Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD

org.opensaml.saml2.metadata.provider
Class SignatureValidationFilter

java.lang.Object
  extended by org.opensaml.saml2.metadata.provider.SignatureValidationFilter
All Implemented Interfaces:
MetadataFilter
public class SignatureValidationFilter
extends java.lang.Object
implements MetadataFilter

A metadata filter that validates XML signatures.

Constructor Summary
SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine)
          Constructor.
SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator)
          Constructor.
 
Method Summary
protected  org.opensaml.xml.security.CriteriaSet buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata, java.lang.String metadataEntryName, boolean isEntityGroup)
          Build the criteria set which will be used as input to the configured trust engine.
 void doFilter(org.opensaml.xml.XMLObject metadata)
          Filters the given metadata, perhaps to remove elements that are not wanted.
 org.opensaml.xml.security.CriteriaSet getDefaultCriteria()
          Get the set of default criteria used as input to the trust engine.
 boolean getRequireSignature()
          Gets whether incoming metadata's root element is required to be signed.
protected  java.lang.String getRoleIDToken(java.lang.String entityID, RoleDescriptor role)
          Get a string token for logging/debugging purposes that contains role information and containing entityID.
 org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> getSignaturePrevalidator()
          Get the validator used to perform pre-validation on Signature tokens.
 org.opensaml.xml.signature.SignatureTrustEngine getSignatureTrustEngine()
          Gets the trust engine used to validate signatures on incoming metadata.
protected  void performPreValidation(org.opensaml.xml.signature.Signature signature, java.lang.String metadataEntryName)
          Perform pre-validation on the Signature token.
protected  void processEntityDescriptor(EntityDescriptor entityDescriptor)
          Process the signatures on the specified EntityDescriptor and any signed children.
protected  void processEntityGroup(EntitiesDescriptor entitiesDescriptor)
          Process the signatures on the specified EntitiesDescriptor and any signed children.
 void setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria)
          Set the set of default criteria used as input to the trust engine.
 void setRequireSignature(boolean require)
          Sets whether incoming metadata's root element is required to be signed.
protected  void verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata, java.lang.String metadataEntryName, boolean isEntityGroup)
          Evaluate the signature on the signed metadata instance.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SignatureValidationFilter

public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine)
Constructor.

Parameters:
engine - the trust engine used to validate signatures on incoming metadata.

SignatureValidationFilter

public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine,
                                 org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator)
Constructor.

Parameters:
engine - the trust engine used to validate signatures on incoming metadata.
signatureValidator - optional pre-validator used to validate Signature elements prior to the actual cryptographic validation operation
Method Detail

getSignatureTrustEngine

public org.opensaml.xml.signature.SignatureTrustEngine getSignatureTrustEngine()
Gets the trust engine used to validate signatures on incoming metadata.

Returns:
trust engine used to validate signatures on incoming metadata

getSignaturePrevalidator

public org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> getSignaturePrevalidator()
Get the validator used to perform pre-validation on Signature tokens.

Returns:
the configured Signature validator, or null

getRequireSignature

public boolean getRequireSignature()
Gets whether incoming metadata's root element is required to be signed.

Returns:
whether incoming metadata is required to be signed

setRequireSignature

public void setRequireSignature(boolean require)
Sets whether incoming metadata's root element is required to be signed.

Parameters:
require - whether incoming metadata is required to be signed

getDefaultCriteria

public org.opensaml.xml.security.CriteriaSet getDefaultCriteria()
Get the set of default criteria used as input to the trust engine.

Returns:
the criteria set

setDefaultCriteria

public void setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria)
Set the set of default criteria used as input to the trust engine.

Parameters:
newCriteria - the new criteria set to use

doFilter

public void doFilter(org.opensaml.xml.XMLObject metadata)
              throws FilterException
Filters the given metadata, perhaps to remove elements that are not wanted.

Specified by:
doFilter in interface MetadataFilter
Parameters:
metadata - the metadata to be filtered.
Throws:
FilterException - thrown if an error occurs during the filtering process

processEntityDescriptor

protected void processEntityDescriptor(EntityDescriptor entityDescriptor)
                                throws FilterException
Process the signatures on the specified EntityDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entity descriptor.

Parameters:
entityDescriptor - the EntityDescriptor to be processed
Throws:
FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified

processEntityGroup

protected void processEntityGroup(EntitiesDescriptor entitiesDescriptor)
                           throws FilterException
Process the signatures on the specified EntitiesDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entities descriptor group.

Parameters:
entitiesDescriptor - the EntitiesDescriptor to be processed
Throws:
FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified

verifySignature

protected void verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata,
                               java.lang.String metadataEntryName,
                               boolean isEntityGroup)
                        throws FilterException
Evaluate the signature on the signed metadata instance.

Parameters:
signedMetadata - the metadata object whose signature is to be verified
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine
Throws:
FilterException - thrown if the metadata entry's signature can not be established as trusted, or if an error occurs during the signature verification process

performPreValidation

protected void performPreValidation(org.opensaml.xml.signature.Signature signature,
                                    java.lang.String metadataEntryName)
                             throws FilterException
Perform pre-validation on the Signature token.

Parameters:
signature - the signature to evaluate
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
Throws:
FilterException - thrown if the signature element fails pre-validation

buildCriteriaSet

protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata,
                                                                 java.lang.String metadataEntryName,
                                                                 boolean isEntityGroup)
Build the criteria set which will be used as input to the configured trust engine.

Parameters:
signedMetadata - the metadata element whose signature is being verified
metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).
isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)
Returns:
the newly constructed criteria set

getRoleIDToken

protected java.lang.String getRoleIDToken(java.lang.String entityID,
                                          RoleDescriptor role)
Get a string token for logging/debugging purposes that contains role information and containing entityID.

Parameters:
entityID - the containing entityID
role - the role descriptor
Returns:
the constructed role ID token.
Overview  Package   Class  Use  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES    
SUMMARY: NESTED | FIELD | CONSTR | METHOD DETAIL: FIELD | CONSTR | METHOD
Copyright © 2006-2011 Internet2. All Rights Reserved.