Package net.shibboleth.idp.cas.proxy.impl

Class HttpClientProxyValidator

java.lang.Object
net.shibboleth.idp.cas.proxy.impl.HttpClientProxyValidator
All Implemented Interfaces:
ProxyValidator
public class HttpClientProxyValidator extends Object implements ProxyValidator
Authenticates a CAS proxy callback endpoint using an HttpClient instance to establish the connection and a TrustEngine to verify the TLS certificate presented by the remote peer. The endpoint is validated if and only if the following requirements are met:
  1. Proxy callback URI specifies the https scheme.
  2. The TLS certificate presented by the remote peer is trusted.
  3. The HTTP response status code is approved via setAllowedResponseCodes(Set) (only 200 by default).

  • Field Details

    • HTTPS_SCHEME

      @Nonnull @NotEmpty protected static final String HTTPS_SCHEME
      Required https scheme for proxy callbacks.
      See Also:

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • serviceCtxLookupFunction

      @Nonnull private final Function<ProfileRequestContext,ServiceContext> serviceCtxLookupFunction
      Looks up a ServiceContext from the profile request context.

    • httpClient

      @Nonnull private final org.apache.http.client.HttpClient httpClient
      HTTP client that connects to proxy callback endpoint.

    • securityParameters

      @Nonnull private final HttpClientSecurityParameters securityParameters
      HTTP client security parameters.

    • allowedResponseCodes

      @NotEmpty @NonnullElements private Set<Integer> allowedResponseCodes
      List of HTTP response codes permitted for successful proxy callback.

  • Constructor Details

    • HttpClientProxyValidator

      public HttpClientProxyValidator(@Nonnull org.apache.http.client.HttpClient client, @Nonnull HttpClientSecurityParameters parameters)
      Constructor.
      Parameters:
      client - HttpClient to use
      parameters - security parameters for client

  • Method Details

    • setAllowedResponseCodes

      public void setAllowedResponseCodes(@NotEmpty @NonnullElements Set<Integer> responseCodes)
      Sets the HTTP response codes permitted for successful authentication of the proxy callback URL.
      Parameters:
      responseCodes - One or more HTTP response codes.

    • validate

      public void validate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull URI proxyCallbackUri) throws GeneralSecurityException
      Validates the proxy callback endpoint.
      Specified by:
      validate in interface ProxyValidator
      Parameters:
      profileRequestContext - Profile request context.
      proxyCallbackUri - Proxy callback URI to validate.
      Throws:
      GeneralSecurityException - On validation failure.

    • connect

      protected int connect(@Nonnull URI uri, @Nonnull Service service) throws GeneralSecurityException
      Connect to the given CAS proxy callback endpoint and return the HTTP response code. TLS peer certificate validation is an essential security aspect of establishing the connection.
      Parameters:
      uri - CAS proxy callback URI to connect to.
      service - CAS service requesting the connection.
      Returns:
      HTTP response code.
      Throws:
      GeneralSecurityException - On connection errors, e.g. invalid/untrusted cert.

    • setCASTLSTrustEngineCriteria

      private static void setCASTLSTrustEngineCriteria(org.apache.http.client.protocol.HttpClientContext context, URI requestUri, Service service)
      Install TLS trust criteria.
      Parameters:
      context - client context
      requestUri - URI to obtain hostname
      service - CAS service