Package net.shibboleth.idp.saml.saml2.profile.delegation.impl

Class AddDelegationRestrictionToAssertions

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction

org.opensaml.profile.action.AbstractConditionalProfileAction

net.shibboleth.idp.profile.AbstractProfileAction

net.shibboleth.idp.saml.saml2.profile.delegation.impl.AddDelegationRestrictionToAssertions

All Implemented Interfaces:

Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class AddDelegationRestrictionToAssertions
extends AbstractProfileAction

Action which adds a DelegationRestrictionType Condition to each Assertion contained within the outbound Response.

If the inbound assertion token specified in LibertySSOSContext contains an existing DelegationRestrictionType condition, it is cloned, and the current SAML presenter entityID is added as a new Delegate. Otherwise a new instance of DelegationRestrictionType is created and a single new Delegate added.

In both cases the new delegate entityID is obtained from the SAMLPresenterEntityContext located using the corresponding lookup function. The new delegate is augmented with the SAML subject confirmation method obtained from the current LibertySSOSContext.

Event:

EventIds.INVALID_MSG_CTX, EventIds.INVALID_PROFILE_CTX, EventIds.MESSAGE_PROC_ERROR

Field Summary

Fields

Modifier and Type	Field	Description
private List<Assertion>	assertions	List of assertions to modify.
private Assertion	attestedAssertion	The delegated Assertion that was attested.
private String	attestedSubjectConfirmationMethod	The subject confirmation method successfully used to confirm the assertion by the presenter.
private Instant	delegationInstant	The instant of delegation.
private Function<ProfileRequestContext,LibertySSOSContext>	libertyContextLookupStrategy	Function used to resolve the Liberty context to populate.
private org.slf4j.Logger	log	Class logger.
private Function<ProfileRequestContext,SAMLPresenterEntityContext>	presenterContextLookupStrategy	Strategy used to locate the SAMLPresenterEntityContext.
private String	presenterEntityID	The presenting entity which successfully attested the Assertion token.
private Function<ProfileRequestContext,Response>	responseLookupStrategy	Strategy used to locate the Response to operate on.

Constructor Summary

Constructors

Constructor	Description
AddDelegationRestrictionToAssertions()	Constructor.

Method Summary

Modifier and Type	Method	Description
protected void	addDelegationRestriction(ProfileRequestContext profileRequestContext, Conditions conditions)	Add a delegation restriction condition to the specified conditions.
protected Delegate	buildDelegate(ProfileRequestContext profileRequestContext)	Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.
protected DelegationRestrictionType	buildDelegationRestriction(ProfileRequestContext profileRequestContext)	Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.
protected void	doExecute(ProfileRequestContext profileRequestContext)
protected boolean	doPreExecute(ProfileRequestContext profileRequestContext)
protected DelegationRestrictionType	getDelegationRestrictionCondition(Conditions conditions)	Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
void	setLibertyContextLookupStrategy(Function<ProfileRequestContext,LibertySSOSContext> strategy)	Set the strategy used to locate the LibertySSOSContext to populate.
void	setPresenterLookupStrategy(Function<ProfileRequestContext,SAMLPresenterEntityContext> strategy)	Set the strategy used to locate the SAMLPresenterEntityContext.
void	setResponseLookupStrategy(Function<ProfileRequestContext,Response> strategy)	Set the strategy used to locate the Response to operate on.

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

responseLookupStrategy

@Nonnull
private Function<ProfileRequestContext,Response> responseLookupStrategy

Strategy used to locate the Response to operate on.

presenterContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,SAMLPresenterEntityContext> presenterContextLookupStrategy

Strategy used to locate the SAMLPresenterEntityContext.

libertyContextLookupStrategy

@Nonnull
private Function<ProfileRequestContext,LibertySSOSContext> libertyContextLookupStrategy

Function used to resolve the Liberty context to populate.

assertions

@Nullable
private List<Assertion> assertions

List of assertions to modify.

attestedAssertion

@Nullable
private Assertion attestedAssertion

The delegated Assertion that was attested.

attestedSubjectConfirmationMethod

@Nullable
private String attestedSubjectConfirmationMethod

The subject confirmation method successfully used to confirm the assertion by the presenter.

presenterEntityID

@Nullable
private String presenterEntityID

The presenting entity which successfully attested the Assertion token.

delegationInstant

@Nullable
private Instant delegationInstant

The instant of delegation.

Constructor Detail

AddDelegationRestrictionToAssertions

public AddDelegationRestrictionToAssertions()

Constructor.

Method Detail

setLibertyContextLookupStrategy

public void setLibertyContextLookupStrategy(@Nonnull
                                            Function<ProfileRequestContext,LibertySSOSContext> strategy)

Set the strategy used to locate the LibertySSOSContext to populate.

Parameters:

strategy - lookup strategy

setResponseLookupStrategy

public void setResponseLookupStrategy(@Nonnull
                                      Function<ProfileRequestContext,Response> strategy)

Set the strategy used to locate the Response to operate on.

Parameters:

strategy - lookup strategy

setPresenterLookupStrategy

public void setPresenterLookupStrategy(@Nonnull
                                       Function<ProfileRequestContext,SAMLPresenterEntityContext> strategy)

Set the strategy used to locate the SAMLPresenterEntityContext.

Parameters:

strategy - lookup strategy

doPreExecute

protected boolean doPreExecute(@Nonnull
                               ProfileRequestContext profileRequestContext)

Overrides:

doPreExecute in class AbstractConditionalProfileAction

doExecute

protected void doExecute(@Nonnull
                         ProfileRequestContext profileRequestContext)

Overrides:

doExecute in class AbstractProfileAction

addDelegationRestriction

protected void addDelegationRestriction(@Nonnull
                                        ProfileRequestContext profileRequestContext,
                                        @Nonnull
                                        Conditions conditions)

Add a delegation restriction condition to the specified conditions.

Parameters:

profileRequestContext - the current profile request context

conditions - the conditions instance to modify

buildDelegationRestriction

@Nullable
protected DelegationRestrictionType buildDelegationRestriction(@Nonnull
                                                               ProfileRequestContext profileRequestContext)

Using the existing attested Assertion from the presenter as a context, build the appropriate DelegationRestrictionType Condition.

Parameters:

profileRequestContext - the current profile request context

Returns:

new DelegationRestrictionType Condition, or null if the condition could not be build

getDelegationRestrictionCondition

@Nullable
protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable
                                                                      Conditions conditions)

Get the DelegationRestrictionType Condition from the supplied Conditions, if present.

Parameters:

conditions - the Assertion Conditions to process

Returns:

the DelegationRestrictionType Condition object, or null if not present

buildDelegate

@Nonnull
protected Delegate buildDelegate(@Nonnull
                                 ProfileRequestContext profileRequestContext)

Build the Delegate child for the DelegationRestrictionType Condition, based on the current request context.

Parameters:

profileRequestContext - the

Returns:

the new Delegate instance