net.shibboleth.idp.authn

Class AbstractValidationAction<InboundMessageType,OutboundMessageType>

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

org.opensaml.profile.action.AbstractProfileAction<InboundMessageType,OutboundMessageType>

org.opensaml.profile.action.AbstractConditionalProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.profile.AbstractProfileAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>

net.shibboleth.idp.authn.AbstractValidationAction<InboundMessageType,OutboundMessageType>

Type Parameters:

InboundMessageType - type of in-bound message

OutboundMessageType - type of out-bound message

All Implemented Interfaces:

PrincipalSupportingComponent, Component, DestructableComponent, InitializableComponent, ProfileAction<InboundMessageType,OutboundMessageType>, org.springframework.beans.factory.Aware, org.springframework.context.MessageSource, org.springframework.context.MessageSourceAware, org.springframework.webflow.execution.Action

Direct Known Subclasses:

AbstractUsernamePasswordValidationAction

public abstract class AbstractValidationAction<InboundMessageType,OutboundMessageType>
extends AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>
implements PrincipalSupportingComponent

A base class for authentication related actions that validate credentials and produce an AuthenticationResult.

Event:

EventIds.INVALID_PROFILE_CTX, AuthnEventIds.REQUEST_UNSUPPORTED

Precondition:

ProfileRequestContext.getSubcontext(AuthenticationContext.class).getAttemptedFlow() != null

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AbstractValidationAction.MessageChecker A predicate that examines a message to see if it contains a particular String.

Field Summary

Fields

Modifier and Type	Field and Description
private boolean	addDefaultPrincipals Whether to inject the authentication flow's default custom principals into the subject.
private Subject	authenticatedSubject Basis for AuthenticationResult.
private Map<String,Collection<String>>	classifiedMessages Error messages associated with a specific error condition token.
private boolean	clearErrorContext Indicates whether to clear any existing AuthenticationErrorContext before execution.
private static String	DEFAULT_METRIC_NAME Default prefix for metrics.
private org.slf4j.Logger	log Class logger.
private String	metricName Base name of metrics.
private com.google.common.base.Function<ProfileRequestContext,String>	requesterLookupStrategy Function used to obtain the requester ID.
private com.google.common.base.Function<ProfileRequestContext,String>	responderLookupStrategy Function used to obtain the responder ID.
private com.google.common.base.Predicate<ProfileRequestContext>	resultCachingPredicate Predicate to apply when setting AuthenticationResult cacheability.

Constructor Summary

Constructors

Constructor and Description
AbstractValidationAction() Constructor.

Method Summary

Methods

Modifier and Type	Method and Description
boolean	addDefaultPrincipals() Get whether to inject the authentication flow's default custom principals into the subject.
protected void	buildAuthenticationResult(ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext) Normally called upon successful completion of credential validation, calls the populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.
protected boolean	doPreExecute(ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext) Performs this authentication action's pre-execute step.
Map<String,Collection<String>>	getClassifiedErrors() Get the error messages classified by specific error conditions.
String	getMetricName() Get the base name to use for metrics reported.
com.google.common.base.Predicate<ProfileRequestContext>	getResultCachingPredicate() Get predicate to apply to determine cacheability of AuthenticationResult.
protected Subject	getSubject() Get the subject to be produced by successful execution of this action.
<T extends Principal> Set<T>	getSupportedPrincipals(Class<T> c) Get an immutable set of supported custom principals that the component produces, supports, contains, etc.
protected void	handleError(ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, Exception e, String eventId) Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.
protected void	handleError(ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, String message, String eventId) Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.
protected void	handleWarning(ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext, AuthenticationContext authenticationContext, String message, String eventId) Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.
protected abstract Subject	populateSubject(Subject subject) Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.
protected void	recordFailure() Record a failed authentication attempt against the configured counter.
protected void	recordSuccess() Record a successful authentication attempt against the configured counter.
void	setAddDefaultPrincipals(boolean flag) Set whether to inject the authentication flow's default custom principals into the subject.
void	setClassifiedMessages(Map<String,Collection<String>> messages) Set the error messages indicating an unknown username.
void	setMetricName(String name) Set the base name to use for metrics reported.
void	setRequesterLookupStrategy(com.google.common.base.Function<ProfileRequestContext,String> strategy) Set the strategy used to locate the requester ID for canonicalization.
void	setResponderLookupStrategy(com.google.common.base.Function<ProfileRequestContext,String> strategy) Set the strategy used to locate the responder ID for canonicalization.
void	setResultCachingPredicate(com.google.common.base.Predicate<ProfileRequestContext> predicate) Set predicate to apply to determine cacheability of AuthenticationResult.
<T extends Principal> void	setSupportedPrincipals(Collection<T> principals) Set supported non-user-specific principals that the action will include in the subjects it generates, in place of any default principals from the flow.

Methods inherited from class net.shibboleth.idp.authn.AbstractAuthenticationAction

doExecute, doExecute, doPreExecute, setLookupStrategy

Methods inherited from class net.shibboleth.idp.profile.AbstractProfileAction

doExecute, execute, getMessage, getMessage, getMessage, getProfileContextLookupStrategy, getRequestContext, getResult, setMessageSource, setProfileContextLookupStrategy

Methods inherited from class org.opensaml.profile.action.AbstractConditionalProfileAction

getActivationCondition, setActivationCondition

Methods inherited from class org.opensaml.profile.action.AbstractProfileAction

doPostExecute, doPostExecute, execute, getHttpServletRequest, getHttpServletResponse, getLogPrefix, setHttpServletRequest, setHttpServletResponse

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, doInitialize, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.InitializableComponent

initialize, isInitialized

Field Detail

DEFAULT_METRIC_NAME

@Nonnull
@NotEmpty
private static final String DEFAULT_METRIC_NAME

Default prefix for metrics.

See Also:

Constant Field Values

log

@Nonnull
private final org.slf4j.Logger log

Class logger.

metricName

@Nonnull
@NotEmpty
private String metricName

Base name of metrics.

authenticatedSubject

@Nonnull
private final Subject authenticatedSubject

Basis for AuthenticationResult.

addDefaultPrincipals

private boolean addDefaultPrincipals

Whether to inject the authentication flow's default custom principals into the subject.

clearErrorContext

private boolean clearErrorContext

Indicates whether to clear any existing AuthenticationErrorContext before execution.

classifiedMessages

@Nonnull
@NonnullElements
private Map<String,Collection<String>> classifiedMessages

Error messages associated with a specific error condition token.

resultCachingPredicate

@Nullable
private com.google.common.base.Predicate<ProfileRequestContext> resultCachingPredicate

Predicate to apply when setting AuthenticationResult cacheability.

requesterLookupStrategy

@Nullable
private com.google.common.base.Function<ProfileRequestContext,String> requesterLookupStrategy

Function used to obtain the requester ID.

responderLookupStrategy

@Nullable
private com.google.common.base.Function<ProfileRequestContext,String> responderLookupStrategy

Function used to obtain the responder ID.

Constructor Detail

AbstractValidationAction

public AbstractValidationAction()

Constructor.

Method Detail

getMetricName

@Nonnull
@NotEmpty
public String getMetricName()

Get the base name to use for metrics reported.

Returns:

root for name of metrics

Since:

3.3.0

setMetricName

public void setMetricName(@Nonnull@NotEmpty
                 String name)

Set the base name to use for metrics reported.

Parameters:

name - root for name of metrics

Since:

3.3.0

addDefaultPrincipals

public boolean addDefaultPrincipals()

Get whether to inject the authentication flow's default custom principals into the subject.

This is the default behavior, and works for static flows in which the principal set can be statically determined from the flow.

Returns:

whether to inject the authentication flow's default custom principals into the subject

setAddDefaultPrincipals

public void setAddDefaultPrincipals(boolean flag)

Set whether to inject the authentication flow's default custom principals into the subject.

Parameters:

flag - flag to set

getClassifiedErrors

@Nonnull
@NonnullElements
@Unmodifiable
@NotLive
public Map<String,Collection<String>> getClassifiedErrors()

Get the error messages classified by specific error conditions.

Returns:

classified error message map

setClassifiedMessages

public void setClassifiedMessages(@Nonnull@NonnullElements
                         Map<String,Collection<String>> messages)

Set the error messages indicating an unknown username.

Parameters:

messages - the "unknown username" error messages to set

getResultCachingPredicate

@Nullable
public com.google.common.base.Predicate<ProfileRequestContext> getResultCachingPredicate()

Get predicate to apply to determine cacheability of AuthenticationResult.

Returns:

predicate to apply, or null

setResultCachingPredicate

public void setResultCachingPredicate(@Nullable
                             com.google.common.base.Predicate<ProfileRequestContext> predicate)

Set predicate to apply to determine cacheability of AuthenticationResult.

Parameters:

predicate - predicate to apply, or null

setRequesterLookupStrategy

public void setRequesterLookupStrategy(@Nullable
                              com.google.common.base.Function<ProfileRequestContext,String> strategy)

Set the strategy used to locate the requester ID for canonicalization.

Parameters:

strategy - lookup strategy

setResponderLookupStrategy

public void setResponderLookupStrategy(@Nullable
                              com.google.common.base.Function<ProfileRequestContext,String> strategy)

Set the strategy used to locate the responder ID for canonicalization.

Parameters:

strategy - lookup strategy

getSupportedPrincipals

@Nonnull
@NonnullElements
@Unmodifiable
@NotLive
public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull
                                                                                               Class<T> c)

Get an immutable set of supported custom principals that the component produces, supports, contains, etc.

Specified by:

getSupportedPrincipals in interface PrincipalSupportingComponent

Type Parameters:

T - type of Principal to inquire on

Parameters:

c - type of Principal to inquire on

Returns:

a set of matching principals

setSupportedPrincipals

public <T extends Principal> void setSupportedPrincipals(@Nullable@NonnullElements
                                                Collection<T> principals)

Set supported non-user-specific principals that the action will include in the subjects it generates, in place of any default principals from the flow.

Setting to a null or empty collection will maintain the default behavior of relying on the flow.

Type Parameters:

T - a type of principal to add, if not generic

Parameters:

principals - supported principals to include

getSubject

@Nonnull
protected Subject getSubject()

Get the subject to be produced by successful execution of this action.

Returns:

the subject meant as the result of this action

doPreExecute

protected boolean doPreExecute(@Nonnull
                   ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                   @Nonnull
                   AuthenticationContext authenticationContext)

Performs this authentication action's pre-execute step. Default implementation just returns true.

Overrides:

doPreExecute in class AbstractAuthenticationAction<InboundMessageType,OutboundMessageType>

Parameters:

profileRequestContext - the current IdP profile request context

authenticationContext - the current authentication context

Returns:

true iff execution should continue

buildAuthenticationResult

protected void buildAuthenticationResult(@Nonnull
                             ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                             @Nonnull
                             AuthenticationContext authenticationContext)

Normally called upon successful completion of credential validation, calls the populateSubject(Subject) abstract method, stores an AuthenticationResult in the AuthenticationContext, and attaches a SubjectCanonicalizationContext to the ProfileRequestContext in preparation for c14n to occur.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

populateSubject

@Nonnull
protected abstract Subject populateSubject(@Nonnull
                              Subject subject)

Subclasses must override this method to complete the population of the Subject with Principal and credential information based on the validation they perform.

Typically this will include attaching a UsernamePrincipal, but this is not a requirement if other components are suitably overridden.

Parameters:

subject - subject to populate

Returns:

the input subject

recordSuccess

protected void recordSuccess()

Record a successful authentication attempt against the configured counter.

Since:

3.3.0

recordFailure

protected void recordFailure()

Record a failed authentication attempt against the configured counter.

Since:

3.3.0

handleError

protected void handleError(@Nonnull
               ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
               @Nonnull
               AuthenticationContext authenticationContext,
               @Nonnull
               Exception e,
               @Nonnull@NotEmpty
               String eventId)

Adds an exception encountered during the action to an AuthenticationErrorContext, creating one if necessary, beneath the AuthenticationContext.

The exception message is evaluated as a potential match as a "classified" error and if matched, the classification label is attached to the AuthenticationErrorContext and used as the resulting event for the action.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

e - the exception to process

eventId - the event to "return" via an EventContext if the exception message is not classified

handleError

protected void handleError(@Nonnull
               ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
               @Nonnull
               AuthenticationContext authenticationContext,
               @Nullable
               String message,
               @Nonnull@NotEmpty
               String eventId)

Evaluates a message as a potential match as a "classified" error and if matched, the classification label is attached to an AuthenticationErrorContext and used as the resulting event for the action.

If no match, the supplied eventId is used as the result.

If multiple matches, the first matching label is used as the result, but each match is added to the context.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

message - to process

eventId - the event to "return" via an EventContext if the message is not classified

handleWarning

protected void handleWarning(@Nonnull
                 ProfileRequestContext<InboundMessageType,OutboundMessageType> profileRequestContext,
                 @Nonnull
                 AuthenticationContext authenticationContext,
                 @Nullable
                 String message,
                 @Nonnull@NotEmpty
                 String eventId)

Evaluates a message as a potential match as a "classified" warning and if matched, the classification label is attached to an AuthenticationWarningContext and used as the resulting event for the action.

If no match, the supplied eventId is used as the result.

If multiple matches, the first matching label is used as the result, but each match is added to the context.

Parameters:

profileRequestContext - the current profile request context

authenticationContext - the current authentication context

message - to process

eventId - the event to "return" via an EventContext if the message is not classified