public class SignatureValidationFilter extends Object implements MetadataFilter
Constructor and Description |
---|
SignatureValidationFilter(SignatureTrustEngine engine)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
protected net.shibboleth.utilities.java.support.resolver.CriteriaSet |
buildCriteriaSet(SignableXMLObject signedMetadata,
String metadataEntryName,
boolean isEntityGroup)
Build the criteria set which will be used as input to the configured trust engine.
|
XMLObject |
filter(XMLObject metadata)
Filters the given metadata, perhaps to remove elements that are not wanted.
|
net.shibboleth.utilities.java.support.resolver.CriteriaSet |
getDefaultCriteria()
Get the optional set of default criteria used as input to the trust engine.
|
com.google.common.base.Function<XMLObject,Set<String>> |
getDynamicTrustedNamesStrategy()
Get the strategy function for extracting dynamic trusted names from signed metadata elements.
|
boolean |
getRequireSignature()
Get whether incoming metadata's root element is required to be signed.
|
protected String |
getRoleIDToken(String entityID,
RoleDescriptor role)
Get a string token for logging/debugging purposes that contains role information and containing entityID.
|
SignaturePrevalidator |
getSignaturePrevalidator()
Get the validator used to perform pre-validation on Signature tokens.
|
SignatureTrustEngine |
getSignatureTrustEngine()
Gets the trust engine used to validate signatures on incoming metadata.
|
protected void |
performPreValidation(Signature signature,
String metadataEntryName)
Perform pre-validation on the Signature token.
|
protected void |
processEntityDescriptor(EntityDescriptor entityDescriptor)
Process the signatures on the specified EntityDescriptor and any signed children.
|
protected void |
processEntityGroup(EntitiesDescriptor entitiesDescriptor)
Process the signatures on the specified EntitiesDescriptor and any signed children.
|
void |
setDefaultCriteria(net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria)
Set the optional set of default criteria used as input to the trust engine.
|
void |
setDynamicTrustedNamesStrategy(com.google.common.base.Function<XMLObject,Set<String>> strategy)
Get the strategy function for extracting dynamic trusted names from signed metadata elements.
|
void |
setRequireSignature(boolean require)
Set whether incoming metadata's root element is required to be signed.
|
void |
setSignaturePrevalidator(SignaturePrevalidator validator)
Set the validator used to perform pre-validation on Signature tokens.
|
protected void |
verifySignature(SignableXMLObject signedMetadata,
String metadataEntryName,
boolean isEntityGroup)
Evaluate the signature on the signed metadata instance.
|
public SignatureValidationFilter(@Nonnull SignatureTrustEngine engine)
Signature pre-validator defaults to SAMLSignatureProfileValidator
.
Dynamic trusted names strategy defaults to BasicDynamicTrustedNamesStrategy
.
engine
- the trust engine used to validate signatures on incoming metadata.@Nullable public com.google.common.base.Function<XMLObject,Set<String>> getDynamicTrustedNamesStrategy()
Defaults to: BasicDynamicTrustedNamesStrategy
.
public void setDynamicTrustedNamesStrategy(@Nullable com.google.common.base.Function<XMLObject,Set<String>> strategy)
Defaults to: BasicDynamicTrustedNamesStrategy
.
strategy
- the function, may be null@Nonnull public SignatureTrustEngine getSignatureTrustEngine()
@Nullable public SignaturePrevalidator getSignaturePrevalidator()
Defaults to: SAMLSignatureProfileValidator
.
public void setSignaturePrevalidator(@Nullable SignaturePrevalidator validator)
Defaults to: SAMLSignatureProfileValidator
.
validator
- the signature prevalidator to usepublic boolean getRequireSignature()
Defaults to true
.
public void setRequireSignature(boolean require)
Defaults to true
.
require
- whether incoming metadata is required to be signed@Nullable public net.shibboleth.utilities.java.support.resolver.CriteriaSet getDefaultCriteria()
public void setDefaultCriteria(@Nullable net.shibboleth.utilities.java.support.resolver.CriteriaSet newCriteria)
newCriteria
- the new criteria set to use@Nullable public XMLObject filter(@Nullable XMLObject metadata) throws FilterException
filter
in interface MetadataFilter
metadata
- the metadata to be filtered.FilterException
- thrown if an error occurs during the filtering processprotected void processEntityDescriptor(@Nonnull EntityDescriptor entityDescriptor) throws FilterException
entityDescriptor
- the EntityDescriptor to be processedFilterException
- thrown if an error occurs during the signature verification process
on the root EntityDescriptor specifiedprotected void processEntityGroup(@Nonnull EntitiesDescriptor entitiesDescriptor) throws FilterException
entitiesDescriptor
- the EntitiesDescriptor to be processedFilterException
- thrown if an error occurs during the signature verification process
on the root EntitiesDescriptor specifiedprotected void verifySignature(@Nonnull SignableXMLObject signedMetadata, @Nonnull @NotEmpty String metadataEntryName, boolean isEntityGroup) throws FilterException
signedMetadata
- the metadata object whose signature is to be verifiedmetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building a criteria set).isEntityGroup
- flag indicating whether the signed object is a metadata group (EntitiesDescriptor),
primarily useful for constructing a criteria set for the trust engineFilterException
- thrown if the metadata entry's signature can not be established as trusted,
or if an error occurs during the signature verification processprotected void performPreValidation(@Nonnull Signature signature, @Nonnull @NotEmpty String metadataEntryName) throws FilterException
signature
- the signature to evaluatemetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building a criteria set).FilterException
- thrown if the signature element fails pre-validation@Nonnull protected net.shibboleth.utilities.java.support.resolver.CriteriaSet buildCriteriaSet(@Nonnull SignableXMLObject signedMetadata, @Nonnull @NotEmpty String metadataEntryName, boolean isEntityGroup)
signedMetadata
- the metadata element whose signature is being verifiedmetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building the criteria set).isEntityGroup
- flag indicating whether the signed object is a metadata group (EntitiesDescriptor)protected String getRoleIDToken(@Nonnull @NotEmpty String entityID, @Nonnull RoleDescriptor role)
entityID
- the containing entityIDrole
- the role descriptorCopyright © 2018. All rights reserved.