BaseSAMLSimpleSignatureSecurityPolicyRule (OpenSAML-J 2.5.1-1 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.opensaml.common.binding.security
Class BaseSAMLSimpleSignatureSecurityPolicyRule

java.lang.Object
  org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule

All Implemented Interfaces:: org.opensaml.ws.security.SecurityPolicyRule

Direct Known Subclasses:: SAML2HTTPPostSimpleSignRule, SAML2HTTPRedirectDeflateSignatureRule

public abstract class BaseSAMLSimpleSignatureSecurityPolicyRule
extends java.lang.Object
implements org.opensaml.ws.security.SecurityPolicyRule
extends java.lang.Object
implements org.opensaml.ws.security.SecurityPolicyRule

Base class for security rules which verify simple "blob" signatures computed over some components of a request.

Constructor Summary
`protected`	`BaseSAMLSimpleSignatureSecurityPolicyRule(org.opensaml.xml.signature.SignatureTrustEngine engine)` Constructor.

Method Summary
`protected org.opensaml.xml.security.CriteriaSet`	`buildCriteriaSet(java.lang.String entityID, SAMLMessageContext samlContext)` Build a criteria set suitable for input to the trust engine.
`protected java.lang.String`	`deriveSignerEntityID(SAMLMessageContext samlContext)` Derive the signer's entity ID from the message context.
`void`	`evaluate(org.opensaml.ws.message.MessageContext messageContext)`
`protected java.util.List<org.opensaml.xml.security.credential.Credential>`	`getRequestCredentials(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlContext)` Extract any candidate validation credentials from the request and/or message context.
`protected byte[]`	`getSignature(javax.servlet.http.HttpServletRequest request)` Extract the signature value from the request, in the form suitable for input into `SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential)`.
`protected java.lang.String`	`getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request)` Extract the signature algorithm URI value from the request.
`protected abstract byte[]`	`getSignedContent(javax.servlet.http.HttpServletRequest request)` Get the content over which to validate the signature, in the form suitable for input into `SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential)`.
`protected org.opensaml.xml.signature.SignatureTrustEngine`	`getTrustEngine()` Gets the engine used to validate the signature.
`protected abstract boolean`	`ruleHandles(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlMsgCtx)` Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
`protected boolean`	`validateSignature(byte[] signature, byte[] signedContent, java.lang.String algorithmURI, org.opensaml.xml.security.CriteriaSet criteriaSet, java.util.List<org.opensaml.xml.security.credential.Credential> candidateCredentials)` Validate the simple signature.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

BaseSAMLSimpleSignatureSecurityPolicyRule

protected BaseSAMLSimpleSignatureSecurityPolicyRule(org.opensaml.xml.signature.SignatureTrustEngine engine)

Constructor.

Parameters:: engine - the signature trust engine to use for signature validataion

Method Detail

evaluate

public void evaluate(org.opensaml.ws.message.MessageContext messageContext)
              throws org.opensaml.ws.security.SecurityPolicyException

Specified by:: evaluate in interface org.opensaml.ws.security.SecurityPolicyRule

Throws:: org.opensaml.ws.security.SecurityPolicyException

validateSignature

protected boolean validateSignature(byte[] signature,
                                    byte[] signedContent,
                                    java.lang.String algorithmURI,
                                    org.opensaml.xml.security.CriteriaSet criteriaSet,
                                    java.util.List<org.opensaml.xml.security.credential.Credential> candidateCredentials)
                             throws org.opensaml.ws.security.SecurityPolicyException

Validate the simple signature.

Parameters:: signature - the signature value; signedContent - the content that was signed; algorithmURI - the signature algorithm URI which was used to sign the content; criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation; candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)
Returns:: true if signature can be verified successfully, false otherwise
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there are errors during the signature validation process

getRequestCredentials

protected java.util.List<org.opensaml.xml.security.credential.Credential> getRequestCredentials(javax.servlet.http.HttpServletRequest request,
                                                                                                SAMLMessageContext samlContext)
                                                                                         throws org.opensaml.ws.security.SecurityPolicyException

Extract any candidate validation credentials from the request and/or message context. Some bindings allow validataion keys for the simple signature to be supplied, and others do not.

Parameters:: request - the HTTP servlet request being processed; samlContext - the SAML message context being processed
Returns:: a list of candidate validation credentials in the request, or null if none were present
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

getTrustEngine

protected org.opensaml.xml.signature.SignatureTrustEngine getTrustEngine()

Gets the engine used to validate the signature.

Returns:: engine engine used to validate the signature

getSignature

protected byte[] getSignature(javax.servlet.http.HttpServletRequest request)
                       throws org.opensaml.ws.security.SecurityPolicyException

Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.

Parameters:: request - the HTTP servlet request
Returns:: the signature value
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

getSignatureAlgorithm

protected java.lang.String getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request)
                                          throws org.opensaml.ws.security.SecurityPolicyException

Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.

Parameters:: request - the HTTP servlet request
Returns:: the signature algorithm URI value
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

deriveSignerEntityID

protected java.lang.String deriveSignerEntityID(SAMLMessageContext samlContext)
                                         throws org.opensaml.ws.security.SecurityPolicyException

Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.

Parameters:: samlContext - the SAML message context being processed
Returns:: the signer's derived entity ID
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

buildCriteriaSet

protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(java.lang.String entityID,
                                                                 SAMLMessageContext samlContext)
                                                          throws org.opensaml.ws.security.SecurityPolicyException

Build a criteria set suitable for input to the trust engine.

Parameters:: entityID - the candidate issuer entity ID which is being evaluated; samlContext - the message context which is being evaluated
Returns:: a newly constructly set of criteria suitable for the configured trust engine
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if criteria set can not be constructed

getSignedContent

protected abstract byte[] getSignedContent(javax.servlet.http.HttpServletRequest request)
                                    throws org.opensaml.ws.security.SecurityPolicyException

Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).

Parameters:: request - the HTTP servlet request being processed
Returns:: the signed content extracted from the request, in the format suitable for input to the trust engine.
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

ruleHandles

protected abstract boolean ruleHandles(javax.servlet.http.HttpServletRequest request,
                                       SAMLMessageContext samlMsgCtx)
                                throws org.opensaml.ws.security.SecurityPolicyException

Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.

Parameters:: request - the HTTP servlet request being processed; samlMsgCtx - the SAML message context being processed
Returns:: true if the rule should attempt to process the request, otherwise false
Throws:: org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing