public class MetadataCredentialResolver extends AbstractCriteriaFilteringCredentialResolver implements net.shibboleth.utilities.java.support.component.InitializableComponent

Credentials may be resolved either by directly supplying an instance of RoleDescriptor in the input CriteriaSet, or by looking up the role descriptor via a supplied RoleDescriptorResolver.

The following resolution modes and associated Criterion inputs are supported:

Direct resolution from a supplied RoleDescriptor:
- RoleDescriptorCriterion - required
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.

Resolution via a supplied RoleDescriptorResolver:
- EntityIdCriterion - required
- EntityRoleCriterion - required
- ProtocolCriterion - optional; if absent, credentials will be resolved from all matching roles, regardless of protocol support.
- UsageCriterion - optional; if absent, the effective value UsageType.UNSPECIFIED will be used for credential resolution.

In order to support resolution from a metadata source using EntityIdCriterion + EntityRoleCriterion, an instance of RoleDescriptorResolver must be supplied. Otherwise it is optional.

An instance of KeyInfoCredentialResolver must always be supplied.
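The following is an added example, not code from the OpenSAML Javadoc or the project itself. It wires a MetadataCredentialResolver exactly as the class description requires (a RoleDescriptorResolver for the lookup mode, a KeyInfoCredentialResolver always) and exercises both resolution modes. It assumes OpenSAML 3.x/4.x with the core initialised, the standard OpenSAML classes PredicateRoleDescriptorResolver, DefaultSecurityConfigurationBootstrap, ExplicitKeySignatureTrustEngine and the criterion classes named in the description (the package of DefaultSecurityConfigurationBootstrap differs between 3.x and 4.x, so the import may need adjusting); the class name MetadataSigningKeys and its method names are hypothetical.

```java
// Added example (not OpenSAML's own code). Assumes an initialised OpenSAML 3.x/4.x runtime.
import java.util.ArrayList;
import java.util.List;

import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;

import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.metadata.resolver.impl.PredicateRoleDescriptorResolver;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap; // org.opensaml.xmlsec.config in 3.x
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.signature.support.SignatureTrustEngine;
import org.opensaml.xmlsec.signature.support.impl.ExplicitKeySignatureTrustEngine;

/** Hypothetical helper class; the name and method names are assumptions of this example. */
public final class MetadataSigningKeys {

    /** Build a MetadataCredentialResolver on top of an already-initialised MetadataResolver. */
    public static MetadataCredentialResolver build(final MetadataResolver metadata)
            throws ComponentInitializationException {
        // Required for the EntityIdCriterion + EntityRoleCriterion lookup mode.
        final PredicateRoleDescriptorResolver roles = new PredicateRoleDescriptorResolver(metadata);
        roles.initialize();

        // Always required: converts the ds:KeyInfo inside each md:KeyDescriptor into Credentials.
        // The "basic inline" resolver handles inline X509Data/KeyValue, which is what SAML metadata carries.
        final KeyInfoCredentialResolver keyInfo =
                DefaultSecurityConfigurationBootstrap.buildBasicInlineKeyInfoCredentialResolver();

        final MetadataCredentialResolver resolver = new MetadataCredentialResolver();
        resolver.setRoleDescriptorResolver(roles);
        resolver.setKeyInfoCredentialResolver(keyInfo);
        resolver.initialize();
        return resolver;
    }

    /**
     * Lookup mode: signing credentials of one SAML 2.0 IdP.
     * UsageCriterion(SIGNING) matters: if it is omitted the effective usage is UNSPECIFIED,
     * which matches every KeyDescriptor, so keys published with use="encryption" would be
     * returned as well and could be accepted for signature verification.
     */
    public static List<Credential> idpSigningKeys(final MetadataCredentialResolver resolver,
            final String entityId) throws ResolverException {
        final CriteriaSet criteria = new CriteriaSet(
                new EntityIdCriterion(entityId),
                new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME),
                new ProtocolCriterion(SAMLConstants.SAML20P_NS),
                new UsageCriterion(UsageType.SIGNING));
        return toList(resolver.resolve(criteria));
    }

    /** Direct mode: credentials from a RoleDescriptor the caller already holds. */
    public static List<Credential> keysOf(final MetadataCredentialResolver resolver,
            final RoleDescriptor role, final UsageType usage) throws ResolverException {
        final CriteriaSet criteria = new CriteriaSet(
                new RoleDescriptorCriterion(role),
                new UsageCriterion(usage));
        return toList(resolver.resolve(criteria));
    }

    /** Typical consumer: a trust engine that accepts only signatures made with keys found in metadata. */
    public static SignatureTrustEngine trustEngine(final MetadataCredentialResolver resolver) {
        return new ExplicitKeySignatureTrustEngine(resolver, resolver.getKeyInfoCredentialResolver());
    }

    private static List<Credential> toList(final Iterable<Credential> creds) {
        final List<Credential> out = new ArrayList<>();
        for (final Credential c : creds) {
            out.add(c);
        }
        return out;
    }
}
```

The ExplicitKeySignatureTrustEngine at the end is the usual reason to build this resolver: signature verification is then bound to the keys an entity actually publishes in metadata, rather than to whatever ds:KeyInfo a message carries. Omitting ProtocolCriterion is harmless for most deployments, but omitting UsageCriterion widens the key set to every usage, so pass the usage explicitly when the credentials feed a trust decision.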
Modifier and Type | Field and Description
---|---
private boolean | isInitialized: Initialization flag.
private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver | keyInfoCredentialResolver: Credential resolver used to resolve credentials from role descriptor KeyInfo elements.
private org.slf4j.Logger | log: Class logger.
private RoleDescriptorResolver | roleDescriptorResolver: Metadata RoleDescriptor resolver which is the source of credentials.

Constructor and Description
---
MetadataCredentialResolver()
Modifier and Type | Method and Description
---|---
protected void | extractCredentials(HashSet<org.opensaml.security.credential.Credential> accumulator, KeyDescriptor keyDescriptor, String entityID, org.opensaml.security.credential.UsageType mdUsage): Extract the credentials from the specified KeyDescriptor.
protected org.opensaml.security.credential.UsageType | getEffectiveUsageInput(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet): Get the effective UsageType input to use.
org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver | getKeyInfoCredentialResolver(): Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
RoleDescriptorResolver | getRoleDescriptorResolver(): Get the metadata RoleDescriptor resolver instance used by this resolver.
protected Iterable<RoleDescriptor> | getRoleDescriptors(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol): Get the list of role descriptors which match the given entityID, role and protocol.
void | initialize()
boolean | isInitialized()
protected boolean | matchUsage(org.opensaml.security.credential.UsageType metadataUsage, org.opensaml.security.credential.UsageType criteriaUsage): Match usage enum type values from a metadata KeyDescriptor and from credential criteria.
protected void | processRoleDescriptor(HashSet<org.opensaml.security.credential.Credential> accumulator, RoleDescriptor roleDescriptor, String entityID, org.opensaml.security.credential.UsageType usage): Process a RoleDescriptor by examining each of its KeyDescriptors.
protected Collection<org.opensaml.security.credential.Credential> | resolveFromMetadata(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, String entityID, QName role, String protocol, org.opensaml.security.credential.UsageType usage): Resolves credentials using this resolver's configured instance of RoleDescriptorResolver.
protected Collection<org.opensaml.security.credential.Credential> | resolveFromRoleDescriptor(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, RoleDescriptor roleDescriptor, org.opensaml.security.credential.UsageType usage): Resolves credentials using a supplied instance of RoleDescriptor.
protected Iterable<org.opensaml.security.credential.Credential> | resolveFromSource(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)
void | setKeyInfoCredentialResolver(org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver): Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
void | setRoleDescriptorResolver(RoleDescriptorResolver resolver): Set the metadata RoleDescriptor resolver instance used by this resolver.

Methods inherited from class AbstractCriteriaFilteringCredentialResolver: isSatisfyAllPredicates, resolve, setSatisfyAllPredicates

Inherited method: resolveSingle
@Nonnull private final org.slf4j.Logger log
Class logger.

@Nullable private RoleDescriptorResolver roleDescriptorResolver
Metadata RoleDescriptor resolver which is the source of credentials.

@NonnullAfterInit private org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver keyInfoCredentialResolver
Credential resolver used to resolve credentials from role descriptor KeyInfo elements.

private boolean isInitialized
Initialization flag.

public boolean isInitialized()
Specified by: isInitialized in interface net.shibboleth.utilities.java.support.component.InitializableComponent

public void initialize() throws net.shibboleth.utilities.java.support.component.ComponentInitializationException
Specified by: initialize in interface net.shibboleth.utilities.java.support.component.InitializableComponent
Throws: net.shibboleth.utilities.java.support.component.ComponentInitializationException

@Nullable public RoleDescriptorResolver getRoleDescriptorResolver()
Get the metadata RoleDescriptor resolver instance used by this resolver. This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.

public void setRoleDescriptorResolver(@Nullable RoleDescriptorResolver resolver)
Set the metadata RoleDescriptor resolver instance used by this resolver. This is optional. If not supplied, credentials may only be resolved via input of a RoleDescriptorCriterion.
Parameters: resolver - the new RoleDescriptorResolver to use

@NonnullAfterInit public org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver getKeyInfoCredentialResolver()
Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

public void setKeyInfoCredentialResolver(@Nonnull org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver resolver)
Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
Parameters: resolver - the new KeyInfoCredentialResolver to use

@Nonnull protected Iterable<org.opensaml.security.credential.Credential> resolveFromSource(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Specified by: resolveFromSource in class AbstractCriteriaFilteringCredentialResolver
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException

@Nonnull protected org.opensaml.security.credential.UsageType getEffectiveUsageInput(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet)
Get the effective UsageType input to use.
Parameters: criteriaSet - the criteria set being processed

@Nonnull protected Collection<org.opensaml.security.credential.Credential> resolveFromRoleDescriptor(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, @Nonnull RoleDescriptor roleDescriptor, @Nonnull org.opensaml.security.credential.UsageType usage) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Resolves credentials using a supplied instance of RoleDescriptor.
Parameters:
- criteriaSet - the criteria set being processed
- roleDescriptor - the role descriptor being processed
- usage - intended usage of resolved credentials
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

@Nonnull protected Collection<org.opensaml.security.credential.Credential> resolveFromMetadata(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, @Nonnull @NotEmpty String entityID, @Nonnull QName role, @Nullable String protocol, @Nonnull org.opensaml.security.credential.UsageType usage) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Resolves credentials using this resolver's configured instance of RoleDescriptorResolver.
Parameters:
- criteriaSet - the criteria set being processed
- entityID - entityID of the credential owner
- role - role in which the entity is operating
- protocol - protocol over which the entity is operating (may be null)
- usage - intended usage of resolved credentials
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected void processRoleDescriptor(@Nonnull HashSet<org.opensaml.security.credential.Credential> accumulator, @Nonnull RoleDescriptor roleDescriptor, @Nullable String entityID, @Nonnull org.opensaml.security.credential.UsageType usage) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Process a RoleDescriptor by examining each of its KeyDescriptors.
Parameters:
- accumulator - the set of credentials being accumulated for return to the caller
- roleDescriptor - the RoleDescriptor being processed
- entityID - the entity ID of the RoleDescriptor being processed
- usage - the credential usage type specified as resolve input
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

protected void extractCredentials(@Nonnull HashSet<org.opensaml.security.credential.Credential> accumulator, @Nonnull KeyDescriptor keyDescriptor, @Nullable String entityID, @Nonnull org.opensaml.security.credential.UsageType mdUsage) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Extract the credentials from the specified KeyDescriptor.
Parameters:
- accumulator - the set of credentials being accumulated for return to the caller
- keyDescriptor - the KeyDescriptor being processed
- entityID - the entity ID of the KeyDescriptor being processed
- mdUsage - the effective credential usage type in effect for the resolved credentials
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException - if there is a problem resolving credentials from the KeyDescriptor's KeyInfo element

protected boolean matchUsage(@Nonnull org.opensaml.security.credential.UsageType metadataUsage, @Nonnull org.opensaml.security.credential.UsageType criteriaUsage)
Match usage enum type values from a metadata KeyDescriptor and from credential criteria.
Parameters:
- metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
- criteriaUsage - the value from credential criteria

@Nonnull protected Iterable<RoleDescriptor> getRoleDescriptors(@Nonnull net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, @Nonnull String entityID, @Nonnull QName role, @Nullable String protocol) throws net.shibboleth.utilities.java.support.resolver.ResolverException
Get the list of role descriptors which match the given entityID, role and protocol.
Parameters:
- criteriaSet - criteria set being processed
- entityID - entity ID of the credential owner
- role - role in which the entity is operating
- protocol - protocol over which the entity is operating (may be null)
Throws: net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if there is an error retrieving role descriptors from the metadata provider

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.