java.lang.Object
  edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver

public class MetadataPKIXValidationInformationResolver

An implementation of PKIXValidationInformationResolver which resolves PKIXValidationInformation based on information stored in SAML 2 metadata. Validation information is retrieved from Shibboleth-specific metadata extensions to EntityDescriptor and EntitiesDescriptor elements, represented by instances of ShibbolethMetadataKeyAuthority.

Resolution of trusted names for an entity is also supported, based on KeyName information contained within the KeyInfo of a role descriptor's KeyDescriptor element.
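The following is an added usage example, not code from the Shibboleth or OpenSAML projects. It drives the resolver documented on this page to collect the trust anchors, CRLs and KeyName trusted names that metadata publishes for one entity, and records the gaps a deployer would want to know about (no applicable KeyAuthority, expired anchors, no trusted names) before relying on PKIX trust for that entity. The criteria classes (EntityIDCriteria, MetadataCriteria, UsageCriteria), the SAMLConstants/IDPSSODescriptor constants and the bootstrap/provider setup in main are assumed OpenSAML 2 identifiers that do not appear on this page; the metadata file path is a placeholder.

```java
import java.io.File;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Set;
import javax.xml.namespace.QName;

import org.opensaml.DefaultBootstrap;                        // assumed OpenSAML 2 class, not on this page
import org.opensaml.common.xml.SAMLConstants;                // assumed OpenSAML 2 class, not on this page
import org.opensaml.saml2.metadata.IDPSSODescriptor;         // assumed OpenSAML 2 class, not on this page
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider; // assumed OpenSAML 2 class
import org.opensaml.saml2.metadata.provider.MetadataProvider;
import org.opensaml.security.MetadataCriteria;               // assumed OpenSAML 2 criteria class
import org.opensaml.xml.parse.BasicParserPool;               // assumed OpenSAML 2 class, not on this page
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;  // assumed OpenSAML 2 criteria class
import org.opensaml.xml.security.criteria.UsageCriteria;     // assumed OpenSAML 2 criteria class
import org.opensaml.xml.security.x509.PKIXValidationInformation;

import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver;

/** Added example: audit what SAML 2 metadata provides for PKIX trust in one entity. */
public class MetadataPkixAudit {

    /** Findings for one entity, collected rather than printed so a caller can act on them. */
    public static final class Report {
        public final List<String> anchorSubjects = new ArrayList<String>();
        public final List<String> crlIssuers = new ArrayList<String>();
        public final List<String> warnings = new ArrayList<String>();
        public Set<String> trustedNames;
    }

    /** Resolve signing-key PKIX information for entityID acting in role over protocol. */
    public static Report audit(MetadataProvider provider, String entityID, QName role, String protocol)
            throws Exception {
        // Constructor throws IllegalArgumentException if provider is null (see constructor detail).
        MetadataPKIXValidationInformationResolver resolver =
                new MetadataPKIXValidationInformationResolver(provider);

        // The resolver reads entity, role/protocol and key usage from the criteria set;
        // checkCriteriaRequirements rejects sets that lack what it needs.
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityID));
        criteria.add(new MetadataCriteria(role, protocol));
        criteria.add(new UsageCriteria(UsageType.SIGNING));

        Report report = new Report();
        Date now = new Date();

        // Each PKIXValidationInformation comes from one KeyAuthority extension on the
        // EntityDescriptor or on an enclosing EntitiesDescriptor.
        int sets = 0;
        for (PKIXValidationInformation info : resolver.resolve(criteria)) {
            sets++;
            for (X509Certificate anchor : info.getCertificates()) {
                String subject = anchor.getSubjectX500Principal().getName();
                report.anchorSubjects.add(subject);
                if (anchor.getNotAfter().before(now)) {
                    report.warnings.add("expired trust anchor: " + subject);
                }
            }
            for (X509CRL crl : info.getCRLs()) {
                report.crlIssuers.add(crl.getIssuerX500Principal().getName());
            }
        }
        if (sets == 0) {
            report.warnings.add("no KeyAuthority extension applies to " + entityID
                    + "; PKIX trust cannot be established from metadata for this entity");
        }

        // Trusted names come from KeyName elements in the role's KeyDescriptor/KeyInfo.
        // Without them a PKIX trust engine can validate a chain but cannot bind it to this entity.
        if (resolver.supportsTrustedNameResolution()) {
            report.trustedNames = resolver.resolveTrustedNames(criteria);
            if (report.trustedNames.isEmpty()) {
                report.warnings.add("no KeyName trusted names published for " + entityID);
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        // Assumed OpenSAML 2 bootstrap and file-backed provider setup; path is a placeholder.
        DefaultBootstrap.bootstrap();
        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);
        FilesystemMetadataProvider provider =
                new FilesystemMetadataProvider(new File("/path/to/federation-metadata.xml"));
        provider.setParserPool(parserPool);
        provider.initialize();

        Report r = audit(provider, "https://idp.example.org/idp/shibboleth",
                IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS);
        System.out.println("anchors: " + r.anchorSubjects);
        System.out.println("CRL issuers: " + r.crlIssuers);
        System.out.println("trusted names: " + r.trustedNames);
        for (String w : r.warnings) {
            System.out.println("WARNING: " + w);
        }
    }
}
```

Because the resolver caches results per entity/role/protocol/usage and clears the cache when the provider reports a metadata change, running this audit periodically against the live provider reflects the same view a trust engine built on the resolver would see.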
## Nested Class Summary

| Modifier | Nested class | Description |
|---|---|---|
| protected class | MetadataPKIXValidationInformationResolver.MetadataCacheKey | A class which serves as the key into the cache of information previously resolved. |
| protected class | MetadataPKIXValidationInformationResolver.MetadataProviderObserver | An observer that clears the credential cache if the underlying metadata changes. |
## Field Summary

| Modifier and type | Field | Description |
|---|---|---|
| private Map<MetadataPKIXValidationInformationResolver.MetadataCacheKey,SoftReference<Set<String>>> | entityNamesCache | Cache of resolved info. |
| private Map<MetadataPKIXValidationInformationResolver.MetadataCacheKey,SoftReference<List<PKIXValidationInformation>>> | entityPKIXCache | Cache of resolved info. |
| private Map<org.opensaml.saml2.common.Extensions,SoftReference<List<PKIXValidationInformation>>> | extensionsCache | Cache of resolved info. |
| static int | KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT | Default value for Shibboleth KeyAuthority verify depth. |
| private org.slf4j.Logger | log | Class logger. |
| private org.opensaml.saml2.metadata.provider.MetadataProvider | metadata | Metadata provider from which to fetch the credentials. |
| private ReadWriteLock | rwlock | Lock used to synchronize access to the caches. |
## Constructor Summary

| Constructor | Description |
|---|---|
| MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider) | Constructor. |
## Method Summary

| Modifier and type | Method | Description |
|---|---|---|
| protected void | cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<PKIXValidationInformation> pkixInfo) | Adds resolved PKIX validation information to the cache. |
| protected void | cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<PKIXValidationInformation> pkixInfo) | Adds resolved PKIX validation information to the cache. |
| protected void | cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names) | Adds resolved trusted name information to the cache. |
| protected void | checkCriteriaRequirements(CriteriaSet criteriaSet) | Check that all necessary criteria are available. |
| protected String | getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions) | Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. |
| protected ReadWriteLock | getReadWriteLock() | Get the lock instance used to synchronize access to the caches. |
| protected List<org.opensaml.saml2.metadata.RoleDescriptor> | getRoleDescriptors(String entityID, QName role, String protocol) | Get the list of metadata role descriptors which match the given entityID, role and protocol. |
| protected Set<String> | getTrustedNames(KeyInfo keyInfo) | Extract trusted names from a KeyInfo element. |
| protected List<X509Certificate> | getX509Certificates(KeyInfo keyInfo) | Extract certificates from a KeyInfo element. |
| protected List<X509CRL> | getX509CRLs(KeyInfo keyInfo) | Extract CRLs from a KeyInfo element. |
| protected boolean | matchUsage(UsageType metadataUsage, UsageType criteriaUsage) | Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria. |
| Iterable<PKIXValidationInformation> | resolve(CriteriaSet criteriaSet) | |
| protected List<PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions) | Retrieves validation information from the metadata extension element. |
| protected List<PKIXValidationInformation> | resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor) | Retrieves validation information from the provided role descriptor. |
| protected PKIXValidationInformation | resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) | Retrieves validation information from the Shibboleth KeyAuthority metadata extension element. |
| PKIXValidationInformation | resolveSingle(CriteriaSet criteriaSet) | |
| Set<String> | resolveTrustedNames(CriteriaSet criteriaSet) | |
| protected List<PKIXValidationInformation> | retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions) | Retrieves pre-resolved PKIX validation information from the cache. |
| protected List<PKIXValidationInformation> | retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) | Retrieves pre-resolved PKIX validation information from the cache. |
| protected List<PKIXValidationInformation> | retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, UsageType usage) | Retrieves validation information from the provided metadata. |
| protected Set<String> | retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey) | Retrieves pre-resolved trusted names from the cache. |
| protected Set<String> | retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, UsageType usage) | Retrieves trusted name information from the provided metadata. |
| boolean | supportsTrustedNameResolution() | |
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
## Field Detail

public static final int KEY_AUTHORITY_VERIFY_DEPTH_DEFAULT

Default value for Shibboleth KeyAuthority verify depth.

private final org.slf4j.Logger log

Class logger.

private org.opensaml.saml2.metadata.provider.MetadataProvider metadata

Metadata provider from which to fetch the credentials.

private Map<MetadataPKIXValidationInformationResolver.MetadataCacheKey,SoftReference<List<PKIXValidationInformation>>> entityPKIXCache

Cache of resolved info.

private Map<org.opensaml.saml2.common.Extensions,SoftReference<List<PKIXValidationInformation>>> extensionsCache

Cache of resolved info.

private Map<MetadataPKIXValidationInformationResolver.MetadataCacheKey,SoftReference<Set<String>>> entityNamesCache

Cache of resolved info.

private ReadWriteLock rwlock

Lock used to synchronize access to the caches.
## Constructor Detail

public MetadataPKIXValidationInformationResolver(org.opensaml.saml2.metadata.provider.MetadataProvider metadataProvider)

Constructor.

Parameters:
- metadataProvider - provider of the metadata

Throws:
- IllegalArgumentException - thrown if the supplied provider is null

## Method Detail

public PKIXValidationInformation resolveSingle(CriteriaSet criteriaSet) throws SecurityException

Specified by:
- resolveSingle in interface Resolver<PKIXValidationInformation,CriteriaSet>

Throws:
- SecurityException

public Iterable<PKIXValidationInformation> resolve(CriteriaSet criteriaSet) throws SecurityException

Specified by:
- resolve in interface Resolver<PKIXValidationInformation,CriteriaSet>

Throws:
- SecurityException

public Set<String> resolveTrustedNames(CriteriaSet criteriaSet) throws SecurityException, UnsupportedOperationException

Specified by:
- resolveTrustedNames in interface PKIXValidationInformationResolver

Throws:
- SecurityException
- UnsupportedOperationException

public boolean supportsTrustedNameResolution()

Specified by:
- supportsTrustedNameResolution in interface PKIXValidationInformationResolver

protected ReadWriteLock getReadWriteLock()

Get the lock instance used to synchronize access to the caches.

protected void checkCriteriaRequirements(CriteriaSet criteriaSet)

Check that all necessary criteria are available.

Parameters:
- criteriaSet - the criteria set to evaluate

protected List<PKIXValidationInformation> retrievePKIXInfoFromMetadata(String entityID, QName role, String protocol, UsageType usage) throws SecurityException

Retrieves validation information from the provided metadata.

Parameters:
- entityID - entity ID for which to resolve validation information
- role - role in which the entity is operating
- protocol - protocol over which the entity is operating (may be null)
- usage - usage specifier for role descriptor key descriptors to evaluate

Throws:
- SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.metadata.RoleDescriptor roleDescriptor) throws SecurityException

Retrieves validation information from the provided role descriptor.

Parameters:
- roleDescriptor - the role descriptor from which to resolve information

Throws:
- SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<PKIXValidationInformation> resolvePKIXInfo(org.opensaml.saml2.common.Extensions extensions) throws SecurityException

Retrieves validation information from the metadata extension element.

Parameters:
- extensions - the extension element from which to resolve information

Throws:
- SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected PKIXValidationInformation resolvePKIXInfo(ShibbolethMetadataKeyAuthority keyAuthority) throws SecurityException

Retrieves validation information from the Shibboleth KeyAuthority metadata extension element.

Parameters:
- keyAuthority - the Shibboleth KeyAuthority element from which to resolve information

Throws:
- SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

protected List<X509Certificate> getX509Certificates(KeyInfo keyInfo) throws SecurityException

Extract certificates from a KeyInfo element.

Parameters:
- keyInfo - the KeyInfo instance from which to extract certificates

Throws:
- SecurityException - thrown if the certificate information is represented in an unsupported format

protected List<X509CRL> getX509CRLs(KeyInfo keyInfo) throws SecurityException

Extract CRLs from a KeyInfo element.

Parameters:
- keyInfo - the KeyInfo instance from which to extract CRLs

Throws:
- SecurityException - thrown if the CRL information is represented in an unsupported format

protected Set<String> retrieveTrustedNamesFromMetadata(String entityID, QName role, String protocol, UsageType usage) throws SecurityException

Retrieves trusted name information from the provided metadata.

Parameters:
- entityID - entity ID for which to resolve trusted names
- role - role in which the entity is operating
- protocol - protocol over which the entity is operating (may be null)
- usage - usage specifier for role descriptor key descriptors to evaluate

Throws:
- SecurityException - thrown if there is an error extracting trusted name information

protected Set<String> getTrustedNames(KeyInfo keyInfo)

Extract trusted names from a KeyInfo element.

Parameters:
- keyInfo - the KeyInfo instance from which to extract trusted names

protected boolean matchUsage(UsageType metadataUsage, UsageType criteriaUsage)

Match usage enum type values from metadata KeyDescriptor and from specified resolution criteria.

Parameters:
- metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
- criteriaUsage - the value from specified criteria

protected List<org.opensaml.saml2.metadata.RoleDescriptor> getRoleDescriptors(String entityID, QName role, String protocol) throws SecurityException

Get the list of metadata role descriptors which match the given entityID, role and protocol.

Parameters:
- entityID - entity ID of the metadata entity descriptor to resolve
- role - role in which the entity is operating
- protocol - protocol over which the entity is operating (may be null)

Throws:
- SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

protected List<PKIXValidationInformation> retrievePKIXInfoFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)

Retrieves pre-resolved PKIX validation information from the cache.

Parameters:
- cacheKey - the key to the metadata cache

protected List<PKIXValidationInformation> retrieveExtensionsInfoFromCache(org.opensaml.saml2.common.Extensions extensions)

Retrieves pre-resolved PKIX validation information from the cache.

Parameters:
- extensions - the key to the metadata cache

protected Set<String> retrieveTrustedNamesFromCache(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey)

Retrieves pre-resolved trusted names from the cache.

Parameters:
- cacheKey - the key to the metadata cache

protected void cachePKIXInfo(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, List<PKIXValidationInformation> pkixInfo)

Adds resolved PKIX validation information to the cache.

Parameters:
- cacheKey - the key for caching the information
- pkixInfo - collection of PKIX information to cache

protected void cacheExtensionsInfo(org.opensaml.saml2.common.Extensions extensions, List<PKIXValidationInformation> pkixInfo)

Adds resolved PKIX validation information to the cache.

Parameters:
- extensions - the key for caching the information
- pkixInfo - collection of PKIX information to cache

protected void cacheTrustedNames(MetadataPKIXValidationInformationResolver.MetadataCacheKey cacheKey, Set<String> names)

Adds resolved trusted name information to the cache.

Parameters:
- cacheKey - the key for caching the information
- names - collection of names to cache

protected String getExtensionsParentName(org.opensaml.saml2.common.Extensions extensions)

Get the name of the parent element of an Extensions element in metadata, mostly useful for logging purposes. If the parent is an EntityDescriptor, return the entityID value. If an EntitiesDescriptor, return the name value.

Parameters:
- extensions - the Extensions element