Package org.opensaml.saml.common.binding.security.impl

Class SAMLMDClientCertAuthSecurityHandler

java.lang.Object
net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
org.opensaml.messaging.handler.AbstractMessageHandler
org.opensaml.security.messaging.impl.BaseTrustEngineSecurityHandler<X509Credential>
org.opensaml.security.messaging.impl.BaseClientCertAuthSecurityHandler
org.opensaml.saml.common.binding.security.impl.SAMLMDClientCertAuthSecurityHandler
All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, MessageHandler
public class SAMLMDClientCertAuthSecurityHandler extends BaseClientCertAuthSecurityHandler
SAML specialization of BaseClientCertAuthSecurityHandler which provides support for X509Credential trust engine validation based on SAML metadata.

The authenticatable entity data is read from and stored to the subcontext identified by getEntityContextClass(), which defaults to SAMLPeerEntityContext.

  • Field Details

  • Constructor Details

    • SAMLMDClientCertAuthSecurityHandler

      public SAMLMDClientCertAuthSecurityHandler()
      Constructor.

  • Method Details

    • getEntityContextClass

      @Nonnull public Class<? extends AbstractAuthenticatableSAMLEntityContext> getEntityContextClass()
      Get the class type holding the authenticatable SAML entity data.

      Defaults to: SAMLPeerEntityContext.

      Returns:
      the entity context class type

    • setEntityContextClass

      public void setEntityContextClass(@Nonnull Class<? extends AbstractAuthenticatableSAMLEntityContext> clazz)
      Set the class type holding the authenticatable SAML entity data.

      Defaults to: SAMLPeerEntityContext.

      Parameters:
      clazz - the entity context class type

    • buildCriteriaSet

      @Nonnull protected CriteriaSet buildCriteriaSet(@Nullable String entityID, @Nonnull MessageContext messageContext) throws MessageHandlerException
      Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs.
      Overrides:
      buildCriteriaSet in class BaseClientCertAuthSecurityHandler
      Parameters:
      entityID - the candidate issuer entity ID which is being evaluated
      messageContext - the message context which is being evaluated
      Returns:
      a newly constructly set of criteria suitable for the configured trust engine
      Throws:
      MessageHandlerException - thrown if criteria set can not be constructed

    • getCertificatePresenterEntityID

      @Nullable protected String getCertificatePresenterEntityID(@Nonnull MessageContext messageContext)
      Get the entity ID of the presenter of the client TLS certificate, as will be used for trust evaluation purposes.

      This tends to be performed in a protcol-specific manner, so it is therefore abstract and must be implemented in a concrete subclass.

      Specified by:
      getCertificatePresenterEntityID in class BaseClientCertAuthSecurityHandler
      Parameters:
      messageContext - the current message context
      Returns:
      the entity ID of the client TLS certificate presenter

    • setAuthenticatedCertificatePresenterEntityID

      protected void setAuthenticatedCertificatePresenterEntityID(@Nonnull MessageContext messageContext, @Nullable String entityID)
      Store the successfully authenticated derived entity ID of the certificate presenter in the message context.

      This tends to be performed in a protocol-specific manner, so it is therefore abstract and must be implemented in a concrete subclass.

      Specified by:
      setAuthenticatedCertificatePresenterEntityID in class BaseClientCertAuthSecurityHandler
      Parameters:
      messageContext - the current message context
      entityID - the successfully authenticated derived entity ID of the client TLS certificate presenter

    • setAuthenticatedState

      protected void setAuthenticatedState(@Nonnull MessageContext messageContext, boolean authenticated)
      Store the indicated message authentication state in the message context.

      This tends to be performed in a protocol-specific manner, so it is therefore abstract and must be implemented in a concrete subclass.

      Specified by:
      setAuthenticatedState in class BaseClientCertAuthSecurityHandler
      Parameters:
      messageContext - the current message context
      authenticated - flag indicating what authentication state to store