BaseSAMLSimpleSignatureSecurityPolicyRule (OpenSAML-J 2.6.1 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.opensaml.common.binding.security
Class BaseSAMLSimpleSignatureSecurityPolicyRule

java.lang.Object
  org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule

All Implemented Interfaces:: SecurityPolicyRule

Direct Known Subclasses:: SAML2HTTPPostSimpleSignRule, SAML2HTTPRedirectDeflateSignatureRule

public abstract class BaseSAMLSimpleSignatureSecurityPolicyRule
extends Object
implements SecurityPolicyRule
extends Object
implements SecurityPolicyRule

Base class for security rules which verify simple "blob" signatures computed over some components of a request.

Field Summary
`private org.slf4j.Logger`	`log` Logger.
`private SignatureTrustEngine`	`trustEngine` Signature trust engine used to validate raw signatures.

Constructor Summary
`protected`	`BaseSAMLSimpleSignatureSecurityPolicyRule(SignatureTrustEngine engine)` Constructor.

Method Summary
`protected CriteriaSet`	`buildCriteriaSet(String entityID, SAMLMessageContext samlContext)` Build a criteria set suitable for input to the trust engine.
`protected String`	`deriveSignerEntityID(SAMLMessageContext samlContext)` Derive the signer's entity ID from the message context.
`private void`	`doEvaluate(byte[] signature, byte[] signedContent, String algorithmURI, javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlMsgCtx)` Evaluate the simple signature based on information in the request and/or message context.
`void`	`evaluate(MessageContext messageContext)`
`protected List<Credential>`	`getRequestCredentials(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlContext)` Extract any candidate validation credentials from the request and/or message context.
`protected byte[]`	`getSignature(javax.servlet.http.HttpServletRequest request)` Extract the signature value from the request, in the form suitable for input into `SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential)`.
`protected String`	`getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request)` Extract the signature algorithm URI value from the request.
`protected abstract byte[]`	`getSignedContent(javax.servlet.http.HttpServletRequest request)` Get the content over which to validate the signature, in the form suitable for input into `SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential)`.
`protected SignatureTrustEngine`	`getTrustEngine()` Gets the engine used to validate the signature.
`protected abstract boolean`	`ruleHandles(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlMsgCtx)` Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
`protected boolean`	`validateSignature(byte[] signature, byte[] signedContent, String algorithmURI, CriteriaSet criteriaSet, List<Credential> candidateCredentials)` Validate the simple signature.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

log

private final org.slf4j.Logger log

Logger.

trustEngine

private SignatureTrustEngine trustEngine

Signature trust engine used to validate raw signatures.

Constructor Detail

BaseSAMLSimpleSignatureSecurityPolicyRule

protected BaseSAMLSimpleSignatureSecurityPolicyRule(SignatureTrustEngine engine)

Constructor.

Parameters:: engine - the signature trust engine to use for signature validataion

Method Detail

evaluate

public void evaluate(MessageContext messageContext)
              throws SecurityPolicyException

Specified by:: evaluate in interface SecurityPolicyRule

Throws:: SecurityPolicyException

doEvaluate

private void doEvaluate(byte[] signature,
                        byte[] signedContent,
                        String algorithmURI,
                        javax.servlet.http.HttpServletRequest request,
                        SAMLMessageContext samlMsgCtx)
                 throws SecurityPolicyException

Evaluate the simple signature based on information in the request and/or message context.

Parameters:: signature - the signature value; signedContent - the content that was signed; algorithmURI - the signature algorithm URI which was used to sign the content; request - the HTTP servlet request being processed; samlMsgCtx - the SAML message context being processed
Throws:: SecurityPolicyException - thrown if there are errors during the signature validation process

validateSignature

protected boolean validateSignature(byte[] signature,
                                    byte[] signedContent,
                                    String algorithmURI,
                                    CriteriaSet criteriaSet,
                                    List<Credential> candidateCredentials)
                             throws SecurityPolicyException

Validate the simple signature.

Parameters:: signature - the signature value; signedContent - the content that was signed; algorithmURI - the signature algorithm URI which was used to sign the content; criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation; candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)
Returns:: true if signature can be verified successfully, false otherwise
Throws:: SecurityPolicyException - thrown if there are errors during the signature validation process

getRequestCredentials

protected List<Credential> getRequestCredentials(javax.servlet.http.HttpServletRequest request,
                                                 SAMLMessageContext samlContext)
                                          throws SecurityPolicyException

Extract any candidate validation credentials from the request and/or message context. Some bindings allow validataion keys for the simple signature to be supplied, and others do not.

Parameters:: request - the HTTP servlet request being processed; samlContext - the SAML message context being processed
Returns:: a list of candidate validation credentials in the request, or null if none were present
Throws:: SecurityPolicyException - thrown if there is an error during request processing

getTrustEngine

protected SignatureTrustEngine getTrustEngine()

Gets the engine used to validate the signature.

Returns:: engine engine used to validate the signature

getSignature

protected byte[] getSignature(javax.servlet.http.HttpServletRequest request)
                       throws SecurityPolicyException

Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.

Parameters:: request - the HTTP servlet request
Returns:: the signature value
Throws:: SecurityPolicyException - thrown if there is an error during request processing

getSignatureAlgorithm

protected String getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request)
                                throws SecurityPolicyException

Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.

Parameters:: request - the HTTP servlet request
Returns:: the signature algorithm URI value
Throws:: SecurityPolicyException - thrown if there is an error during request processing

deriveSignerEntityID

protected String deriveSignerEntityID(SAMLMessageContext samlContext)
                               throws SecurityPolicyException

Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.

Parameters:: samlContext - the SAML message context being processed
Returns:: the signer's derived entity ID
Throws:: SecurityPolicyException - thrown if there is an error during request processing

buildCriteriaSet

protected CriteriaSet buildCriteriaSet(String entityID,
                                       SAMLMessageContext samlContext)
                                throws SecurityPolicyException

Build a criteria set suitable for input to the trust engine.

Parameters:: entityID - the candidate issuer entity ID which is being evaluated; samlContext - the message context which is being evaluated
Returns:: a newly constructly set of criteria suitable for the configured trust engine
Throws:: SecurityPolicyException - thrown if criteria set can not be constructed

getSignedContent

protected abstract byte[] getSignedContent(javax.servlet.http.HttpServletRequest request)
                                    throws SecurityPolicyException

Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).

Parameters:: request - the HTTP servlet request being processed
Returns:: the signed content extracted from the request, in the format suitable for input to the trust engine.
Throws:: SecurityPolicyException - thrown if there is an error during request processing

ruleHandles

protected abstract boolean ruleHandles(javax.servlet.http.HttpServletRequest request,
                                       SAMLMessageContext samlMsgCtx)
                                throws SecurityPolicyException

Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.

Parameters:: request - the HTTP servlet request being processed; samlMsgCtx - the SAML message context being processed
Returns:: true if the rule should attempt to process the request, otherwise false
Throws:: SecurityPolicyException - thrown if there is an error during request processing