org.opensaml.saml2.metadata.provider

Class SignatureValidationFilter

java.lang.Object

org.opensaml.saml2.metadata.provider.SignatureValidationFilter

All Implemented Interfaces:

MetadataFilter

public class SignatureValidationFilter
extends Object
implements MetadataFilter

A metadata filter that validates XML signatures.

Constructor Summary

Constructors

Constructor and Description
SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine) Constructor.
SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator) Constructor.

Method Summary

Modifier and Type	Method and Description
protected org.opensaml.xml.security.CriteriaSet	buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Build the criteria set which will be used as input to the configured trust engine.
void	doFilter(org.opensaml.xml.XMLObject metadata) Filters the given metadata, perhaps to remove elements that are not wanted.
org.opensaml.xml.security.CriteriaSet	getDefaultCriteria() Get the set of default criteria used as input to the trust engine.
boolean	getRequireSignature() Gets whether incoming metadata's root element is required to be signed.
protected String	getRoleIDToken(String entityID, RoleDescriptor role) Get a string token for logging/debugging purposes that contains role information and containing entityID.
org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature>	getSignaturePrevalidator() Get the validator used to perform pre-validation on Signature tokens.
org.opensaml.xml.signature.SignatureTrustEngine	getSignatureTrustEngine() Gets the trust engine used to validate signatures on incoming metadata.
protected void	performPreValidation(org.opensaml.xml.signature.Signature signature, String metadataEntryName) Perform pre-validation on the Signature token.
protected void	processEntityDescriptor(EntityDescriptor entityDescriptor) Process the signatures on the specified EntityDescriptor and any signed children.
protected void	processEntityGroup(EntitiesDescriptor entitiesDescriptor) Process the signatures on the specified EntitiesDescriptor and any signed children.
void	setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria) Set the set of default criteria used as input to the trust engine.
void	setRequireSignature(boolean require) Sets whether incoming metadata's root element is required to be signed.
protected void	verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) Evaluate the signature on the signed metadata instance.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SignatureValidationFilter

public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine)

Constructor.

Parameters:

engine - the trust engine used to validate signatures on incoming metadata.

SignatureValidationFilter

public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine,
                                 org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator)

Constructor.

Parameters:

engine - the trust engine used to validate signatures on incoming metadata.

signatureValidator - optional pre-validator used to validate Signature elements prior to the actual cryptographic validation operation

Method Detail

getSignatureTrustEngine

public org.opensaml.xml.signature.SignatureTrustEngine getSignatureTrustEngine()

Gets the trust engine used to validate signatures on incoming metadata.

Returns:

trust engine used to validate signatures on incoming metadata

getSignaturePrevalidator

public org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> getSignaturePrevalidator()

Get the validator used to perform pre-validation on Signature tokens.

Returns:

the configured Signature validator, or null

getRequireSignature

public boolean getRequireSignature()

Gets whether incoming metadata's root element is required to be signed.

Returns:

whether incoming metadata is required to be signed

setRequireSignature

public void setRequireSignature(boolean require)

Sets whether incoming metadata's root element is required to be signed.

Parameters:

require - whether incoming metadata is required to be signed

getDefaultCriteria

public org.opensaml.xml.security.CriteriaSet getDefaultCriteria()

Get the set of default criteria used as input to the trust engine.

Returns:

the criteria set

setDefaultCriteria

public void setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria)

Set the set of default criteria used as input to the trust engine.

Parameters:

newCriteria - the new criteria set to use

doFilter

public void doFilter(org.opensaml.xml.XMLObject metadata)
              throws FilterException

Filters the given metadata, perhaps to remove elements that are not wanted.

Specified by:

doFilter in interface MetadataFilter

Parameters:

metadata - the metadata to be filtered.

Throws:

FilterException - thrown if an error occurs during the filtering process

processEntityDescriptor

protected void processEntityDescriptor(EntityDescriptor entityDescriptor)
                                throws FilterException

Process the signatures on the specified EntityDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entity descriptor.

Parameters:

entityDescriptor - the EntityDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified

processEntityGroup

protected void processEntityGroup(EntitiesDescriptor entitiesDescriptor)
                           throws FilterException

Process the signatures on the specified EntitiesDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entities descriptor group.

Parameters:

entitiesDescriptor - the EntitiesDescriptor to be processed

Throws:

FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified

verifySignature

protected void verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata,
                               String metadataEntryName,
                               boolean isEntityGroup)
                        throws FilterException

Evaluate the signature on the signed metadata instance.

Parameters:

signedMetadata - the metadata object whose signature is to be verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine

Throws:

FilterException - thrown if the metadata entry's signature can not be established as trusted, or if an error occurs during the signature verification process

performPreValidation

protected void performPreValidation(org.opensaml.xml.signature.Signature signature,
                                    String metadataEntryName)
                             throws FilterException

Perform pre-validation on the Signature token.

Parameters:

signature - the signature to evaluate

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

Throws:

FilterException - thrown if the signature element fails pre-validation

buildCriteriaSet

protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata,
                                                                 String metadataEntryName,
                                                                 boolean isEntityGroup)

Build the criteria set which will be used as input to the configured trust engine.

Parameters:

signedMetadata - the metadata element whose signature is being verified

metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).

isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)

Returns:

the newly constructed criteria set

getRoleIDToken

protected String getRoleIDToken(String entityID,
                                RoleDescriptor role)

Get a string token for logging/debugging purposes that contains role information and containing entityID.

Parameters:

entityID - the containing entityID

role - the role descriptor

Returns:

the constructed role ID token.