net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class AddDelegationPolicyToAssertion

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.AddDelegationPolicyToAssertion

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

@Prototype
public class AddDelegationPolicyToAssertion
extends AbstractProfileAction

Action which adds a DelegationPolicy element to the Advice of an Assertion.

The assertion to modify is determined by the strategy set by setAssertionLookupStrategy(Function).

The maximum chain delegation length value for the added policy element is as follows:

1. If an inbound assertion token is present as determined by the strategy set by setAssertionTokenStrategy(Function), the value is obtained from the policy contained within the first DelegationPolicy element of that assertion's Advice element.
2. Otherwise the request is assumed to be the initial SSO request, so the value is determined by the requesting SP's profile configuration value BrowserSSOProfileConfiguration.getMaximumTokenDelegationChainLength().
3. If neither of these approaches produces a value, a default value is used DEFAULT_POLICY_MAX_CHAIN_LENGTH

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AddDelegationPolicyToAssertion.AssertionStrategy Default strategy for obtaining assertion to modify.

Field Summary

Fields

Modifier and Type	Field and Description
private Assertion	assertion The assertion to modify.
private com.google.common.base.Function<ProfileRequestContext,Assertion>	assertionLookupStrategy Strategy used to locate the Assertion to operate on.
private com.google.common.base.Function<ProfileRequestContext,Assertion>	assertionTokenStrategy Function used to resolve the inbound assertion token to process.
private Assertion	attestedAssertion The inbound delegated Assertion that was attested.
static Long	DEFAULT_POLICY_MAX_CHAIN_LENGTH Default policy max chain length, when can't otherwise be derived.
private org.slf4j.Logger	log Logger.
private Long	maxChainLength The max token delegation chain length value to add.
private com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext>	relyingPartyContextLookupStrategy Strategy used to lookup the RelyingPartyContext.

Constructor Summary

Constructors

Constructor and Description
AddDelegationPolicyToAssertion() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
protected Long	resolveMaxChainLength(ProfileRequestContext profileRequestContext) Resolve the max token delegation chain length value to add to the assertion.
void	setAssertionLookupStrategy(com.google.common.base.Function<ProfileRequestContext,Assertion> strategy) Set the strategy used to locate the Assertion to operate on.
void	setAssertionTokenStrategy(com.google.common.base.Function<ProfileRequestContext,Assertion> strategy) Set the strategy used to locate the inbound assertion token to process.
void	setRelyingPartyContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> strategy) Set the strategy used to locate the current RelyingPartyContext.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

DEFAULT_POLICY_MAX_CHAIN_LENGTH

public static final Long DEFAULT_POLICY_MAX_CHAIN_LENGTH

Default policy max chain length, when can't otherwise be derived.

log

private org.slf4j.Logger log

Logger.

assertionLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,Assertion> assertionLookupStrategy

Strategy used to locate the Assertion to operate on.

assertionTokenStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,Assertion> assertionTokenStrategy

Function used to resolve the inbound assertion token to process.

relyingPartyContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy

Strategy used to lookup the RelyingPartyContext.

assertion

@Nullable
private Assertion assertion

The assertion to modify.

attestedAssertion

@Nullable
private Assertion attestedAssertion

The inbound delegated Assertion that was attested.

maxChainLength

@Nullable
private Long maxChainLength

The max token delegation chain length value to add.

Constructor Detail

AddDelegationPolicyToAssertion

public AddDelegationPolicyToAssertion()

Constructor.

Method Detail

setAssertionTokenStrategy

public void setAssertionTokenStrategy(@Nonnull
                             com.google.common.base.Function<ProfileRequestContext,Assertion> strategy)

Set the strategy used to locate the inbound assertion token to process.

Parameters:

strategy - lookup strategy

setRelyingPartyContextLookupStrategy

public void setRelyingPartyContextLookupStrategy(@Nonnull
                                        com.google.common.base.Function<ProfileRequestContext,RelyingPartyContext> strategy)

Set the strategy used to locate the current RelyingPartyContext.

Parameters:

strategy - strategy used to locate the current RelyingPartyContext

setAssertionLookupStrategy

public void setAssertionLookupStrategy(@Nonnull
                              com.google.common.base.Function<ProfileRequestContext,Assertion> strategy)

Set the strategy used to locate the Assertion to operate on.

Parameters:

strategy - strategy used to locate the Assertion to operate on

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractConditionalProfileAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

resolveMaxChainLength

@Nonnull
protected Long resolveMaxChainLength(@Nonnull
                                 ProfileRequestContext profileRequestContext)

Resolve the max token delegation chain length value to add to the assertion.

Parameters:

profileRequestContext - the current profile request context

Returns:

the max chain length value