org.opensaml.saml.saml2.profile.impl

Class AddNameIDToSubjects

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, ProfileAction

public class AddNameIDToSubjects
extends AbstractProfileAction

Action that builds a NameID and adds it to the Subject of all the assertions found in a Response. The message to update is returned by a lookup strategy, by default the message returned by InOutOperationContext.getOutboundMessageContext().

If no Response exists, then an Assertion directly in the outbound message context will be used or created by the default lookup strategy.

If no Subject exists in the assertions found, it will be cretaed.

The source of the NameID is one of a set of candidate SAML2NameIDGenerator plugins injected into the action. The plugin(s) to attempt to use are derived from the Format value, which is established by a lookup strategy.

In addition, the generation process is influenced by the requested NameIDPolicy, which is evaluated using a pluggable predicate.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AddNameIDToSubjects.AssertionStrategy Default strategy for obtaining assertions to modify.
static class	AddNameIDToSubjects.NameIDPolicyLookupFunction Lookup function that returns the NameIDPolicy from an AuthnRequest message returned from a lookup function, by default the inbound message.
static class	AddNameIDToSubjects.RequesterIdFromIssuerFunction Lookup function that returns RequestAbstractType.getIssuer() from a request message returned from a lookup function, by default the inbound message.

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.List<Assertion>	assertions Response to modify.
private com.google.common.base.Function<ProfileRequestContext,java.util.List<Assertion>>	assertionsLookupStrategy Strategy used to locate the Response to operate on.
private com.google.common.base.Function<ProfileRequestContext,java.util.List<java.lang.String>>	formatLookupStrategy Strategy used to determine the formats to try.
private java.util.List<java.lang.String>	formats Formats to try.
private SAML2NameIDGenerator	generator Generator to use.
private net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy	idGenerator The generator to use.
private com.google.common.base.Function<ProfileRequestContext,net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy>	idGeneratorLookupStrategy Strategy used to locate the IdentifierGenerationStrategy to use.
private java.lang.String	issuerId EntityID to populate into Issuer element.
private com.google.common.base.Function<ProfileRequestContext,java.lang.String>	issuerLookupStrategy Strategy used to obtain the response issuer value.
private org.slf4j.Logger	log Class logger.
private SAMLObjectBuilder<NameID>	nameIdBuilder Builder for NameID objects.
private com.google.common.base.Predicate<ProfileRequestContext>	nameIDPolicyPredicate Predicate to validate NameIDPolicy.
private boolean	overwriteExisting Flag controlling whether to overwrite an existing NameID.
private AuthnRequest	request Request to examine.
private com.google.common.base.Function<ProfileRequestContext,AuthnRequest>	requestLookupStrategy Strategy used to locate the AuthnRequest to operate on, if any.
private java.lang.String	requiredFormat Format required by requested NameIDPolicy.
private SAMLObjectBuilder<Subject>	subjectBuilder Builder for Subject objects.

Constructor Summary

Constructors

Constructor and Description
AddNameIDToSubjects() Constructor.

Method Summary

Modifier and Type	Method and Description
private NameID	cloneNameID(NameID nameId) Create an efficient field-wise copy of a NameID.
protected void	doExecute(ProfileRequestContext profileRequestContext) Performs this action.
protected void	doInitialize()
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext) Called prior to execution, actions may override this method to perform pre-processing for a request.
private NameID	generateNameID(ProfileRequestContext profileRequestContext) Attempt to generate a NameID using each of the candidate Formats and plugins.
private Subject	getAssertionSubject(Assertion assertion) Get the subject to which the name identifier will be added.
private java.lang.String	getRequiredFormat(ProfileRequestContext profileRequestContext) Extract a format required by the inbound request, if present.
void	setAssertionsLookupStrategy(com.google.common.base.Function<ProfileRequestContext,java.util.List<Assertion>> strategy) Set the strategy used to locate the Assertions to operate on.
void	setFormatLookupStrategy(com.google.common.base.Function<ProfileRequestContext,java.util.List<java.lang.String>> strategy) Set the strategy function to use to obtain the formats to try.
void	setIdentifierGeneratorLookupStrategy(com.google.common.base.Function<ProfileRequestContext,net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> strategy) Set the strategy used to locate the IdentifierGenerationStrategy to use.
void	setIssuerLookupStrategy(com.google.common.base.Function<ProfileRequestContext,java.lang.String> strategy) Set the strategy used to locate the issuer value to use.
void	setNameIDGenerator(SAML2NameIDGenerator theGenerator) Set the generator to use.
void	setNameIDPolicyPredicate(com.google.common.base.Predicate<ProfileRequestContext> predicate) Set the predicate used to evaluate the NameIDPolicy.
void	setOverwriteExisting(boolean flag) Set whether to overwrite any existing NameID objects found.
void	setRequestLookupStrategy(com.google.common.base.Function<ProfileRequestContext,AuthnRequest> strategy) Set the strategy used to locate the AuthnRequest to examine, if any.

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

subjectBuilder

@Nonnull
private SAMLObjectBuilder<Subject> subjectBuilder

Builder for Subject objects.

nameIdBuilder

@Nonnull
private SAMLObjectBuilder<NameID> nameIdBuilder

Builder for NameID objects.

overwriteExisting

private boolean overwriteExisting

Flag controlling whether to overwrite an existing NameID.

requestLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,AuthnRequest> requestLookupStrategy

Strategy used to locate the AuthnRequest to operate on, if any.

assertionsLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,java.util.List<Assertion>> assertionsLookupStrategy

Strategy used to locate the Response to operate on.

idGeneratorLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> idGeneratorLookupStrategy

Strategy used to locate the IdentifierGenerationStrategy to use.

issuerLookupStrategy

@Nullable
private com.google.common.base.Function<ProfileRequestContext,java.lang.String> issuerLookupStrategy

Strategy used to obtain the response issuer value.

nameIDPolicyPredicate

@Nonnull
private com.google.common.base.Predicate<ProfileRequestContext> nameIDPolicyPredicate

Predicate to validate NameIDPolicy.

formatLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,java.util.List<java.lang.String>> formatLookupStrategy

Strategy used to determine the formats to try.

generator

@NonnullAfterInit
private SAML2NameIDGenerator generator

Generator to use.

formats

@Nonnull
 @NonnullElements
private java.util.List<java.lang.String> formats

Formats to try.

requiredFormat

@Nullable
private java.lang.String requiredFormat

Format required by requested NameIDPolicy.

request

@Nullable
private AuthnRequest request

Request to examine.

assertions

@Nullable
private java.util.List<Assertion> assertions

Response to modify.

idGenerator

@Nullable
private net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy idGenerator

The generator to use.

issuerId

@Nullable
private java.lang.String issuerId

EntityID to populate into Issuer element.

Constructor Detail

AddNameIDToSubjects

public AddNameIDToSubjects()
                    throws net.shibboleth.utilities.java.support.component.ComponentInitializationException

Constructor.

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException - if an error occurs initializing default predicate.

Method Detail

setOverwriteExisting

public void setOverwriteExisting(boolean flag)

Set whether to overwrite any existing NameID objects found.

Parameters:

flag - true iff the action should overwrite any existing objects

setRequestLookupStrategy

public void setRequestLookupStrategy(@Nonnull
                                     com.google.common.base.Function<ProfileRequestContext,AuthnRequest> strategy)

Set the strategy used to locate the AuthnRequest to examine, if any.

Parameters:

strategy - strategy used to locate the AuthnRequest

setAssertionsLookupStrategy

public void setAssertionsLookupStrategy(@Nonnull
                                        com.google.common.base.Function<ProfileRequestContext,java.util.List<Assertion>> strategy)

Set the strategy used to locate the Assertions to operate on.

Parameters:

strategy - lookup strategy

setIdentifierGeneratorLookupStrategy

public void setIdentifierGeneratorLookupStrategy(@Nonnull
                                                 com.google.common.base.Function<ProfileRequestContext,net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy> strategy)

Set the strategy used to locate the IdentifierGenerationStrategy to use.

Parameters:

strategy - lookup strategy

setIssuerLookupStrategy

public void setIssuerLookupStrategy(@Nullable
                                    com.google.common.base.Function<ProfileRequestContext,java.lang.String> strategy)

Set the strategy used to locate the issuer value to use.

Parameters:

strategy - lookup strategy

setNameIDPolicyPredicate

public void setNameIDPolicyPredicate(@Nonnull
                                     com.google.common.base.Predicate<ProfileRequestContext> predicate)

Set the predicate used to evaluate the NameIDPolicy.

Parameters:

predicate - predicate used to evaluate the NameIDPolicy

setFormatLookupStrategy

public void setFormatLookupStrategy(@Nonnull
                                    com.google.common.base.Function<ProfileRequestContext,java.util.List<java.lang.String>> strategy)

Set the strategy function to use to obtain the formats to try.

Parameters:

strategy - format lookup strategy

setNameIDGenerator

public void setNameIDGenerator(@Nullable
                               SAML2NameIDGenerator theGenerator)

Set the generator to use.

Parameters:

theGenerator - the generator to use

doInitialize

protected void doInitialize()
                     throws net.shibboleth.utilities.java.support.component.ComponentInitializationException

Overrides:

doInitialize in class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Throws:

net.shibboleth.utilities.java.support.component.ComponentInitializationException

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Called prior to execution, actions may override this method to perform pre-processing for a request.

If false is returned, execution will not proceed, and the action should attach an EventContext to the context tree to signal how to continue with overall workflow processing.

If returning successfully, the last step should be to return the result of the superclass version of this method.

Overrides:

doPreExecute in class AbstractProfileAction

Parameters:

profileRequestContext - the current IdP profile request context

Returns:

true iff execution should proceed

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Performs this action. Actions must override this method to perform their work.

Overrides:

doExecute in class AbstractProfileAction

Parameters:

profileRequestContext - the current IdP profile request context

getRequiredFormat

@Nullable
private java.lang.String getRequiredFormat(@Nonnull
                                                     ProfileRequestContext profileRequestContext)

Extract a format required by the inbound request, if present.

Parameters:

profileRequestContext - current profile request context

Returns:

a format dictated by the request, or null

generateNameID

@Nullable
private NameID generateNameID(@Nonnull
                                        ProfileRequestContext profileRequestContext)

Attempt to generate a NameID using each of the candidate Formats and plugins.

Parameters:

profileRequestContext - current profile request context

Returns:

a generated NameID or null

getAssertionSubject

@Nonnull
private Subject getAssertionSubject(@Nonnull
                                             Assertion assertion)

Get the subject to which the name identifier will be added.

Parameters:

assertion - the assertion being modified

Returns:

the assertion to which the name identifier will be added

cloneNameID

@Nonnull
private NameID cloneNameID(@Nonnull
                                    NameID nameId)

Create an efficient field-wise copy of a NameID.

Parameters:

nameId - the object to clone

Returns:

the copy