Package net.shibboleth.idp.authn.impl

Class ValidateRemoteUser

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.authn.AbstractAuthenticationAction

net.shibboleth.idp.authn.AbstractValidationAction

net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction

net.shibboleth.idp.authn.impl.ValidateRemoteUser

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class ValidateRemoteUser
extends AbstractAuditingValidationAction

An action that checks for a UsernameContext and directly produces an AuthenticationResult based on that identity.

Various optional properties are supported to control the validation process.

Event:

EventIds.PROCEED_EVENT_ID, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class, false).getAttemptedFlow() != null

Postcondition:

If AuthenticationContext.getSubcontext(UsernameContext.class, false).getUsername() != null, then an AuthenticationResult is saved to the AuthenticationContext.

Field Summary

Fields

Modifier and Type	Field	Description
private Set<String>	allowedUsernames	Usernames to accept.
private static final String	DEFAULT_METRIC_NAME	Default prefix for metrics.
private Set<String>	deniedUsernames	Usernames to deny.
private final org.slf4j.Logger	log	Class logger.
private Pattern	matchExpression	A regular expression to apply for acceptance testing.
private UsernameContext	usernameContext	Username context identifying identity to validate.

Constructor Summary

Constructors

Constructor	Description
ValidateRemoteUser()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)	Performs this authentication action.
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext)	Performs this authentication action's pre-execute step.
private boolean	isAuthenticated(String username)	Check whitelist, blacklist, and matching expression for acceptance.
protected Subject	populateSubject(Subject subject)	Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
void	setAllowedUsernames(Collection<String> allowed)	Set the allowed usernames.
void	setDeniedUsernames(Collection<String> denied)	Set the denied usernames.
void	setMatchExpression(Pattern expression)	Set a matching expression to apply for acceptance.

Methods inherited from class net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction

doAudit, doExecute, getAuditContext, getAuditFields, recordFailure, recordSuccess, setAuditContextCreationStrategy, setPopulateAuditContextAction, setWriteAuditLogAction

Methods inherited from class net.shibboleth.idp.authn.AbstractValidationAction

addDefaultPrincipals, buildAuthenticationResult, getClassifiedErrors, getCleanupHook, getMetricName, getRequesterLookupStrategy, getResponderLookupStrategy, getResultCachingPredicate, getSubject, getSupportedPrincipals, handleError, handleError, handleWarning, recordFailure, recordSuccess, setAddDefaultPrincipals, setClassifiedMessages, setCleanupHook, setMetricName, setRequesterLookupStrategy, setResponderLookupStrategy, setResultCachingPredicate, setSupportedPrincipals

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doPreExecute, setAuthenticationContextLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

execute, getBean, getBean, getMessage, getMessage, getMessage, getParameter, getParameter, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletRequestSupplier, getHttpServletResponse, getHttpServletResponseSupplier, getLogPrefix, setHttpServletRequest, setHttpServletRequestSupplier, setHttpServletResponse, setHttpServletResponseSupplier

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Details

DEFAULT_METRIC_NAME

@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME

Default prefix for metrics.

See Also:

• Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

allowedUsernames

@Nonnull
@NonnullElements
private Set<String> allowedUsernames

Usernames to accept.

deniedUsernames

@Nonnull
@NonnullElements
private Set<String> deniedUsernames

Usernames to deny.

matchExpression

@Nullable
private Pattern matchExpression

A regular expression to apply for acceptance testing.

usernameContext

@Nullable
private UsernameContext usernameContext

Username context identifying identity to validate.

Constructor Details

ValidateRemoteUser

public ValidateRemoteUser()

Constructor.

Method Details

setAllowedUsernames

public void setAllowedUsernames(@Nullable @NonnullElements
 Collection<String> allowed)

Set the allowed usernames.

Parameters:

allowed - usernames to allow

setDeniedUsernames

public void setDeniedUsernames(@Nullable @NonnullElements
 Collection<String> denied)

Set the denied usernames.

Parameters:

denied - usernames to deny

setMatchExpression

public void setMatchExpression(@Nullable
 Pattern expression)

Set a matching expression to apply for acceptance.

Parameters:

expression - a matching expression

doPreExecute

protected boolean doPreExecute(@Nonnull
 ProfileRequestContext profileRequestContext,
 @Nonnull
 AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step. Default implementation just returns true.

Overrides:

doPreExecute in class AbstractValidationAction

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

Returns:

true iff execution should continue

doExecute

protected void doExecute(@Nonnull
 ProfileRequestContext profileRequestContext,
 @Nonnull
 AuthenticationContext authenticationContext)

Performs this authentication action. Default implementation throws an exception.

Overrides:

doExecute in class AbstractAuthenticationAction

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

isAuthenticated

private boolean isAuthenticated(@Nonnull @NotEmpty
 String username)

Check whitelist, blacklist, and matching expression for acceptance.

Parameters:

username - the username to evaluate

Returns:

true iff the username is acceptable

populateSubject

@Nonnull
protected Subject populateSubject(@Nonnull
 Subject subject)

Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

Specified by:

populateSubject in class AbstractValidationAction

Parameters:

subject - subject to populate

Returns:

the input subject