Class ResponseProcessorImpl

java.lang.Object
se.swedenconnect.opensaml.saml2.response.ResponseProcessorImpl
All Implemented Interfaces:
net.shibboleth.shared.component.Component, net.shibboleth.shared.component.InitializableComponent, ResponseProcessor

public class ResponseProcessorImpl extends Object implements ResponseProcessor, net.shibboleth.shared.component.InitializableComponent
Response processor for SAML Response messages.

Note that initialize() must be invoked before the bean can be used.

Author:
Martin Lindström (martin.lindstrom@litsec.se)
  • Field Details

    • metadataResolver

      protected org.opensaml.saml.metadata.resolver.MetadataResolver metadataResolver
      Metadata resolver for finding IdP and SP metadata.
    • decrypter

      protected SAMLObjectDecrypter decrypter
      The decrypter instance.
    • messageReplayChecker

      protected MessageReplayChecker messageReplayChecker
      The replay checker.
    • metadataCredentialResolver

      protected org.opensaml.saml.security.impl.MetadataCredentialResolver metadataCredentialResolver
      Used to locate certificates from the IdP metadata.
    • signatureTrustEngine

      protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine
      The signature trust engine to be used when validating signatures.
    • signatureProfileValidator

      protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator
      Validator for checking that a Signature is correct with respect to the standards.
    • responseValidator

      protected ResponseValidator responseValidator
      The response validator.
    • assertionValidator

      protected AssertionValidator assertionValidator
      The assertion validator.
    • responseValidationSettings

      protected ResponseValidationSettings responseValidationSettings
      Static response validation settings.
    • requireEncryptedAssertions

      protected boolean requireEncryptedAssertions
      Do we require assertions to be encrypted? The default is true.
    • securityConfiguration

      protected SecurityConfiguration securityConfiguration
      Custom security configuration.
  • Constructor Details

    • ResponseProcessorImpl

      public ResponseProcessorImpl()
  • Method Details

    • processSamlResponse

      public ResponseProcessingResult processSamlResponse(String samlResponse, String relayState, ResponseProcessingInput input, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseStatusErrorException, ResponseProcessingException
      Processes a SAML response including signature validation and assertion decryption.
      Specified by:
      processSamlResponse in interface ResponseProcessor
      Parameters:
      samlResponse - the base64 encoded SAML response
      relayState - the received relay state
      input - the processing input
      validationContext - optional validation context for controlling the validation and assertion validation process
      Returns:
      a result
      Throws:
      ResponseStatusErrorException - if the response indicates a non-successful Status
      ResponseProcessingException - for other processing errors
    • initialize

      public void initialize() throws net.shibboleth.shared.component.ComponentInitializationException
      Specified by:
      initialize in interface net.shibboleth.shared.component.InitializableComponent
      Throws:
      net.shibboleth.shared.component.ComponentInitializationException
    • isInitialized

      public boolean isInitialized()
      Specified by:
      isInitialized in interface net.shibboleth.shared.component.InitializableComponent
    • createResponseValidator

      protected ResponseValidator createResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator)
      Sets up the response validator.

The default implementation creates a ResponseValidator instance. For use within the Swedish eID framework, subclasses should instead create a SwedishEidResponseValidator instance, see the swedish-eid-opensaml library (https://github.com/litsec/swedish-eid-opensaml).

      Parameters:
      signatureTrustEngine - the signature trust engine to be used when validating signatures
      signatureProfileValidator - validator for checking that a Signature is correct with respect to the standards
      Returns:
      the created response validator
    • createAssertionValidator

      protected AssertionValidator createAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator)
      Sets up the assertion validator.

The default implementation creates an AssertionValidator instance. For use within the Swedish eID framework, subclasses should instead create a SwedishEidAssertionValidator instance, see the opensaml-swedish-eid library (https://github.com/swedenconnect/opensaml-swedish-eid).

      Parameters:
      signatureTrustEngine - the signature trust engine to be used when validating signatures
      signatureProfileValidator - validator for checking that a Signature is correct with respect to the standards
      Returns:
      the created assertion validator
    • getAssertionValidationParametersBuilder

      protected AbstractAssertionValidationParametersBuilder<?> getAssertionValidationParametersBuilder()
      Gets the builder used to construct the parameters passed to the assertion validator.
    • decodeResponse

      protected org.opensaml.saml.saml2.core.Response decodeResponse(String samlResponse) throws ResponseProcessingException
      Decodes the received SAML response message into a Response object.
      Parameters:
      samlResponse - the Base64 encoded SAML response
      Returns:
      a Response object
      Throws:
      ResponseProcessingException - for decoding errors
    • validateResponse

      protected void validateResponse(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseValidationException
      Validates the response including its signature.
      Parameters:
      response - the response to verify
      relayState - the relay state that was received
      input - the processing input
      idpMetadata - the IdP metadata
      validationContext - optional validation context
      Throws:
      ResponseValidationException - for validation errors
    • validateRelayState

      protected void validateRelayState(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input) throws ResponseValidationException
      Validates that the received relay state matches the relay state that was sent with the corresponding request.
      Parameters:
      response - the response
      relayState - the received relay state
      input - the response processing input
      Throws:
      ResponseValidationException - for validation errors
    • validateAssertion

      protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.Response response, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseValidationException
      Validates the assertion.
      Parameters:
      assertion - the assertion to validate
      response - the response that contained the assertion
      input - the processing input
      idpMetadata - the IdP metadata
      validationContext - optional validation context
      Throws:
      ResponseValidationException - for validation errors
    • buildSignatureValidationCriteriaSet

      protected net.shibboleth.shared.resolver.CriteriaSet buildSignatureValidationCriteriaSet(org.opensaml.saml.saml2.metadata.IDPSSODescriptor descriptor)
      Builds a CriteriaSet for use with signature validation.
      Parameters:
      descriptor - the IDP SSO descriptor
      Returns:
      a CriteriaSet
    • buildSignatureValidationParametersCriterion

      protected org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion buildSignatureValidationParametersCriterion()
      Builds a signature validation criterion based on the installed security configuration. This is used during validation of the signature of a response or assertion.
      Returns:
      a SignatureValidationParametersCriterion
    • getMetadata

      protected org.opensaml.saml.saml2.metadata.EntityDescriptor getMetadata(String entityID, QName role)
      Gets the metadata for the given entityID and role (type).
      Parameters:
      entityID - the entity ID
      role - the role
      Returns:
      the entity descriptor or null if no metadata is found
    • getSpMetadata

      protected org.opensaml.saml.saml2.metadata.EntityDescriptor getSpMetadata(String entityID)
      Gets the SAML metadata for a given SP.
      Parameters:
      entityID - the SP entityID
      Returns:
      the SP metadata or null if none is found
    • setMetadataResolver

      public void setMetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver metadataResolver)
      Assigns the metadata resolver to use.
      Parameters:
      metadataResolver - the metadata resolver
    • setDecrypter

      public void setDecrypter(SAMLObjectDecrypter decrypter)
      Assigns the decrypter instance.
      Parameters:
      decrypter - the decrypter
    • setMessageReplayChecker

      public void setMessageReplayChecker(MessageReplayChecker messageReplayChecker)
      Assigns the message replay checker to use.
      Parameters:
      messageReplayChecker - message replay checker
    • setResponseValidationSettings

      public void setResponseValidationSettings(ResponseValidationSettings responseValidationSettings)
      Assigns the response validation settings.
      Parameters:
      responseValidationSettings - validation settings
    • setRequireEncryptedAssertions

      public void setRequireEncryptedAssertions(boolean requireEncryptedAssertions)
      Assigns whether we require assertions to be encrypted. The default is true. Setting this to false makes the processor accept assertions that arrive in clear text, so only disable it when the IdP is known not to encrypt.
      Parameters:
      requireEncryptedAssertions - true if assertions must be encrypted, false otherwise
    • setSecurityConfiguration

      public void setSecurityConfiguration(SecurityConfiguration securityConfiguration)
      Assigns a custom SecurityConfiguration for the processor.
      Parameters:
      securityConfiguration - custom SecurityConfiguration
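The following is an added example, not code from the opensaml-addons project, showing how the setters above, initialize() and processSamlResponse are used together by a Service Provider. The metadata resolver, decryption credential, replay checker and ResponseProcessingInput are passed in as already-built objects because their construction is outside this class. The SAMLObjectDecrypter(Credential) constructor, the ResponseValidationSettings setter names (setAllowedClockSkew, setMaxAgeResponse, setRequireSignedAssertions, setStrictValidation) and the ResponseProcessingResult accessors getSubjectNameID() and getAttributes() are assumptions about the surrounding library; the Outcome record is defined here for illustration only.

```java
import java.time.Duration;
import java.util.List;

import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.security.credential.Credential;

import net.shibboleth.shared.component.ComponentInitializationException;
import se.swedenconnect.opensaml.common.validation.MessageReplayChecker;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessingException;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessingInput;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessingResult;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessorImpl;
import se.swedenconnect.opensaml.saml2.response.ResponseStatusErrorException;
import se.swedenconnect.opensaml.saml2.response.validation.ResponseValidationSettings;
import se.swedenconnect.opensaml.xmlsec.encryption.support.SAMLObjectDecrypter;

public final class ResponseProcessorExample {

  /** Result handed back to the login flow (illustrative type, not part of the library). */
  public record Outcome(boolean authenticated, String subject, String reason) {
  }

  /**
   * Wires a ResponseProcessorImpl with the setters documented on this page and
   * initializes it. Must be done once; the processor is then reused for all responses.
   */
  public static ResponseProcessorImpl buildProcessor(final MetadataResolver metadataResolver,
      final Credential decryptionCredential, final MessageReplayChecker replayChecker)
      throws ComponentInitializationException {

    // Static validation settings (setter names assumed for this example).
    final ResponseValidationSettings settings = new ResponseValidationSettings();
    settings.setAllowedClockSkew(Duration.ofSeconds(30)); // tolerate small IdP/SP clock drift
    settings.setMaxAgeResponse(Duration.ofMinutes(3));    // reject stale responses
    settings.setRequireSignedAssertions(true);            // assertions must carry their own signature
    settings.setStrictValidation(true);

    final ResponseProcessorImpl processor = new ResponseProcessorImpl();
    processor.setMetadataResolver(metadataResolver);       // IdP certificates come from metadata
    processor.setDecrypter(new SAMLObjectDecrypter(decryptionCredential)); // ctor assumed
    processor.setMessageReplayChecker(replayChecker);      // blocks re-submission of a seen response
    processor.setResponseValidationSettings(settings);
    processor.setRequireEncryptedAssertions(true);         // the default, stated explicitly
    processor.initialize();                                // mandatory before first use
    return processor;
  }

  /**
   * Processes one received response. The relay state must be the raw value received on
   * the wire, since validateRelayState compares it with what was sent in the request.
   */
  public static Outcome handleResponse(final ResponseProcessorImpl processor,
      final String base64SamlResponse, final String receivedRelayState,
      final ResponseProcessingInput input) {
    try {
      // Passing null as ValidationContext uses the processor's own settings.
      final ResponseProcessingResult result =
          processor.processSamlResponse(base64SamlResponse, receivedRelayState, input, null);

      // Accessors assumed: the validated, decrypted assertion's subject and attributes.
      final String subject = result.getSubjectNameID().getValue();
      final List<Attribute> attributes = result.getAttributes();
      return new Outcome(true, subject, attributes.size() + " attributes received");
    }
    catch (final ResponseStatusErrorException e) {
      // The response passed processing but carries a non-Success <Status>, e.g. the
      // user cancelled at the IdP. Not an attack, but never a login either.
      return new Outcome(false, null, "IdP returned error status: " + e.getMessage());
    }
    catch (final ResponseProcessingException e) {
      // Decoding, signature, replay, relay state or assertion validation failed.
      // Fail closed: log the cause, do not retry with relaxed settings.
      return new Outcome(false, null, "response rejected: " + e.getMessage());
    }
  }
}
```

Keep the ResponseStatusErrorException branch separate from the generic one: a status error is a legitimate IdP answer that the user may be shown, whereas a ResponseProcessingException means the message did not verify and its contents must not influence the session in any way.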
    • checkSetterPreconditions

      protected final void checkSetterPreconditions()
      Helper for a setter method to check the standard preconditions.