Package org.opensaml.saml.security.impl

Class MetadataCredentialResolver

java.lang.Object
org.opensaml.security.credential.impl.AbstractCredentialResolver
org.opensaml.security.credential.impl.AbstractCriteriaFilteringCredentialResolver
org.opensaml.saml.security.impl.MetadataCredentialResolver
All Implemented Interfaces:
Component, InitializableComponent, Resolver<Credential,​CriteriaSet>, CredentialResolver
public class MetadataCredentialResolver
extends AbstractCriteriaFilteringCredentialResolver
implements InitializableComponent
A credential resolver capable of resolving credentials from SAML 2 metadata.

Credentials may be resolved either by directly supplying an instance of RoleDescriptor in the input CriteriaSet, or by looking up the role descriptor via a supplied RoleDescriptorResolver.

The following resolution modes and associated Criterion inputs are supported:

Direct resolution from a supplied RoleDescriptor:

Resolution from a metadata source using a RoleDescriptorResolver:

In order to support resolution from a metadata source using EntityIdCriterion + EntityRoleCriterion, an instance of RoleDescriptorResolver must be supplied. Otherwise it is optional.

An instance of KeyInfoCredentialResolver must always be supplied.

  • Field Details

    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.

    • roleDescriptorResolver

      @Nullable private RoleDescriptorResolver roleDescriptorResolver
      Metadata RoleDescriptor resolver which is the source of credentials.

    • keyInfoCredentialResolver

      @NonnullAfterInit private KeyInfoCredentialResolver keyInfoCredentialResolver
      Credential resolver used to resolve credentials from role descriptor KeyInfo elements.

    • isInitialized

      private boolean isInitialized
      Initialization flag.

  • Constructor Details

    • MetadataCredentialResolver

      public MetadataCredentialResolver()

  • Method Details

    • isInitialized

      public boolean isInitialized()
      Specified by:
      isInitialized in interface InitializableComponent

    • initialize

      public void initialize() throws ComponentInitializationException
      Specified by:
      initialize in interface InitializableComponent
      Throws:
      ComponentInitializationException

    • getRoleDescriptorResolver

      @Nullable public RoleDescriptorResolver getRoleDescriptorResolver()
      Get the metadata RoleDescriptor resolver instance used by this resolver.

      This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

      Returns:
      the resolver's RoleDescriptor metadata resolver instance

    • setRoleDescriptorResolver

      public void setRoleDescriptorResolver​(@Nullable RoleDescriptorResolver resolver)
      Set the metadata RoleDescriptor resolver instance used by this resolver.

      This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

      Parameters:
      resolver - the new RoleDescriptorResolver to use

    • getKeyInfoCredentialResolver

      @NonnullAfterInit public KeyInfoCredentialResolver getKeyInfoCredentialResolver()
      Get the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
      Returns:
      KeyInfo credential resolver

    • setKeyInfoCredentialResolver

      public void setKeyInfoCredentialResolver​(@Nonnull KeyInfoCredentialResolver resolver)
      Set the KeyInfo credential resolver used by this entityDescriptorResolver resolver to handle KeyInfo elements.
      Parameters:
      resolver - the new KeyInfoCredentialResolver to use

    • resolveFromSource

      @Nonnull protected Iterable<Credential> resolveFromSource​(@Nonnull CriteriaSet criteriaSet) throws ResolverException
      Subclasses are required to implement this method to resolve credentials from the implementation-specific type of underlying credential source.
      Specified by:
      resolveFromSource in class AbstractCriteriaFilteringCredentialResolver
      Parameters:
      criteriaSet - the set of criteria used to resolve credentials from the credential source
      Returns:
      an Iterable for the resolved set of credentials
      Throws:
      ResolverException - thrown if there is an error resolving credentials from the credential source

    • getEffectiveUsageInput

      @Nonnull protected UsageType getEffectiveUsageInput​(@Nonnull CriteriaSet criteriaSet)
      Get the effective UsageType input to use.
      Parameters:
      criteriaSet - the criteria set being processed
      Returns:
      the effective usage value

    • resolveFromRoleDescriptor

      @Nonnull protected Collection<Credential> resolveFromRoleDescriptor​(@Nonnull CriteriaSet criteriaSet, @Nonnull RoleDescriptor roleDescriptor, @Nonnull UsageType usage) throws ResolverException
      Resolves credentials using a supplied instance of RoleDescriptor.
      Parameters:
      criteriaSet - the criteria set being processed
      roleDescriptor - the role descriptor being processed
      usage - intended usage of resolved credentials
      Returns:
      the resolved credentials or null
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

    • resolveFromMetadata

      @Nonnull protected Collection<Credential> resolveFromMetadata​(@Nonnull CriteriaSet criteriaSet, @Nonnull @NotEmpty String entityID, @Nonnull QName role, @Nullable String protocol, @Nonnull UsageType usage) throws ResolverException
      Resolves credentials using this resolver's configured instance of RoleDescriptorResolver.
      Parameters:
      criteriaSet - the criteria set being processed
      entityID - entityID of the credential owner
      role - role in which the entity is operating
      protocol - protocol over which the entity is operating (may be null)
      usage - intended usage of resolved credentials
      Returns:
      the resolved credentials or null
      Throws:
      ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

    • processRoleDescriptor

      protected void processRoleDescriptor​(@Nonnull Collection<Credential> accumulator, @Nonnull RoleDescriptor roleDescriptor, @Nullable String entityID, @Nonnull UsageType usage) throws ResolverException
      Process a RoleDescriptor by examing each of its KeyDescriptors.
      Parameters:
      accumulator - the collection of credentials being accumulated for return to the caller
      roleDescriptor - the KeyDescriptor being processed
      entityID - the entity ID of the KeyDescriptor being processed
      usage - the credential usage type specified as resolve input
      Throws:
      ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

    • extractCredentials

      protected void extractCredentials​(@Nonnull Collection<Credential> accumulator, @Nonnull KeyDescriptor keyDescriptor, @Nullable String entityID, @Nonnull UsageType mdUsage) throws ResolverException
      Extract the credentials from the specified KeyDescriptor. First the credentials are looking up in object metadata cache. If they are not found there, then they will be resolved from the KeyDescriptor's KeyInfo and then cached in the KeyDescriptor's object metadata before returning.
      Parameters:
      accumulator - the collection of credentials being accumulated for return to the caller
      keyDescriptor - the KeyDescriptor being processed
      entityID - the entity ID of the KeyDescriptor being processed
      mdUsage - the effective credential usage type in effect for the resolved credentials
      Throws:
      ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

    • matchUsage

      protected boolean matchUsage​(@Nonnull UsageType metadataUsage, @Nonnull UsageType criteriaUsage)
      Match usage enum type values from entityDescriptorResolver KeyDescriptor and from credential criteria.
      Parameters:
      metadataUsage - the value from the 'use' attribute of a entityDescriptorResolver KeyDescriptor element
      criteriaUsage - the value from credential criteria
      Returns:
      true if the two usage specifiers match for purposes of resolving credentials, false otherwise

    • getRoleDescriptors

      @Nonnull protected Iterable<RoleDescriptor> getRoleDescriptors​(@Nonnull CriteriaSet criteriaSet, @Nonnull String entityID, @Nonnull QName role, @Nullable String protocol) throws ResolverException
      Get the list of role descriptors which match the given entityID, role and protocol.
      Parameters:
      criteriaSet - criteria set being processed
      entityID - entity ID of the credential owner
      role - role in which the entity is operating
      protocol - protocol over which the entity is operating (may be null)
      Returns:
      a list of role descriptors matching the given parameters, or null
      Throws:
      ResolverException - thrown if there is an error retrieving role descriptors from the entityDescriptorResolver provider