java.lang.Object
  edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver

public class MetadataPKIXValidationInformationResolver

An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor and EntitiesDescriptor elements, represented by instances of ShibbolethMetadataKeyAuthority.

Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.
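An added usage example (not code from the Shibboleth or OpenSAML projects) showing how the resolver described above is driven: a MetadataProvider feeds the resolver, a CriteriaSet names the entity, role/protocol and key usage, and the resolved KeyAuthority anchors and trusted names are then used through an OpenSAML 2 PKIX trust engine. The metadata and certificate paths and the entityID are placeholders, and the OpenSAML 2 class names (FilesystemMetadataProvider, MetadataCriteria, PKIXX509CredentialTrustEngine and the criteria classes) are assumed from the OpenSAML 2.x / xmltooling API.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.*;
import org.opensaml.xml.security.x509.*;
import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;

public class MetadataPkixExample {
    public static void main(String[] args) throws Exception {
        DefaultBootstrap.bootstrap(); // registers the OpenSAML/Shibboleth XML object providers
        // Metadata file (placeholder path) whose EntityDescriptor / EntitiesDescriptor
        // Extensions carry the shibmd:KeyAuthority elements the resolver reads.
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(new File("/path/to/metadata.xml"));
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);
        provider.setParserPool(parserPool);
        provider.initialize();
        MetadataPKIXValidationInformationResolver resolver = new MetadataPKIXValidationInformationResolver(provider);
        // The resolver needs the entityID and the role/protocol (metadata) criteria; usage narrows KeyDescriptors.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria("https://idp.example.org/idp/shibboleth")); // placeholder entityID
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING));
        // Each result corresponds to one KeyAuthority: its anchor certificates, CRLs and verify depth.
        for (PKIXValidationInformation info : resolver.resolve(criteria)) {
            System.out.println(info.getCertificates().size() + " anchors, depth " + info.getVerificationDepth());
        }
        // Trusted names are the ds:KeyName values found in the role's KeyDescriptor/KeyInfo.
        Set<String> names = resolver.resolveTrustedNames(criteria);
        // Hand the resolver to a PKIX trust engine to evaluate a presented certificate (placeholder path).
        X509Certificate presented = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream("/path/to/presented.pem"));
        BasicX509Credential credential = new BasicX509Credential();
        credential.setEntityCertificate(presented);
        boolean trusted = new PKIXX509CredentialTrustEngine(resolver).validate(credential, criteria);
        System.out.println("trusted names " + names + ", presented cert trusted: " + trusted);
    }
}
```

The trust engine both builds the PKIX path against the KeyAuthority anchors (honouring VerifyDepth) and, when the resolver supports it, checks the presented certificate's names against the resolved trusted names, so an untrusted issuer or a name mismatch yields false rather than an exception.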
Nested Class Summary | |
---|---|
protected class | MetadataPKIXValidationInformationResolver.MetadataCacheKey A class which serves as the key into the cache of information previously resolved. |
protected class | MetadataPKIXValidationInformationResolver.MetadataProviderObserver An observer that clears the credential cache if the underlying metadata changes. |
Field Summary | |
---|---|
static int | KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT Default value for the Shibboleth KeyAuthority verify depth. |
Constructor Summary | |
---|---|
MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider) Constructor. | |
Method Summary | |
---|---|
protected void | cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo) Adds resolved PKIX validation information to the cache. |
protected void | cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo) Adds resolved PKIX validation information to the cache. |
protected void | cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names) Adds resolved trusted name information to the cache. |
protected void | checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet) Check that all necessary criteria are available. |
protected String | getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions) Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. |
protected ReadWriteLock | getReadWriteLock() Get the lock instance used to synchronize access to the caches. |
protected List<org.opensaml.saml2.metadata.RoleDescriptor> | getRoleDescriptors(String entityID, QName role, String protocol) Get the list of metadata role descriptors which match the given entityID, role and protocol. |
protected Set<String> | getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo) Extract trusted names from a KeyInfo element. |
protected List<X509Certificate> | getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo) Extract certificates from a KeyInfo element. |
protected List<X509CRL> | getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo) Extract CRLs from a KeyInfo element. |
protected boolean | matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage) Match usage enum type values from the metadata KeyDescriptor and from the specified resolution criteria. |
Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolve(org.opensaml.xml.security.CriteriaSet criteriaSet) |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions) Retrieves validation information from the metadata extension element. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor) Retrieves validation information from the provided role descriptor. |
protected org.opensaml.xml.security.x509.PKIXValidationInformation | resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) Retrieves validation information from the Shibboleth KeyAuthority metadata extension element. |
org.opensaml.xml.security.x509.PKIXValidationInformation | resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet) |
Set<String> | resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet) |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions) Retrieves pre-resolved PKIX validation information from the cache. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) Retrieves pre-resolved PKIX validation information from the cache. |
protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> | retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) Retrieves validation information from the provided metadata. |
protected Set<String> | retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) Retrieves pre-resolved trusted names from the cache. |
protected Set<String> | retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) Retrieves trusted name information from the provided metadata. |
boolean | supportsTrustedNameResolution() |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT
Constructor Detail |
---|
public MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider)
Parameters:
metadataProvider - provider of the metadata
Throws:
IllegalArgumentException - thrown if the supplied provider is null

Method Detail |
---|
public org.opensaml.xml.security.x509.PKIXValidationInformation resolveSingle(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException
Specified by:
resolveSingle in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

public Iterable<org.opensaml.xml.security.x509.PKIXValidationInformation> resolve(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException
Specified by:
resolve in interface org.opensaml.xml.security.Resolver<org.opensaml.xml.security.x509.PKIXValidationInformation,org.opensaml.xml.security.CriteriaSet>
Throws:
org.opensaml.xml.security.SecurityException

public Set<String> resolveTrustedNames(org.opensaml.xml.security.CriteriaSet criteriaSet) throws org.opensaml.xml.security.SecurityException, UnsupportedOperationException
Specified by:
resolveTrustedNames in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver
Throws:
org.opensaml.xml.security.SecurityException
UnsupportedOperationException

public boolean supportsTrustedNameResolution()
Specified by:
supportsTrustedNameResolution in interface org.opensaml.xml.security.x509.PKIXValidationInformationResolver

protected ReadWriteLock getReadWriteLock()

protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
Parameters:
criteriaSet - the criteria set to evaluate

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) throws org.opensaml.xml.security.SecurityException
Parameters:
entityID - entity ID for which to resolve validation information
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor) throws org.opensaml.xml.security.SecurityException
Parameters:
roleDescriptor - the role descriptor from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions) throws org.opensaml.xml.security.SecurityException
Parameters:
extensions - the extension element from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected org.opensaml.xml.security.x509.PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) throws org.opensaml.xml.security.SecurityException
Parameters:
keyAuthority - the Shibboleth KeyAuthority element from which to resolve information
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<X509Certificate> getX509Certificates(org.opensaml.xml.signature.KeyInfo keyInfo) throws org.opensaml.xml.security.SecurityException
Parameters:
keyInfo - the KeyInfo instance from which to extract certificates
Throws:
org.opensaml.xml.security.SecurityException - thrown if the certificate information is represented in an unsupported format

protected List<X509CRL> getX509CRLs(org.opensaml.xml.signature.KeyInfo keyInfo) throws org.opensaml.xml.security.SecurityException
Parameters:
keyInfo - the KeyInfo instance from which to extract CRLs
Throws:
org.opensaml.xml.security.SecurityException - thrown if the CRL information is represented in an unsupported format

protected Set<String> retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, org.opensaml.xml.security.credential.UsageType usage) throws org.opensaml.xml.security.SecurityException
Parameters:
entityID - entity ID for which to resolve trusted names
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - usage specifier for role descriptor key descriptors to evaluate
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error extracting trusted name information

protected Set<String> getTrustedNames(org.opensaml.xml.signature.KeyInfo keyInfo)
Parameters:
keyInfo - the KeyInfo instance from which to extract trusted names

protected boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage)
Parameters:
metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
criteriaUsage - the value from the specified criteria

protected List<org.opensaml.saml2.metadata.RoleDescriptor> getRoleDescriptors(String entityID, QName role, String protocol) throws org.opensaml.xml.security.SecurityException
Parameters:
entityID - entity ID of the metadata entity descriptor to resolve
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Parameters:
cacheKey - the key to the metadata cache

protected List<org.opensaml.xml.security.x509.PKIXValidationInformation> retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions)
Parameters:
extensions - the key to the metadata cache

protected Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)
Parameters:
cacheKey - the key to the metadata cache

protected void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Parameters:
cacheKey - the key for caching the information
pkixInfo - collection of PKIX information to cache

protected void cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<org.opensaml.xml.security.x509.PKIXValidationInformation> pkixInfo)
Parameters:
extensions - the key for caching the information
pkixInfo - collection of PKIX information to cache

protected void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names)
Parameters:
cacheKey - the key for caching the information
names - collection of names to cache

protected String getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions)
Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. If the parent is an EntityDescriptor, return the entityID value. If an EntitiesDescriptor, return the name value.
Parameters:
extensions - the Extensions element