public class SignatureValidationFilter extends Object implements MetadataFilter
| Constructor and Description |
|---|
| `SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine)` Constructor. |
| `SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator)` Constructor. |
| Modifier and Type | Method and Description |
|---|---|
| `protected org.opensaml.xml.security.CriteriaSet` | `buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup)` Build the criteria set which will be used as input to the configured trust engine. |
| `void` | `doFilter(org.opensaml.xml.XMLObject metadata)` Filters the given metadata, perhaps to remove elements that are not wanted. |
| `org.opensaml.xml.security.CriteriaSet` | `getDefaultCriteria()` Get the set of default criteria used as input to the trust engine. |
| `boolean` | `getRequireSignature()` Gets whether incoming metadata's root element is required to be signed. |
| `protected String` | `getRoleIDToken(String entityID, RoleDescriptor role)` Get a string token for logging/debugging purposes that contains role information and the containing entityID. |
| `org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature>` | `getSignaturePrevalidator()` Get the validator used to perform pre-validation on Signature tokens. |
| `org.opensaml.xml.signature.SignatureTrustEngine` | `getSignatureTrustEngine()` Gets the trust engine used to validate signatures on incoming metadata. |
| `protected void` | `performPreValidation(org.opensaml.xml.signature.Signature signature, String metadataEntryName)` Perform pre-validation on the Signature token. |
| `protected void` | `processEntityDescriptor(EntityDescriptor entityDescriptor)` Process the signatures on the specified EntityDescriptor and any signed children. |
| `protected void` | `processEntityGroup(EntitiesDescriptor entitiesDescriptor)` Process the signatures on the specified EntitiesDescriptor and any signed children. |
| `void` | `setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria)` Set the set of default criteria used as input to the trust engine. |
| `void` | `setRequireSignature(boolean require)` Sets whether incoming metadata's root element is required to be signed. |
| `protected void` | `verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup)` Evaluate the signature on the signed metadata instance. |
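The summary above describes the filter's contract (a trust engine supplies the trust decision, an optional pre-validator runs before any cryptography, `setRequireSignature` decides whether an unsigned root is rejected, and `doFilter` is invoked by the metadata provider). The following is an added example of wiring the filter into an OpenSAML 2 metadata provider; it is not code from the OpenSAML project or from this page. The file paths and the entityID are assumptions chosen for the example, and the example uses `ExplicitKeySignatureTrustEngine` and `SAMLSignatureProfileValidator` from the same library as the trust engine and pre-validator respectively.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.SignatureValidationFilter;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;

public class SignedMetadataLoader {

    // Assumed paths for this example: the federation's metadata-signing
    // certificate (DER or PEM) and a signed EntitiesDescriptor aggregate.
    private static final String SIGNER_CERT_PATH = "/etc/saml/federation-signer.crt";
    private static final String METADATA_PATH = "/etc/saml/federation-metadata.xml";

    public static FilesystemMetadataProvider buildProvider() throws Exception {
        DefaultBootstrap.bootstrap();

        // Trust anchor: pin the signer's certificate explicitly rather than
        // trusting whatever KeyInfo the metadata file carries.
        BasicX509Credential signerCredential = new BasicX509Credential();
        signerCredential.setEntityCertificate(loadCertificate(SIGNER_CERT_PATH));

        // ExplicitKeySignatureTrustEngine only accepts a signature whose key is
        // resolvable from the static resolver; KeyInfo in the document is used
        // merely to locate a candidate key, never to establish trust.
        KeyInfoCredentialResolver keyInfoResolver =
            Configuration.getGlobalSecurityConfiguration().getDefaultKeyInfoCredentialResolver();
        ExplicitKeySignatureTrustEngine trustEngine = new ExplicitKeySignatureTrustEngine(
            new StaticCredentialResolver(signerCredential), keyInfoResolver);

        // The pre-validator enforces the SAML signature profile (enveloped
        // signature referencing the signed element's own ID) before the trust
        // engine runs, so malformed or relocated Signature elements are rejected early.
        SignatureValidationFilter filter = new SignatureValidationFilter(
            trustEngine, new SAMLSignatureProfileValidator());
        // Without this an unsigned root element passes the filter untouched.
        filter.setRequireSignature(true);

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);

        FilesystemMetadataProvider provider =
            new FilesystemMetadataProvider(new File(METADATA_PATH));
        provider.setParserPool(parserPool);
        provider.setMetadataFilter(filter);
        provider.setRequireValidMetadata(true);
        // Make initialize() fail when doFilter throws FilterException instead of
        // leaving an empty provider behind.
        provider.setFailFastInitialization(true);
        provider.initialize();
        return provider;
    }

    private static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        FilesystemMetadataProvider provider = buildProvider();
        // Assumed entityID; only entities from the signed, trusted file are reachable here.
        EntityDescriptor idp = provider.getEntityDescriptor("https://idp.example.org/idp/shibboleth");
        System.out.println(idp == null ? "entity not found" : "loaded " + idp.getEntityID());
    }
}
```

The trust decision is made entirely by the trust engine against the pinned credential; `metadataEntryName` values passed through `verifySignature` and `performPreValidation` are, as the reference states, for logging only and must not feed the criteria set. If the aggregate is unsigned or signed by an unpinned key, `doFilter` throws `FilterException` and, with fail-fast initialization, `initialize()` propagates the failure rather than serving partial metadata.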
`public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine)`

Parameters:
- engine - the trust engine used to validate signatures on incoming metadata.

`public SignatureValidationFilter(org.opensaml.xml.signature.SignatureTrustEngine engine, org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> signatureValidator)`

Parameters:
- engine - the trust engine used to validate signatures on incoming metadata.
- signatureValidator - optional pre-validator used to validate Signature elements prior to the actual cryptographic validation operation.

`public org.opensaml.xml.signature.SignatureTrustEngine getSignatureTrustEngine()`

Gets the trust engine used to validate signatures on incoming metadata.

`public org.opensaml.xml.validation.Validator<org.opensaml.xml.signature.Signature> getSignaturePrevalidator()`

Get the validator used to perform pre-validation on Signature tokens.

`public boolean getRequireSignature()`

Gets whether incoming metadata's root element is required to be signed.

`public void setRequireSignature(boolean require)`

Parameters:
- require - whether incoming metadata is required to be signed.

`public org.opensaml.xml.security.CriteriaSet getDefaultCriteria()`

Get the set of default criteria used as input to the trust engine.

`public void setDefaultCriteria(org.opensaml.xml.security.CriteriaSet newCriteria)`

Parameters:
- newCriteria - the new criteria set to use.

`public void doFilter(org.opensaml.xml.XMLObject metadata) throws FilterException`

Specified by:
- doFilter in interface MetadataFilter

Parameters:
- metadata - the metadata to be filtered.

Throws:
- FilterException - thrown if an error occurs during the filtering process.

`protected void processEntityDescriptor(EntityDescriptor entityDescriptor) throws FilterException`

Parameters:
- entityDescriptor - the EntityDescriptor to be processed.

Throws:
- FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified.

`protected void processEntityGroup(EntitiesDescriptor entitiesDescriptor) throws FilterException`

Parameters:
- entitiesDescriptor - the EntitiesDescriptor to be processed.

Throws:
- FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified.

`protected void verifySignature(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) throws FilterException`

Parameters:
- signedMetadata - the metadata object whose signature is to be verified.
- metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
- isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine.

Throws:
- FilterException - thrown if the metadata entry's signature cannot be established as trusted, or if an error occurs during the signature verification process.

`protected void performPreValidation(org.opensaml.xml.signature.Signature signature, String metadataEntryName) throws FilterException`

Parameters:
- signature - the signature to evaluate.
- metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).

Throws:
- FilterException - thrown if the signature element fails pre-validation.

`protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(org.opensaml.xml.signature.SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup)`

Parameters:
- signedMetadata - the metadata element whose signature is being verified.
- metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).
- isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor).

`protected String getRoleIDToken(String entityID, RoleDescriptor role)`

Parameters:
- entityID - the containing entityID.
- role - the role descriptor.

Copyright © 1999-2013. All Rights Reserved.