AddDelegationRestrictionToAssertions (Shibboleth IdP :: SAML Profile Implementation 3.3.2 API)

java.lang.Object
- net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
- - org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>
  - - org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>
    - - net.shibboleth.idp.profile.AbstractProfileAction
      - net.shibboleth.idp.saml.saml2.profile.delegation.impl.AddDelegationRestrictionToAssertions

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, org.opensaml.profile.action.ProfileAction, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action
```
public class AddDelegationRestrictionToAssertions
extends AbstractProfileAction
```
Action which adds a DelegationRestrictionType Condition to each Assertion contained within the outbound Response.
If the inbound assertion token specified in LibertySSOSContext contains an existing DelegationRestrictionType condition, it is cloned, and the current SAML presenter entityID is added as a new Delegate. Otherwise a new instance of DelegationRestrictionType is created and a single new Delegate added.

In both cases the new delegate entityID is obtained from the SAMLPresenterEntityContext located using the corresponding lookup function. The new delegate is augmented with the SAML subject confirmation method obtained from the current LibertySSOSContext.

Event:

EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR

Field Summary

Fields
Modifier and Type	Field and Description
`private List<org.opensaml.saml.saml2.core.Assertion>`	`assertions` List of assertions to modify.
`private org.opensaml.saml.saml2.core.Assertion`	`attestedAssertion` The delegated Assertion that was attested.
`private String`	`attestedSubjectConfirmationMethod` The subject confirmation method successfully used to confirm the assertion by the presenter.
`private DateTime`	`delegationInstant` The instant of delegation.
`private Function<org.opensaml.profile.context.ProfileRequestContext,LibertySSOSContext>`	`libertyContextLookupStrategy` Function used to resolve the Liberty context to populate.
`private org.slf4j.Logger`	`log` Class logger.
`private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext>`	`presenterContextLookupStrategy` Strategy used to locate the SAMLPresenterEntityContext.
`private String`	`presenterEntityID` The presenting entity which successfully attested the Assertion token.
`private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Response>`	`responseLookupStrategy` Strategy used to locate the Response to operate on.

Constructor Summary

Constructors
Constructor and Description

AddDelegationRestrictionToAssertions()
Constructor.

Constructors
Constructor and Description
`AddDelegationRestrictionToAssertions()` Constructor.

Method Summary

Methods
Modifier and Type	Method and Description
`protected void`	`addDelegationRestriction(org.opensaml.profile.context.ProfileRequestContext profileRequestContext, org.opensaml.saml.saml2.core.Conditions conditions)` Add a delegation restriction condition to the specified conditions.
`protected org.opensaml.saml.ext.saml2delrestrict.Delegate`	`buildDelegate(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)` Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.
`protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType`	`buildDelegationRestriction(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)` Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.
`protected void`	`doExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)`
`protected boolean`	`doPreExecute(org.opensaml.profile.context.ProfileRequestContext profileRequestContext)`
`protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType`	`getDelegationRestrictionCondition(org.opensaml.saml.saml2.core.Conditions conditions)` Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
`void`	`setLibertyContextLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,LibertySSOSContext> strategy)` Set the strategy used to locate the `LibertySSOSContext` to populate.
`void`	`setPresenterLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext> strategy)` Set the strategy used to locate the `SAMLPresenterEntityContext`.
`void`	`setResponseLookupStrategy(Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Response> strategy)` Set the strategy used to locate the Response to operate on.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

responseLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Response> responseLookupStrategy

Strategy used to locate the Response to operate on.

presenterContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext> presenterContextLookupStrategy

Strategy used to locate the SAMLPresenterEntityContext.

libertyContextLookupStrategy

@Nonnull
private Function<org.opensaml.profile.context.ProfileRequestContext,LibertySSOSContext> libertyContextLookupStrategy

Function used to resolve the Liberty context to populate.

assertions

@Nullable
private List<org.opensaml.saml.saml2.core.Assertion> assertions

List of assertions to modify.

attestedAssertion

@Nullable
private org.opensaml.saml.saml2.core.Assertion attestedAssertion

The delegated Assertion that was attested.

attestedSubjectConfirmationMethod
```
@Nullable
private String attestedSubjectConfirmationMethod
```
The subject confirmation method successfully used to confirm the assertion by the presenter.

presenterEntityID
```
@Nullable
private String presenterEntityID
```
The presenting entity which successfully attested the Assertion token.

delegationInstant

@Nullable
private DateTime delegationInstant

The instant of delegation.

Constructor Detail
- AddDelegationRestrictionToAssertions
```
public AddDelegationRestrictionToAssertions()
```
  Constructor.

Method Detail

setLibertyContextLookupStrategy

public void setLibertyContextLookupStrategy(@Nonnull
                                   Function<org.opensaml.profile.context.ProfileRequestContext,LibertySSOSContext> strategy)

Set the strategy used to locate the LibertySSOSContext to populate.

Parameters:: strategy - lookup strategy

setResponseLookupStrategy

public void setResponseLookupStrategy(@Nonnull
                             Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.saml2.core.Response> strategy)

Set the strategy used to locate the Response to operate on.

Parameters:: strategy - lookup strategy

setPresenterLookupStrategy

public void setPresenterLookupStrategy(@Nonnull
                              Function<org.opensaml.profile.context.ProfileRequestContext,org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext> strategy)

Set the strategy used to locate the SAMLPresenterEntityContext.

Parameters:: strategy - lookup strategy

doPreExecute

protected boolean doPreExecute(@Nonnull
                   org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:: doPreExecute in class org.opensaml.profile.action.AbstractConditionalProfileAction

doExecute

protected void doExecute(@Nonnull
             org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Overrides:: doExecute in class org.opensaml.profile.action.AbstractProfileAction

addDelegationRestriction

protected void addDelegationRestriction(@Nonnull
                            org.opensaml.profile.context.ProfileRequestContext profileRequestContext,
                            @Nonnull
                            org.opensaml.saml.saml2.core.Conditions conditions)

Add a delegation restriction condition to the specified conditions.

Parameters:: profileRequestContext - the current profile request context; conditions - the conditions instance to modify

buildDelegationRestriction

@Nullable
protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType buildDelegationRestriction(@Nonnull
                                                                                                   org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.

Parameters:: profileRequestContext - the current profile request context
Returns:: new DelegationRestrictionType Condition, or null if the condition could not be build

getDelegationRestrictionCondition

@Nullable
protected org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType getDelegationRestrictionCondition(@Nullable
                                                                                                          org.opensaml.saml.saml2.core.Conditions conditions)

Get the DelegationRestrictionType Condition from the supplied Conditions, if present.

Parameters:: conditions - the Assertion Conditions to process
Returns:: the DelegationRestrictionType Condition object, or null if not present

buildDelegate

@Nonnull
protected org.opensaml.saml.ext.saml2delrestrict.Delegate buildDelegate(@Nonnull
                                                                    org.opensaml.profile.context.ProfileRequestContext profileRequestContext)

Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.

Parameters:: profileRequestContext - the
Returns:: the new Delegate instance

Class AddDelegationRestrictionToAssertions

Field Summary

Constructor Summary

Method Summary

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

Methods inherited from class java.lang.Object

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent