org.opensaml.common.binding.security

Class BaseSAMLSimpleSignatureSecurityPolicyRule

java.lang.Object

org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule

All Implemented Interfaces:

org.opensaml.ws.security.SecurityPolicyRule

Direct Known Subclasses:

SAML2HTTPPostSimpleSignRule, SAML2HTTPRedirectDeflateSignatureRule

public abstract class BaseSAMLSimpleSignatureSecurityPolicyRule
extends Object
implements org.opensaml.ws.security.SecurityPolicyRule

Base class for security rules which verify simple "blob" signatures computed over some components of a request.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	BaseSAMLSimpleSignatureSecurityPolicyRule(org.opensaml.xml.signature.SignatureTrustEngine engine) Constructor.

Method Summary

Modifier and Type	Method and Description
protected org.opensaml.xml.security.CriteriaSet	buildCriteriaSet(String entityID, SAMLMessageContext samlContext) Build a criteria set suitable for input to the trust engine.
protected String	deriveSignerEntityID(SAMLMessageContext samlContext) Derive the signer's entity ID from the message context.
void	evaluate(org.opensaml.ws.message.MessageContext messageContext)
protected List<org.opensaml.xml.security.credential.Credential>	getRequestCredentials(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlContext) Extract any candidate validation credentials from the request and/or message context.
protected byte[]	getSignature(javax.servlet.http.HttpServletRequest request) Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
protected String	getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request) Extract the signature algorithm URI value from the request.
protected abstract byte[]	getSignedContent(javax.servlet.http.HttpServletRequest request) Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
protected org.opensaml.xml.signature.SignatureTrustEngine	getTrustEngine() Gets the engine used to validate the signature.
protected abstract boolean	ruleHandles(javax.servlet.http.HttpServletRequest request, SAMLMessageContext samlMsgCtx) Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
protected boolean	validateSignature(byte[] signature, byte[] signedContent, String algorithmURI, org.opensaml.xml.security.CriteriaSet criteriaSet, List<org.opensaml.xml.security.credential.Credential> candidateCredentials) Validate the simple signature.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

BaseSAMLSimpleSignatureSecurityPolicyRule

protected BaseSAMLSimpleSignatureSecurityPolicyRule(org.opensaml.xml.signature.SignatureTrustEngine engine)

Constructor.

Parameters:

engine - the signature trust engine to use for signature validataion

Method Detail

evaluate

public void evaluate(org.opensaml.ws.message.MessageContext messageContext)
              throws org.opensaml.ws.security.SecurityPolicyException

Specified by:

evaluate in interface org.opensaml.ws.security.SecurityPolicyRule

Throws:

org.opensaml.ws.security.SecurityPolicyException

validateSignature

protected boolean validateSignature(byte[] signature,
                                    byte[] signedContent,
                                    String algorithmURI,
                                    org.opensaml.xml.security.CriteriaSet criteriaSet,
                                    List<org.opensaml.xml.security.credential.Credential> candidateCredentials)
                             throws org.opensaml.ws.security.SecurityPolicyException

Validate the simple signature.

Parameters:

signature - the signature value

signedContent - the content that was signed

algorithmURI - the signature algorithm URI which was used to sign the content

criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)

Returns:

true if signature can be verified successfully, false otherwise

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there are errors during the signature validation process

getRequestCredentials

protected List<org.opensaml.xml.security.credential.Credential> getRequestCredentials(javax.servlet.http.HttpServletRequest request,
                                                                                      SAMLMessageContext samlContext)
                                                                               throws org.opensaml.ws.security.SecurityPolicyException

Extract any candidate validation credentials from the request and/or message context. Some bindings allow validataion keys for the simple signature to be supplied, and others do not.

Parameters:

request - the HTTP servlet request being processed

samlContext - the SAML message context being processed

Returns:

a list of candidate validation credentials in the request, or null if none were present

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

getTrustEngine

protected org.opensaml.xml.signature.SignatureTrustEngine getTrustEngine()

Gets the engine used to validate the signature.

Returns:

engine engine used to validate the signature

getSignature

protected byte[] getSignature(javax.servlet.http.HttpServletRequest request)
                       throws org.opensaml.ws.security.SecurityPolicyException

Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.

Parameters:

request - the HTTP servlet request

Returns:

the signature value

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

getSignatureAlgorithm

protected String getSignatureAlgorithm(javax.servlet.http.HttpServletRequest request)
                                throws org.opensaml.ws.security.SecurityPolicyException

Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.

Parameters:

request - the HTTP servlet request

Returns:

the signature algorithm URI value

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

deriveSignerEntityID

protected String deriveSignerEntityID(SAMLMessageContext samlContext)
                               throws org.opensaml.ws.security.SecurityPolicyException

Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.

Parameters:

samlContext - the SAML message context being processed

Returns:

the signer's derived entity ID

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

buildCriteriaSet

protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(String entityID,
                                                                 SAMLMessageContext samlContext)
                                                          throws org.opensaml.ws.security.SecurityPolicyException

Build a criteria set suitable for input to the trust engine.

Parameters:

entityID - the candidate issuer entity ID which is being evaluated

samlContext - the message context which is being evaluated

Returns:

a newly constructly set of criteria suitable for the configured trust engine

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if criteria set can not be constructed

getSignedContent

protected abstract byte[] getSignedContent(javax.servlet.http.HttpServletRequest request)
                                    throws org.opensaml.ws.security.SecurityPolicyException

Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).

Parameters:

request - the HTTP servlet request being processed

Returns:

the signed content extracted from the request, in the format suitable for input to the trust engine.

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing

ruleHandles

protected abstract boolean ruleHandles(javax.servlet.http.HttpServletRequest request,
                                       SAMLMessageContext samlMsgCtx)
                                throws org.opensaml.ws.security.SecurityPolicyException

Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.

Parameters:

request - the HTTP servlet request being processed

samlMsgCtx - the SAML message context being processed

Returns:

true if the rule should attempt to process the request, otherwise false

Throws:

org.opensaml.ws.security.SecurityPolicyException - thrown if there is an error during request processing