issrg.saml
Class SAMLAATokenParser

java.lang.Object
  extended by issrg.saml.SAMLAATokenParser
All Implemented Interfaces:
AuthzTokenParser, RoleBasedAuthzTokenParser
Direct Known Subclasses:
VOMSSAMLAATokenParser

public abstract class SAMLAATokenParser
extends java.lang.Object
implements RoleBasedAuthzTokenParser

Author:
Linying Su

Nested Class Summary
 class SAMLAATokenParser.StaticKeyInfoCredentialResolver
           
 
Field Summary
static Credentials NullCreds
           
 RoleHierarchyPolicy roleHierarchy
           
 SignatureVerifier SV
           
 
Constructor Summary
SAMLAATokenParser()
          Creates a new instance of SAMLAuthTokenParser
SAMLAATokenParser(java.util.Map m, SignatureVerifier signatureVerifier)
          The constructor takes the Map of Assignment Rules, as returned by the PolicyParser, and the Signature Verifier, which can be null.
SAMLAATokenParser(RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier)
          The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates.
 
Method Summary
 Response buildResponseFromXML(org.w3c.dom.Element res)
          Builds a SAML Response object from the given SAML XML element.
 ParsedToken decode(java.lang.Object token)
          Decodes the given SAML response.
 ParsedToken decodePlainAssertions(Assertion[] assertions)
          Returns a parsed token built from the given SAML assertions.
 ParsedToken decodeRawAttributes(issrg.saml.SAMLAATokenParser.RawAttributes token)
          Decodes a RawAttributes object, which represents all the attributes in a SAML assertion.
 ParsedToken decodeSAMLAssertions(java.lang.Object[] assertions)
          Parses the given assertions into a ParsedToken.
 issrg.saml.SAMLAATokenParser.RawAttributes getAttributes(Assertion[] assertions)
          Returns a RawAttributes object representing the set of SAML attributes in the given assertions.
 java.util.Map getAuthzTokenParsingRules()
          This method returns the Authorisation Token Parsing Rules, as a Map with a single entry whose key is issrg.pba.rbac.RoleHierarchyPolicy.class and whose value is the RoleHierarchyPolicy used by this RoleBasedACParser.
 java.lang.Object[] getSAMLAssertions(Response response)
          Returns the SAML assertions contained in the given SAML response.
 SignatureVerifier getSignatureVerifier()
          This method returns the SignatureVerifier used by this RoleBasedACParser.
 void primaryCheck(java.lang.Object token, RoleHierarchyPolicy rh)
          Checks that the token is a SAML response and that the Role Hierarchy is available; throws an exception otherwise.
 void setAuthzTokenParsingRules(java.util.Map m)
          This method sets the Authorisation Token Parsing Rules.
 void setRoleHierarchy(RoleHierarchyPolicy rhpn)
          This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.
 void setSignatureVerifier(SignatureVerifier signatureVerifier)
          This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

roleHierarchy

public RoleHierarchyPolicy roleHierarchy

NullCreds

public static final Credentials NullCreds

SV

public SignatureVerifier SV
Constructor Detail

SAMLAATokenParser

public SAMLAATokenParser()
Creates a new instance of SAMLAuthTokenParser


SAMLAATokenParser

public SAMLAATokenParser(RoleHierarchyPolicy rhpn,
                         SignatureVerifier signatureVerifier)
The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates. If Signature Verifier is specified, it will be used to validate digital signatures on the ACs; otherwise signature verification will be ignored (e.g. for testing purposes - not recommended for real life deployments).

Parameters:
rhpn - is the RoleHierarchyPolicy used to decode the role values in the Attribute Certificates; can't be null
signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

SAMLAATokenParser

public SAMLAATokenParser(java.util.Map m,
                         SignatureVerifier signatureVerifier)
The constructor takes the Map of Assignment Rules, as returned by the PolicyParser, and the Signature Verifier, which can be null. The Map of Assignment Rules must contain a RoleHierarchyPolicy under the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Parameters:
m - is the map of assignment rules to use
signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)
Method Detail

getAuthzTokenParsingRules

public java.util.Map getAuthzTokenParsingRules()
This method returns the Authorisation Token Parsing Rules, as a Map with a single entry whose key is issrg.pba.rbac.RoleHierarchyPolicy.class and whose value is the RoleHierarchyPolicy used by this RoleBasedACParser.

Specified by:
getAuthzTokenParsingRules in interface AuthzTokenParser
Returns:
Map of rules; this implementation fills a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy; if the RoleHierarchyPolicy has not been set, the Map does not contain any entries

setSignatureVerifier

public void setSignatureVerifier(SignatureVerifier signatureVerifier)
This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.

Specified by:
setSignatureVerifier in interface AuthzTokenParser
Parameters:
signatureVerifier - is the SignatureVerifier used to validate the ACs; if null, no signature verification will be performed (SHOULD NOT BE USED IN PRODUCTION SCENARIOS!)

getSignatureVerifier

public SignatureVerifier getSignatureVerifier()
This method returns the SignatureVerifier used by this RoleBasedACParser.

Specified by:
getSignatureVerifier in interface AuthzTokenParser
Returns:
SignatureVerifier used by this RoleBasedACParser, or null, if no signature verification is being performed.

setAuthzTokenParsingRules

public void setAuthzTokenParsingRules(java.util.Map m)
This method sets the Authorisation Token Parsing Rules. The Map should contain an issrg.pba.rbac.RoleHierarchyPolicy in the entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Specified by:
setAuthzTokenParsingRules in interface AuthzTokenParser
Parameters:
m - the Map of rules with a RoleHierarchyPolicy inside

setRoleHierarchy

public void setRoleHierarchy(RoleHierarchyPolicy rhpn)
This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.

Specified by:
setRoleHierarchy in interface RoleBasedAuthzTokenParser
Parameters:
rhpn - the RoleHierarchyPolicy to be used; if null, decoding the ACs will always fail

decode

public ParsedToken decode(java.lang.Object token)
                   throws PbaException
This method decodes the given SAML response. The token cannot be null and must be an instance of org.w3c.dom.Element.

Specified by:
decode in interface AuthzTokenParser
Parameters:
token - the SAML XML element (org.w3c.dom.Element) holding the response.
Returns:
the ParsedToken representing SAML Attributes
Throws:
PbaException - if no Role Hierarchy Policy has been specified through the constructor or either of the setter methods, or if any error occurs while decoding the Authorisation Token; for example, the given object is not a proper Authorisation Token that the implementation can handle
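The constructors and decode(Object) above make the security-relevant behaviour explicit: a null SignatureVerifier silently disables signature checking, and decode() expects an org.w3c.dom.Element. The following is an added example, not code from the PERMIS/issrg project, showing how a caller would build the parser so that a missing verifier is a configuration error rather than a silent downgrade, parse the SAML response with a DOM parser that has DTDs and external entities disabled, and then call decode(). It assumes the package names of ParsedToken, PbaException and SignatureVerifier (not given on this page), that the documented class declares no abstract methods beyond the ones listed so a minimal subclass compiles, and that a RoleHierarchyPolicy and SignatureVerifier are obtained from the PolicyParser and PERMIS configuration elsewhere. StrictSAMLAATokenParser, buildParser, parseSamlXml and decodeResponse are hypothetical names introduced here.

```java
// Added example (not part of the PERMIS/issrg code base). Builds a
// SAMLAATokenParser that refuses to run without signature verification and
// feeds it a SAML response parsed by a hardened, namespace-aware DOM parser.
// Assumptions (not on the Javadoc page): the packages of ParsedToken,
// PbaException and SignatureVerifier, and that SAMLAATokenParser has no
// abstract methods beyond the documented ones, so a minimal subclass compiles.
import java.io.StringReader;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

import issrg.pba.ParsedToken;               // assumed package
import issrg.pba.PbaException;              // assumed package
import issrg.pba.rbac.RoleHierarchyPolicy;  // key type named on the page
import issrg.saml.SAMLAATokenParser;
import issrg.utils.SignatureVerifier;       // assumed package

public final class StrictSamlParserExample {

    /** Minimal concrete subclass (hypothetical); the documented class is abstract. */
    static final class StrictSAMLAATokenParser extends SAMLAATokenParser {
        StrictSAMLAATokenParser(Map<Object, Object> rules, SignatureVerifier sv) {
            super(rules, sv);   // the documented Map constructor
        }
    }

    /**
     * Builds the parser exactly as the Map constructor documents, but treats a
     * null SignatureVerifier as a configuration error instead of letting the
     * parser silently skip signature verification.
     */
    public static SAMLAATokenParser buildParser(RoleHierarchyPolicy rh, SignatureVerifier sv) {
        if (rh == null) {
            throw new IllegalArgumentException(
                "RoleHierarchyPolicy is required; without it decoding always fails");
        }
        if (sv == null) {
            throw new IllegalArgumentException(
                "SignatureVerifier is required; null disables signature verification");
        }
        // The Map of Assignment Rules must carry the policy under the key
        // issrg.pba.rbac.RoleHierarchyPolicy.class (as documented above).
        Map<Object, Object> rules = new HashMap<>();
        rules.put(RoleHierarchyPolicy.class, rh);
        return new StrictSAMLAATokenParser(rules, sv);
    }

    /**
     * Parses SAML XML into the org.w3c.dom.Element that decode() expects.
     * Namespace awareness is required for SAML; DTDs, external entities and
     * XInclude are disabled so untrusted tokens cannot trigger XXE processing.
     */
    public static Element parseSamlXml(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml))).getDocumentElement();
    }

    /**
     * Decodes one SAML response. Re-checks getSignatureVerifier() because
     * setSignatureVerifier(null) could have switched verification off after
     * construction; a PbaException from decode() means the token was rejected.
     */
    public static ParsedToken decodeResponse(SAMLAATokenParser parser, String xml) throws Exception {
        if (parser.getSignatureVerifier() == null) {
            throw new IllegalStateException("signature verification is disabled; refusing to decode");
        }
        Element response = parseSamlXml(xml);
        try {
            return parser.decode(response);
        } catch (PbaException e) {
            // Surface the rejection to the caller's audit log rather than swallowing it.
            throw new SecurityException("SAML token rejected: " + e.getMessage(), e);
        }
    }
}
```

In a real deployment the concrete parser would be VOMSSAMLAATokenParser or the project's own subclass rather than the trivial one above; the point of the wrapper is that the two ways of ending up without verification (a null constructor argument and a later setSignatureVerifier(null)) both fail closed before any attribute is decoded.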

buildResponseFromXML

public Response buildResponseFromXML(org.w3c.dom.Element res)
                              throws PbaException
Builds a SAML Response object from the given SAML XML element.

Parameters:
res - is the SAML XML element
Returns:
the Response object representing the given SAML XML
Throws:
PbaException

getSAMLAssertions

public java.lang.Object[] getSAMLAssertions(Response response)
Returns the SAML assertions contained in the given SAML response.

Parameters:
response - is the SAML response object
Returns:
an array of objects, each member is either an Assertion or an EncryptedAssertion object

decodeSAMLAssertions

public ParsedToken decodeSAMLAssertions(java.lang.Object[] assertions)
                                 throws PbaException
Parses the given assertions into a ParsedToken.

Parameters:
assertions - each element is either an AssertionType or an EncryptedElementType.
Throws:
PbaException

decodePlainAssertions

public ParsedToken decodePlainAssertions(Assertion[] assertions)
                                  throws PbaException
Returns a parsed token built from the given SAML assertions.

Parameters:
assertions - the SAML assertions
Throws:
PbaException

primaryCheck

public void primaryCheck(java.lang.Object token,
                         RoleHierarchyPolicy rh)
                  throws PbaException
Checks that the token is a SAML response and that the Role Hierarchy is available; throws an exception otherwise.

Parameters:
token - a ResponseType object
rh - the RoleHierarchyPolicy that must be available
Throws:
PbaException

getAttributes

public issrg.saml.SAMLAATokenParser.RawAttributes getAttributes(Assertion[] assertions)
                                                         throws PbaException
Returns a RawAttributes object representing the set of SAML attributes in the given assertions.

Parameters:
assertions - the SAML assertions
Throws:
PbaException

decodeRawAttributes

public ParsedToken decodeRawAttributes(issrg.saml.SAMLAATokenParser.RawAttributes token)
                                throws PbaException
Decodes a RawAttributes object, which represents all the attributes in a SAML assertion.

Parameters:
token - the RawAttributes object holding the attributes of the assertion and their validity period
Throws:
PbaException