org.opensaml.security
Class MetadataCredentialResolver

java.lang.Object
  extended by org.opensaml.xml.security.credential.AbstractCredentialResolver
      extended by org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver
          extended by org.opensaml.security.MetadataCredentialResolver
All Implemented Interfaces:
org.opensaml.xml.security.credential.CredentialResolver, org.opensaml.xml.security.Resolver<org.opensaml.xml.security.credential.Credential,org.opensaml.xml.security.CriteriaSet>

public class MetadataCredentialResolver
extends org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver

A credential resolver capable of resolving credentials from SAML 2 metadata. The CriteriaSet passed to AbstractCriteriaFilteringCredentialResolver.resolve(CriteriaSet) or AbstractCredentialResolver.resolveSingle(CriteriaSet) must contain at least two criteria: an EntityIDCriteria and a MetadataCriteria. The values of EntityIDCriteria.getEntityID() and MetadataCriteria.getRole() are mandatory. If no protocol is supplied via MetadataCriteria.getProtocol(), credentials are resolved from all matching roles, regardless of which protocols they support. A UsageCriteria is optional; if it is absent from the criteria set, the effective value UsageType.UNSPECIFIED is used, which matches KeyDescriptor elements of any usage.

This credential resolver caches resolved credentials in a memory-sensitive cache. If the metadata provider is an ObservableMetadataProvider, the resolver also clears its cache when the underlying metadata changes.
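The following is an added example of how the criteria described above are assembled and used; it is not code from the OpenSAML project or its documentation. It builds a MetadataCredentialResolver over a FilesystemMetadataProvider, restricts the KeyInfo credential resolver to keys carried inline in the metadata, resolves the SAML 2.0 IdP signing keys of one entity, and then uses the same resolver as the trust basis of an ExplicitKeySignatureTrustEngine. The entity ID, the metadata file path and the class name MetadataSigningKeys are assumptions chosen for the example.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.security.MetadataCredentialResolver;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xml.security.keyinfo.KeyInfoProvider;
import org.opensaml.xml.security.keyinfo.provider.DSAKeyValueProvider;
import org.opensaml.xml.security.keyinfo.provider.InlineX509DataProvider;
import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureTrustEngine;
import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine;
import org.opensaml.xml.validation.ValidationException;

/** Resolves an IdP's signing keys from SAML 2 metadata and uses them as the trust basis for a signature check. */
public final class MetadataSigningKeys {

    // Hypothetical values chosen for this example.
    private static final String IDP_ENTITY_ID = "https://idp.example.org/idp";
    private static final File METADATA_FILE = new File("/etc/saml/idp-metadata.xml");

    public static MetadataCredentialResolver buildResolver(File metadataFile) throws Exception {
        DefaultBootstrap.bootstrap(); // registers OpenSAML object providers and the security configuration

        BasicParserPool parserPool = new BasicParserPool();
        parserPool.setNamespaceAware(true);

        // The resolver trusts every key the metadata carries, so the metadata must come from a
        // trusted source (or be checked with a SignatureValidationFilter before it is used here).
        FilesystemMetadataProvider metadataProvider = new FilesystemMetadataProvider(metadataFile);
        metadataProvider.setParserPool(parserPool);
        metadataProvider.setRequireValidMetadata(true); // ignore metadata past its validUntil
        metadataProvider.initialize();

        MetadataCredentialResolver resolver = new MetadataCredentialResolver(metadataProvider);

        // Accept only keys embedded inline in a KeyDescriptor's KeyInfo: X509Data certificates and
        // RSA/DSA KeyValue elements. Nothing is dereferenced from outside the metadata document.
        List<KeyInfoProvider> providers = new ArrayList<KeyInfoProvider>();
        providers.add(new InlineX509DataProvider());
        providers.add(new RSAKeyValueProvider());
        providers.add(new DSAKeyValueProvider());
        resolver.setKeyInfoCredentialResolver(new BasicProviderKeyInfoCredentialResolver(providers));
        return resolver;
    }

    /** Criteria selecting an entity's SAML 2.0 IdP signing keys. */
    public static CriteriaSet signingKeyCriteria(String entityId) {
        CriteriaSet criteria = new CriteriaSet();
        criteria.add(new EntityIDCriteria(entityId)); // mandatory
        // Role is mandatory; passing null instead of SAML20P_NS would match IdP roles of any protocol.
        criteria.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
        criteria.add(new UsageCriteria(UsageType.SIGNING)); // optional; omitting it matches every KeyDescriptor
        return criteria;
    }

    public static List<Credential> resolveAll(MetadataCredentialResolver resolver, CriteriaSet criteria)
            throws SecurityException {
        List<Credential> credentials = new ArrayList<Credential>();
        for (Credential credential : resolver.resolve(criteria)) {
            credentials.add(credential);
        }
        return credentials;
    }

    /**
     * Validates a SAML signature against the keys the metadata publishes for the claimed issuer.
     * The profile validator runs first: the trust engine decides key trust, not the signature's shape.
     */
    public static boolean isTrustedSignature(MetadataCredentialResolver resolver, Signature signature,
                                             String issuerEntityId) throws SecurityException {
        try {
            new SAMLSignatureProfileValidator().validate(signature);
        } catch (ValidationException e) {
            return false; // e.g. missing enveloped transform or more than one Reference
        }
        SignatureTrustEngine trustEngine =
                new ExplicitKeySignatureTrustEngine(resolver, resolver.getKeyInfoCredentialResolver());
        return trustEngine.validate(signature, signingKeyCriteria(issuerEntityId));
    }

    public static void main(String[] args) throws Exception {
        MetadataCredentialResolver resolver = buildResolver(METADATA_FILE);
        for (Credential credential : resolveAll(resolver, signingKeyCriteria(IDP_ENTITY_ID))) {
            System.out.println(credential.getEntityId() + " " + credential.getUsageType()
                    + " " + credential.getPublicKey().getAlgorithm());
        }
    }
}
```

The issuer entity ID passed to isTrustedSignature must be taken from the message itself (the Issuer element) and then bound to the metadata through the EntityIDCriteria; keys published by any other entity in the same metadata file never enter the trust decision. Dropping the protocol from the MetadataCriteria, or the UsageCriteria, widens the key set exactly as the class description states, which is rarely what a verifier wants.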


Nested Class Summary
protected  class MetadataCredentialResolver.MetadataCacheKey
          A class which serves as the key into the cache of credentials previously resolved.
protected  class MetadataCredentialResolver.MetadataProviderObserver
          An observer that clears the credential cache if the underlying metadata changes.
 
Constructor Summary
MetadataCredentialResolver(MetadataProvider metadataProvider)
          Constructor.
 
Method Summary
protected  void cacheCredentials(MetadataCredentialResolver.MetadataCacheKey cacheKey, java.util.Collection<org.opensaml.xml.security.credential.Credential> credentials)
          Adds resolved credentials to the cache.
protected  void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Check that all necessary credential criteria are available.
 org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver getKeyInfoCredentialResolver()
          Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
protected  java.util.concurrent.locks.ReadWriteLock getReadWriteLock()
          Get the lock instance used to synchronize access to the credential cache.
protected  java.util.List<RoleDescriptor> getRoleDescriptors(java.lang.String entityID, javax.xml.namespace.QName role, java.lang.String protocol)
          Get the list of metadata role descriptors which match the given entityID, role and protocol.
protected  boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage, org.opensaml.xml.security.credential.UsageType criteriaUsage)
          Match usage enum type values from metadata KeyDescriptor and from credential criteria.
protected  java.lang.Iterable<org.opensaml.xml.security.credential.Credential> resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)
          Resolve credentials from the underlying metadata for the supplied criteria set, using the credential cache where possible.
protected  java.util.Collection<org.opensaml.xml.security.credential.Credential> retrieveFromCache(MetadataCredentialResolver.MetadataCacheKey cacheKey)
          Retrieves pre-resolved credentials from the cache.
protected  java.util.Collection<org.opensaml.xml.security.credential.Credential> retrieveFromMetadata(java.lang.String entityID, javax.xml.namespace.QName role, java.lang.String protocol, org.opensaml.xml.security.credential.UsageType usage)
          Retrieves credentials from the provided metadata.
 void setKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
          Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
 
Methods inherited from class org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver
isMeetAllCriteria, isUnevaluableSatisfies, resolve, setMeetAllCriteria, setUnevaluableSatisfies
 
Methods inherited from class org.opensaml.xml.security.credential.AbstractCredentialResolver
resolveSingle
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

MetadataCredentialResolver

public MetadataCredentialResolver(MetadataProvider metadataProvider)
Constructor.

Parameters:
metadataProvider - provider of the metadata
Throws:
java.lang.IllegalArgumentException - thrown if the supplied provider is null
Method Detail

getKeyInfoCredentialResolver

public org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver getKeyInfoCredentialResolver()
Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

Returns:
KeyInfo credential resolver

setKeyInfoCredentialResolver

public void setKeyInfoCredentialResolver(org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver keyInfoResolver)
Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

Parameters:
keyInfoResolver - the new KeyInfoCredentialResolver to use

getReadWriteLock

protected java.util.concurrent.locks.ReadWriteLock getReadWriteLock()
Get the lock instance used to synchronize access to the credential cache.

Returns:
a read-write lock instance

resolveFromSource

protected java.lang.Iterable<org.opensaml.xml.security.credential.Credential> resolveFromSource(org.opensaml.xml.security.CriteriaSet criteriaSet)
                                                                                         throws org.opensaml.xml.security.SecurityException
Resolve credentials from the underlying metadata for the supplied criteria set, using the credential cache where possible. The criteria set must satisfy the requirements described in the class description.

Specified by:
resolveFromSource in class org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver
Throws:
org.opensaml.xml.security.SecurityException

checkCriteriaRequirements

protected void checkCriteriaRequirements(org.opensaml.xml.security.CriteriaSet criteriaSet)
Check that all necessary credential criteria are available: the set must contain an EntityIDCriteria with a non-null entity ID and a MetadataCriteria with a non-null role.

Parameters:
criteriaSet - the credential set to evaluate

retrieveFromCache

protected java.util.Collection<org.opensaml.xml.security.credential.Credential> retrieveFromCache(MetadataCredentialResolver.MetadataCacheKey cacheKey)
Retrieves pre-resolved credentials from the cache.

Parameters:
cacheKey - the key to the metadata cache
Returns:
the collection of cached credentials or null

retrieveFromMetadata

protected java.util.Collection<org.opensaml.xml.security.credential.Credential> retrieveFromMetadata(java.lang.String entityID,
                                                                                                     javax.xml.namespace.QName role,
                                                                                                     java.lang.String protocol,
                                                                                                     org.opensaml.xml.security.credential.UsageType usage)
                                                                                              throws org.opensaml.xml.security.SecurityException
Retrieves credentials from the provided metadata.

Parameters:
entityID - entityID of the credential owner
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
usage - intended usage of resolved credentials
Returns:
the resolved credentials or null
Throws:
org.opensaml.xml.security.SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

matchUsage

protected boolean matchUsage(org.opensaml.xml.security.credential.UsageType metadataUsage,
                             org.opensaml.xml.security.credential.UsageType criteriaUsage)
Match usage enum type values from a metadata KeyDescriptor and from the credential criteria. The two values match when they are equal or when either of them is UsageType.UNSPECIFIED.

Parameters:
metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element
criteriaUsage - the value from credential criteria
Returns:
true if the two usage specifiers match for purposes of resolving credentials, false otherwise

getRoleDescriptors

protected java.util.List<RoleDescriptor> getRoleDescriptors(java.lang.String entityID,
                                                            javax.xml.namespace.QName role,
                                                            java.lang.String protocol)
                                                     throws org.opensaml.xml.security.SecurityException
Get the list of metadata role descriptors which match the given entityID, role and protocol.

Parameters:
entityID - entity ID of the credential owner
role - role in which the entity is operating
protocol - protocol over which the entity is operating (may be null)
Returns:
a list of role descriptors matching the given parameters, or null
Throws:
org.opensaml.xml.security.SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

cacheCredentials

protected void cacheCredentials(MetadataCredentialResolver.MetadataCacheKey cacheKey,
                                java.util.Collection<org.opensaml.xml.security.credential.Credential> credentials)
Adds resolved credentials to the cache.

Parameters:
cacheKey - the key for caching the credentials
credentials - collection of credentials to cache


Copyright © 2006-2012 Internet2. All Rights Reserved.