org.opensaml.saml.metadata.resolver.impl

Class HTTPMetadataResolver

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver

org.opensaml.saml.metadata.resolver.impl.HTTPMetadataResolver

All Implemented Interfaces:

java.lang.Iterable<EntityDescriptor>, net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.IdentifiableComponent, net.shibboleth.utilities.java.support.component.IdentifiedComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, net.shibboleth.utilities.java.support.resolver.Resolver<EntityDescriptor,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, IterableMetadataSource, BatchMetadataResolver, MetadataResolver, RefreshableMetadataResolver

Direct Known Subclasses:

FileBackedHTTPMetadataResolver

public class HTTPMetadataResolver
extends AbstractReloadingMetadataResolver

A metadata provider that pulls metadata using an HTTP GET. Metadata is cached until one of these criteria is met:

• The smallest cacheDuration within the metadata is exceeded
• The earliest validUntil time within the metadata is exceeded
• The maximum cache duration is exceeded

Metadata is filtered prior to determining the cache expiration data. This allows a filter to remove XMLObjects that may effect the cache duration but for which the user of this provider does not care about. It is the responsibility of the caller to re-initialize, via AbstractInitializableComponent.initialize(), if any properties of this provider are changed.

Nested Class Summary

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

AbstractBatchMetadataResolver.BatchEntityBackingStore

Nested classes/interfaces inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

AbstractMetadataResolver.EntityBackingStore

Field Summary

Fields

Modifier and Type	Field and Description
private java.lang.String	cachedMetadataETag The ETag provided when the currently cached metadata was fetched.
private java.lang.String	cachedMetadataLastModified The Last-Modified information provided when the currently cached metadata was fetched.
private org.apache.http.impl.client.BasicCredentialsProvider	credentialsProvider HttpClient credentials provider.
private org.apache.http.client.HttpClient	httpClient HTTP Client used to pull the metadata.
private org.slf4j.Logger	log Class logger.
private java.net.URI	metadataURI URL to the Metadata.
private TrustEngine<? super X509Credential>	tlsTrustEngine Optional trust engine used in evaluating server TLS credentials.

Constructor Summary

Constructors

Constructor and Description
HTTPMetadataResolver(org.apache.http.client.HttpClient client, java.lang.String metadataURL) Constructor.
HTTPMetadataResolver(java.util.Timer backgroundTaskTimer, org.apache.http.client.HttpClient client, java.lang.String metadataURL) Constructor.

Method Summary

Modifier and Type	Method and Description
protected org.apache.http.client.protocol.HttpClientContext	buildHttpClientContext() Build the HttpClientContext instance which will be used to invoke the HttpClient request.
protected org.apache.http.client.methods.HttpGet	buildHttpGet() Builds the HttpGet instance used to fetch the metadata.
protected void	checkTLSCredentialTrusted(org.apache.http.client.protocol.HttpClientContext context) Check that trust engine evaluation of the server TLS credential was actually performed.
protected void	doDestroy()
protected byte[]	fetchMetadata() Gets the metadata document from the remote server.
protected byte[]	getMetadataBytesFromResponse(org.apache.http.HttpResponse response) Extracts the raw metadata bytes from the response taking in to account possible deflate and GZip compression.
protected java.lang.String	getMetadataIdentifier() Gets an identifier which may be used to distinguish this metadata in logging statements.
java.lang.String	getMetadataURI() Gets the URL to fetch the metadata.
protected void	processConditionalRetrievalHeaders(org.apache.http.HttpResponse response) Records the ETag and Last-Modified headers, from the response, if they are present.
void	setBasicCredentials(org.apache.http.auth.UsernamePasswordCredentials credentials) Sets the username and password used to access the metadata URL.
void	setBasicCredentialsWithScope(org.apache.http.auth.UsernamePasswordCredentials credentials, org.apache.http.auth.AuthScope scope) Sets the username and password used to access the metadata URL.
void	setTLSTrustEngine(TrustEngine<? super X509Credential> engine) Sets the optional trust engine used in evaluating server TLS credentials.

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver

computeNextRefreshDelay, getExpirationTime, getLastRefresh, getLastUpdate, getMaxRefreshDelay, getMinRefreshDelay, getNextRefresh, getRefreshDelayFactor, initMetadataResolver, inputstreamToByteArray, postProcessMetadata, processCachedMetadata, processNewMetadata, processNonExpiredMetadata, processPreExpiredMetadata, refresh, setCacheSourceMetadata, setMaxRefreshDelay, setMinRefreshDelay, setRefreshDelayFactor, unmarshallMetadata

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractBatchMetadataResolver

createNewBackingStore, getBackingStore, getCachedFilteredMetadata, getCachedOriginalMetadata, isCacheSourceMetadata, iterator, preProcessNewMetadata, resolve

Methods inherited from class org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver

doInitialize, filterMetadata, getMetadataFilter, getParserPool, getUnmarshallerFactory, indexEntityDescriptor, isFailFastInitialization, isRequireValidMetadata, isValid, lookupEntityID, lookupIndexedEntityID, preProcessEntitiesDescriptor, preProcessEntityDescriptor, releaseMetadataDOM, removeByEntityID, resolveSingle, setBackingStore, setFailFastInitialization, setMetadataFilter, setParserPool, setRequireValidMetadata, unmarshallMetadata

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.opensaml.saml.metadata.resolver.MetadataResolver

getMetadataFilter, isRequireValidMetadata, setMetadataFilter, setRequireValidMetadata

Methods inherited from interface net.shibboleth.utilities.java.support.resolver.Resolver

resolve, resolveSingle

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Methods inherited from interface java.lang.Iterable

forEach, spliterator

Field Detail

log

private final org.slf4j.Logger log

Class logger.

httpClient

private org.apache.http.client.HttpClient httpClient

HTTP Client used to pull the metadata.

metadataURI

private java.net.URI metadataURI

URL to the Metadata.

cachedMetadataETag

private java.lang.String cachedMetadataETag

The ETag provided when the currently cached metadata was fetched.

cachedMetadataLastModified

private java.lang.String cachedMetadataLastModified

The Last-Modified information provided when the currently cached metadata was fetched.

credentialsProvider

private org.apache.http.impl.client.BasicCredentialsProvider credentialsProvider

HttpClient credentials provider.

tlsTrustEngine

private TrustEngine<? super X509Credential> tlsTrustEngine

Optional trust engine used in evaluating server TLS credentials.

Constructor Detail

HTTPMetadataResolver

public HTTPMetadataResolver(org.apache.http.client.HttpClient client,
                            java.lang.String metadataURL)
                     throws net.shibboleth.utilities.java.support.resolver.ResolverException

Constructor.

Parameters:

client - HTTP client used to pull in remote metadata

metadataURL - URL to the remove remote metadata

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the HTTP client is null or the metadata URL provided is invalid

HTTPMetadataResolver

public HTTPMetadataResolver(java.util.Timer backgroundTaskTimer,
                            org.apache.http.client.HttpClient client,
                            java.lang.String metadataURL)
                     throws net.shibboleth.utilities.java.support.resolver.ResolverException

Constructor.

Parameters:

backgroundTaskTimer - timer used to schedule background metadata refresh tasks

client - HTTP client used to pull in remote metadata

metadataURL - URL to the remove remote metadata

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if the HTTP client is null or the metadata URL provided is invalid

Method Detail

getMetadataURI

public java.lang.String getMetadataURI()

Gets the URL to fetch the metadata.

Returns:

the URL to fetch the metadata

setTLSTrustEngine

public void setTLSTrustEngine(@Nullable
                              TrustEngine<? super X509Credential> engine)

Sets the optional trust engine used in evaluating server TLS credentials.

Must be used in conjunction with an HttpClient instance which is configured with a TrustEngineTLSSocketFactory. If this socket factory is not configured, then this will result in no TLS trust evaluation being performed and a ResolverException will ultimately be thrown.

Parameters:

engine - the trust engine instance to use

setBasicCredentials

public void setBasicCredentials(@Nullable
                                org.apache.http.auth.UsernamePasswordCredentials credentials)

Sets the username and password used to access the metadata URL. To disable BASIC authentication pass null for the credentials instance. An AuthScope will be generated based off the metadata URI's hostname and port.

Parameters:

credentials - the username and password credentials

setBasicCredentialsWithScope

public void setBasicCredentialsWithScope(@Nullable
                                         org.apache.http.auth.UsernamePasswordCredentials credentials,
                                         @Nullable
                                         org.apache.http.auth.AuthScope scope)

Sets the username and password used to access the metadata URL. To disable BASIC authentication pass null for the credentials instance.

If the authScope is null, an AuthScope will be generated based off the metadata URI's hostname and port.

Parameters:

credentials - the username and password credentials

scope - the HTTP client auth scope with which to scope the credentials, may be null

doDestroy

protected void doDestroy()

Overrides:

doDestroy in class AbstractReloadingMetadataResolver

getMetadataIdentifier

protected java.lang.String getMetadataIdentifier()

Gets an identifier which may be used to distinguish this metadata in logging statements.

Specified by:

getMetadataIdentifier in class AbstractReloadingMetadataResolver

Returns:

identifier which may be used to distinguish this metadata in logging statements

fetchMetadata

protected byte[] fetchMetadata()
                        throws net.shibboleth.utilities.java.support.resolver.ResolverException

Gets the metadata document from the remote server.

Specified by:

fetchMetadata in class AbstractReloadingMetadataResolver

Returns:

the metadata from remote server, or null if the metadata document has not changed since the last retrieval

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if there is a problem retrieving the metadata from the remote server

checkTLSCredentialTrusted

protected void checkTLSCredentialTrusted(org.apache.http.client.protocol.HttpClientContext context)
                                  throws javax.net.ssl.SSLPeerUnverifiedException

Check that trust engine evaluation of the server TLS credential was actually performed.

Parameters:

context - the current HTTP context instance in use

Throws:

javax.net.ssl.SSLPeerUnverifiedException - thrown if the TLS credential was not actually evaluated by the trust engine

buildHttpGet

protected org.apache.http.client.methods.HttpGet buildHttpGet()

Builds the HttpGet instance used to fetch the metadata. The returned method advertises support for GZIP and deflate compression, enables conditional GETs if the cached metadata came with either an ETag or Last-Modified information, and sets up basic authentication if such is configured.

Returns:

the constructed HttpGet instance

buildHttpClientContext

protected org.apache.http.client.protocol.HttpClientContext buildHttpClientContext()

Build the HttpClientContext instance which will be used to invoke the HttpClient request.

Returns:

a new instance of HttpClientContext

processConditionalRetrievalHeaders

protected void processConditionalRetrievalHeaders(org.apache.http.HttpResponse response)

Records the ETag and Last-Modified headers, from the response, if they are present.

Parameters:

response - GetMethod containing a valid HTTP response

getMetadataBytesFromResponse

protected byte[] getMetadataBytesFromResponse(org.apache.http.HttpResponse response)
                                       throws net.shibboleth.utilities.java.support.resolver.ResolverException

Extracts the raw metadata bytes from the response taking in to account possible deflate and GZip compression.

Parameters:

response - GetMethod containing a valid HTTP response

Returns:

the raw metadata bytes

Throws:

net.shibboleth.utilities.java.support.resolver.ResolverException - thrown if there is a problem getting the raw metadata bytes from the response