se.litsec.opensaml.saml2.common.response

Class ResponseProcessorImpl

java.lang.Object

se.litsec.opensaml.saml2.common.response.ResponseProcessorImpl

All Implemented Interfaces:

ResponseProcessor

public class ResponseProcessorImpl
extends Object
implements ResponseProcessor

Response processor for SAML Response messages.

Note that initialize() must be invoked before the bean can be used.

Author:

Martin Lindström (martin.lindstrom@litsec.se)

Field Summary

Fields

Modifier and Type	Field and Description
protected AssertionValidator	assertionValidator The assertion validator.
protected SAMLObjectDecrypter	decrypter The decrypter instance.
protected MessageReplayChecker	messageReplayChecker The replay checker.
protected MetadataCredentialResolver	metadataCredentialResolver Used to locate certificates from the IdP metadata.
protected ResponseValidationSettings	responseValidationSettings Static response validation settings.
protected ResponseValidator	responseValidator The response validator.
protected SignaturePrevalidator	signatureProfileValidator Validator for checking the a Signature is correct with respect to the standards.
protected SignatureTrustEngine	signatureTrustEngine The signature trust engine to be used when validating signatures.

Constructor Summary

Constructors

Constructor and Description
ResponseProcessorImpl()

Method Summary

Modifier and Type	Method and Description
protected AssertionValidator	createAssertionValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signatureProfileValidator) Sets up the assertion validator.
protected ResponseValidator	createResponseValidator(SignatureTrustEngine signatureTrustEngine, SignaturePrevalidator signatureProfileValidator) Sets up the response validator.
protected Response	decodeResponse(String samlResponse) Decodes the received SAML response message into a Response object.
void	initialize() Initializes the component.
ResponseProcessingResult	processSamlResponse(String samlResponse, String relayState, ResponseProcessingInput input, PeerMetadataResolver peerMetadataResolver, ValidationContext validationContext) Processes a SAML response including signature validation and assertion decryption.
void	setDecrypter(SAMLObjectDecrypter decrypter) Assigns the decrypter instance.
void	setMessageReplayChecker(MessageReplayChecker messageReplayChecker) Assigns the message replay checker to use.
void	setResponseValidationSettings(ResponseValidationSettings responseValidationSettings) Assigns the response validation settings.
protected void	validateAssertion(Assertion assertion, Response response, ResponseProcessingInput input, EntityDescriptor idpMetadata, ValidationContext validationContext) Validates the assertion.
protected void	validateRelayState(Response response, String relayState, ResponseProcessingInput input) Validates the received relay state matches what we sent.
protected void	validateResponse(Response response, String relayState, ResponseProcessingInput input, EntityDescriptor idpMetadata, ValidationContext validationContext) Validates the response including its signature.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

decrypter

protected SAMLObjectDecrypter decrypter

The decrypter instance.

messageReplayChecker

protected MessageReplayChecker messageReplayChecker

The replay checker.

metadataCredentialResolver

protected MetadataCredentialResolver metadataCredentialResolver

Used to locate certificates from the IdP metadata.

signatureTrustEngine

protected SignatureTrustEngine signatureTrustEngine

The signature trust engine to be used when validating signatures.

signatureProfileValidator

protected SignaturePrevalidator signatureProfileValidator

Validator for checking the a Signature is correct with respect to the standards.

responseValidator

protected ResponseValidator responseValidator

The response validator.

assertionValidator

protected AssertionValidator assertionValidator

The assertion validator.

responseValidationSettings

protected ResponseValidationSettings responseValidationSettings

Static response validation settings.

Constructor Detail

ResponseProcessorImpl

public ResponseProcessorImpl()

Method Detail

processSamlResponse

public ResponseProcessingResult processSamlResponse(String samlResponse,
                                                    String relayState,
                                                    ResponseProcessingInput input,
                                                    PeerMetadataResolver peerMetadataResolver,
                                                    ValidationContext validationContext)
                                             throws ResponseStatusErrorException,
                                                    ResponseProcessingException

Processes a SAML response including signature validation and assertion decryption.

Specified by:

processSamlResponse in interface ResponseProcessor

Parameters:

samlResponse - the base64 encoded SAML response

relayState - the received relay state

input - the processing input

peerMetadataResolver - a resolver for finding the peer metadata entry

validationContext - optional validation context for controlling the validation and assertion validation process

Returns:

a result

Throws:

ResponseStatusErrorException - if the response indicates a non-successful Status

ResponseProcessingException - for other processing errors

initialize

public void initialize()
                throws Exception

Initializes the component.

Throws:

Exception - for initialization errors

createResponseValidator

protected ResponseValidator createResponseValidator(SignatureTrustEngine signatureTrustEngine,
                                                    SignaturePrevalidator signatureProfileValidator)

Sets up the response validator.

The default implementation creates a ResponseValidator instance. For use within the Swedish eID framework subclasses should create a SwedishEidResponseValidator instance, see the swedish-eid-opensaml library (https://github.com/litsec/swedish-eid-opensaml).

Parameters:

signatureTrustEngine - the signature trust engine to be used when validating signatures

signatureProfileValidator - validator for checking the a Signature is correct with respect to the standards

Returns:

the created response validator

createAssertionValidator

protected AssertionValidator createAssertionValidator(SignatureTrustEngine signatureTrustEngine,
                                                      SignaturePrevalidator signatureProfileValidator)

Sets up the assertion validator.

The default implementation creates a AssertionValidator instance. For use within the Swedish eID framework subclasses should create a SwedishEidAssertionValidator instance, see the swedish-eid-opensaml library (https://github.com/litsec/swedish-eid-opensaml).

Parameters:

signatureTrustEngine - the signature trust engine to be used when validating signatures

signatureProfileValidator - validator for checking the a Signature is correct with respect to the standards

Returns:

the created assertion validator

decodeResponse

protected Response decodeResponse(String samlResponse)
                           throws ResponseProcessingException

Decodes the received SAML response message into a Response object.

Parameters:

samlResponse - the Base64 encoded SAML response

Returns:

a Response object

Throws:

ResponseProcessingException - for decoding errors

validateResponse

protected void validateResponse(Response response,
                                String relayState,
                                ResponseProcessingInput input,
                                EntityDescriptor idpMetadata,
                                ValidationContext validationContext)
                         throws ResponseValidationException

Validates the response including its signature.

Parameters:

response - the response to verify

relayState - the relay state that was received

input - the processing input

idpMetadata - the IdP metadata

validationContext - optional validation context

Throws:

ResponseValidationException - for validation errors

validateRelayState

protected void validateRelayState(Response response,
                                  String relayState,
                                  ResponseProcessingInput input)
                           throws ResponseValidationException

Validates the received relay state matches what we sent.

Parameters:

response - the response

relayState - the received relay state

input - the response processing input

Throws:

ResponseValidationException - for validation errors

validateAssertion

protected void validateAssertion(Assertion assertion,
                                 Response response,
                                 ResponseProcessingInput input,
                                 EntityDescriptor idpMetadata,
                                 ValidationContext validationContext)
                          throws ResponseValidationException

Validates the assertion.

Parameters:

assertion - the assertion to validate

response - the response that contained the assertion

input - the processing input

idpMetadata - the IdP metadat

validationContext - optional validation context

Throws:

ResponseValidationException - for validation errors

setDecrypter

public void setDecrypter(SAMLObjectDecrypter decrypter)

Assigns the decrypter instance.

Parameters:

decrypter - the decrypter

setMessageReplayChecker

public void setMessageReplayChecker(MessageReplayChecker messageReplayChecker)

Assigns the message replay checker to use.

Parameters:

messageReplayChecker - message replay checker

setResponseValidationSettings

public void setResponseValidationSettings(ResponseValidationSettings responseValidationSettings)

Assigns the response validation settings.

Parameters:

responseValidationSettings - validation settings