Class EvaluateDelegationPolicy

- java.lang.Object
  - net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    - org.opensaml.profile.action.AbstractProfileAction
      - org.opensaml.profile.action.AbstractConditionalProfileAction
        - net.shibboleth.idp.profile.AbstractProfileAction
          - net.shibboleth.idp.saml.saml2.profile.delegation.impl.EvaluateDelegationPolicy

All Implemented Interfaces:
Component, DestructableComponent, InitializableComponent, ProfileAction, Aware, MessageSource, MessageSourceAware, Action

public class EvaluateDelegationPolicy extends AbstractProfileAction
Action which implements policy controls to decide whether an SSO request based on a delegated Assertion token is allowed to proceed. Two policy checks are performed:

- The active SSOSProfileConfiguration is resolved and its predicate is applied. If the predicate evaluates to false, the request is not allowed. An example predicate commonly used here is AllowedSAMLPresentersPredicate.
- The length of the delegation chain, as indicated in the inbound assertion token's DelegationRestrictionType condition, is evaluated against a policy maximum resolved via the strategy set by setPolicyMaxChainLengthStrategy(Function), or from BrowserSSOProfileConfiguration.DEFAULT_DELEGATION_CHAIN_LENGTH if no value can otherwise be resolved. If the chain of Delegate child elements is greater than or equal to the resolved policy max chain length, the request is not allowed. The default policy resolution strategy is to look at the first DelegationPolicy contained within the inbound assertion token's Advice.

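The two checks above, modelled as a stand-alone Python example over the SAML XML rather than over OpenSAML objects (this is an added illustration, not Shibboleth IdP code). The profile predicate is represented by a caller-supplied allowed-presenter callable; the delegation chain length is the count of del:Delegate children of the DelegationRestrictionType condition; the policy maximum is read from the first DelegationPolicy element in the token's Advice, falling back to a default. The SAML assertion and delegation namespaces are the standard ones; the DelegationPolicy namespace, its MaximumTokenDelegationChainLength attribute name, and the default chain length of 1 are assumptions to be checked against the IdP's own constants, and the sample assertions are constructed inline.

```python
"""Model of EvaluateDelegationPolicy's two checks over a SAML 2.0 assertion.
Added illustration; not the Shibboleth IdP implementation."""
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# SAML V2.0 Condition for Delegation Restriction (standard namespace).
DEL_NS = "urn:oasis:names:tc:SAML:2.0:conditions:delegation"
# Placeholder: substitute the namespace of the IdP's DelegationPolicy Advice element.
POLICY_NS = "urn:placeholder:shibboleth-delegation-policy-ns"
# Assumed value of BrowserSSOProfileConfiguration.DEFAULT_DELEGATION_CHAIN_LENGTH.
DEFAULT_DELEGATION_CHAIN_LENGTH = 1


def get_delegation_restriction_condition(assertion: ET.Element) -> Optional[ET.Element]:
    """Return the saml:Condition whose xsi:type is DelegationRestrictionType, if present.
    The xsi:type prefix is compared by local name only (simplified prefix handling)."""
    conditions = assertion.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        return None
    for cond in conditions.findall(f"{{{SAML_NS}}}Condition"):
        xsi_type = cond.get(f"{{{XSI_NS}}}type", "")
        if xsi_type.split(":")[-1] == "DelegationRestrictionType":
            return cond
    return None


def get_token_delegation_chain_length(assertion: ET.Element) -> int:
    """Chain length = number of del:Delegate children; 0 when no restriction is present."""
    cond = get_delegation_restriction_condition(assertion)
    if cond is None:
        return 0
    return len(cond.findall(f"{{{DEL_NS}}}Delegate"))


def get_policy_max_chain_length(assertion: ET.Element,
                                default: int = DEFAULT_DELEGATION_CHAIN_LENGTH) -> int:
    """Default strategy: first DelegationPolicy in the token's Advice, else the default."""
    advice = assertion.find(f"{{{SAML_NS}}}Advice")
    if advice is not None:
        policy = advice.find(f"{{{POLICY_NS}}}DelegationPolicy")
        if policy is not None:
            value = policy.get("MaximumTokenDelegationChainLength")  # assumed attribute name
            if value is not None:
                return int(value)
    return default


def evaluate_delegation_policy(assertion_xml: str, presenter: str,
                               allowed_presenter: Callable[[str], bool],
                               default_max: int = DEFAULT_DELEGATION_CHAIN_LENGTH
                               ) -> Tuple[bool, str]:
    """Apply check 1 (profile predicate) then check 2 (chain length). Returns (allowed, reason)."""
    assertion = ET.fromstring(assertion_xml)
    if not allowed_presenter(presenter):
        return False, "presenter rejected by profile predicate"
    chain = get_token_delegation_chain_length(assertion)
    limit = get_policy_max_chain_length(assertion, default_max)
    # Equality is rejected: the token is already at the policy limit, so issuing a further
    # delegated token on its basis would push the chain past the maximum.
    if chain >= limit:
        return False, f"delegation chain length {chain} >= policy max {limit}"
    return True, f"delegation chain length {chain} < policy max {limit}"


def build_sample(num_delegates: int, policy_max: Optional[int]) -> str:
    """Constructed sample assertion with the given number of delegates and optional policy."""
    delegates = "".join(
        f'<del:Delegate ConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f"<saml:NameID>https://sp{i}.example.org</saml:NameID></del:Delegate>"
        for i in range(num_delegates))
    advice = ("" if policy_max is None else
              f'<saml:Advice><pol:DelegationPolicy MaximumTokenDelegationChainLength="{policy_max}"/>'
              "</saml:Advice>")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:xsi="{XSI_NS}" xmlns:del="{DEL_NS}" '
            f'xmlns:pol="{POLICY_NS}" ID="_constructed" Version="2.0">'
            "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
            f'<saml:Conditions><saml:Condition xsi:type="del:DelegationRestrictionType">'
            f"{delegates}</saml:Condition></saml:Conditions>{advice}</saml:Assertion>")


if __name__ == "__main__":
    allow = lambda p: p == "https://sp1.example.org"
    for n, limit in ((1, 3), (3, 3), (1, None), (0, None)):
        print(n, limit, evaluate_delegation_policy(build_sample(n, limit),
                                                    "https://sp1.example.org", allow))
```

Running the block shows the edge the page describes: a token whose chain length equals the policy maximum (3 of 3, or 1 delegate with no Advice policy and the default of 1) is rejected, while a token below the limit passes.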
Nested Class Summary

Nested Classes
- class EvaluateDelegationPolicy.PolicyMaxChainLengthStrategy
  Default strategy used to resolve the policy maximum token delegation chain length.

Field Summary

Fields
- private Assertion assertionToken
  The inbound delegated assertion token being evaluated.
- private Function<ProfileRequestContext,Assertion> assertionTokenStrategy
  Function used to resolve the assertion token to process.
- private boolean delegationAllowed
  Whether the request is allowed to proceed.
- private org.slf4j.Logger log
  Logger.
- private Long policyMaxChainLength
  The policy maximum token delegation chain length.
- private Function<ProfileRequestContext,Long> policyMaxChainLengthStrategy
  Function used to resolve the policy maximum delegation chain length.
- private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy
  Strategy used to look up the RelyingPartyContext.
- private Long tokenChainLength
  The actual token delegation chain length.

Constructor Summary

Constructors
- EvaluateDelegationPolicy()
  Constructor.

Method Summary

All Methods, Instance Methods, Concrete Methods
- protected boolean checkAllowedDelegate(ProfileRequestContext profileRequestContext)
  Apply policy control.
- protected boolean checkTokenDelegationChainLength(ProfileRequestContext profileRequestContext)
  Apply policy control which checks the actual token chain length against the policy maximum chain length.
- protected void doExecute(ProfileRequestContext profileRequestContext)
- protected boolean doPreExecute(ProfileRequestContext profileRequestContext)
- protected boolean doPreExecuteInbound(ProfileRequestContext profileRequestContext)
  Pre-execute actions on the inbound message.
- protected boolean doPreExecuteRelyingParty(ProfileRequestContext profileRequestContext)
  Pre-execute actions on the relying party context info.
- protected DelegationRestrictionType getDelegationRestrictionCondition(Conditions conditions)
  Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
- protected Long getPolicyMaxDelegationChainLength(ProfileRequestContext profileRequestContext)
  Get the effective maximum delegation chain length allowed by policy.
- protected Long getTokenDelegationChainLength(Assertion token)
  Get the length of the delegation chain in the presented token.
- void setAssertionTokenStrategy(Function<ProfileRequestContext,Assertion> strategy)
  Set the strategy used to locate the inbound assertion token to process.
- void setPolicyMaxChainLengthStrategy(Function<ProfileRequestContext,Long> strategy)
  Set the strategy used to resolve the policy maximum delegation chain length.
- void setRelyingPartyContextLookupStrategy(Function<ProfileRequestContext,RelyingPartyContext> strategy)
  Set the strategy used to locate the current RelyingPartyContext.
-
Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction
doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy
-
Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction
getActivationCondition, setActivationCondition
-
Methods inherited from class org.opensaml.profile.action.AbstractProfileAction
doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse
-
Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent
initialize, isInitialized
Field Detail
-
log
@Nonnull private org.slf4j.Logger log
Logger.
-
relyingPartyContextLookupStrategy
@Nonnull private Function<ProfileRequestContext,RelyingPartyContext> relyingPartyContextLookupStrategy
Strategy used to look up the RelyingPartyContext.
-
assertionTokenStrategy
@Nonnull private Function<ProfileRequestContext,Assertion> assertionTokenStrategy
Function used to resolve the assertion token to process.
-
policyMaxChainLengthStrategy
@Nonnull private Function<ProfileRequestContext,Long> policyMaxChainLengthStrategy
Function used to resolve the policy maximum delegation chain length.
-
assertionToken
private Assertion assertionToken
The inbound delegated assertion token being evaluated.
-
policyMaxChainLength
private Long policyMaxChainLength
The policy maximum token delegation chain length.
-
tokenChainLength
private Long tokenChainLength
The actual token delegation chain length.
-
delegationAllowed
private boolean delegationAllowed
Whether the request is allowed to proceed.
-
-
Method Detail
-
setPolicyMaxChainLengthStrategy
public void setPolicyMaxChainLengthStrategy(@Nonnull Function<ProfileRequestContext,Long> strategy)
Set the strategy used to resolve the policy maximum delegation chain length.
- Parameters:
  strategy - the strategy
-
setAssertionTokenStrategy
public void setAssertionTokenStrategy(@Nonnull Function<ProfileRequestContext,Assertion> strategy)
Set the strategy used to locate the inbound assertion token to process.
- Parameters:
  strategy - lookup strategy
-
setRelyingPartyContextLookupStrategy
public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext,RelyingPartyContext> strategy)
Set the strategy used to locate the current RelyingPartyContext.
- Parameters:
  strategy - strategy used to locate the current RelyingPartyContext
-
doPreExecute
protected boolean doPreExecute(ProfileRequestContext profileRequestContext)
- Overrides:
  doPreExecute in class AbstractConditionalProfileAction
-
doPreExecuteInbound
protected boolean doPreExecuteInbound(@Nonnull ProfileRequestContext profileRequestContext)
Pre-execute actions on the inbound message.
- Parameters:
  profileRequestContext - the current profile request context
- Returns:
  true iff doExecute(ProfileRequestContext) should proceed
-
doPreExecuteRelyingParty
protected boolean doPreExecuteRelyingParty(@Nonnull ProfileRequestContext profileRequestContext)
Pre-execute actions on the relying party context info.
- Parameters:
  profileRequestContext - the current profile request context
- Returns:
  true iff doExecute(ProfileRequestContext) should proceed
-
doExecute
protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext)
- Overrides:
  doExecute in class AbstractProfileAction
-
checkAllowedDelegate
protected boolean checkAllowedDelegate(@Nonnull ProfileRequestContext profileRequestContext)
Apply policy control.
- Parameters:
  profileRequestContext - the current request context
- Returns:
  true if check passes, false if not
-
checkTokenDelegationChainLength
protected boolean checkTokenDelegationChainLength(@Nonnull ProfileRequestContext profileRequestContext)
Apply policy control which checks the actual token chain length against the policy maximum chain length.
- Parameters:
  profileRequestContext - the current request context
- Returns:
  true if check passes, false if not
-
getTokenDelegationChainLength
protected Long getTokenDelegationChainLength(@Nonnull Assertion token)
Get the length of the delegation chain in the presented token.
- Parameters:
  token - the token to evaluate
- Returns:
  the token delegation chain length
-
getDelegationRestrictionCondition
protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable Conditions conditions)
Get the DelegationRestrictionType Condition from the supplied Conditions, if present.
- Parameters:
  conditions - the Assertion Conditions to process
- Returns:
  the DelegationRestrictionType Condition object, or null if not present
-
getPolicyMaxDelegationChainLength
@Nonnull protected Long getPolicyMaxDelegationChainLength(@Nonnull ProfileRequestContext profileRequestContext)
Get the effective maximum delegation chain length allowed by policy.
- Parameters:
  profileRequestContext - the current request context
- Returns:
  the policy maximum delegation chain length