MetadataCredentialResolver (OpenSAML-J 2.5.3 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.opensaml.security
Class MetadataCredentialResolver

java.lang.Object
  org.opensaml.xml.security.credential.AbstractCredentialResolver
      org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver
          org.opensaml.security.MetadataCredentialResolver

All Implemented Interfaces:: CredentialResolver, Resolver<Credential,CriteriaSet>

public class MetadataCredentialResolver
extends AbstractCriteriaFilteringCredentialResolver
extends AbstractCriteriaFilteringCredentialResolver

A credential resolver capable of resolving credentials from SAML 2 metadata; The instance of CriteriaSet passed to AbstractCriteriaFilteringCredentialResolver.resolve(CriteriaSet) and AbstractCredentialResolver.resolveSingle(CriteriaSet) must minimally contain 2 criteria: EntityIDCriteria and MetadataCriteria. The values for EntityIDCriteria.getEntityID() and MetadataCriteria.getRole() are mandatory. If the protocol value obtained via MetadataCriteria.getProtocol() is not supplied, credentials will be resolved from all matching roles, regardless of protocol support. Specification of a UsageCriteria is optional. If usage criteria is absent from the criteria set, the effective value UsageType.UNSPECIFIED will be used for credential resolution. This credential resolver will cache the resolved the credentials in a memory-sensitive cache. If the metadata provider is an ObservableMetadataProvider this resolver will also clear its cache when the underlying metadata changes.

Nested Class Summary
`protected class`	`MetadataCredentialResolver.MetadataCacheKey` A class which serves as the key into the cache of credentials previously resolved.
`protected class`	`MetadataCredentialResolver.MetadataProviderObserver` An observer that clears the credential cache if the underlying metadata changes.

Field Summary
`private Map<MetadataCredentialResolver.MetadataCacheKey,SoftReference<Collection<Credential>>>`	`cache` Cache of resolved credentials.
`private KeyInfoCredentialResolver`	`keyInfoCredentialResolver` Credential resolver used to resolve credentials from role descriptor KeyInfo elements.
`private org.slf4j.Logger`	`log` Class logger.
`private MetadataProvider`	`metadata` Metadata provider from which to fetch the credentials.
`private ReadWriteLock`	`rwlock` Lock used to synchronize access to the credential cache.

Constructor Summary
`MetadataCredentialResolver(MetadataProvider metadataProvider)` Constructor.

Method Summary
`protected void`	`cacheCredentials(MetadataCredentialResolver.MetadataCacheKey cacheKey, Collection<Credential> credentials)` Adds resolved credentials to the cache.
`protected void`	`checkCriteriaRequirements(CriteriaSet criteriaSet)` Check that all necessary credential criteria are available.
`KeyInfoCredentialResolver`	`getKeyInfoCredentialResolver()` Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.
`protected ReadWriteLock`	`getReadWriteLock()` Get the lock instance used to synchronize access to the credential cache.
`protected List<RoleDescriptor>`	`getRoleDescriptors(String entityID, QName role, String protocol)` Get the list of metadata role descriptors which match the given entityID, role and protocol.
`protected boolean`	`matchUsage(UsageType metadataUsage, UsageType criteriaUsage)` Match usage enum type values from metadata KeyDescriptor and from credential criteria.
`protected Iterable<Credential>`	`resolveFromSource(CriteriaSet criteriaSet)`
`protected Collection<Credential>`	`retrieveFromCache(MetadataCredentialResolver.MetadataCacheKey cacheKey)` Retrieves pre-resolved credentials from the cache.
`protected Collection<Credential>`	`retrieveFromMetadata(String entityID, QName role, String protocol, UsageType usage)` Retrieves credentials from the provided metadata.
`void`	`setKeyInfoCredentialResolver(KeyInfoCredentialResolver keyInfoResolver)` Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

Methods inherited from class org.opensaml.xml.security.credential.AbstractCriteriaFilteringCredentialResolver
`isMeetAllCriteria, isUnevaluableSatisfies, resolve, setMeetAllCriteria, setUnevaluableSatisfies`

Methods inherited from class org.opensaml.xml.security.credential.AbstractCredentialResolver
`resolveSingle`

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

log

private final org.slf4j.Logger log

Class logger.

metadata

private MetadataProvider metadata

Metadata provider from which to fetch the credentials.

cache

private Map<MetadataCredentialResolver.MetadataCacheKey,SoftReference<Collection<Credential>>> cache

Cache of resolved credentials. [MetadataCacheKey, Credentials]

keyInfoCredentialResolver

private KeyInfoCredentialResolver keyInfoCredentialResolver

Credential resolver used to resolve credentials from role descriptor KeyInfo elements.

rwlock

private ReadWriteLock rwlock

Lock used to synchronize access to the credential cache.

Constructor Detail

MetadataCredentialResolver

public MetadataCredentialResolver(MetadataProvider metadataProvider)

Constructor.

Parameters:: metadataProvider - provider of the metadata
Throws:: IllegalArgumentException - thrown if the supplied provider is null

Method Detail

getKeyInfoCredentialResolver

public KeyInfoCredentialResolver getKeyInfoCredentialResolver()

Get the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

Returns:: KeyInfo credential resolver

setKeyInfoCredentialResolver

public void setKeyInfoCredentialResolver(KeyInfoCredentialResolver keyInfoResolver)

Set the KeyInfo credential resolver used by this metadata resolver to handle KeyInfo elements.

Parameters:: keyInfoResolver - the new KeyInfoCredentialResolver to use

getReadWriteLock

protected ReadWriteLock getReadWriteLock()

Get the lock instance used to synchronize access to the credential cache.

Returns:: a read-write lock instance

resolveFromSource

protected Iterable<Credential> resolveFromSource(CriteriaSet criteriaSet)
                                          throws SecurityException

Specified by:: resolveFromSource in class AbstractCriteriaFilteringCredentialResolver

Throws:: SecurityException

checkCriteriaRequirements

protected void checkCriteriaRequirements(CriteriaSet criteriaSet)

Check that all necessary credential criteria are available.

Parameters:: criteriaSet - the credential set to evaluate

retrieveFromCache

protected Collection<Credential> retrieveFromCache(MetadataCredentialResolver.MetadataCacheKey cacheKey)

Retrieves pre-resolved credentials from the cache.

Parameters:: cacheKey - the key to the metadata cache
Returns:: the collection of cached credentials or null

retrieveFromMetadata

protected Collection<Credential> retrieveFromMetadata(String entityID,
                                                      QName role,
                                                      String protocol,
                                                      UsageType usage)
                                               throws SecurityException

Retrieves credentials from the provided metadata.

Parameters:: entityID - entityID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null); usage - intended usage of resolved credentials
Returns:: the resolved credentials or null
Throws:: SecurityException - thrown if the key, certificate, or CRL information is represented in an unsupported format

matchUsage

protected boolean matchUsage(UsageType metadataUsage,
                             UsageType criteriaUsage)

Match usage enum type values from metadata KeyDescriptor and from credential criteria.

Parameters:: metadataUsage - the value from the 'use' attribute of a metadata KeyDescriptor element; criteriaUsage - the value from credential criteria
Returns:: true if the two usage specifiers match for purposes of resolving credentials, false otherwise

getRoleDescriptors

protected List<RoleDescriptor> getRoleDescriptors(String entityID,
                                                  QName role,
                                                  String protocol)
                                           throws SecurityException

Get the list of metadata role descriptors which match the given entityID, role and protocol.

Parameters:: entityID - entity ID of the credential owner; role - role in which the entity is operating; protocol - protocol over which the entity is operating (may be null)
Returns:: a list of role descriptors matching the given parameters, or null
Throws:: SecurityException - thrown if there is an error retrieving role descriptors from the metadata provider

cacheCredentials

protected void cacheCredentials(MetadataCredentialResolver.MetadataCacheKey cacheKey,
                                Collection<Credential> credentials)

Adds resolved credentials to the cache.

Parameters:: cacheKey - the key for caching the credentials; credentials - collection of credentials to cache