issrg.saml
Class SAMLAATokenParser

java.lang.Object
  issrg.saml.SAMLAATokenParser

All Implemented Interfaces:

AuthzTokenParser, RoleBasedAuthzTokenParser

Direct Known Subclasses:

VOMSSAMLAATokenParser

public abstract class SAMLAATokenParser
extends java.lang.Object
implements RoleBasedAuthzTokenParser

Author:

Linying Su

Nested Class Summary

class

SAMLAATokenParser.StaticKeyInfoCredentialResolver

Field Summary

static Credentials	NullCreds
RoleHierarchyPolicy	roleHierarchy
SignatureVerifier	SV

Constructor Summary

SAMLAATokenParser()
Creates a new instance of SAMLAuthTokenParser

SAMLAATokenParser(java.util.Map m, SignatureVerifier signatureVerifier)
The constructor takes the Map of Assignment Rules, as returned by the PolicyParser and the Signature Verifier, which can be null.

SAMLAATokenParser(RoleHierarchyPolicy rhpn, SignatureVerifier signatureVerifier)
The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates.

Method Summary

Response	buildResponseFromXML(org.w3c.dom.Element res) this method builds a SAML response object from the given SAML XML
ParsedToken	decode(java.lang.Object token) This method decodes a given saml response.
ParsedToken	decodePlainAssertions(Assertion[] assertions) this method returns a parsed token from a SAML assertion
ParsedToken	decodeRawAttributes(issrg.saml.SAMLAATokenParser.RawAttributes token) this method is used to decode an Attributes object, which represents the all attributes in a SAML assertion.
ParsedToken	decodeSAMLAssertions(java.lang.Object[] assertions) to parse the assertion into a ParsedToken
issrg.saml.SAMLAATokenParser.RawAttributes	getAttributes(Assertion[] assertions) this method returns RawAttributes, which represent a set of SAML attributes
java.util.Map	getAuthzTokenParsingRules() This method returns the Authorisation Token Parsing Rules, as a Map with a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy used by this RoleBasedACParser.
java.lang.Object[]	getSAMLAssertions(Response response) this method return a SAML assertions from the given SAML response
SignatureVerifier	getSignatureVerifier() This method returns the SignatureVerifier used by this RoleBasedACParser.
void	primaryCheck(java.lang.Object token, RoleHierarchyPolicy rh) to check whether the token is a SAML response and the Role Hierarch is available otherwise to throw an exception.
void	setAuthzTokenParsingRules(java.util.Map m) This method sets the Authorisation Token Parsing Rules.
void	setRoleHierarchy(RoleHierarchyPolicy rhpn) This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.
void	setSignatureVerifier(SignatureVerifier signatureVerifier) This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

roleHierarchy

public RoleHierarchyPolicy roleHierarchy

NullCreds

public static final Credentials NullCreds

SV

public SignatureVerifier SV

Constructor Detail

SAMLAATokenParser

public SAMLAATokenParser()

Creates a new instance of SAMLAuthTokenParser

SAMLAATokenParser

public SAMLAATokenParser(RoleHierarchyPolicy rhpn,
                         SignatureVerifier signatureVerifier)

The constructor uses the Role Hierarchy policy and the Signature Verifier to subsequently decode the Attribute Certificates. If Signature Verifier is specified, it will be used to validate digital signatures on the ACs; otherwise signature verification will be ignored (e.g. for testing purposes - not recommended for real life deployments).

Parameters:

rhpn - is the RoleHierarchyPolicy used to decode the role values in the Attribute Certificates; can't be null

signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

SAMLAATokenParser

public SAMLAATokenParser(java.util.Map m,
                         SignatureVerifier signatureVerifier)

The constructor takes the Map of Assignment Rules, as returned by the PolicyParser and the Signature Verifier, which can be null. The Map of Assignment Rules must contain a RoleHierarchyPolicy under the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Parameters:

m - is the map of assignment rules to use

signatureVerifier - will be used to validate digital signatures; if null, no signature verification will be performed (NOT RECOMMENDED FOR REAL DEPLOYMENT AS INSECURE!)

Method Detail

getAuthzTokenParsingRules

public java.util.Map getAuthzTokenParsingRules()

This method returns the Authorisation Token Parsing Rules, as a Map with a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy used by this RoleBasedACParser.

Specified by:

getAuthzTokenParsingRules in interface AuthzTokenParser

Returns:

Map of rules; this implementation fills a single entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class and the value being the RoleHierarchyPolicy; if the RoleHierarchyPolicy has not been set, the Map does not contain any entries

setSignatureVerifier

public void setSignatureVerifier(SignatureVerifier signatureVerifier)

This method sets the SignatureVerifier to be used to validate the X.509 Attribute Certificates.

Specified by:

setSignatureVerifier in interface AuthzTokenParser

Parameters:

signatureVerifier - is the SignatureVerifier used to validate the ACs; if null, no signature verification will be performed (SHOULD NOT BE USED IN PRODUCTION SCENARIOS!)

getSignatureVerifier

public SignatureVerifier getSignatureVerifier()

This method returns the SignatureVerifier used by this RoleBasedACParser.

Specified by:

getSignatureVerifier in interface AuthzTokenParser

Returns:

SignatureVerifier used by this RoleBasedACParser, or null, if no signature verification is being performed.

setAuthzTokenParsingRules

public void setAuthzTokenParsingRules(java.util.Map m)

This method sets the Authorisation Token Parsing Rules. It should contain a issrg.pba.rbac.RoleHierarchyPolicy in the entry with the key issrg.pba.rbac.RoleHierarchyPolicy.class.

Specified by:

setAuthzTokenParsingRules in interface AuthzTokenParser

Parameters:

m - - the Map of rules with a RoleHierarchyPolicy inside

setRoleHierarchy

public void setRoleHierarchy(RoleHierarchyPolicy rhpn)

This method sets the Authorisation Token Parsing Rules by directly specifying the Role Hierarchy to be used.

Specified by:

setRoleHierarchy in interface RoleBasedAuthzTokenParser

Parameters:

rhpn - - the RoleHierarchyPolicy to be used; if null, decoding the ACs will always fail

decode

public ParsedToken decode(java.lang.Object token)
                   throws PbaException

This method decodes a given saml response. It can not be null. The object is an instance of org.w3c.dom.Element.

Specified by:

decode in interface AuthzTokenParser

Parameters:

token - is the object of SAML XML.

Returns:

the ParsedToken representing SAML Attributes

Throws:

PbaException, - if no Role Hierarchy Policy has been specified through the constructor or either of the methods, or if there was a problem when decoding the Authorisation Token

PbaException - if any error occurs; for example, the given object is not a proper Authorisation Token that the implementation can handle

buildResponseFromXML

public Response buildResponseFromXML(org.w3c.dom.Element res)
                              throws PbaException

this method builds a SAML response object from the given SAML XML

Parameters:

res - is the SAML XML element

Returns:

SAMLResponse is the java object, which represents the SAML

Throws:

PbaException

getSAMLAssertions

public java.lang.Object[] getSAMLAssertions(Response response)

this method return a SAML assertions from the given SAML response

Parameters:

response - is the SAML response object

Returns:

an array of objects, each member is either an Assertion or an EncryptedAssertion object

decodeSAMLAssertions

public ParsedToken decodeSAMLAssertions(java.lang.Object[] assertions)
                                 throws PbaException

to parse the assertion into a ParsedToken

Parameters:

assertion - could be either AssertionType or EncryptedElementType.

Throws:

PbaException

decodePlainAssertions

public ParsedToken decodePlainAssertions(Assertion[] assertions)
                                  throws PbaException

this method returns a parsed token from a SAML assertion

Parameters:

is - the SAML assertion

Throws:

PbaException

primaryCheck

public void primaryCheck(java.lang.Object token,
                         RoleHierarchyPolicy rh)
                  throws PbaException

to check whether the token is a SAML response and the Role Hierarch is available otherwise to throw an exception.

Parameters:

token - is an ResponseType object

Throws:

PbaException

getAttributes

public issrg.saml.SAMLAATokenParser.RawAttributes getAttributes(Assertion[] assertions)
                                                         throws PbaException

this method returns RawAttributes, which represent a set of SAML attributes

Parameters:

assertions - are SAML assertions

Throws:

PbaException

decodeRawAttributes

public ParsedToken decodeRawAttributes(issrg.saml.SAMLAATokenParser.RawAttributes token)
                                throws PbaException

this method is used to decode an Attributes object, which represents the all attributes in a SAML assertion.

Parameters:

vp - is a validity period of these attributes.

attrs - is the Attributes object

Throws:

PbaException