org.opensaml.saml.security.impl

Class SAMLMetadataSignatureSigningParametersResolver

java.lang.Object

org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver<SignatureSigningParameters>

org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver

org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver

All Implemented Interfaces:

net.shibboleth.utilities.java.support.resolver.Resolver<SignatureSigningParameters,net.shibboleth.utilities.java.support.resolver.CriteriaSet>, SignatureSigningParametersResolver

public class SAMLMetadataSignatureSigningParametersResolver
extends BasicSignatureSigningParametersResolver

A specialization of BasicSignatureSigningParametersResolver which also supports input of SAML metadata, specifically the SigningMethod and DigestMethod extension elements.

In addition to the Criterion inputs documented in BasicSignatureSigningParametersResolver, the following inputs are also supported:

• RoleDescriptorCriterion - optional

Constructor Summary

Constructors

Constructor and Description
SAMLMetadataSignatureSigningParametersResolver()

Method Summary

Modifier and Type	Method and Description
protected boolean	credentialSupportsSigningMethod(Credential credential, SigningMethod signingMethod) Evaluate whether the specified credential is supported for use with the specified SigningMethod.
protected List<XMLObject>	getExtensions(RoleDescriptor roleDescriptor, QName extensionName) Get the extensions indicated by the passed QName.
protected void	resolveAndPopulateCredentialAndSignatureAlgorithm(SignatureSigningParameters params, net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and populate the signing credential and signature method algorithm URI on the supplied parameters instance.
protected String	resolveReferenceDigestMethod(net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria, com.google.common.base.Predicate<String> whitelistBlacklistPredicate) Resolve and return the digest method algorithm URI to use, including application of whitelist/blacklist policy.

Methods inherited from class org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver

credentialSupportsAlgorithm, getAlgorithmRegistry, getAlgorithmRuntimeSupportedPredicate, getEffectiveSignatureAlgorithms, getEffectiveSigningCredentials, getWhitelistBlacklistPredicate, logResult, resolve, resolveCanonicalizationAlgorithm, resolveHMACOutputLength, resolveKeyInfoGenerator, resolveSingle, setAlgorithmRegistry, validate

Methods inherited from class org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver

lookupKeyInfoGenerator, resolveAndPopulateWhiteAndBlacklists, resolveEffectiveBlacklist, resolveEffectiveWhitelist, resolveWhitelistBlacklistPrecedence, resolveWhitelistBlacklistPredicate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SAMLMetadataSignatureSigningParametersResolver

public SAMLMetadataSignatureSigningParametersResolver()

Method Detail

resolveAndPopulateCredentialAndSignatureAlgorithm

protected void resolveAndPopulateCredentialAndSignatureAlgorithm(@Nonnull
                                                                 SignatureSigningParameters params,
                                                                 @Nonnull
                                                                 net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                                 @Nonnull
                                                                 com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and populate the signing credential and signature method algorithm URI on the supplied parameters instance.

Overrides:

resolveAndPopulateCredentialAndSignatureAlgorithm in class BasicSignatureSigningParametersResolver

Parameters:

params - the parameters instance being populated

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate with which to evaluate the candidate signing method algorithm URIs

credentialSupportsSigningMethod

protected boolean credentialSupportsSigningMethod(@Nonnull
                                                  Credential credential,
                                                  @Nonnull @NotEmpty
                                                  SigningMethod signingMethod)

Evaluate whether the specified credential is supported for use with the specified SigningMethod.

Parameters:

credential - the credential to evaluate

signingMethod - the signing method to evaluate

Returns:

true if credential may be used with the supplied algorithm URI, false otherwise

resolveReferenceDigestMethod

@Nullable
protected String resolveReferenceDigestMethod(@Nonnull
                                                        net.shibboleth.utilities.java.support.resolver.CriteriaSet criteria,
                                                        @Nonnull
                                                        com.google.common.base.Predicate<String> whitelistBlacklistPredicate)

Resolve and return the digest method algorithm URI to use, including application of whitelist/blacklist policy.

Overrides:

resolveReferenceDigestMethod in class BasicSignatureSigningParametersResolver

Parameters:

criteria - the input criteria being evaluated

whitelistBlacklistPredicate - the whitelist/blacklist predicate to use

Returns:

the resolved digest method algorithm URI

getExtensions

@Nullable
protected List<XMLObject> getExtensions(@Nonnull
                                                  RoleDescriptor roleDescriptor,
                                                  @Nonnull
                                                  QName extensionName)

Get the extensions indicated by the passed QName. The passed RoleDescriptor's Extensions element is examined first. If at least 1 such extension is found there, that list is returned. If no such extensions are found on the RoleDescriptor, then the RoleDescriptor's parent EntityDescriptor will be examined, if it exists.

Parameters:

roleDescriptor - the role descriptor instance to examine

extensionName - the extension name for which to search

Returns:

the list of extension XMLObjects found, or null