Package org.opensaml.storage

Class RevocationCache

java.lang.Object

net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

org.opensaml.storage.RevocationCache

All Implemented Interfaces:

Component, DestructableComponent, IdentifiableComponent, IdentifiedComponent, InitializableComponent

@ThreadSafeAfterInit
public class RevocationCache
extends AbstractIdentifiableInitializableComponent

Stores and checks for revocation entries.

This class is thread-safe and uses a synchronized method to prevent race conditions within the underlying store (lacking an atomic "check and insert" operation).

Since:

4.2.0

Field Summary

Fields

Modifier and Type	Field	Description
private Duration	expires	Default lifetime of revocation entry.
private org.slf4j.Logger	log	Logger.
private StorageService	storage	Backing storage for the replay cache.
private boolean	strict	Flag controlling behavior on storage failure.

Constructor Summary

Constructors

Constructor	Description
RevocationCache()	Constructor.

Method Summary

Modifier and Type	Method	Description
void	doInitialize()
String	getRevocationRecord(String context, String s)	Attempts to read back a revocation record for a given context and key.
StorageService	getStorage()	Get the backing store for the cache.
boolean	isRevoked(String context, String s)	Returns true iff the value has been revoked.
boolean	isStrict()	Get the strictness flag.
boolean	revoke(String context, String key)	Invokes revoke(String, String, Duration) with a default expiration parameter.
boolean	revoke(String context, String key, String value)	Invokes revoke(String, String, String, Duration) with a default expiration parameter.
boolean	revoke(String context, String s, String value, Duration exp)	Returns true if the value is successfully revoked.
boolean	revoke(String context, String key, Duration exp)	Invokes revoke(String, String, String, Duration) with a placeholder value parameter.
void	setEntryExpiration(Duration entryExpiration)	Set the default revocation entry expiration.
void	setStorage(StorageService storageService)	Set the backing store for the cache.
void	setStrict(boolean flag)	Set the strictness flag.
boolean	unrevoke(String context, String s)	Remove a revocation record.

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent

setId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent

getId

Methods inherited from class net.shibboleth.utilities.java.support.component.AbstractInitializableComponent

destroy, doDestroy, initialize, isDestroyed, isInitialized

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface net.shibboleth.utilities.java.support.component.IdentifiedComponent

getId

Field Detail

log

@Nonnull
private final org.slf4j.Logger log

Logger.

storage

@NonnullAfterInit
private StorageService storage

Backing storage for the replay cache.

strict

private boolean strict

Flag controlling behavior on storage failure.

expires

@Nonnull
@Positive
private Duration expires

Default lifetime of revocation entry. Default value: 6 hours

Constructor Detail

RevocationCache

public RevocationCache()

Constructor.

Method Detail

setEntryExpiration

public void setEntryExpiration(@Positive
                               Duration entryExpiration)

Set the default revocation entry expiration.

Parameters:

entryExpiration - lifetime of an revocation entry in milliseconds

getStorage

@NonnullAfterInit
public StorageService getStorage()

Get the backing store for the cache.

Returns:

the backing store.

setStorage

public void setStorage(@Nonnull
                       StorageService storageService)

Set the backing store for the cache.

Parameters:

storageService - backing store to use

isStrict

public boolean isStrict()

Get the strictness flag.

Returns:

true iff we should treat storage failures as a revocation

setStrict

public void setStrict(boolean flag)

Set the strictness flag.

Parameters:

flag - true iff we should treat storage failures as a revocation

doInitialize

public void doInitialize()
                  throws ComponentInitializationException

Overrides:

doInitialize in class AbstractIdentifiedInitializableComponent

Throws:

ComponentInitializationException

revoke

public boolean revoke(@Nonnull @NotEmpty
                      String context,
                      @Nonnull @NotEmpty
                      String key)

Invokes revoke(String, String, Duration) with a default expiration parameter.

Parameters:

context - a context label to subdivide the cache

key - key to revoke

Returns:

true if key has successfully been listed as revoked in the cache

revoke

public boolean revoke(@Nonnull @NotEmpty
                      String context,
                      @Nonnull @NotEmpty
                      String key,
                      @Nonnull
                      Duration exp)

Invokes revoke(String, String, String, Duration) with a placeholder value parameter.

Parameters:

context - a context label to subdivide the cache

key - key to revoke

exp - entry expiration

Returns:

true if key has successfully been listed as revoked in the cache

Since:

4.3.0

revoke

public boolean revoke(@Nonnull @NotEmpty
                      String context,
                      @Nonnull @NotEmpty
                      String key,
                      @Nonnull @NotEmpty
                      String value)

Invokes revoke(String, String, String, Duration) with a default expiration parameter.

If the key has already been revoked, expiration is updated.

Parameters:

context - a context label to subdivide the cache

key - key to revoke

value - value to insert into revocation record

Returns:

true if key has successfully been listed as revoked in the cache

Since:

4.3.0

revoke

public boolean revoke(@Nonnull @NotEmpty
                      String context,
                      @Nonnull @NotEmpty
                      String s,
                      @Nonnull @NotEmpty
                      String value,
                      @Nonnull
                      Duration exp)

Returns true if the value is successfully revoked.

If the key has already been revoked, expiration is updated.

Parameters:

context - a context label to subdivide the cache

s - key to revoke

value - value to insert into revocation record

exp - entry expiration

Returns:

true if key has successfully been listed as revoked in the cache

Since:

4.3.0

unrevoke

public boolean unrevoke(@Nonnull @NotEmpty
                        String context,
                        @Nonnull @NotEmpty
                        String s)

Remove a revocation record.

Parameters:

context - a context label to subdivide the cache

s - value to remove

Returns:

true iff a record was removed

Since:

4.3.0

isRevoked

public boolean isRevoked(@Nonnull @NotEmpty
                         String context,
                         @Nonnull @NotEmpty
                         String s)

Returns true iff the value has been revoked.

Parameters:

context - a context label to subdivide the cache

s - value to check

Returns:

true iff the check value is found in the cache

getRevocationRecord

@Nullable
@NotEmpty
public String getRevocationRecord(@Nonnull @NotEmpty
                                  String context,
                                  @Nonnull @NotEmpty
                                  String s)
                           throws IOException

Attempts to read back a revocation record for a given context and key.

This alternative approach allows revocation records to include richer data, rather than simple presence/absence as a signal.

Parameters:

context - revocation context

s - revocation key

Returns:

the matching record, if found, or null if absent

Throws:

IOException - raised if an error occurs leading to an indeterminate result

Since:

4.3.0