Class BaseSAMLSimpleSignatureSecurityHandler

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, MessageHandler
Direct Known Subclasses:
SAML2HTTPPostSimpleSignSecurityHandler, SAML2HTTPRedirectDeflateSignatureSecurityHandler

public abstract class BaseSAMLSimpleSignatureSecurityHandler
extends AbstractMessageHandler
Base class for security-oriented message handlers which verify simple "blob" signatures computed over some components of a request.
  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Logger.
    • httpServletRequest

      @NonnullAfterInit private javax.servlet.http.HttpServletRequest httpServletRequest
      The HttpServletRequest being processed.
    • peerContext

      @Nullable private SAMLPeerEntityContext peerContext
      The context representing the SAML peer entity.
    • samlProtocolContext

      @Nullable private SAMLProtocolContext samlProtocolContext
      The SAML protocol context in operation.
    • trustEngine

      @Nullable private SignatureTrustEngine trustEngine
      Signature trust engine used to validate raw signatures.
  • Constructor Details

    • BaseSAMLSimpleSignatureSecurityHandler

      public BaseSAMLSimpleSignatureSecurityHandler()
  • Method Details

    • getTrustEngine

      @Nullable protected SignatureTrustEngine getTrustEngine()
      Gets the engine used to validate the signature.
      Returns:
      the engine used to validate the signature
    • getHttpServletRequest

      @NonnullAfterInit public javax.servlet.http.HttpServletRequest getHttpServletRequest()
      Get the HTTP servlet request being processed.
      Returns:
      Returns the request.
    • setHttpServletRequest

      public void setHttpServletRequest​(@Nonnull javax.servlet.http.HttpServletRequest request)
      Set the HTTP servlet request being processed.
      Parameters:
      request - the HTTP servlet request to set
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
    • doPreInvoke

      protected boolean doPreInvoke​(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Called prior to execution. Handlers may override this method to perform pre-processing for a request.

      The default implementation applies the Predicate set via AbstractMessageHandler.setActivationCondition(Predicate).

      If false is returned, execution will not proceed.

      Subclasses which override this method should generally invoke the super version of this method first, so that the activation condition will be applied up front, and immediately return false if the super version returns false. This avoids unnecessary execution of the remaining pre-invocation code if the handler ultimately will not execute.

      Overrides:
      doPreInvoke in class AbstractMessageHandler
      Parameters:
      messageContext - the message context on which to invoke the handler
      Returns:
      true iff execution should proceed
      Throws:
      MessageHandlerException - if there is a problem executing the handler pre-routine
    • doInvoke

      protected void doInvoke​(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Performs the handler logic.
      Specified by:
      doInvoke in class AbstractMessageHandler
      Parameters:
      messageContext - the message context on which to invoke the handler
      Throws:
      MessageHandlerException - if there is an error invoking the handler on the message context
    • doEvaluate

      private void doEvaluate​(@Nonnull @NotEmpty byte[] signature, @Nonnull @NotEmpty byte[] signedContent, @Nonnull @NotEmpty String algorithmURI, @Nonnull MessageContext messageContext) throws MessageHandlerException
      Evaluate the simple signature based on information in the request and/or message context.
      Parameters:
      signature - the signature value
      signedContent - the content that was signed
      algorithmURI - the signature algorithm URI which was used to sign the content
      messageContext - the SAML message context being processed
      Throws:
      MessageHandlerException - thrown if there are errors during the signature validation process
    • validateSignature

      protected boolean validateSignature​(@Nonnull @NotEmpty byte[] signature, @Nonnull @NotEmpty byte[] signedContent, @Nonnull @NotEmpty String algorithmURI, @Nonnull CriteriaSet criteriaSet, @Nonnull @NonnullElements List<Credential> candidateCredentials) throws MessageHandlerException
      Validate the simple signature.
      Parameters:
      signature - the signature value
      signedContent - the content that was signed
      algorithmURI - the signature algorithm URI which was used to sign the content
      criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation
      candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)
      Returns:
      true if signature can be verified successfully, false otherwise
      Throws:
      MessageHandlerException - thrown if there are errors during the signature validation process
    • getRequestCredentials

      @Nonnull @NonnullElements protected List<Credential> getRequestCredentials​(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Extract any candidate validation credentials from the request and/or message context. Some bindings allow validation keys for the simple signature to be supplied, and others do not.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      a list of candidate validation credentials in the request, or null if none were present
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • getSignature

      @Nullable protected byte[] getSignature() throws MessageHandlerException
      Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.
      Returns:
      the signature value
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • getSignatureAlgorithm

      @Nullable protected String getSignatureAlgorithm() throws MessageHandlerException
      Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.
      Returns:
      the signature algorithm URI value
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • deriveSignerEntityID

      @Nullable protected String deriveSignerEntityID​(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      the signer's derived entity ID
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • buildCriteriaSet

      @Nonnull protected CriteriaSet buildCriteriaSet​(@Nullable String entityID, @Nonnull MessageContext messageContext) throws MessageHandlerException
      Build a criteria set suitable for input to the trust engine.
      Parameters:
      entityID - the candidate issuer entity ID which is being evaluated
      messageContext - the message context which is being evaluated
      Returns:
      a newly constructed set of criteria suitable for the configured trust engine
      Throws:
      MessageHandlerException - thrown if the criteria set cannot be constructed
    • getSignedContent

      @Nullable protected abstract byte[] getSignedContent() throws MessageHandlerException
      Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
      Returns:
      the signed content extracted from the request, in the format suitable for input to the trust engine.
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
    • ruleHandles

      protected abstract boolean ruleHandles​(@Nonnull MessageContext messageContext) throws MessageHandlerException
      Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
      Parameters:
      messageContext - the SAML message context being processed
      Returns:
      true if the rule should attempt to process the request, otherwise false
      Throws:
      MessageHandlerException - thrown if there is an error during request processing
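
The subclass sketch below is an added example, not OpenSAML's own code: it shows the doPreInvoke super-call pattern together with the two abstract methods, ruleHandles and getSignedContent. The class name, the ExampleSignedBlob parameter and the binding it implies are hypothetical, the UTF-8 encoding of the signed bytes is an assumption, and the import package names are those of OpenSAML 4, which this page does not show.

```java
import java.nio.charset.StandardCharsets;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler;

/** Illustrative subclass; the binding and its parameter name are hypothetical. */
public class ExampleBlobSignatureSecurityHandler extends BaseSAMLSimpleSignatureSecurityHandler {

    /** Hypothetical request parameter holding the signed blob (not a SAML-defined name). */
    private static final String SIGNED_BLOB_PARAM = "ExampleSignedBlob";

    @Override
    protected boolean doPreInvoke(@Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        // Super first: applies the activation condition and the base class pre-processing.
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }
        // Subclass pre-processing runs only once the handler is known to be active.
        // Fail closed on a duplicated parameter so the bytes verified here cannot
        // differ from the value a later component reads.
        final String[] values = getHttpServletRequest().getParameterValues(SIGNED_BLOB_PARAM);
        if (values != null && values.length > 1) {
            throw new MessageHandlerException("Multiple " + SIGNED_BLOB_PARAM + " parameters in request");
        }
        return true;
    }

    @Override
    protected boolean ruleHandles(@Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        // Only requests using the hypothetical binding are evaluated by this handler.
        return "POST".equals(getHttpServletRequest().getMethod())
                && getHttpServletRequest().getParameter(SIGNED_BLOB_PARAM) != null;
    }

    @Override
    @Nullable protected byte[] getSignedContent() throws MessageHandlerException {
        // Assumption: the peer signed the UTF-8 bytes of the parameter value as received.
        final String blob = getHttpServletRequest().getParameter(SIGNED_BLOB_PARAM);
        return blob == null ? null : blob.getBytes(StandardCharsets.UTF_8);
    }
}
```

The signature value and algorithm URI are left to the inherited getSignature and getSignatureAlgorithm defaults, which read the Signature and SigAlg request parameters.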