com.github.ulisesbocchio.spring.boot.security.saml.configurer.builder

Class MetadataManagerConfigurer

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>

com.github.ulisesbocchio.spring.boot.security.saml.configurer.builder.MetadataManagerConfigurer

All Implemented Interfaces:

org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>

public class MetadataManagerConfigurer
extends org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>

Builder configurer that takes care of configuring/customizing the MetadataManager bean.

Common strategy across most internal configurers is to first give priority to a Spring Bean if present in the Context. So if not MetadataManager bean is defined, priority goes to a custom MetadataManager provided explicitly to this configurer through the constructor. And if not provided through the constructor, a default implementation is instantiated that is configurable through the DSL methods.

This configurer also reads the values from SAMLSSOProperties#getMetadataManager() and SAMLSSOProperties#getExtendedDelegate() if no custom MetadataManager is provided, for some DSL methods if they are not used. In other words, the user is able to configure the MetadataManager through the following properties:

     saml.sso.metadata-manager.default-idp
     saml.sso.metadata-manager.hosted-sp-name
     saml.sso.metadata-manager.refresh-check-interval
     saml.sso.extended-delegate.metadata-trusted-keys
     saml.sso.extended-delegate.metadata-trust-check
     saml.sso.extended-delegate.force-metadata-revocation-check
     saml.sso.extended-delegate.metadata-require-signature
     saml.sso.extended-delegate.require-valid-metadata
     saml.sso.local-extended-delegate.metadata-trusted-keys
     saml.sso.local-extended-delegate.metadata-trust-check
     saml.sso.local-extended-delegate.force-metadata-revocation-check
     saml.sso.local-extended-delegate.metadata-require-signature
     saml.sso.local-extended-delegate.require-valid-metadata
     saml.sso.idp.metadata-location
 

Author:

Ulises Bocchio

Constructor Summary

Constructors

Constructor and Description
MetadataManagerConfigurer()
MetadataManagerConfigurer(org.springframework.security.saml.metadata.MetadataManager metadataManager)

Method Summary

Modifier and Type	Method and Description
void	configure(ServiceProviderBuilder builder)
protected org.springframework.security.saml.metadata.ExtendedMetadataDelegate	createDefaultExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider provider, org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata)
protected org.springframework.security.saml.metadata.CachingMetadataManager	createDefaultMetadataManager()
protected org.opensaml.saml2.metadata.provider.MetadataProvider	createDefaultMetadataProvider(String location)
MetadataManagerConfigurer	defaultIDP(String defaultIDP) Sets name of IDP to be used as default.
MetadataManagerConfigurer	forceMetadataRevocationCheck(boolean forceMetadataRevocationCheck) Determines whether check for certificate revocation should always be done as part of the PKIX validation.
MetadataManagerConfigurer	hostedSPName(String hostedSPName) Sets nameId of SP hosted on this machine.
void	init(ServiceProviderBuilder builder)
MetadataManagerConfigurer	localForceMetadataRevocationCheck(boolean forceMetadataRevocationCheck) Determines whether check for certificate revocation should always be done as part of the PKIX validation.
MetadataManagerConfigurer	localMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter filter) Sets the metadata filter applied to the LOCAL metadata.
MetadataManagerConfigurer	localMetadataLocation(String providerLocation) Specify the location of the metadata file to be loaded as ResourceBackedMetadataProvider.
MetadataManagerConfigurer	localMetadataRequireSignature(boolean metadataRequireSignature) When set to true metadata from this provider should only be accepted when correctly signed and verified.
MetadataManagerConfigurer	localMetadataTrustCheck(boolean metadataTrustCheck) When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors.
MetadataManagerConfigurer	localMetadataTrustedKeys(String... metadataTrustedKeys) Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted.
MetadataManagerConfigurer	localRequireValidMetadata(boolean requireValidMetadata) Sets whether the metadata returned by queries must be valid.
MetadataManagerConfigurer	metadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter filter) Sets the metadata filter applied to the metadata.
MetadataManagerConfigurer	metadataLocations(String... providerLocation) Specify the location(s) of the metadata files to be loaded as ResourceBackedMetadataProvider.
MetadataManagerConfigurer	metadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider) Adds a new MetadataProvider to the MetadataManager.
MetadataManagerConfigurer	metadataProviders(List<org.opensaml.saml2.metadata.provider.MetadataProvider> providers) Sets the provided MetadataProviders in the MetadataManager.
MetadataManagerConfigurer	metadataProviders(org.opensaml.saml2.metadata.provider.MetadataProvider... providers) Sets the provided MetadataProviders in the MetadataManager.
MetadataManagerConfigurer	metadataRequireSignature(boolean metadataRequireSignature) When set to true metadata from this provider should only be accepted when correctly signed and verified.
MetadataManagerConfigurer	metadataTrustCheck(boolean metadataTrustCheck) When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors.
MetadataManagerConfigurer	metadataTrustedKeys(String... metadataTrustedKeys) Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted.
MetadataManagerConfigurer	refreshCheckInterval(long refreshCheckInterval) Interval in milliseconds used for re-verification of metadata and their reload.
MetadataManagerConfigurer	requireValidMetadata(boolean requireValidMetadata) Sets whether the metadata returned by queries must be valid.

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

MetadataManagerConfigurer

public MetadataManagerConfigurer(org.springframework.security.saml.metadata.MetadataManager metadataManager)

MetadataManagerConfigurer

public MetadataManagerConfigurer()

Method Detail

init

public void init(ServiceProviderBuilder builder)
          throws Exception

Specified by:

init in interface org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>

Overrides:

init in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>

Throws:

Exception

configure

public void configure(ServiceProviderBuilder builder)
               throws Exception

Specified by:

configure in interface org.springframework.security.config.annotation.SecurityConfigurer<Void,ServiceProviderBuilder>

Overrides:

configure in class org.springframework.security.config.annotation.SecurityConfigurerAdapter<Void,ServiceProviderBuilder>

Throws:

Exception

createDefaultMetadataProvider

protected org.opensaml.saml2.metadata.provider.MetadataProvider createDefaultMetadataProvider(String location)
                                                                                       throws org.opensaml.util.resource.ResourceException,
                                                                                              org.opensaml.saml2.metadata.provider.MetadataProviderException

Throws:

org.opensaml.util.resource.ResourceException

org.opensaml.saml2.metadata.provider.MetadataProviderException

createDefaultMetadataManager

protected org.springframework.security.saml.metadata.CachingMetadataManager createDefaultMetadataManager()
                                                                                                  throws org.opensaml.saml2.metadata.provider.MetadataProviderException

Throws:

org.opensaml.saml2.metadata.provider.MetadataProviderException

createDefaultExtendedMetadataDelegate

protected org.springframework.security.saml.metadata.ExtendedMetadataDelegate createDefaultExtendedMetadataDelegate(org.opensaml.saml2.metadata.provider.MetadataProvider provider,
                                                                                                                    org.springframework.security.saml.metadata.ExtendedMetadata extendedMetadata)

defaultIDP

public MetadataManagerConfigurer defaultIDP(String defaultIDP)

Sets name of IDP to be used as default.

Alternatively use property:

      saml.sso.metadata-manager.default-idp
 

Parameters:

defaultIDP - name of IDP to be used as default.

Returns:

this configurer for further customization

hostedSPName

public MetadataManagerConfigurer hostedSPName(String hostedSPName)

Sets nameId of SP hosted on this machine. This can either be called from springContext or automatically during invocation of metadata generation filter.

Alternatively use property:

      saml.sso.metadata-manager.hosted-sp-name
 

Parameters:

hostedSPName - name of metadata describing SP hosted on this machine

Returns:

this configurer for further customization

refreshCheckInterval

public MetadataManagerConfigurer refreshCheckInterval(long refreshCheckInterval)

Interval in milliseconds used for re-verification of metadata and their reload. Upon trigger each provider is asked to return it's metadata, which might trigger their reloading. In case metadata is reloaded the manager is notified and automatically refreshes all internal data by calling refreshMetadata.

In case the value is smaller than zero the timer is not created.

Default is -1.

Alternatively use property:

      saml.sso.metadata-manager.refresh-check-interval
 

Parameters:

refreshCheckInterval - the refresh interval in milliseconds.

Returns:

this configurer for further customization

metadataProvider

public MetadataManagerConfigurer metadataProvider(org.opensaml.saml2.metadata.provider.MetadataProvider provider)

Adds a new MetadataProvider to the MetadataManager. Can be invoked multiple times. Takes precedence over metadataLocations(String...).

Parameters:

provider - the provider to add to the MetadataManager.

Returns:

this configurer for further customization

metadataProviders

public MetadataManagerConfigurer metadataProviders(org.opensaml.saml2.metadata.provider.MetadataProvider... providers)

Sets the provided MetadataProviders in the MetadataManager. Invocation if this method overrides any existing MetadataProvider previously set with metadataProvider(MetadataProvider). Takes precedence over metadataLocations(String...).

Parameters:

providers - the metadata providers to use.

Returns:

this configurer for further customization

metadataLocations

public MetadataManagerConfigurer metadataLocations(String... providerLocation)

Specify the location(s) of the metadata files to be loaded as ResourceBackedMetadataProvider. Not relevant is using metadataProvider(MetadataProvider), metadataProviders(List), or metadataProviders(MetadataProvider...)

Alternatively use property:

      saml.sso.idp.metadata-location
 

Parameters:

providerLocation - the metadata files to load.

Returns:

this configurer for further customization

localMetadataLocation

public MetadataManagerConfigurer localMetadataLocation(String providerLocation)

Specify the location of the metadata file to be loaded as ResourceBackedMetadataProvider. Not relevant is using metadataProvider(MetadataProvider), metadataProviders(List), or metadataProviders(MetadataProvider...)

Alternatively use property:

      saml.sso.idp.local-metadata-location
 

Parameters:

providerLocation - the metadata files to load.

Returns:

this configurer for further customization

metadataProviders

public MetadataManagerConfigurer metadataProviders(List<org.opensaml.saml2.metadata.provider.MetadataProvider> providers)

Sets the provided MetadataProviders in the MetadataManager. Invocation if this method overrides any existing MetadataProvider previously set with metadataProvider(MetadataProvider). Takes precedence over metadataLocations(String...).

Parameters:

providers - the metadata providers to use.

Returns:

this configurer for further customization

metadataFilter

public MetadataManagerConfigurer metadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter filter)

Sets the metadata filter applied to the metadata.

Parameters:

filter - the metadata filter applied to the metadata

Returns:

this configurer for further customization

forceMetadataRevocationCheck

public MetadataManagerConfigurer forceMetadataRevocationCheck(boolean forceMetadataRevocationCheck)

Determines whether check for certificate revocation should always be done as part of the PKIX validation. Revocation is evaluated by the underlaying JCE implementation and depending on configuration may include CRL and OCSP verification of the certificate in question. When set to false revocation is only performed when MetadataManager includes CRLs. Default is false.

Alternatively use property:

      saml.sso.extended-delegate.force-metadata-revocation-check
 

Parameters:

forceMetadataRevocationCheck - revocation flag.

Returns:

this configurer for further customization

metadataRequireSignature

public MetadataManagerConfigurer metadataRequireSignature(boolean metadataRequireSignature)

When set to true metadata from this provider should only be accepted when correctly signed and verified. Metadata with an invalid signature or signed by a not-trusted credential will be ignored. Default is false.

Alternatively use property:

      saml.sso.extended-delegate.metadata-require-signature
 

Parameters:

metadataRequireSignature - flag to set.

Returns:

this configurer for further customization

metadataTrustCheck

public MetadataManagerConfigurer metadataTrustCheck(boolean metadataTrustCheck)

When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors. Default is false.

Alternatively use property:

      saml.sso.extended-delegate.metadata-trust-check
 

Parameters:

metadataTrustCheck - flag to set.

Returns:

this configurer for further customization

metadataTrustedKeys

public MetadataManagerConfigurer metadataTrustedKeys(String... metadataTrustedKeys)

Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted. If not set any key stored in the keyManager is considered as trusted.

Alternatively use property:

      saml.sso.extended-delegate.metadata-trusted-keys
 

Parameters:

metadataTrustedKeys - the names of the trusted keys.

Returns:

this configurer for further customization

requireValidMetadata

public MetadataManagerConfigurer requireValidMetadata(boolean requireValidMetadata)

Sets whether the metadata returned by queries must be valid. Default is false.

Alternatively use property:

      saml.sso.extended-delegate.require-valid-metadata
 

Parameters:

requireValidMetadata - whether the metadata returned by queries must be valid.

Returns:

this configurer for further customization

localMetadataFilter

public MetadataManagerConfigurer localMetadataFilter(org.opensaml.saml2.metadata.provider.MetadataFilter filter)

Sets the metadata filter applied to the LOCAL metadata.

Parameters:

filter - the metadata filter applied to the metadata

Returns:

this configurer for further customization

localForceMetadataRevocationCheck

public MetadataManagerConfigurer localForceMetadataRevocationCheck(boolean forceMetadataRevocationCheck)

Determines whether check for certificate revocation should always be done as part of the PKIX validation. Revocation is evaluated by the underlaying JCE implementation and depending on configuration may include CRL and OCSP verification of the certificate in question. When set to false revocation is only performed when MetadataManager includes CRLs. For Local Entity Default is false.

Alternatively use property:

      saml.sso.local-extended-delegate.force-metadata-revocation-check
 

Parameters:

forceMetadataRevocationCheck - revocation flag.

Returns:

this configurer for further customization

localMetadataRequireSignature

public MetadataManagerConfigurer localMetadataRequireSignature(boolean metadataRequireSignature)

When set to true metadata from this provider should only be accepted when correctly signed and verified. Metadata with an invalid signature or signed by a not-trusted credential will be ignored. Default is false. For Local Entity

Alternatively use property:

      saml.sso.local-extended-delegate.metadata-require-signature
 

Parameters:

metadataRequireSignature - flag to set.

Returns:

this configurer for further customization

localMetadataTrustCheck

public MetadataManagerConfigurer localMetadataTrustCheck(boolean metadataTrustCheck)

When true metadata signature will be verified for trust using PKIX with metadataTrustedKeys as anchors. For Local Entity Default is false.

Alternatively use property:

      saml.sso.local-extended-delegate.metadata-trust-check
 

Parameters:

metadataTrustCheck - flag to set.

Returns:

this configurer for further customization

localMetadataTrustedKeys

public MetadataManagerConfigurer localMetadataTrustedKeys(String... metadataTrustedKeys)

Keys stored in the KeyManager which can be used to verify whether signature of the metadata is trusted. If not set any key stored in the keyManager is considered as trusted. For Local Entity

Alternatively use property:

      saml.sso.local-extended-delegate.metadata-trusted-keys
 

Parameters:

metadataTrustedKeys - the names of the trusted keys.

Returns:

this configurer for further customization

localRequireValidMetadata

public MetadataManagerConfigurer localRequireValidMetadata(boolean requireValidMetadata)

Sets whether the metadata returned by queries must be valid. For Local Entity Default is false.

Alternatively use property:

      saml.sso.local-extended-delegate.require-valid-metadata
 

Parameters:

requireValidMetadata - whether the metadata returned by queries must be valid.

Returns:

this configurer for further customization