net.shibboleth.idp.saml.nameid.impl

Class ComputedPersistentIdGenerationStrategy

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.idp.saml.nameid.impl.ComputedPersistentIdGenerationStrategy

All Implemented Interfaces:

PersistentIdGenerationStrategy, Component, DestructableComponent, InitializableComponent

public class ComputedPersistentIdGenerationStrategy
extends AbstractInitializableComponent
implements PersistentIdGenerationStrategy

The basis of a PersistentIdGenerationStrategy that generates a unique ID by computing the hash of a given attribute value, the entity ID of the inbound message issuer, and a provided salt.

The original implementation and values in common use relied on base64 encoding of the result, but due to discovery of the lack of appropriate case handling of identifiers by applications, the ability to use base32 has been added to eliminate the possibility of case conflicts.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	ComputedPersistentIdGenerationStrategy.Encoding Post-digest encoding types.

Field Summary

Fields

Modifier and Type	Field and Description
private String	algorithm JCE digest algorithm name to use.
private ComputedPersistentIdGenerationStrategy.Encoding	encoding The encoding to apply to the digest.
private Map<String,Map<String,String>>	exceptionMap Override map to block or re-issue identifiers.
private org.slf4j.Logger	log Class logger.
private byte[]	salt Salt used when computing the ID.
static String	WILDCARD_OVERRIDE An override trigger to apply to all relying parties.

Constructor Summary

Constructors

Constructor and Description
ComputedPersistentIdGenerationStrategy() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doInitialize()
String	generate(String assertingPartyId, String relyingPartyId, String principalName, String sourceId) Get a Persistent ID that corresponds to the inputs.
String	getAlgorithm() Get the JCE algorithm name of the digest algorithm to use (default is SHA).
private byte[]	getEffectiveSalt(String principalName, String relyingPartyId) Get the effective salt to apply for a particular principal/RP pair, or null to refuse to generate one.
ComputedPersistentIdGenerationStrategy.Encoding	getEncoding() Get the post-digest encoding to use.
byte[]	getSalt() Get the salt used when computing the ID.
void	setAlgorithm(String alg) Set the JCE algorithm name of the digest algorithm to use (default is SHA).
void	setEncodedSalt(String newValue) Set the base64-encoded salt used when computing the ID.
void	setEncoding(ComputedPersistentIdGenerationStrategy.Encoding enc) Set the post-digest encoding to use.
void	setExceptionMap(Map<String,Map<String,String>> map) Install map of exceptions that override standard generation.
void	setSalt(byte[] newValue) Set the salt used when computing the ID.

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

WILDCARD_OVERRIDE

@Nonnull
@NotEmpty
public static final String WILDCARD_OVERRIDE

An override trigger to apply to all relying parties.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

salt

@NonnullAfterInit
private byte[] salt

Salt used when computing the ID.

algorithm

@Nonnull
@NotEmpty
private String algorithm

JCE digest algorithm name to use.

encoding

@Nonnull
private ComputedPersistentIdGenerationStrategy.Encoding encoding

The encoding to apply to the digest.

exceptionMap

@Nonnull
private Map<String,Map<String,String>> exceptionMap

Override map to block or re-issue identifiers.

Constructor Detail

ComputedPersistentIdGenerationStrategy

public ComputedPersistentIdGenerationStrategy()

Constructor.

Method Detail

getSalt

@NonnullAfterInit
public byte[] getSalt()

Get the salt used when computing the ID.

Returns:

salt used when computing the ID

setSalt

public void setSalt(@Nullable
           byte[] newValue)

Set the salt used when computing the ID.

An empty/null input is ignored.

Parameters:

newValue - used when computing the ID

setEncodedSalt

public void setEncodedSalt(@Nullable
                  String newValue)

Set the base64-encoded salt used when computing the ID.

An empty/null input is ignored.

Parameters:

newValue - used when computing the ID

Since:

3.3.0

getAlgorithm

@Nonnull
@NotEmpty
public String getAlgorithm()

Get the JCE algorithm name of the digest algorithm to use (default is SHA).

Returns:

JCE message digest algorithm

Since:

3.4.0

setAlgorithm

public void setAlgorithm(@Nonnull@NotEmpty
                String alg)

Set the JCE algorithm name of the digest algorithm to use (default is SHA).

Parameters:

alg - JCE message digest algorithm

getEncoding

@Nonnull
public ComputedPersistentIdGenerationStrategy.Encoding getEncoding()

Get the post-digest encoding to use.

Returns:

encoding

Since:

3.4.0

setEncoding

public void setEncoding(@Nonnull
               ComputedPersistentIdGenerationStrategy.Encoding enc)

Set the post-digest encoding to use.

Parameters:

enc - encoding

setExceptionMap

public void setExceptionMap(@Nullable@NotEmpty
                   Map<String,Map<String,String>> map)

Install map of exceptions that override standard generation.

The map is keyed by principal name (or '*' for all), and the values are a map of relying party to salt overrides. A relying party of '*' applies to all parties. A null mapped value implies that no value should be generated, while a string value is fed into the computation in place of the default salt. Specific rules trump wildcarded rules.

Parameters:

map - exceptions to apply

doInitialize

protected void doInitialize()
                     throws ComponentInitializationException

Overrides:

doInitialize in class AbstractInitializableComponent

Throws:

ComponentInitializationException

generate

@Nonnull
@NotEmpty
public String generate(@Nonnull@NotEmpty
                               String assertingPartyId,
                               @Nonnull@NotEmpty
                               String relyingPartyId,
                               @Nonnull@NotEmpty
                               String principalName,
                               @Nonnull@NotEmpty
                               String sourceId)
                throws SAMLException

Get a Persistent ID that corresponds to the inputs.

This may be generated directly from the inputs or retrieved from some other source.

Specified by:

generate in interface PersistentIdGenerationStrategy

Parameters:

assertingPartyId - the asserting party providing the identifier

relyingPartyId - the relying party for whom we're obtaining the identifier

principalName - name of the subject

sourceId - an underlying identifier for the subject

Returns:

the identifier

Throws:

SAMLException - if an error occurs generating the identifier

getEffectiveSalt

@Nullable
private byte[] getEffectiveSalt(@Nonnull@NotEmpty
                               String principalName,
                               @Nonnull@NotEmpty
                               String relyingPartyId)

Get the effective salt to apply for a particular principal/RP pair, or null to refuse to generate one.

Parameters:

principalName - name of subject

relyingPartyId - name of relying party scope

Returns:

salt to use