Class SignatureValidationFilter

  • All Implemented Interfaces:
    MetadataFilter

    public class SignatureValidationFilter
    extends Object
    implements MetadataFilter
    A metadata filter that validates XML signatures.
    • Field Detail

      • log

        @Nonnull
        private final org.slf4j.Logger log
        Class logger.
      • signatureTrustEngine

        @Nonnull
        private SignatureTrustEngine signatureTrustEngine
        Trust engine used to validate a signature.
      • requireSignedRoot

        private boolean requireSignedRoot
        Indicates whether the metadata root element is required to be signed.
      • alwaysVerifyTrustedSource

        private boolean alwaysVerifyTrustedSource
        Flag indicating whether the root signature of a trusted source should always be verified.
      • defaultCriteria

        @Nullable
        private CriteriaSet defaultCriteria
        Set of externally specified default criteria for input to the trust engine.
      • signaturePrevalidator

        @Nullable
        private SignaturePrevalidator signaturePrevalidator
        Prevalidator for XML Signature instances.
      • dynamicTrustedNamesStrategy

        @Nullable
        private Function<XMLObject, Set<String>> dynamicTrustedNamesStrategy
        Strategy function for extracting dynamic trusted names from signed metadata elements.
    • Method Detail

      • isAlwaysVerifyTrustedSource

        public boolean isAlwaysVerifyTrustedSource()
        Get the flag indicating whether the root signature of a trusted source should always be verified.
        Returns:
        true if the root signature should always be verified, false if that should be determined dynamically
      • setAlwaysVerifyTrustedSource

        public void setAlwaysVerifyTrustedSource(boolean flag)
        Set the flag indicating whether the root signature of a trusted source should always be verified.
        Parameters:
        flag - true if the root signature should always be verified, false if that should be determined dynamically
      • getDynamicTrustedNamesStrategy

        @Nullable
        public Function<XMLObject, Set<String>> getDynamicTrustedNamesStrategy()
        Get the strategy function for extracting dynamic trusted names from signed metadata elements.

        Defaults to: BasicDynamicTrustedNamesStrategy.

        Returns:
        the function, or null
      • setDynamicTrustedNamesStrategy

        public void setDynamicTrustedNamesStrategy(@Nullable
                                                   Function<XMLObject, Set<String>> strategy)
        Set the strategy function for extracting dynamic trusted names from signed metadata elements.

        Defaults to: BasicDynamicTrustedNamesStrategy.

        Parameters:
        strategy - the function, may be null
      • getSignatureTrustEngine

        @Nonnull
        public SignatureTrustEngine getSignatureTrustEngine()
        Gets the trust engine used to validate signatures on incoming metadata.
        Returns:
        trust engine used to validate signatures on incoming metadata
      • getSignaturePrevalidator

        @Nullable
        public SignaturePrevalidator getSignaturePrevalidator()
        Get the validator used to perform pre-validation on Signature tokens.

        Defaults to: SAMLSignatureProfileValidator.

        Returns:
        the configured Signature validator, or null
      • setSignaturePrevalidator

        public void setSignaturePrevalidator(@Nullable
                                             SignaturePrevalidator validator)
        Set the validator used to perform pre-validation on Signature tokens.

        Defaults to: SAMLSignatureProfileValidator.

        Parameters:
        validator - the signature prevalidator to use
      • getRequireSignedRoot

        public boolean getRequireSignedRoot()
        Get whether incoming metadata's root element is required to be signed.

        Defaults to true.

        Returns:
        whether incoming metadata is required to be signed
      • setRequireSignedRoot

        public void setRequireSignedRoot(boolean require)
        Set whether incoming metadata's root element is required to be signed.

        Defaults to true.

        Parameters:
        require - whether incoming metadata is required to be signed
      • getDefaultCriteria

        @Nullable
        public CriteriaSet getDefaultCriteria()
        Get the optional set of default criteria used as input to the trust engine.
        Returns:
        the criteria set
      • setDefaultCriteria

        public void setDefaultCriteria(@Nullable
                                       CriteriaSet newCriteria)
        Set the optional set of default criteria used as input to the trust engine.
        Parameters:
        newCriteria - the new criteria set to use
      • processEntityDescriptor

        protected void processEntityDescriptor(@Nonnull
                                               EntityDescriptor entityDescriptor,
                                               @Nonnull
                                               MetadataFilterContext context,
                                               boolean isRoot)
                                        throws FilterException
        Process the signatures on the specified EntityDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entity descriptor.
        Parameters:
        entityDescriptor - the EntityDescriptor to be processed
        context - the current filter context
        isRoot - true if the element being processed is the XML document root, false if not
        Throws:
        FilterException - thrown if an error occurs during the signature verification process on the root EntityDescriptor specified
      • processEntityGroup

        protected void processEntityGroup(@Nonnull
                                          EntitiesDescriptor entitiesDescriptor,
                                          @Nonnull
                                          MetadataFilterContext context,
                                          boolean isRoot)
                                   throws FilterException
        Process the signatures on the specified EntitiesDescriptor and any signed children. If signature verification fails on a child, it will be removed from the entities descriptor group.
        Parameters:
        entitiesDescriptor - the EntitiesDescriptor to be processed
        context - the current filter context
        isRoot - true if the element being processed is the XML document root, false if not
        Throws:
        FilterException - thrown if an error occurs during the signature verification process on the root EntitiesDescriptor specified
      • verifySignature

        protected void verifySignature(@Nonnull
                                       SignableXMLObject signedMetadata,
                                       @Nonnull @NotEmpty
                                       String metadataEntryName,
                                       boolean isEntityGroup)
                                throws FilterException
        Evaluate the signature on the signed metadata instance.
        Parameters:
        signedMetadata - the metadata object whose signature is to be verified
        metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
        isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor), primarily useful for constructing a criteria set for the trust engine
        Throws:
        FilterException - thrown if the metadata entry's signature cannot be established as trusted, or if an error occurs during the signature verification process
      • performPreValidation

        protected void performPreValidation(@Nonnull
                                            Signature signature,
                                            @Nonnull @NotEmpty
                                            String metadataEntryName)
                                     throws FilterException
        Perform pre-validation on the Signature token.
        Parameters:
        signature - the signature to evaluate
        metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building a criteria set).
        Throws:
        FilterException - thrown if the signature element fails pre-validation
      • buildCriteriaSet

        @Nonnull
        protected CriteriaSet buildCriteriaSet(@Nonnull
                                               SignableXMLObject signedMetadata,
                                               @Nonnull @NotEmpty
                                               String metadataEntryName,
                                               boolean isEntityGroup)
        Build the criteria set which will be used as input to the configured trust engine.
        Parameters:
        signedMetadata - the metadata element whose signature is being verified
        metadataEntryName - the EntityDescriptor entityID, EntitiesDescriptor Name, AffiliationDescriptor affiliationOwnerID, or RoleDescriptor getRoleIDToken(String, RoleDescriptor) corresponding to the element whose signature is being evaluated. This is used exclusively for logging/debugging purposes and should not be used operationally (e.g. for building the criteria set).
        isEntityGroup - flag indicating whether the signed object is a metadata group (EntitiesDescriptor)
        Returns:
        the newly constructed criteria set
      • getRoleIDToken

        protected String getRoleIDToken(@Nonnull @NotEmpty
                                        String entityID,
                                        @Nonnull
                                        RoleDescriptor role)
        Get a string token for logging/debugging purposes that contains the role information and the containing entityID.
        Parameters:
        entityID - the containing entityID
        role - the role descriptor
        Returns:
        the constructed role ID token.
      • isSkipRootSignature

        protected boolean isSkipRootSignature(@Nonnull
                                              MetadataFilterContext context)
        Determine whether validation of the signature on the document root should be skipped.
        Parameters:
        context - the metadata filter context
        Returns:
        true if root signature validation should be skipped, false if not