public class SignatureValidationFilter extends Object implements MetadataFilter

| Modifier and Type | Field and Description |
|---|---|
| private net.shibboleth.utilities.java.support.resolver.CriteriaSet | defaultCriteria: Set of externally specified default criteria for input to the trust engine. |
| private com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> | dynamicTrustedNamesStrategy: Strategy function for extracting dynamic trusted names from signed metadata elements. |
| private org.slf4j.Logger | log: Class logger. |
| private boolean | requireSignedRoot: Indicates whether the metadata root element is required to be signed. |
| private org.opensaml.xmlsec.signature.support.SignaturePrevalidator | signaturePrevalidator: Prevalidator for XML Signature instances. |
| private org.opensaml.xmlsec.signature.support.SignatureTrustEngine | signatureTrustEngine: Trust engine used to validate a signature. |

| Constructor and Description |
|---|
| SignatureValidationFilter(org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine): Constructor. |
| Modifier and Type | Method and Description |
|---|---|
| protected net.shibboleth.utilities.java.support.resolver.CriteriaSet | buildCriteriaSet(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup): Build the criteria set which will be used as input to the configured trust engine. |
| org.opensaml.core.xml.XMLObject | filter(org.opensaml.core.xml.XMLObject metadata) |
| net.shibboleth.utilities.java.support.resolver.CriteriaSet | getDefaultCriteria(): Get the optional set of default criteria used as input to the trust engine. |
| com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> | getDynamicTrustedNamesStrategy(): Get the strategy function for extracting dynamic trusted names from signed metadata elements. |
| protected String | getGroupName(EntitiesDescriptor group): Get the group's name, or a suitable facsimile if not named. |
| boolean | getRequireSignature(): Deprecated. Use getRequireSignedRoot() instead. |
| boolean | getRequireSignedRoot(): Get whether incoming metadata's root element is required to be signed. |
| protected String | getRoleIDToken(String entityID, RoleDescriptor role): Get a string token for logging/debugging purposes that contains role information and the containing entityID. |
| org.opensaml.xmlsec.signature.support.SignaturePrevalidator | getSignaturePrevalidator(): Get the validator used to perform pre-validation on Signature tokens. |
| org.opensaml.xmlsec.signature.support.SignatureTrustEngine | getSignatureTrustEngine(): Gets the trust engine used to validate signatures on incoming metadata. |
| protected void | performPreValidation(org.opensaml.xmlsec.signature.Signature signature, String metadataEntryName): Perform pre-validation on the Signature token. |
| protected void | processEntityDescriptor(EntityDescriptor entityDescriptor): Process the signatures on the specified EntityDescriptor and any signed children. |
| protected void | processEntityGroup(EntitiesDescriptor entitiesDescriptor): Process the signatures on the specified EntitiesDescriptor and any signed children. |
| void | setDefaultCriteria(net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria): Set the optional set of default criteria used as input to the trust engine. |
| void | setDynamicTrustedNamesStrategy(com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> strategy): Set the strategy function for extracting dynamic trusted names from signed metadata elements. |
| void | setRequireSignature(boolean require): Deprecated. Use setRequireSignedRoot(boolean) instead. |
| void | setRequireSignedRoot(boolean require): Set whether incoming metadata's root element is required to be signed. |
| void | setSignaturePrevalidator(org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator): Set the validator used to perform pre-validation on Signature tokens. |
| protected void | verifySignature(org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup): Evaluate the signature on the signed metadata instance. |
@Nonnull private final org.slf4j.Logger log
Class logger.

@Nonnull private org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine
Trust engine used to validate a signature.

private boolean requireSignedRoot
Indicates whether the metadata root element is required to be signed.

@Nullable private net.shibboleth.utilities.java.support.resolver.CriteriaSet defaultCriteria
Set of externally specified default criteria for input to the trust engine.

@Nullable private org.opensaml.xmlsec.signature.support.SignaturePrevalidator signaturePrevalidator
Prevalidator for XML Signature instances.

public SignatureValidationFilter(@Nonnull org.opensaml.xmlsec.signature.support.SignatureTrustEngine engine)
Constructor.
Signature pre-validator defaults to SAMLSignatureProfileValidator.
Dynamic trusted names strategy defaults to BasicDynamicTrustedNamesStrategy.
Parameters:
engine - the trust engine used to validate signatures on incoming metadata.

@Nullable public com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> getDynamicTrustedNamesStrategy()
Get the strategy function for extracting dynamic trusted names from signed metadata elements.
Defaults to: BasicDynamicTrustedNamesStrategy.

public void setDynamicTrustedNamesStrategy(@Nullable com.google.common.base.Function<org.opensaml.core.xml.XMLObject,Set<String>> strategy)
Set the strategy function for extracting dynamic trusted names from signed metadata elements.
Defaults to: BasicDynamicTrustedNamesStrategy.
Parameters:
strategy - the function, may be null

@Nonnull public org.opensaml.xmlsec.signature.support.SignatureTrustEngine getSignatureTrustEngine()
Gets the trust engine used to validate signatures on incoming metadata.

@Nullable public org.opensaml.xmlsec.signature.support.SignaturePrevalidator getSignaturePrevalidator()
Get the validator used to perform pre-validation on Signature tokens.
Defaults to: SAMLSignatureProfileValidator.

public void setSignaturePrevalidator(@Nullable org.opensaml.xmlsec.signature.support.SignaturePrevalidator validator)
Set the validator used to perform pre-validation on Signature tokens.
Defaults to: SAMLSignatureProfileValidator.
Parameters:
validator - the signature prevalidator to use

public boolean getRequireSignedRoot()
Get whether incoming metadata's root element is required to be signed.
Defaults to true.

public void setRequireSignedRoot(boolean require)
Set whether incoming metadata's root element is required to be signed.
Defaults to true.
Parameters:
require - whether incoming metadata is required to be signed

@Deprecated public boolean getRequireSignature()
Deprecated. Use getRequireSignedRoot() instead.
Defaults to true.

@Deprecated public void setRequireSignature(boolean require)
Deprecated. Use setRequireSignedRoot(boolean) instead.
Defaults to true.
Parameters:
require - whether incoming metadata is required to be signed

@Nullable public net.shibboleth.utilities.java.support.resolver.CriteriaSet getDefaultCriteria()
Get the optional set of default criteria used as input to the trust engine.

public void setDefaultCriteria(@Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria)
Set the optional set of default criteria used as input to the trust engine.
Parameters:
newCriteria - the new criteria set to use

@Nullable public org.opensaml.core.xml.XMLObject filter(@Nullable org.opensaml.core.xml.XMLObject metadata) throws FilterException
Specified by:
filter in interface MetadataFilter
Throws:
FilterException

protected void processEntityDescriptor(@Nonnull EntityDescriptor entityDescriptor) throws FilterException
Process the signatures on the specified EntityDescriptor and any signed children.
Parameters:
entityDescriptor - the EntityDescriptor to be processed
Throws:
FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified

protected void processEntityGroup(@Nonnull EntitiesDescriptor entitiesDescriptor) throws FilterException
Process the signatures on the specified EntitiesDescriptor and any signed children.
Parameters:
entitiesDescriptor - the EntitiesDescriptor to be processed
Throws:
FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified

protected void verifySignature(@Nonnull org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, @Nonnull @NotEmpty String metadataEntryName, boolean isEntityGroup) throws FilterException
Evaluate the signature on the signed metadata instance.
Parameters:
signedMetadata - the metadata object whose signature is to be verified
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine
Throws:
FilterException - thrown if the metadata entry's signature can not be established as trusted, or if an error occurs during the signature verification process

protected void performPreValidation(@Nonnull org.opensaml.xmlsec.signature.Signature signature, @Nonnull @NotEmpty String metadataEntryName) throws FilterException
Perform pre-validation on the Signature token.
Parameters:
signature - the signature to evaluate
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
Throws:
FilterException - thrown if the signature element fails pre-validation

@Nonnull protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet(@Nonnull org.opensaml.xmlsec.signature.SignableXMLObject signedMetadata, @Nonnull @NotEmpty String metadataEntryName, boolean isEntityGroup)
Build the criteria set which will be used as input to the configured trust engine.
Parameters:
signedMetadata - the metadata element whose signature is being verified
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).
isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)

protected String getRoleIDToken(@Nonnull @NotEmpty String entityID, @Nonnull RoleDescriptor role)
Get a string token for logging/debugging purposes that contains role information and the containing entityID.
Parameters:
entityID - the containing entityID
role - the role descriptor

@Nonnull @NotEmpty protected String getGroupName(@Nonnull EntitiesDescriptor group)
Get the group's name, or a suitable facsimile if not named.
Parameters:
group - the EntitiesDescriptor
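The page documents the filter's knobs but not how it is put to work. The following is an added example, not code from the OpenSAML project or this Javadoc, showing the usual wiring: an explicit-key trust engine pinned to a federation's metadata signing certificate, `SignatureValidationFilter` attached to a `FilesystemMetadataResolver`, and `requireSignedRoot` left at its documented default of true. It assumes OpenSAML 3.x (the API generation this page describes, with Guava `Function` and the java-support `CriteriaSet`) and that release's package layout for `ExplicitKeySignatureTrustEngine`, `StaticCredentialResolver`, `BasicX509Credential`, `DefaultSecurityConfigurationBootstrap` and `FilesystemMetadataResolver`; the file paths, resolver id and entityID are placeholders.

```java
// Added example, not part of the OpenSAML Javadoc or the project's own code.
// Assumes OpenSAML 3.x and its standard package locations; paths and the
// entityID are placeholders.
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;

import org.opensaml.core.config.InitializationService;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.metadata.resolver.filter.impl.SignatureValidationFilter;
import org.opensaml.saml.metadata.resolver.impl.FilesystemMetadataResolver;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

public final class SignedMetadataExample {

    /** Trust engine that accepts only signatures verifiable with the pinned federation certificate. */
    static SignatureTrustEngine buildTrustEngine(File signingCertFile) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(signingCertFile)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Explicit-key trust: the signing key is fixed out of band. Keys carried in the
        // document's own <ds:KeyInfo> are only candidates and must match this credential.
        StaticCredentialResolver trusted = new StaticCredentialResolver(new BasicX509Credential(cert));
        KeyInfoCredentialResolver keyInfoResolver =
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();
        return new ExplicitKeySignatureTrustEngine(trusted, keyInfoResolver);
    }

    /** Resolver whose initial load and every refresh pass through SignatureValidationFilter. */
    static FilesystemMetadataResolver buildResolver(File metadataFile, File signingCertFile) throws Exception {
        SignatureValidationFilter sigFilter = new SignatureValidationFilter(buildTrustEngine(signingCertFile));
        // true is the documented default; set it explicitly so the intent survives review:
        // an unsigned root element is a FilterException, not a silently accepted document.
        sigFilter.setRequireSignedRoot(true);
        // defaultCriteria is documented as optional and is left null here; the constructor
        // defaults (SAMLSignatureProfileValidator, BasicDynamicTrustedNamesStrategy) are kept.

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.initialize();

        FilesystemMetadataResolver resolver = new FilesystemMetadataResolver(metadataFile);
        resolver.setId("federation-metadata");            // placeholder id
        resolver.setParserPool(parserPool);
        resolver.setMetadataFilter(sigFilter);             // if chaining filters, keep this one first
        resolver.setRequireValidMetadata(true);
        // A rejected signature is reported from initialize() rather than leaving the
        // resolver running on untrusted content.
        resolver.initialize();
        return resolver;
    }

    public static void main(String[] args) throws Exception {
        InitializationService.initialize();
        FilesystemMetadataResolver resolver = buildResolver(
                new File("/etc/federation/metadata.xml"),      // placeholder path
                new File("/etc/federation/signing.crt"));      // placeholder path
        EntityDescriptor idp = resolver.resolveSingle(
                new CriteriaSet(new EntityIdCriterion("https://idp.example.org/idp/shibboleth"))); // placeholder
        System.out.println(idp == null ? "entity not present in signed metadata" : "resolved " + idp.getEntityID());
    }
}
```

The signature filter is placed directly on the resolver here; when it is combined with other filters in a chain, it should run first so that later filters (validity checks, role filtering) only ever see content whose signature has already been established as trusted.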
Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.