public class DefaultSAML20AssertionValidationContextBuilder extends Object implements com.google.common.base.Function<SAML20AssertionTokenValidationInput,ValidationContext>

Function which builds a ValidationContext from an instance of SAML20AssertionTokenValidationInput.
| Modifier and Type | Field and Description |
|---|---|
| private org.slf4j.Logger | log: Logger. |
| private com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> | signatureCriteriaSetFunction: A function for resolving the signature validation CriteriaSet for a particular message context and Assertion pair. |
| private boolean | signatureRequired: Flag indicating whether an Assertion signature is required. |
| Constructor and Description |
|---|
| DefaultSAML20AssertionValidationContextBuilder(): Constructor. |
| Modifier and Type | Method and Description |
|---|---|
| ValidationContext | apply(SAML20AssertionTokenValidationInput input) |
| protected Map<String,Object> | buildStaticParameters(SAML20AssertionTokenValidationInput input): Build the static parameters map for input to the ValidationContext. |
| protected X509Certificate | getAttesterCertificate(SAML20AssertionTokenValidationInput input): Get the attesting entity's X509Certificate. |
| protected String | getAttesterIPAddress(SAML20AssertionTokenValidationInput input): Get the attester's IP address. |
| protected PublicKey | getAttesterPublicKey(SAML20AssertionTokenValidationInput input): Get the attesting entity's PublicKey. |
| protected net.shibboleth.utilities.java.support.resolver.CriteriaSet | getSignatureCriteriaSet(SAML20AssertionTokenValidationInput input): Get the signature validation criteria set. |
| com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> | getSignatureCriteriaSetFunction(): Get the function for resolving the signature validation CriteriaSet for a particular message context and Assertion pair. |
| protected Set<InetAddress> | getValidAddresses(SAML20AssertionTokenValidationInput input): Get the set of addresses which are valid for subject confirmation. |
| protected Set<String> | getValidAudiences(SAML20AssertionTokenValidationInput input): Get the valid audiences for attestation. |
| protected Set<String> | getValidRecipients(SAML20AssertionTokenValidationInput input): Get the valid recipient endpoints for attestation. |
| boolean | isSignatureRequired(): Get the flag indicating whether an Assertion signature is required. |
| void | setSignatureCriteriaSetFunction(com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> function): Set the function for resolving the signature validation CriteriaSet for a particular message context and Assertion pair. |
| void | setSignatureRequired(boolean flag): Set the flag indicating whether an Assertion signature is required. |
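The following subclass is an added example of configuring this builder and overriding its protected hooks; it is not OpenSAML's or Shibboleth's own code. It pins the signature validation criteria to the issuer's IdP role and the SAML 2.0 protocol (the base getSignatureCriteriaSet() still adds the EntityIdCriterion and UsageCriterion when the function omits them), replaces the request-URL-derived recipient set with configured endpoints, resolves the attester address behind a trusted reverse proxy, and derives the attester PublicKey from the TLS client certificate that getAttesterCertificate() already returns. It assumes OpenSAML 3.x, where this builder and SAML20AssertionTokenValidationInput live in org.opensaml.saml.saml2.wssecurity.messaging.impl and the input exposes getHttpServletRequest(); the class name, the recipient endpoint set and the trusted proxy set are hypothetical configuration.

```java
package example.saml;

// Added example, not OpenSAML/Shibboleth code. Assumes OpenSAML 3.x package names and that
// SAML20AssertionTokenValidationInput exposes getHttpServletRequest(); the endpoint and proxy
// sets and this class name are hypothetical.

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;

import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml.saml2.wssecurity.messaging.impl.DefaultSAML20AssertionValidationContextBuilder;
import org.opensaml.saml.saml2.wssecurity.messaging.impl.SAML20AssertionTokenValidationInput;

import com.google.common.net.InetAddresses;

import net.shibboleth.utilities.java.support.resolver.CriteriaSet;

public class PinnedAssertionValidationContextBuilder
        extends DefaultSAML20AssertionValidationContextBuilder {

    /** Recipient endpoints this service really serves (hypothetical configuration). */
    private final Set<String> recipientEndpoints;

    /** Reverse proxy addresses whose X-Forwarded-For header is believed (hypothetical configuration). */
    private final Set<String> trustedProxies;

    public PinnedAssertionValidationContextBuilder(@Nonnull final Set<String> recipientEndpoints,
            @Nonnull final Set<String> trustedProxies) {
        this.recipientEndpoints = Collections.unmodifiableSet(new HashSet<>(recipientEndpoints));
        this.trustedProxies = Collections.unmodifiableSet(new HashSet<>(trustedProxies));

        // Already the default (true); stated explicitly so later wiring cannot silently
        // downgrade to accepting unsigned assertions.
        setSignatureRequired(true);

        // Narrow the signing-credential lookup to the issuer's IdP role and the SAML 2.0 protocol.
        // EntityIdCriterion (from the Assertion issuer) and UsageCriterion(SIGNING) are added by
        // the base getSignatureCriteriaSet() when the function does not supply them.
        setSignatureCriteriaSetFunction(pair -> {
            final CriteriaSet criteria = new CriteriaSet();
            criteria.add(new EntityRoleCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME));
            criteria.add(new ProtocolCriterion(SAMLConstants.SAML20P_NS));
            return criteria;
        });
    }

    /** The default includes HttpServletRequest.getRequestURL(), which is rebuilt from the
     *  client-supplied Host header; pin recipients to the endpoints the deployment serves. */
    @Nonnull @Override
    protected Set<String> getValidRecipients(@Nonnull final SAML20AssertionTokenValidationInput input) {
        return recipientEndpoints;
    }

    /** Behind a reverse proxy getRemoteAddr() is the proxy. Believe X-Forwarded-For only when the
     *  direct peer is a trusted proxy, and walk from the right past every trusted hop so a client
     *  cannot plant an address by pre-populating the header. */
    @Nonnull @Override
    protected String getAttesterIPAddress(@Nonnull final SAML20AssertionTokenValidationInput input) {
        final HttpServletRequest request = input.getHttpServletRequest();
        final String remote = request.getRemoteAddr();
        if (!trustedProxies.contains(remote)) {
            return remote;
        }
        final String forwardedFor = request.getHeader("X-Forwarded-For");
        if (forwardedFor == null) {
            return remote;
        }
        final String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            final String hop = hops[i].trim();
            // Accept only IP literals: getValidAddresses() turns this value into an InetAddress,
            // and a hostname here would be attacker-supplied input that could reach the resolver.
            if (!InetAddresses.isInetAddress(hop)) {
                return remote;
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remote;
    }

    /** The default returns null; when a TLS client certificate was presented, expose its key too,
     *  so holder-of-key confirmation can also match a KeyInfo that carries only a KeyValue. */
    @Nullable @Override
    protected PublicKey getAttesterPublicKey(@Nonnull final SAML20AssertionTokenValidationInput input) {
        final X509Certificate cert = getAttesterCertificate(input);
        return cert == null ? null : cert.getPublicKey();
    }
}
```

Two of the defaults deserve the caveat that motivates the overrides. getValidRecipients() trusts HttpServletRequest.getRequestURL(), which the container reconstructs from the Host header the client sent, so on a permissive virtual host or proxy the request rather than the deployment decides which Recipient is acceptable. getAttesterIPAddress() returns ServletRequest.getRemoteAddr(), which is the load balancer's address when TLS terminates in front of the application, so every SubjectConfirmationData Address check would compare against the proxy; forwarded headers must only be believed from proxies you control. Keep the recipient set minimal: every extra entry widens what an assertion issued for another endpoint may satisfy.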
private org.slf4j.Logger log
private com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> signatureCriteriaSetFunction
private boolean signatureRequired
public DefaultSAML20AssertionValidationContextBuilder()

public boolean isSignatureRequired()
Get the flag indicating whether an Assertion signature is required.
Defaults to: true.

public void setSignatureRequired(boolean flag)
Set the flag indicating whether an Assertion signature is required.
Defaults to: true.
Parameters:
flag - true if required, false if not

@Nullable public com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> getSignatureCriteriaSetFunction()
Get the function for resolving the signature validation CriteriaSet for a particular message context and Assertion pair.
Defaults to: null.

public void setSignatureCriteriaSetFunction(@Nullable com.google.common.base.Function<net.shibboleth.utilities.java.support.collection.Pair<org.opensaml.messaging.context.MessageContext,Assertion>,net.shibboleth.utilities.java.support.resolver.CriteriaSet> function)
Set the function for resolving the signature validation CriteriaSet for a particular message context and Assertion pair.
Defaults to: null.
Parameters:
function - the resolving function, may be null

@Nullable public ValidationContext apply(@Nullable SAML20AssertionTokenValidationInput input)
Specified by:
apply in interface com.google.common.base.Function<SAML20AssertionTokenValidationInput,ValidationContext>

@Nonnull protected Map<String,Object> buildStaticParameters(@Nonnull SAML20AssertionTokenValidationInput input)
Build the static parameters map for input to the ValidationContext.
Parameters:
input - the assertion validation input

@Nonnull protected net.shibboleth.utilities.java.support.resolver.CriteriaSet getSignatureCriteriaSet(@Nonnull SAML20AssertionTokenValidationInput input)
Get the signature validation criteria set.
This implementation first evaluates the result of applying the function getSignatureCriteriaSetFunction(), if configured. If that evaluation did not produce an EntityIdCriterion, one is added based on the issuer of the Assertion. If that evaluation did not produce an instance of UsageCriterion, one is added with the value of UsageType.SIGNING.
Parameters:
input - the assertion validation input

@Nullable protected X509Certificate getAttesterCertificate(@Nonnull SAML20AssertionTokenValidationInput input)
Get the attesting entity's X509Certificate.
This implementation returns the client TLS certificate present in the HttpServletRequest, or null if one is not present.
Parameters:
input - the assertion validation input

@Nullable protected PublicKey getAttesterPublicKey(@Nonnull SAML20AssertionTokenValidationInput input)
Get the attesting entity's PublicKey.
This implementation returns null. Subclasses should override to implement specific logic.
Parameters:
input - the assertion validation input

@Nonnull protected Set<String> getValidRecipients(@Nonnull SAML20AssertionTokenValidationInput input)
Get the valid recipient endpoints for attestation.
This implementation returns a set containing two values: HttpServletRequest.getRequestURL() and AbstractSAMLEntityContext.getEntityId().
Parameters:
input - the assertion validation input

@Nonnull protected Set<InetAddress> getValidAddresses(@Nonnull SAML20AssertionTokenValidationInput input)
Get the set of addresses which are valid for subject confirmation.
This implementation simply returns the set based on getAttesterIPAddress(SAML20AssertionTokenValidationInput), if that produces a value. Otherwise an empty set is returned.
Parameters:
input - the assertion validation input

@Nonnull protected String getAttesterIPAddress(@Nonnull SAML20AssertionTokenValidationInput input)
Get the attester's IP address.
This implementation returns the value of ServletRequest.getRemoteAddr().
Parameters:
input - the assertion validation input

@Nonnull protected Set<String> getValidAudiences(@Nonnull SAML20AssertionTokenValidationInput input)
Get the valid audiences for attestation.
This implementation returns a set containing the single entityID held by the message context's AbstractSAMLEntityContext.getEntityId(), if present. Otherwise an empty set is returned.
Parameters:
input - the assertion validation input

Copyright © 1999–2020 Shibboleth Consortium. All rights reserved.