net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class AddDelegationRestrictionToAssertions

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.AddDelegationRestrictionToAssertions

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

public class AddDelegationRestrictionToAssertions
extends AbstractProfileAction

Action which adds a DelegationRestrictionType Condition to each Assertion contained within the outbound Response.

If the inbound assertion token specified in LibertySSOSContext contains an existing DelegationRestrictionType condition, it is cloned, and the current SAML presenter entityID is added as a new Delegate. Otherwise a new instance of DelegationRestrictionType is created and a single new Delegate added.

In both cases the new delegate entityID is obtained from the SAMLPresenterEntityContext located using the corresponding lookup function. The new delegate is augmented with the SAML subject confirmation method obtained from the current LibertySSOSContext.

Event:

EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR

Field Summary

Fields

Modifier and Type	Field and Description
private List<Assertion>	assertions List of assertions to modify.
private Assertion	attestedAssertion The delegated Assertion that was attested.
private String	attestedSubjectConfirmationMethod The subject confirmation method successfully used to confirm the assertion by the presenter.
private org.joda.time.DateTime	delegationInstant The instant of delegation.
private com.google.common.base.Function<ProfileRequestContext,LibertySSOSContext>	libertyContextLookupStrategy Function used to resolve the Liberty context to populate.
private org.slf4j.Logger	log Class logger.
private com.google.common.base.Function<ProfileRequestContext,SAMLPresenterEntityContext>	presenterContextLookupStrategy Strategy used to locate the SAMLPresenterEntityContext.
private String	presenterEntityID The presenting entity which successfully attested the Assertion token.
private com.google.common.base.Function<ProfileRequestContext,Response>	responseLookupStrategy Strategy used to locate the Response to operate on.

Constructor Summary

Constructors

Constructor and Description
AddDelegationRestrictionToAssertions() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
protected void	addDelegationRestriction(ProfileRequestContext profileRequestContext, Conditions conditions) Add a delegation restriction condition to the specified conditions.
protected Delegate	buildDelegate(ProfileRequestContext profileRequestContext) Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.
protected DelegationRestrictionType	buildDelegationRestriction(ProfileRequestContext profileRequestContext) Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
protected DelegationRestrictionType	getDelegationRestrictionCondition(Conditions conditions) Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
void	setLibertyContextLookupStrategy(com.google.common.base.Function<ProfileRequestContext,LibertySSOSContext> strategy) Set the strategy used to locate the LibertySSOSContext to populate.
void	setPresenterLookupStrategy(com.google.common.base.Function<ProfileRequestContext,SAMLPresenterEntityContext> strategy) Set the strategy used to locate the SAMLPresenterEntityContext.
void	setResponseLookupStrategy(com.google.common.base.Function<ProfileRequestContext,Response> strategy) Set the strategy used to locate the Response to operate on.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

responseLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,Response> responseLookupStrategy

Strategy used to locate the Response to operate on.

presenterContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,SAMLPresenterEntityContext> presenterContextLookupStrategy

Strategy used to locate the SAMLPresenterEntityContext.

libertyContextLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,LibertySSOSContext> libertyContextLookupStrategy

Function used to resolve the Liberty context to populate.

assertions

@Nullable
private List<Assertion> assertions

List of assertions to modify.

attestedAssertion

@Nullable
private Assertion attestedAssertion

The delegated Assertion that was attested.

attestedSubjectConfirmationMethod

@Nullable
private String attestedSubjectConfirmationMethod

The subject confirmation method successfully used to confirm the assertion by the presenter.

presenterEntityID

@Nullable
private String presenterEntityID

The presenting entity which successfully attested the Assertion token.

delegationInstant

@Nullable
private org.joda.time.DateTime delegationInstant

The instant of delegation.

Constructor Detail

AddDelegationRestrictionToAssertions

public AddDelegationRestrictionToAssertions()

Constructor.

Method Detail

setLibertyContextLookupStrategy

public void setLibertyContextLookupStrategy(@Nonnull
                                   com.google.common.base.Function<ProfileRequestContext,LibertySSOSContext> strategy)

Set the strategy used to locate the LibertySSOSContext to populate.

Parameters:

strategy - lookup strategy

setResponseLookupStrategy

public void setResponseLookupStrategy(@Nonnull
                             com.google.common.base.Function<ProfileRequestContext,Response> strategy)

Set the strategy used to locate the Response to operate on.

Parameters:

strategy - lookup strategy

setPresenterLookupStrategy

public void setPresenterLookupStrategy(@Nonnull
                              com.google.common.base.Function<ProfileRequestContext,SAMLPresenterEntityContext> strategy)

Set the strategy used to locate the SAMLPresenterEntityContext.

Parameters:

strategy - lookup strategy

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractConditionalProfileAction

doExecute

protected void doExecute(@Nonnull
             ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

addDelegationRestriction

protected void addDelegationRestriction(@Nonnull
                            ProfileRequestContext profileRequestContext,
                            @Nonnull
                            Conditions conditions)

Add a delegation restriction condition to the specified conditions.

Parameters:

profileRequestContext - the current profile request context

conditions - the conditions instance to modify

buildDelegationRestriction

@Nullable
protected DelegationRestrictionType buildDelegationRestriction(@Nonnull
                                                            ProfileRequestContext profileRequestContext)

Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.

Parameters:

profileRequestContext - the current profile request context

Returns:

new DelegationRestrictionType Condition, or null if the condition could not be build

getDelegationRestrictionCondition

@Nullable
protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable
                                                                   Conditions conditions)

Get the DelegationRestrictionType Condition from the supplied Conditions, if present.

Parameters:

conditions - the Assertion Conditions to process

Returns:

the DelegationRestrictionType Condition object, or null if not present

buildDelegate

@Nonnull
protected Delegate buildDelegate(@Nonnull
                             ProfileRequestContext profileRequestContext)

Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.

Parameters:

profileRequestContext - the

Returns:

the new Delegate instance