Class ResponseProcessorImpl

java.lang.Object
  se.swedenconnect.opensaml.saml2.response.ResponseProcessorImpl

- All Implemented Interfaces:
  net.shibboleth.shared.component.Component, net.shibboleth.shared.component.InitializableComponent, ResponseProcessor

public class ResponseProcessorImpl
extends Object
implements ResponseProcessor, net.shibboleth.shared.component.InitializableComponent

Response processor for SAML Response messages.

Note that initialize() must be invoked before the bean can be used.

- Author:
  Martin Lindström (martin.lindstrom@litsec.se)
Field Summary

Modifier and Type | Field | Description
protected AssertionValidator | assertionValidator | The assertion validator.
protected SAMLObjectDecrypter | decrypter | The decrypter instance.
protected MessageReplayChecker | messageReplayChecker | The replay checker.
protected org.opensaml.saml.security.impl.MetadataCredentialResolver | metadataCredentialResolver | Used to locate certificates from the IdP metadata.
protected org.opensaml.saml.metadata.resolver.MetadataResolver | metadataResolver | Metadata resolver for finding IdP and SP metadata.
protected boolean | requireEncryptedAssertions | Do we require assertions to be encrypted?
protected ResponseValidationSettings | responseValidationSettings | Static response validation settings.
protected ResponseValidator | responseValidator | The response validator.
protected SecurityConfiguration | securityConfiguration | Custom security configuration.
protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator | signatureProfileValidator | Validator for checking that a Signature is correct with respect to the standards.
protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine | signatureTrustEngine | The signature trust engine to be used when validating signatures.
Constructor Summary

Constructor | Description
ResponseProcessorImpl() |
Method Summary

Modifier and Type | Method | Description
protected net.shibboleth.shared.resolver.CriteriaSet | buildSignatureValidationCriteriaSet(org.opensaml.saml.saml2.metadata.IDPSSODescriptor descriptor) | Builds a CriteriaSet for use with signature validation.
protected org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion | buildSignatureValidationParametersCriterion() | Builds a signature validation criterion based on the installed security configuration.
protected final void | checkSetterPreconditions() | Helper for a setter method to check the standard preconditions.
protected AssertionValidator | createAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator) | Sets up the assertion validator.
protected ResponseValidator | createResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator) | Sets up the response validator.
protected org.opensaml.saml.saml2.core.Response | decodeResponse(String samlResponse) | Decodes the received SAML response message into a Response object.
protected AbstractAssertionValidationParametersBuilder<?> | getAssertionValidationParametersBuilder |
protected org.opensaml.saml.saml2.metadata.EntityDescriptor | getMetadata(String entityID, QName role) | Gets the metadata for the given entityID and role (type).
protected org.opensaml.saml.saml2.metadata.EntityDescriptor | getSpMetadata(String entityID) | Gets the SAML metadata for a given SP.
void | initialize() |
boolean | isInitialized() |
ResponseProcessingResult | processSamlResponse(String samlResponse, String relayState, ResponseProcessingInput input, org.opensaml.saml.common.assertion.ValidationContext validationContext) | Processes a SAML response including signature validation and assertion decryption.
void | setDecrypter(SAMLObjectDecrypter decrypter) | Assigns the decrypter instance.
void | setMessageReplayChecker(MessageReplayChecker messageReplayChecker) | Assigns the message replay checker to use.
void | setMetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver metadataResolver) | Assigns the metadata resolver to use.
void | setRequireEncryptedAssertions(boolean requireEncryptedAssertions) | Assigns whether we require assertions to be encrypted.
void | setResponseValidationSettings(ResponseValidationSettings responseValidationSettings) | Assigns the response validation settings.
void | setSecurityConfiguration(SecurityConfiguration securityConfiguration) | Assigns a custom SecurityConfiguration for the processor.
protected void | validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.Response response, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) | Validates the assertion.
protected void | validateRelayState(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input) | Validates that the received relay state matches what we sent.
protected void | validateResponse(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) | Validates the response including its signature.
Field Details

- metadataResolver
  protected org.opensaml.saml.metadata.resolver.MetadataResolver metadataResolver
  Metadata resolver for finding IdP and SP metadata.

- decrypter
  protected SAMLObjectDecrypter decrypter
  The decrypter instance.

- messageReplayChecker
  protected MessageReplayChecker messageReplayChecker
  The replay checker.

- metadataCredentialResolver
  protected org.opensaml.saml.security.impl.MetadataCredentialResolver metadataCredentialResolver
  Used to locate certificates from the IdP metadata.

- signatureTrustEngine
  protected org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine
  The signature trust engine to be used when validating signatures.

- signatureProfileValidator
  protected org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator
  Validator for checking that a Signature is correct with respect to the standards.

- responseValidator
  protected ResponseValidator responseValidator
  The response validator.

- assertionValidator
  protected AssertionValidator assertionValidator
  The assertion validator.

- responseValidationSettings
  protected ResponseValidationSettings responseValidationSettings
  Static response validation settings.

- requireEncryptedAssertions
  protected boolean requireEncryptedAssertions
  Do we require assertions to be encrypted? The default is true.

- securityConfiguration
  protected SecurityConfiguration securityConfiguration
  Custom security configuration.
Constructor Details

- ResponseProcessorImpl
  public ResponseProcessorImpl()
Method Details

- processSamlResponse
  public ResponseProcessingResult processSamlResponse(String samlResponse, String relayState, ResponseProcessingInput input, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseStatusErrorException, ResponseProcessingException

  Processes a SAML response including signature validation and assertion decryption.

  - Specified by:
    processSamlResponse in interface ResponseProcessor
  - Parameters:
    samlResponse - the base64 encoded SAML response
    relayState - the received relay state
    input - the processing input
    validationContext - optional validation context for controlling the validation and assertion validation process
  - Returns:
    a result
  - Throws:
    ResponseStatusErrorException - if the response indicates a non-successful Status
    ResponseProcessingException - for other processing errors
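As an added example (not code from the Sweden Connect opensaml-ext project or from this Javadoc), the Java class below wires a ResponseProcessorImpl using only the setters documented on this page, calls initialize() as the class description requires, and maps the two documented exception types to distinct outcomes so that an IdP-reported login failure is not confused with a response that failed signature, replay, relay-state or assertion validation. The import packages chosen for SAMLObjectDecrypter and MessageReplayChecker, the class name SpResponseHandler, the Outcome enum and passing null for the optional ValidationContext are assumptions not stated on this page.

```java
import net.shibboleth.shared.component.ComponentInitializationException;
import org.opensaml.saml.metadata.resolver.MetadataResolver;

import se.swedenconnect.opensaml.saml2.response.ResponseProcessingException;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessingInput;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessingResult;
import se.swedenconnect.opensaml.saml2.response.ResponseProcessorImpl;
import se.swedenconnect.opensaml.saml2.response.ResponseStatusErrorException;
// ASSUMPTION: the packages of these two types are not given on this page.
import se.swedenconnect.opensaml.saml2.response.replay.MessageReplayChecker;
import se.swedenconnect.opensaml.xmlsec.encryption.support.SAMLObjectDecrypter;

/**
 * Example SP-side wrapper (hypothetical class, not part of the library) that owns a
 * fully configured and initialized ResponseProcessorImpl.
 */
public final class SpResponseHandler {

  /** How a received Response ended up; constructed for this example. */
  public enum Outcome { SUCCESS, IDP_REPORTED_ERROR, INVALID }

  private final ResponseProcessorImpl processor;

  public SpResponseHandler(MetadataResolver metadataResolver,
                           SAMLObjectDecrypter decrypter,
                           MessageReplayChecker replayChecker)
      throws ComponentInitializationException {
    this.processor = new ResponseProcessorImpl();

    // The metadata resolver is where IdP signing certificates are located
    // (see metadataCredentialResolver), so signature validation depends on it.
    this.processor.setMetadataResolver(metadataResolver);

    // Needed to decrypt EncryptedAssertion elements with the SP's own key.
    this.processor.setDecrypter(decrypter);

    // Rejects a Response whose message ID has already been seen (replay protection).
    this.processor.setMessageReplayChecker(replayChecker);

    // Explicitly keep the documented default: plaintext assertions are rejected.
    this.processor.setRequireEncryptedAssertions(true);

    // The class Javadoc is explicit: initialize() must run before the bean is used.
    this.processor.initialize();
  }

  /**
   * Processes one Base64-encoded Response received at the SP.
   *
   * @param base64SamlResponse the SAMLResponse form parameter as received
   * @param relayState the RelayState form parameter as received (may be null)
   * @param input the processing input describing the AuthnRequest we sent
   * @return the classified outcome
   */
  public Outcome handle(String base64SamlResponse, String relayState, ResponseProcessingInput input) {
    try {
      // ASSUMPTION: null is accepted for the "optional validation context" parameter.
      ResponseProcessingResult result =
          this.processor.processSamlResponse(base64SamlResponse, relayState, input, null);
      // result carries the validated, decrypted assertion; its accessors are not
      // documented on this page, so it is only retained here.
      return result != null ? Outcome.SUCCESS : Outcome.INVALID;
    }
    catch (ResponseStatusErrorException e) {
      // The IdP answered with a non-successful Status. Validation of the message
      // itself passed; this is a user/IdP-side login failure, not tampering.
      return Outcome.IDP_REPORTED_ERROR;
    }
    catch (ResponseProcessingException e) {
      // Decoding, signature, replay, relay-state or assertion validation failed.
      // Log this separately from IDP_REPORTED_ERROR: it is the signal a defender
      // wants to alert on, since it covers forged or replayed responses.
      return Outcome.INVALID;
    }
  }
}
```

The two catch blocks are ordered with ResponseStatusErrorException first so the code compiles whether or not that type is a subclass of ResponseProcessingException, which this page does not state. Keeping setRequireEncryptedAssertions(true) explicit, even though it is the default, documents the policy choice in the SP's own configuration.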
- initialize
  public void initialize() throws net.shibboleth.shared.component.ComponentInitializationException

  - Specified by:
    initialize in interface net.shibboleth.shared.component.InitializableComponent
  - Throws:
    net.shibboleth.shared.component.ComponentInitializationException

- isInitialized
  public boolean isInitialized()

  - Specified by:
    isInitialized in interface net.shibboleth.shared.component.InitializableComponent

- createResponseValidator
  protected ResponseValidator createResponseValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator)

  Sets up the response validator.

  The default implementation creates a ResponseValidator instance. For use within the Swedish eID framework, subclasses should create a SwedishEidResponseValidator instance; see the swedish-eid-opensaml library (https://github.com/litsec/swedish-eid-opensaml).

  - Parameters:
    signatureTrustEngine - the signature trust engine to be used when validating signatures
    signatureProfileValidator - validator for checking that a Signature is correct with respect to the standards
  - Returns:
    the created response validator

- createAssertionValidator
  protected AssertionValidator createAssertionValidator(org.opensaml.xmlsec.signature.support.SignatureTrustEngine signatureTrustEngine, org.opensaml.xmlsec.signature.support.SignaturePrevalidator signatureProfileValidator)

  Sets up the assertion validator.

  The default implementation creates an AssertionValidator instance. For use within the Swedish eID framework, subclasses should create a SwedishEidAssertionValidator instance; see the opensaml-swedish-eid library (https://github.com/swedenconnect/opensaml-swedish-eid).

  - Parameters:
    signatureTrustEngine - the signature trust engine to be used when validating signatures
    signatureProfileValidator - validator for checking that a Signature is correct with respect to the standards
  - Returns:
    the created assertion validator

- getAssertionValidationParametersBuilder

- decodeResponse
  protected org.opensaml.saml.saml2.core.Response decodeResponse(String samlResponse) throws ResponseProcessingException

  Decodes the received SAML response message into a Response object.

  - Parameters:
    samlResponse - the Base64 encoded SAML response
  - Returns:
    a Response object
  - Throws:
    ResponseProcessingException - for decoding errors

- validateResponse
  protected void validateResponse(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseValidationException

  Validates the response including its signature.

  - Parameters:
    response - the response to verify
    relayState - the relay state that was received
    input - the processing input
    idpMetadata - the IdP metadata
    validationContext - optional validation context
  - Throws:
    ResponseValidationException - for validation errors

- validateRelayState
  protected void validateRelayState(org.opensaml.saml.saml2.core.Response response, String relayState, ResponseProcessingInput input) throws ResponseValidationException

  Validates that the received relay state matches what we sent.

  - Parameters:
    response - the response
    relayState - the received relay state
    input - the response processing input
  - Throws:
    ResponseValidationException - for validation errors

- validateAssertion
  protected void validateAssertion(org.opensaml.saml.saml2.core.Assertion assertion, org.opensaml.saml.saml2.core.Response response, ResponseProcessingInput input, org.opensaml.saml.saml2.metadata.EntityDescriptor idpMetadata, org.opensaml.saml.common.assertion.ValidationContext validationContext) throws ResponseValidationException

  Validates the assertion.

  - Parameters:
    assertion - the assertion to validate
    response - the response that contained the assertion
    input - the processing input
    idpMetadata - the IdP metadata
    validationContext - optional validation context
  - Throws:
    ResponseValidationException - for validation errors

- buildSignatureValidationCriteriaSet
  protected net.shibboleth.shared.resolver.CriteriaSet buildSignatureValidationCriteriaSet(org.opensaml.saml.saml2.metadata.IDPSSODescriptor descriptor)

  Builds a CriteriaSet for use with signature validation.

  - Parameters:
    descriptor - the IDP SSO descriptor
  - Returns:
    a CriteriaSet

- buildSignatureValidationParametersCriterion
  protected org.opensaml.xmlsec.signature.support.SignatureValidationParametersCriterion buildSignatureValidationParametersCriterion()

  Builds a signature validation criterion based on the installed security configuration. This is used during validation of the signature of a response or assertion.

  - Returns:
    a SignatureValidationParametersCriterion

- getMetadata
  protected org.opensaml.saml.saml2.metadata.EntityDescriptor getMetadata(String entityID, QName role)

  Gets the metadata for the given entityID and role (type).

  - Parameters:
    entityID - the entity ID
    role - the role
  - Returns:
    the entity descriptor, or null if no metadata is found

- getSpMetadata
  protected org.opensaml.saml.saml2.metadata.EntityDescriptor getSpMetadata(String entityID)

  Gets the SAML metadata for a given SP.

  - Parameters:
    entityID - the SP entityID
  - Returns:
    the SP metadata, or null if none is found

- setMetadataResolver
  public void setMetadataResolver(org.opensaml.saml.metadata.resolver.MetadataResolver metadataResolver)

  Assigns the metadata resolver to use.

  - Parameters:
    metadataResolver - the metadata resolver

- setDecrypter
  public void setDecrypter(SAMLObjectDecrypter decrypter)

  Assigns the decrypter instance.

  - Parameters:
    decrypter - the decrypter

- setMessageReplayChecker
  public void setMessageReplayChecker(MessageReplayChecker messageReplayChecker)

  Assigns the message replay checker to use.

  - Parameters:
    messageReplayChecker - the message replay checker

- setResponseValidationSettings
  public void setResponseValidationSettings(ResponseValidationSettings responseValidationSettings)

  Assigns the response validation settings.

  - Parameters:
    responseValidationSettings - the validation settings

- setRequireEncryptedAssertions
  public void setRequireEncryptedAssertions(boolean requireEncryptedAssertions)

  Assigns whether we require assertions to be encrypted. The default is true.

  - Parameters:
    requireEncryptedAssertions - true to require encrypted assertions, false otherwise

- setSecurityConfiguration
  public void setSecurityConfiguration(SecurityConfiguration securityConfiguration)

  Assigns a custom SecurityConfiguration for the processor.

  - Parameters:
    securityConfiguration - the custom SecurityConfiguration

- checkSetterPreconditions
  protected final void checkSetterPreconditions()

  Helper for a setter method to check the standard preconditions.