Class ValidateExternalAuthentication

All Implemented Interfaces:
PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateExternalAuthentication extends AbstractAuditingValidationAction
An action that checks for an ExternalAuthenticationContext and directly produces an AuthenticationResult or records error state based on the contents.
Event:
EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_AUTHN_CTX, AuthnEventIds.AUTHN_EXCEPTION, AuthnEventIds.NO_CREDENTIALS
Precondition:
ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null
Postcondition:
If AuthenticationContext.getSubcontext(ExternalAuthenticationContext.class) != null, then an AuthenticationResult is saved to the AuthenticationContext on a successful login. On a failed login, the AbstractValidationAction.handleError(ProfileRequestContext, AuthenticationContext, Exception, String) method is called.
  • Field Details

    • DEFAULT_METRIC_NAME

      @Nonnull @NotEmpty private static final String DEFAULT_METRIC_NAME
      Default prefix for metrics.
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • attributeFilterService

      @Nullable private ReloadableService<AttributeFilter> attributeFilterService
      Service used to get the engine used to filter attributes.
    • metadataResolver

      @Nullable private MetadataResolver metadataResolver
      Optional supplemental metadata source for filtering.
    • matchExpression

      @Nullable private Pattern matchExpression
      A regular expression to apply for acceptance testing.
    • extContext

      @Nullable private ExternalAuthenticationContext extContext
      Context containing the result to validate.
    • attributeContext

      @Nullable private AttributeContext attributeContext
      Context for externally supplied inbound attributes.
  • Constructor Details

    • ValidateExternalAuthentication

      public ValidateExternalAuthentication()
      Constructor.
    • ValidateExternalAuthentication

      public ValidateExternalAuthentication(@Nullable ReloadableService<AttributeFilter> filterService)
      Constructor.
      Parameters:
      filterService - optional filter service for inbound attributes
      Since:
      4.0.0
  • Method Details

    • setMatchExpression

      public void setMatchExpression(@Nullable Pattern expression)
      Set a matching expression to apply for username acceptance.
      Parameters:
      expression - a matching expression
    • setMetadataResolver

      public void setMetadataResolver(@Nullable MetadataResolver resolver)
      Set a metadata source to use during filtering.
      Parameters:
      resolver - metadata resolver
      Since:
      4.0.0
    • doPreExecute

      protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action's pre-execute step. Default implementation just returns true.
      Overrides:
      doPreExecute in class AbstractValidationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
      Returns:
      true iff execution should continue
    • doExecute

      protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext)
      Performs this authentication action. Default implementation throws an exception.
      Overrides:
      doExecute in class AbstractAuthenticationAction
      Parameters:
      profileRequestContext - the current IdP profile request context
      authenticationContext - the current authentication context
    • populateSubject

      @Nonnull protected Subject populateSubject(@Nonnull Subject subject)
      Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

      Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

      Specified by:
      populateSubject in class AbstractValidationAction
      Parameters:
      subject - subject to populate
      Returns:
      the input subject
    • checkUsername

      private boolean checkUsername(@Nonnull Subject subject)
      Validate the username if necessary.
      Parameters:
      subject - subject containing a UsernamePrincipal to check
      Returns:
      true iff the username is acceptable
    • getUsername

      @Nullable private String getUsername(@Nonnull Subject subject)
      Get the username from a UsernamePrincipal inside the subject.
      Parameters:
      subject - input subject
      Returns:
      username, or null
    • getAuditFields

      @Nullable protected Map<String,String> getAuditFields(@Nonnull ProfileRequestContext profileRequestContext)
      Subclasses can override this method to supply additional audit fields to store.
      Overrides:
      getAuditFields in class AbstractAuditingValidationAction
      Parameters:
      profileRequestContext - profile request context
      Returns:
      audit fields
    • filterAttributes

      private void filterAttributes()
      Check for inbound attributes and apply filtering.
    • populateFilterContext

      private void populateFilterContext(@Nonnull AttributeFilterContext filterContext)
      Fill in the filter context data.

      This is a minimally populated context: little is set apart from, possibly, the issuer, which is derived from the AuthenticationAuthorities data.

      Parameters:
      filterContext - context to populate
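The username acceptance step described under setMatchExpression, checkUsername and getUsername, written out as an added, self-contained illustration (not the IdP's own code): the UsernamePrincipal class here is a stand-in for the IdP's, and whole-string matching of the expression is an assumption of this demo.

```java
import java.security.Principal;
import java.util.regex.Pattern;
import javax.security.auth.Subject;

public final class UsernameAcceptanceDemo {

    /** Stand-in for the IdP's UsernamePrincipal (hypothetical, for this demo only). */
    public static final class UsernamePrincipal implements Principal {
        private final String name;
        public UsernamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Mirrors getUsername: the first UsernamePrincipal found in the Subject, or null. */
    static String getUsername(Subject subject) {
        for (UsernamePrincipal p : subject.getPrincipals(UsernamePrincipal.class)) {
            return p.getName();
        }
        return null;
    }

    /**
     * Mirrors checkUsername: with no expression configured there is nothing to test;
     * otherwise the entire username must satisfy the expression (assumption of this demo).
     * A Subject without a UsernamePrincipal is treated as unacceptable rather than accepted by default.
     */
    static boolean checkUsername(Pattern matchExpression, Subject subject) {
        if (matchExpression == null) {
            return true;
        }
        String username = getUsername(subject);
        if (username == null) {
            return false;
        }
        // matcher().matches() anchors at both ends, so a longer name with a trailing suffix fails.
        return matchExpression.matcher(username).matches();
    }

    static Subject subjectFor(String username) {
        Subject s = new Subject();
        s.getPrincipals().add(new UsernamePrincipal(username));
        return s;
    }

    public static void main(String[] args) {
        // Constructed example: accept only usernames scoped to example.org.
        Pattern scoped = Pattern.compile("[a-z0-9._-]+@example\\.org");
        System.out.println(checkUsername(scoped, subjectFor("alice@example.org")));
        System.out.println(checkUsername(scoped, subjectFor("alice@example.org.example.net")));
        System.out.println(checkUsername(scoped, new Subject()));
        System.out.println(checkUsername(null, new Subject()));
    }
}
```

The second and third calls show the two rejection cases: a name that only partially matches, and a Subject carrying no UsernamePrincipal at all.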