org.opensaml.saml.common.binding.security.impl

Class BaseSAMLSimpleSignatureSecurityHandler

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.messaging.handler.AbstractMessageHandler

org.opensaml.saml.common.binding.security.impl.BaseSAMLSimpleSignatureSecurityHandler

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, MessageHandler

Direct Known Subclasses:

SAML2HTTPPostSimpleSignSecurityHandler, SAML2HTTPRedirectDeflateSignatureSecurityHandler

public abstract class BaseSAMLSimpleSignatureSecurityHandler
extends AbstractMessageHandler

Base class for security-oriented message handlers which verify simple "blob" signatures computed over some components of a request.

Field Summary

Fields

Modifier and Type	Field and Description
private javax.servlet.http.HttpServletRequest	httpServletRequest The HttpServletRequest being processed.
private org.slf4j.Logger	log Logger.
private SAMLPeerEntityContext	peerContext The context representing the SAML peer entity.
private SAMLProtocolContext	samlProtocolContext The SAML protocol context in operation.
private SignatureTrustEngine	trustEngine Signature trust engine used to validate raw signatures.

Constructor Summary

Constructors

Constructor and Description
BaseSAMLSimpleSignatureSecurityHandler()

Method Summary

Modifier and Type	Method and Description
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet	buildCriteriaSet(java.lang.String entityID, MessageContext messageContext) Build a criteria set suitable for input to the trust engine.
protected java.lang.String	deriveSignerEntityID(MessageContext messageContext) Derive the signer's entity ID from the message context.
private void	doEvaluate(byte[] signature, byte[] signedContent, java.lang.String algorithmURI, MessageContext messageContext) Evaluate the simple signature based on information in the request and/or message context.
protected void	doInitialize()
protected void	doInvoke(MessageContext messageContext) Performs the handler logic.
protected boolean	doPreInvoke(MessageContext messageContext) Called prior to execution, handlers may override this method to perform pre-processing for a request.
javax.servlet.http.HttpServletRequest	getHttpServletRequest() Get the HTTP servlet request being processed.
protected java.util.List<Credential>	getRequestCredentials(MessageContext messageContext) Extract any candidate validation credentials from the request and/or message context.
protected byte[]	getSignature() Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
protected java.lang.String	getSignatureAlgorithm() Extract the signature algorithm URI value from the request.
protected abstract byte[]	getSignedContent() Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).
protected SignatureTrustEngine	getTrustEngine() Gets the engine used to validate the signature.
protected abstract boolean	ruleHandles(MessageContext messageContext) Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.
void	setHttpServletRequest(javax.servlet.http.HttpServletRequest request) Set the HTTP servlet request being processed.
protected boolean	validateSignature(byte[] signature, byte[] signedContent, java.lang.String algorithmURI, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet, java.util.List<Credential> candidateCredentials) Validate the simple signature.

Methods inherited from class org.opensaml.messaging.handler.AbstractMessageHandler

doPostInvoke, doPostInvoke, getLogPrefix, invoke

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Logger.

httpServletRequest

@NonnullAfterInit
private javax.servlet.http.HttpServletRequest httpServletRequest

The HttpServletRequest being processed.

peerContext

@Nullable
private SAMLPeerEntityContext peerContext

The context representing the SAML peer entity.

samlProtocolContext

@Nullable
private SAMLProtocolContext samlProtocolContext

The SAML protocol context in operation.

trustEngine

@Nullable
private SignatureTrustEngine trustEngine

Signature trust engine used to validate raw signatures.

Constructor Detail

BaseSAMLSimpleSignatureSecurityHandler

public BaseSAMLSimpleSignatureSecurityHandler()

Method Detail

getTrustEngine

@Nullable
protected SignatureTrustEngine getTrustEngine()

Gets the engine used to validate the signature.

Returns:

engine engine used to validate the signature

getHttpServletRequest

@NonnullAfterInit
public javax.servlet.http.HttpServletRequest getHttpServletRequest()

Get the HTTP servlet request being processed.

Returns:

Returns the request.

setHttpServletRequest

public void setHttpServletRequest(@Nonnull
                                  javax.servlet.http.HttpServletRequest request)

Set the HTTP servlet request being processed.

Parameters:

request - The to set.

doInitialize

protected void doInitialize()
                     throws net.shibboleth.utilities.java.support.component.ComponentInitializationException

Overrides:

doInitialize in class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException

doPreInvoke

protected boolean doPreInvoke(@Nonnull
                              MessageContext messageContext)
                       throws MessageHandlerException

Called prior to execution, handlers may override this method to perform pre-processing for a request.

If false is returned, execution will not proceed.

If returning successfully, the last step should be to return the result of the superclass version of this method.

Overrides:

doPreInvoke in class AbstractMessageHandler

Parameters:

messageContext - the message context on which to invoke the handler

Returns:

true iff execution should proceed

Throws:

MessageHandlerException - if there is a problem executing the handler pre-routine

doInvoke

protected void doInvoke(@Nonnull
                        MessageContext messageContext)
                 throws MessageHandlerException

Performs the handler logic.

Specified by:

doInvoke in class AbstractMessageHandler

Parameters:

messageContext - the message context on which to invoke the handler

Throws:

MessageHandlerException - if there is an error invoking the handler on the message context

doEvaluate

private void doEvaluate(@Nonnull @NotEmpty
                        byte[] signature,
                        @Nonnull @NotEmpty
                        byte[] signedContent,
                        @Nonnull @NotEmpty
                        java.lang.String algorithmURI,
                        @Nonnull
                        MessageContext messageContext)
                 throws MessageHandlerException

Evaluate the simple signature based on information in the request and/or message context.

Parameters:

signature - the signature value

signedContent - the content that was signed

algorithmURI - the signature algorithm URI which was used to sign the content

messageContext - the SAML message context being processed

Throws:

MessageHandlerException - thrown if there are errors during the signature validation process

validateSignature

protected boolean validateSignature(@Nonnull @NotEmpty
                                    byte[] signature,
                                    @Nonnull @NotEmpty
                                    byte[] signedContent,
                                    @Nonnull @NotEmpty
                                    java.lang.String algorithmURI,
                                    @Nonnull
                                    net.shibboleth.utilities.java.support.resolver.CriteriaSet criteriaSet,
                                    @Nonnull @NonnullElements
                                    java.util.List<Credential> candidateCredentials)
                             throws MessageHandlerException

Validate the simple signature.

Parameters:

signature - the signature value

signedContent - the content that was signed

algorithmURI - the signature algorithm URI which was used to sign the content

criteriaSet - criteria used to describe and/or resolve the information which serves as the basis for trust evaluation

candidateCredentials - the request-derived candidate credential(s) containing the validation key for the signature (optional)

Returns:

true if signature can be verified successfully, false otherwise

Throws:

MessageHandlerException - thrown if there are errors during the signature validation process

getRequestCredentials

@Nonnull
 @NonnullElements
protected java.util.List<Credential> getRequestCredentials(@Nonnull
                                                                                      MessageContext messageContext)
                                                                               throws MessageHandlerException

Extract any candidate validation credentials from the request and/or message context. Some bindings allow validataion keys for the simple signature to be supplied, and others do not.

Parameters:

messageContext - the SAML message context being processed

Returns:

a list of candidate validation credentials in the request, or null if none were present

Throws:

MessageHandlerException - thrown if there is an error during request processing

getSignature

@Nullable
protected byte[] getSignature()
                                 throws MessageHandlerException

Extract the signature value from the request, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential). Defaults to the Base64-decoded value of the HTTP request parameter named Signature.

Returns:

the signature value

Throws:

MessageHandlerException - thrown if there is an error during request processing

getSignatureAlgorithm

@Nullable
protected java.lang.String getSignatureAlgorithm()
                                                    throws MessageHandlerException

Extract the signature algorithm URI value from the request. Defaults to the HTTP request parameter named SigAlg.

Returns:

the signature algorithm URI value

Throws:

MessageHandlerException - thrown if there is an error during request processing

deriveSignerEntityID

@Nullable
protected java.lang.String deriveSignerEntityID(@Nonnull
                                                          MessageContext messageContext)
                                                   throws MessageHandlerException

Derive the signer's entity ID from the message context. This is implementation-specific and there is no default. This is primarily an extension point for subclasses.

Parameters:

messageContext - the SAML message context being processed

Returns:

the signer's derived entity ID

Throws:

MessageHandlerException - thrown if there is an error during request processing

buildCriteriaSet

@Nonnull
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet(@Nullable
                                                                                               java.lang.String entityID,
                                                                                               @Nonnull
                                                                                               MessageContext messageContext)
                                                                                        throws MessageHandlerException

Build a criteria set suitable for input to the trust engine.

Parameters:

entityID - the candidate issuer entity ID which is being evaluated

messageContext - the message context which is being evaluated

Returns:

a newly constructly set of criteria suitable for the configured trust engine

Throws:

MessageHandlerException - thrown if criteria set can not be constructed

getSignedContent

@Nullable
protected abstract byte[] getSignedContent()
                                              throws MessageHandlerException

Get the content over which to validate the signature, in the form suitable for input into SignatureTrustEngine.validate(byte[], byte[], String, CriteriaSet, Credential).

Returns:

the signed content extracted from the request, in the format suitable for input to the trust engine.

Throws:

MessageHandlerException - thrown if there is an error during request processing

ruleHandles

protected abstract boolean ruleHandles(@Nonnull
                                       MessageContext messageContext)
                                throws MessageHandlerException

Determine whether the rule should handle the request, based on the unwrapped HTTP servlet request and/or message context.

Parameters:

messageContext - the SAML message context being processed

Returns:

true if the rule should attempt to process the request, otherwise false

Throws:

MessageHandlerException - thrown if there is an error during request processing