org.opensaml.saml.saml2.profile.impl

Class EncryptNameIDs

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction

org.opensaml.saml.saml2.profile.impl.AbstractEncryptAction

org.opensaml.saml.saml2.profile.impl.EncryptNameIDs

All Implemented Interfaces:

net.shibboleth.utilities.java.support.component.Component, net.shibboleth.utilities.java.support.component.DestructableComponent, net.shibboleth.utilities.java.support.component.InitializableComponent, ProfileAction

public class EncryptNameIDs
extends AbstractEncryptAction

Action that encrypts all NameIDs in a message obtained from a lookup strategy, by default the outbound message context.

Specific formats may be excluded from encryption, by default excluding the "entity" format.

Field Summary

Fields

Modifier and Type	Field and Description
private java.util.Set<java.lang.String>	excludedFormats Formats to exclude from encryption.
private org.slf4j.Logger	log Class logger.
private SAMLObject	message The message to operate on.
private com.google.common.base.Function<ProfileRequestContext,SAMLObject>	messageLookupStrategy Strategy used to locate the message to operate on.

Constructor Summary

Constructors

Constructor and Description
EncryptNameIDs() Constructor.

Method Summary

Modifier and Type	Method and Description
protected void	doExecute(ProfileRequestContext profileRequestContext) Performs this action.
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext) Called prior to execution, actions may override this method to perform pre-processing for a request.
protected EncryptionParameters	getApplicableParameters(EncryptionContext ctx) Return the right set of parameters for the operation to be performed, or none if no encryption should occur.
private void	processAssertion(Assertion assertion) Decrypt any EncryptedID found in an assertion and replace it with the result.
private void	processLogoutRequest(LogoutRequest request) Encrypt a NameID found in a LogoutRequest and replace it with the result.
private void	processManageNameIDRequest(ManageNameIDRequest request) Encrypt a NameID found in a ManageNameIDRequest and replace it with the result.
private void	processNameIDMappingRequest(NameIDMappingRequest request) Encrypt a NameID found in a NameIDMappingRequest and replace it with the result.
private void	processNameIDMappingResponse(NameIDMappingResponse response) Encrypt a NameID found in a NameIDMappingResponse and replace it with the result.
private void	processSubject(Subject subject) Encrypt any NameIDs found in a subject and replace them with the result.
void	setExcludedFormats(java.util.Collection<java.lang.String> formats) Set the NameID formats to ignore and leave unencrypted.
void	setMessageLookupStrategy(com.google.common.base.Function<ProfileRequestContext,SAMLObject> strategy) Set the strategy used to locate the Response to operate on.
private boolean	shouldEncrypt(NameID name) Return true iff the NameID should be encrypted.

Methods inherited from class org.opensaml.saml.saml2.profile.impl.AbstractEncryptAction

getEncrypter, setEncryptionContextLookupStrategy, setKeyPlacementLookupStrategy, setRecipientLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

messageLookupStrategy

@Nonnull
private com.google.common.base.Function<ProfileRequestContext,SAMLObject> messageLookupStrategy

Strategy used to locate the message to operate on.

excludedFormats

@Nonnull
 @NonnullElements
private java.util.Set<java.lang.String> excludedFormats

Formats to exclude from encryption.

message

@Nullable
private SAMLObject message

The message to operate on.

Constructor Detail

EncryptNameIDs

public EncryptNameIDs()

Constructor.

Method Detail

setMessageLookupStrategy

public void setMessageLookupStrategy(@Nonnull
                                     com.google.common.base.Function<ProfileRequestContext,SAMLObject> strategy)

Set the strategy used to locate the Response to operate on.

Parameters:

strategy - strategy used to locate the Response to operate on

setExcludedFormats

public void setExcludedFormats(@Nonnull @NonnullElements
                               java.util.Collection<java.lang.String> formats)

Set the NameID formats to ignore and leave unencrypted.

Parameters:

formats - formats to exclude

getApplicableParameters

@Nullable
protected EncryptionParameters getApplicableParameters(@Nullable
                                                                 EncryptionContext ctx)

Return the right set of parameters for the operation to be performed, or none if no encryption should occur.

Specified by:

getApplicableParameters in class AbstractEncryptAction

Parameters:

ctx - possibly null input context to pull parameters from

Returns:

the right parameter set, or null for none

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Called prior to execution, actions may override this method to perform pre-processing for a request.

If false is returned, execution will not proceed, and the action should attach an EventContext to the context tree to signal how to continue with overall workflow processing.

If returning successfully, the last step should be to return the result of the superclass version of this method.

Overrides:

doPreExecute in class AbstractEncryptAction

Parameters:

profileRequestContext - the current IdP profile request context

Returns:

true iff execution should proceed

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Performs this action. Actions must override this method to perform their work.

Overrides:

doExecute in class AbstractProfileAction

Parameters:

profileRequestContext - the current IdP profile request context

shouldEncrypt

private boolean shouldEncrypt(@Nullable
                              NameID name)

Return true iff the NameID should be encrypted.

Parameters:

name - NameID to check

Returns:

true iff encryption should happen

processSubject

private void processSubject(@Nullable
                            Subject subject)
                     throws EncryptionException

Encrypt any NameIDs found in a subject and replace them with the result.

Parameters:

subject - subject to operate on

Throws:

EncryptionException - if an error occurs

processLogoutRequest

private void processLogoutRequest(@Nonnull
                                  LogoutRequest request)
                           throws EncryptionException

Encrypt a NameID found in a LogoutRequest and replace it with the result.

Parameters:

request - request to operate on

Throws:

EncryptionException - if an error occurs

processManageNameIDRequest

private void processManageNameIDRequest(@Nonnull
                                        ManageNameIDRequest request)
                                 throws EncryptionException

Encrypt a NameID found in a ManageNameIDRequest and replace it with the result.

Parameters:

request - request to operate on

Throws:

EncryptionException - if an error occurs

processNameIDMappingRequest

private void processNameIDMappingRequest(@Nonnull
                                         NameIDMappingRequest request)
                                  throws EncryptionException

Encrypt a NameID found in a NameIDMappingRequest and replace it with the result.

Parameters:

request - request to operate on

Throws:

EncryptionException - if an error occurs

processNameIDMappingResponse

private void processNameIDMappingResponse(@Nonnull
                                          NameIDMappingResponse response)
                                   throws EncryptionException

Encrypt a NameID found in a NameIDMappingResponse and replace it with the result.

Parameters:

response - response to operate on

Throws:

EncryptionException - if an error occurs

processAssertion

private void processAssertion(@Nonnull
                              Assertion assertion)
                       throws EncryptionException

Decrypt any EncryptedID found in an assertion and replace it with the result.

Parameters:

assertion - assertion to operate on

Throws:

EncryptionException - if an error occurs