Package net.shibboleth.idp.cas.service.impl

Class MetadataServiceRegistry

java.lang.Object

net.shibboleth.idp.cas.service.impl.MetadataServiceRegistry

All Implemented Interfaces:

ServiceRegistry

public class MetadataServiceRegistry
extends Object
implements ServiceRegistry

CAS service registry implementation that queries SAML metadata for a CAS service given a CAS service URL using the following strategy. A MetadataResolver is queried for an EntityDescriptor that meets the following criteria:

1. Defines https://www.apereo.org/cas/protocol in the protocolSupportEnumeration attribute of an SPSSODescriptor element.
2. Defines an AssertionConsumerService element where the Binding URI is "https://www.apereo.org/cas/protocol/login".
3. Matching AssertionConsumerService element also defines a Location attribute where the given service URL starts with the ACS location.

If a single match is found, it is converted to a Service and returned; if more than result is found, a ResolverException is raised, otherwise null is returned.

Two additional aspects of a CAS service may be specified in metadata:

1. allowedToProxy - True if there is an AssertionConsumerService element with a binding of "https://www.apereo.org/cas/protocol/proxy", false otherwise.
2. singleLogoutParticipant - True if there is a SingleLogoutService element with a binding of "https://www.apereo.org/cas/protocol/logout" and a location of "urn:mace:shibboleth:profile:CAS:logout", false otherwise.

See the SAML metadata profile for CAS for the full specification.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	MetadataServiceRegistry.LoginEndpointPredicate	Predicate defines CAS login endpoints so that the metadata index on endpoints can be scoped to the smallest set needed to support CAS entities in SAML metadata.

Field Summary

Fields

Modifier and Type	Field	Description
private final org.slf4j.Logger	log	Class logger.
static final String	LOGIN_BINDING	URI identifying an ACS endpoint that requests CAS service tickets.
static final String	LOGOUT_BINDING	URI identifying a CAS SLO endpoint.
static final String	LOGOUT_LOCATION	URN marking that SLO endpoint is dynamic based on service ticket URL.
private final RoleDescriptorResolver	metadataResolver	SAML metadata resolver.
static final String	PROXY_BINDING	URI identifying a CAS proxy callback endoint.

Constructor Summary

Constructors

Constructor	Description
MetadataServiceRegistry(RoleDescriptorResolver resolver)	Create a new instance that queries the given metadata resolver.

Method Summary

Modifier and Type	Method	Description
protected Service	create(String serviceURL, SPSSODescriptor role)	Create a CAS Service from an input service URL and the matching RoleDescriptor that was resolved from the metadata source.
protected CriteriaSet	criteria(String serviceURL)	Create the set of criteria used to find a unique CAS service given a CAS service URL.
private boolean	hasSingleLogoutService(SPSSODescriptor role)	Checks if the EntityDescriptor has an SLO endpoint.
private boolean	isAuthorizedToProxy(SPSSODescriptor role)	Checks if the EntityDescriptor have a PROXY_BINDING acs.
Service	lookup(String serviceURL)	Looks up a service entry from a service URL.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOGIN_BINDING

public static final String LOGIN_BINDING

URI identifying an ACS endpoint that requests CAS service tickets.

See Also:

• Constant Field Values

LOGOUT_BINDING

public static final String LOGOUT_BINDING

URI identifying a CAS SLO endpoint.

See Also:

• Constant Field Values

LOGOUT_LOCATION

public static final String LOGOUT_LOCATION

URN marking that SLO endpoint is dynamic based on service ticket URL.

See Also:

• Constant Field Values

PROXY_BINDING

public static final String PROXY_BINDING

URI identifying a CAS proxy callback endoint.

See Also:

• Constant Field Values

log

private final org.slf4j.Logger log

Class logger.

metadataResolver

@Nonnull
private final RoleDescriptorResolver metadataResolver

SAML metadata resolver.

Constructor Details

MetadataServiceRegistry

public MetadataServiceRegistry(@Nonnull @ParameterName(name="resolver")
 RoleDescriptorResolver resolver)

Create a new instance that queries the given metadata resolver.

Parameters:

resolver - SAML metadata resolver.

Method Details

lookup

@Nullable
public Service lookup(@Nonnull
 String serviceURL)

Description copied from interface: ServiceRegistry

Looks up a service entry from a service URL.

Specified by:

lookup in interface ServiceRegistry

Parameters:

serviceURL - Non-null CAS service URL.

Returns:

Service found in registry or null if no match found.

criteria

@Nonnull
protected CriteriaSet criteria(@Nonnull
 String serviceURL)

Create the set of criteria used to find a unique CAS service given a CAS service URL.

Parameters:

serviceURL - CAS service URL.

Returns:

Metadata resolver criteria set.

create

@Nonnull
protected Service create(@Nonnull
 String serviceURL,
 @Nonnull
 SPSSODescriptor role)

Create a CAS Service from an input service URL and the matching RoleDescriptor that was resolved from the metadata source.

Parameters:

serviceURL - CAS service URL.

role - resolved from metadata.

Returns:

CAS service created from inputs.

isAuthorizedToProxy

private boolean isAuthorizedToProxy(@Nonnull
 SPSSODescriptor role)

Checks if the EntityDescriptor have a PROXY_BINDING acs.

Parameters:

role - what to look at

Returns:

whether is is authorized to proxy

hasSingleLogoutService

private boolean hasSingleLogoutService(@Nonnull
 SPSSODescriptor role)

Checks if the EntityDescriptor has an SLO endpoint.

Parameters:

role - what to look at

Returns:

whether it has an SLO endpoint