modify.

    • attestedAssertion

      @Nullable private Assertion attestedAssertion
      The delegated Assertion that was attested.

    • attestedSubjectConfirmationMethod

      @Nullable private String attestedSubjectConfirmationMethod
      The subject confirmation method successfully used to confirm the assertion by the presenter.

    • presenterEntityID

      @Nullable private String presenterEntityID
      The presenting entity which successfully attested the Assertion token.

    • delegationInstant

      @Nullable private Instant delegationInstant
      The instant of delegation.

  • Constructor Details

    • AddDelegationRestrictionToAssertions

      public AddDelegationRestrictionToAssertions()
      Constructor.

  • Method Details

    • setLibertyContextLookupStrategy

      public void setLibertyContextLookupStrategy(@Nonnull Function<ProfileRequestContext,LibertySSOSContext> strategy)
      Set the strategy used to locate the LibertySSOSContext to populate.
      Parameters:
      strategy - lookup strategy

    • setResponseLookupStrategy

      public void setResponseLookupStrategy(@Nonnull Function<ProfileRequestContext,Response> strategy)
      Set the strategy used to locate the Response to operate on.
      Parameters:
      strategy - lookup strategy

    • setPresenterLookupStrategy

      public void setPresenterLookupStrategy(@Nonnull Function<ProfileRequestContext,SAMLPresenterEntityContext> strategy)
      Set the strategy used to locate the SAMLPresenterEntityContext.
      Parameters:
      strategy - lookup strategy

    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doPreExecute in class AbstractConditionalProfileAction

    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext)
      Overrides:
      doExecute in class AbstractProfileAction

    • addDelegationRestriction

      protected void addDelegationRestriction(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull Conditions conditions)
      Add a delegation restriction condition to the specified conditions.
      Parameters:
      profileRequestContext - the current profile request context
      conditions - the conditions instance to modify

    • buildDelegationRestriction

      @Nullable protected DelegationRestrictionType buildDelegationRestriction(@Nonnull ProfileRequestContext profileRequestContext)
      Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.
      Parameters:
      profileRequestContext - the current profile request context
      Returns:
      new DelegationRestrictionType Condition, or null if the condition could not be build

    • getDelegationRestrictionCondition

      @Nullable protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable Conditions conditions)
      Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
      Parameters:
      conditions - the Assertion Conditions to process
      Returns:
      the DelegationRestrictionType Condition object, or null if not present

    • buildDelegate

      @Nonnull protected Delegate buildDelegate(@Nonnull ProfileRequestContext profileRequestContext)
      Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.
      Parameters:
      profileRequestContext - the
      Returns:
      the new Delegate instance