Class DefaultSAML20AssertionValidationContextBuilder

java.lang.Object
org.opensaml.saml.saml2.wssecurity.messaging.impl.DefaultSAML20AssertionValidationContextBuilder
All Implemented Interfaces:
Function<SAML20AssertionTokenValidationInput,ValidationContext>

public class DefaultSAML20AssertionValidationContextBuilder extends Object implements Function<SAML20AssertionTokenValidationInput,ValidationContext>
Function which implements default behavior for building an instance of ValidationContext from an instance of SAML20AssertionTokenValidationInput.
  • Field Details

    • log

      @Nullable private org.slf4j.Logger log
      Logger.
    • signatureCriteriaSetFunction

      private Function<Pair<MessageContext,Assertion>,CriteriaSet> signatureCriteriaSetFunction
      A function for resolving the signature validation CriteriaSet for a particular message context and Assertion.
    • signatureRequired

      private boolean signatureRequired
      Flag indicating whether an Assertion signature is required.
  • Constructor Details

    • DefaultSAML20AssertionValidationContextBuilder

      public DefaultSAML20AssertionValidationContextBuilder()
      Constructor.
  • Method Details

    • isSignatureRequired

      public boolean isSignatureRequired()
      Get the flag indicating whether an Assertion signature is required.

      Defaults to: true.

      Returns:
      true if required, false if not
    • setSignatureRequired

      public void setSignatureRequired(boolean flag)
      Set the flag indicating whether an Assertion signature is required.

      Defaults to: true.

      Parameters:
      flag - true if required, false if not
    • getSignatureCriteriaSetFunction

      @Nullable public Function<Pair<MessageContext,Assertion>,CriteriaSet> getSignatureCriteriaSetFunction()
      Get the function for resolving the signature validation CriteriaSet for a particular message context and Assertion.

      Defaults to: null.

      Returns:
      the resolving function, or null
    • setSignatureCriteriaSetFunction

      public void setSignatureCriteriaSetFunction(@Nullable Function<Pair<MessageContext,Assertion>,CriteriaSet> function)
      Set the function for resolving the signature validation CriteriaSet for a particular message context and Assertion.

      Defaults to: null.

      Parameters:
      function - the resolving function, may be null
    • apply

      @Nullable public ValidationContext apply(@Nullable SAML20AssertionTokenValidationInput input)
      Specified by:
      apply in interface Function<SAML20AssertionTokenValidationInput,ValidationContext>
    • buildStaticParameters

      @Nonnull protected Map<String,Object> buildStaticParameters(@Nonnull SAML20AssertionTokenValidationInput input)
      Build the static parameters map for input to the ValidationContext.
      Parameters:
      input - the assertion validation input
      Returns:
      the static parameters map
    • getSignatureCriteriaSet

      @Nonnull protected CriteriaSet getSignatureCriteriaSet(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the signature validation criteria set.

      This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.

      Parameters:
      input - the assertion validation input
      Returns:
      the criteria set based on the message context data
    • getAttesterCertificate

      @Nullable protected X509Certificate getAttesterCertificate(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the attesting entity's X509Certificate.

      This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.

      Parameters:
      input - the assertion validation input
      Returns:
      the entity certificate, or null
    • getAttesterPublicKey

      @Nullable protected PublicKey getAttesterPublicKey(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the attesting entity's PublicKey.

      This implementation returns null. Subclasses should override to implement specific logic.

      Parameters:
      input - the assertion validation input
      Returns:
      the entity public key, or null
    • getValidRecipients

      @Nonnull protected Set<String> getValidRecipients(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the valid recipient endpoints for attestation.

      This implementation returns a set containing the following two values:

      1. HttpServletRequest.getRequestURL()
      2. if present, AbstractSAMLEntityContext.getEntityId()
      Parameters:
      input - the assertion validation input
      Returns:
      set of recipient endpoint URIs
    • getValidAddresses

      @Nonnull protected Set<InetAddress> getValidAddresses(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the set of addresses which are valid for subject confirmation.

      This implementation returns a set containing the single address produced by getAttesterIPAddress(SAML20AssertionTokenValidationInput), if that method produces a value. Otherwise an empty set is returned.

      Parameters:
      input - the assertion validation input
      Returns:
      the set of valid addresses
    • getAttesterIPAddress

      @Nonnull protected String getAttesterIPAddress(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the attester's IP address.

      This implementation returns the value of ServletRequest.getRemoteAddr().

      Parameters:
      input - the assertion validation input
      Returns:
      the IP address of the attester
    • getValidAudiences

      @Nonnull protected Set<String> getValidAudiences(@Nonnull SAML20AssertionTokenValidationInput input)
      Get the valid audiences for attestation.

      This implementation returns a set containing the single entityID held by the message context's AbstractSAMLEntityContext.getEntityId(), if present. Otherwise an empty set is returned.

      Parameters:
      input - the assertion validation input
      Returns:
      set of audience URIs
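The following subclass, an added example and not OpenSAML's own code, shows how the hooks documented above fit together: it keeps signatureRequired at its default of true, supplies a signature CriteriaSet that already carries an EntityIdCriterion and a UsageCriterion (so getSignatureCriteriaSet adds neither), and overrides getAttesterPublicKey, which the default implementation leaves as null. The import package names follow the OpenSAML 4 / java-support layout and are assumptions; trustedIssuer and attesterKey are hypothetical values the deploying application must supply.

```java
// Added example, not OpenSAML's own code. Import packages are assumptions
// (OpenSAML 4 / java-support layout); adjust them to the version in use.
import java.security.PublicKey;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.wssecurity.messaging.impl.DefaultSAML20AssertionValidationContextBuilder;
import org.opensaml.saml.saml2.wssecurity.messaging.impl.SAML20AssertionTokenValidationInput;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;

/** Builder that resolves signing credentials for one configured issuer and supplies the attester key. */
public class PinnedIssuerValidationContextBuilder extends DefaultSAML20AssertionValidationContextBuilder {

    private final String trustedIssuer;   // hypothetical: entityID of the only issuer we accept
    private final PublicKey attesterKey;  // hypothetical: key the WS-Security layer proved possession of

    public PinnedIssuerValidationContextBuilder(@Nonnull String trustedIssuer, @Nullable PublicKey attesterKey) {
        this.trustedIssuer = trustedIssuer;
        this.attesterKey = attesterKey;
        // Default is already true; stated explicitly so an unsigned Assertion is never accepted.
        setSignatureRequired(true);
        // Credentials are resolved for the configured issuer rather than for whatever
        // Issuer value the Assertion itself carries.
        setSignatureCriteriaSetFunction(this::pinnedCriteria);
    }

    private CriteriaSet pinnedCriteria(Pair<MessageContext, Assertion> contextAndAssertion) {
        CriteriaSet criteria = new CriteriaSet();
        // Both criteria are present, so getSignatureCriteriaSet will not add
        // an issuer-derived EntityIdCriterion or a UsageCriterion of its own.
        criteria.add(new EntityIdCriterion(trustedIssuer));
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        return criteria;
    }

    @Override
    @Nullable
    protected PublicKey getAttesterPublicKey(@Nonnull SAML20AssertionTokenValidationInput input) {
        // The base implementation returns null; holder-of-key confirmation needs the real key.
        return attesterKey;
    }
}
```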