Class AbstractSamlIdPProfileHandlerController

java.lang.Object
org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController
Direct Known Subclasses:
AbstractSamlSLOProfileHandlerController, ECPSamlIdPProfileHandlerController, SamlIdPInitiatedProfileHandlerController, SamlIdPSaml1ArtifactResolutionProfileHandlerController, SamlIdPSaml2AttributeQueryProfileHandlerController, SSOSamlIdPPostProfileHandlerController, SSOSamlIdPPostSimpleSignProfileHandlerController, SSOSamlIdPProfileCallbackHandlerController

@Controller public abstract class AbstractSamlIdPProfileHandlerController extends Object
A parent controller to handle SAML requests. Specific profile endpoints are handled by extensions. This parent provides the operations that profile endpoint controllers need in order to respond to their endpoints.
Since:
5.0.0
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    SAML profile configuration context.
  • Constructor Summary

    Constructors
    Constructor
    Description
     
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
    autoConfigureCookiePath(jakarta.servlet.http.HttpServletRequest request)
    Auto configure cookie path.
    protected static org.opensaml.messaging.context.MessageContext
    bindRelayStateParameter(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authnContext, String relayState)
    Bind relay state parameter.
    protected org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext>
    buildAuthenticationContextPair(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authnContext)
    Build the authentication context pair.
    buildCasAssertion(String principal, org.apereo.cas.services.RegisteredService registeredService, Map<String,Object> attributes)
    Build cas assertion.
    buildCasAssertion(org.apereo.cas.authentication.Authentication authentication, org.apereo.cas.authentication.principal.Service service, org.apereo.cas.services.RegisteredService registeredService, Map<String,List<Object>> attributesToCombine)
    Build cas assertion.
    protected void
    buildResponseBasedSingleSignOnSession(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> context, org.apereo.cas.ticket.TicketGrantingTicket ticketGrantingTicket, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Build response based single sign on session.
    protected org.opensaml.core.xml.XMLObject
    buildSamlResponse(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext, Optional<AuthenticatedAssertionContext> casAssertion, String binding)
     
    protected String
    constructServiceUrl(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair)
    Construct service url string.
    protected org.opensaml.messaging.context.MessageContext
    decodeSoapRequest(jakarta.servlet.http.HttpServletRequest request)
    Decode a SOAP 1.1 request into a message context.
    protected String
    determineProfileBinding(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext)
     
    protected org.apache.commons.lang3.tuple.Pair<org.apereo.cas.support.saml.services.SamlRegisteredService,org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade>
    getRegisteredServiceAndFacade(org.opensaml.saml.saml2.core.AuthnRequest request)
    Gets registered service and facade.
    protected Optional<org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade>
    getSamlMetadataFacadeFor(org.apereo.cas.support.saml.services.SamlRegisteredService registeredService, String entityId)
    Gets saml metadata adaptor for service.
    protected Optional<org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade>
    getSamlMetadataFacadeFor(org.apereo.cas.support.saml.services.SamlRegisteredService registeredService, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest)
    Gets saml metadata adaptor for service.
    protected org.springframework.web.servlet.ModelAndView
    handleSsoPostProfileRequest(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request, org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder decoder)
     
    org.springframework.web.servlet.ModelAndView
    handleUnauthorizedServiceException(jakarta.servlet.http.HttpServletRequest req, Exception ex)
    Handle unauthorized service exception.
    protected org.springframework.web.servlet.ModelAndView
    initiateAuthenticationRequest(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request)
    Initiate authentication request.
    protected org.springframework.web.servlet.ModelAndView
    issueAuthenticationRequestRedirect(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Redirect request for authentication.
    protected static void
    logCasValidationAssertion(org.apereo.cas.ticket.TicketValidator.ValidationResult assertion)
    Log cas validation assertion.
    protected final org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext>
    retrieveAuthenticationRequest(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request)
     
    protected Optional<org.apereo.cas.ticket.TicketGrantingTicket>
    singleSignOnSessionExists(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
    Single sign on session exists.
    protected void
    storeAuthenticationRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> context)
     
    protected void
    verifyAuthenticationContextSignature(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> authenticationContext, jakarta.servlet.http.HttpServletRequest request, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest, org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade adaptor, org.apereo.cas.support.saml.services.SamlRegisteredService registeredService)
    Verify authentication context signature.
    protected void
    verifyAuthenticationContextSignature(org.opensaml.messaging.context.MessageContext ctx, jakarta.servlet.http.HttpServletRequest request, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest, org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade adaptor, org.apereo.cas.support.saml.services.SamlRegisteredService registeredService)
    Verify authentication context signature.
    protected org.apache.commons.lang3.tuple.Pair<org.apereo.cas.support.saml.services.SamlRegisteredService,org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade>
    verifySamlAuthenticationRequest(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext, jakarta.servlet.http.HttpServletRequest request)
    Verify saml authentication request.
    protected org.apereo.cas.support.saml.services.SamlRegisteredService
    Gets the registered service and verifies it.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • AbstractSamlIdPProfileHandlerController

      public AbstractSamlIdPProfileHandlerController()
  • Method Details

    • logCasValidationAssertion

      protected static void logCasValidationAssertion(org.apereo.cas.ticket.TicketValidator.ValidationResult assertion)
      Log cas validation assertion.
      Parameters:
      assertion - the assertion
    • bindRelayStateParameter

      protected static org.opensaml.messaging.context.MessageContext bindRelayStateParameter(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authnContext, String relayState)
      Bind relay state parameter.
      Parameters:
      request - the request
      response - the response
      authnContext - the authn context
      relayState - the relay state
      Returns:
      the message context
    • handleUnauthorizedServiceException

      @ExceptionHandler({org.apereo.cas.authentication.PrincipalException.class,org.apereo.cas.services.UnauthorizedServiceException.class,org.apereo.cas.support.saml.SamlException.class}) public org.springframework.web.servlet.ModelAndView handleUnauthorizedServiceException(jakarta.servlet.http.HttpServletRequest req, Exception ex)
      Handle unauthorized service exception.
      Parameters:
      req - the request
      ex - the exception being handled
      Returns:
      the model and view
    • getSamlMetadataFacadeFor

      protected Optional<org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(org.apereo.cas.support.saml.services.SamlRegisteredService registeredService, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest)
      Gets saml metadata adaptor for service.
      Parameters:
      registeredService - the registered service
      authnRequest - the authn request
      Returns:
      the saml metadata adaptor for service
    • getSamlMetadataFacadeFor

      protected Optional<org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(org.apereo.cas.support.saml.services.SamlRegisteredService registeredService, String entityId)
      Gets saml metadata adaptor for service.
      Parameters:
      registeredService - the registered service
      entityId - the entity id
      Returns:
      the saml metadata adaptor for service
    • verifySamlRegisteredService

      protected org.apereo.cas.support.saml.services.SamlRegisteredService verifySamlRegisteredService(String serviceId)
      Gets the registered service and verifies it.
      Parameters:
      serviceId - the service id
      Returns:
      the verified registered service
    • buildCasAssertion

      protected AuthenticatedAssertionContext buildCasAssertion(org.apereo.cas.authentication.Authentication authentication, org.apereo.cas.authentication.principal.Service service, org.apereo.cas.services.RegisteredService registeredService, Map<String,List<Object>> attributesToCombine)
      Build cas assertion.
      Parameters:
      authentication - the authentication
      service - the service
      registeredService - the registered service
      attributesToCombine - the attributes to combine
      Returns:
      the assertion
    • buildCasAssertion

      protected AuthenticatedAssertionContext buildCasAssertion(String principal, org.apereo.cas.services.RegisteredService registeredService, Map<String,Object> attributes)
      Build cas assertion.
      Parameters:
      principal - the principal
      registeredService - the registered service
      attributes - the attributes
      Returns:
      the assertion
    • issueAuthenticationRequestRedirect

      protected org.springframework.web.servlet.ModelAndView issueAuthenticationRequestRedirect(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws Exception
      Redirect request for authentication.
      Parameters:
      pair - the pair
      request - the request
      response - the response
      Returns:
      the model and view
      Throws:
      Exception - the exception
    • constructServiceUrl

      protected String constructServiceUrl(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair) throws Exception
      Construct service url string.
      Parameters:
      request - the request
      response - the response
      pair - the pair
      Returns:
      the string
      Throws:
      Exception - the exception
    • initiateAuthenticationRequest

      protected org.springframework.web.servlet.ModelAndView initiateAuthenticationRequest(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request) throws Exception
      Initiate authentication request.
      Parameters:
      pair - the pair
      response - the response
      request - the request
      Returns:
      the model and view
      Throws:
      Exception - the exception
    • buildResponseBasedSingleSignOnSession

      protected void buildResponseBasedSingleSignOnSession(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> context, org.apereo.cas.ticket.TicketGrantingTicket ticketGrantingTicket, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response) throws Exception
      Build a single sign-on session based on the response. The HTTP response is reset before the SAML response is encoded, to ensure a clean slate from previous attempts, especially when requests and responses are produced rapidly.
      Parameters:
      context - the pair
      ticketGrantingTicket - the authentication
      request - the request
      response - the response
      Throws:
      Exception - the exception
    • buildSamlResponse

      protected org.opensaml.core.xml.XMLObject buildSamlResponse(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext, Optional<AuthenticatedAssertionContext> casAssertion, String binding) throws Exception
      Throws:
      Exception
    • buildAuthenticationContextPair

      protected org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> buildAuthenticationContextPair(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authnContext)
      Build the authentication context pair.
      Parameters:
      request - the request
      response - the response
      authnContext - the authn context
      Returns:
      the pair
    • singleSignOnSessionExists

      protected Optional<org.apereo.cas.ticket.TicketGrantingTicket> singleSignOnSessionExists(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> pair, jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
      Single sign on session exists.
      Parameters:
      pair - the pair
      request - the request
      response - the response
      Returns:
      the ticket-granting ticket of the existing single sign-on session, or empty if there is none
    • verifySamlAuthenticationRequest

      protected org.apache.commons.lang3.tuple.Pair<org.apereo.cas.support.saml.services.SamlRegisteredService,org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext, jakarta.servlet.http.HttpServletRequest request) throws Exception
      Verify saml authentication request.
      Parameters:
      authenticationContext - the pair
      request - the request
      Returns:
      the pair
      Throws:
      Exception - the exception
    • verifyAuthenticationContextSignature

      protected void verifyAuthenticationContextSignature(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> authenticationContext, jakarta.servlet.http.HttpServletRequest request, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest, org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade adaptor, org.apereo.cas.support.saml.services.SamlRegisteredService registeredService) throws Exception
      Verify authentication context signature.
      Parameters:
      authenticationContext - the authentication context
      request - the request
      authnRequest - the authn request
      adaptor - the adaptor
      registeredService - the registered service
      Throws:
      Exception - the exception
    • verifyAuthenticationContextSignature

      protected void verifyAuthenticationContextSignature(org.opensaml.messaging.context.MessageContext ctx, jakarta.servlet.http.HttpServletRequest request, org.opensaml.saml.saml2.core.RequestAbstractType authnRequest, org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade adaptor, org.apereo.cas.support.saml.services.SamlRegisteredService registeredService) throws Exception
      Verify authentication context signature.
      Parameters:
      ctx - the authentication context
      request - the request
      authnRequest - the authn request
      adaptor - the adaptor
      registeredService - the registered service
      Throws:
      Exception - the exception
    • getRegisteredServiceAndFacade

      protected org.apache.commons.lang3.tuple.Pair<org.apereo.cas.support.saml.services.SamlRegisteredService,org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade> getRegisteredServiceAndFacade(org.opensaml.saml.saml2.core.AuthnRequest request)
      Gets registered service and facade.
      Parameters:
      request - the request
      Returns:
      the registered service and facade
    • decodeSoapRequest

      protected org.opensaml.messaging.context.MessageContext decodeSoapRequest(jakarta.servlet.http.HttpServletRequest request)
      Decode a SOAP 1.1 request into a message context.
      Parameters:
      request - the request
      Returns:
      the decoded SOAP 1.1 message context
    • autoConfigureCookiePath

      protected void autoConfigureCookiePath(jakarta.servlet.http.HttpServletRequest request)
      Auto configure cookie path.
      Parameters:
      request - the request
    • handleSsoPostProfileRequest

      protected org.springframework.web.servlet.ModelAndView handleSsoPostProfileRequest(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request, org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder decoder)
    • retrieveAuthenticationRequest

      protected final org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> retrieveAuthenticationRequest(jakarta.servlet.http.HttpServletResponse response, jakarta.servlet.http.HttpServletRequest request)
    • storeAuthenticationRequest

      protected void storeAuthenticationRequest(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response, org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.common.SignableSAMLObject,org.opensaml.messaging.context.MessageContext> context) throws Exception
      Throws:
      Exception
    • determineProfileBinding

      protected String determineProfileBinding(org.apache.commons.lang3.tuple.Pair<? extends org.opensaml.saml.saml2.core.RequestAbstractType,org.opensaml.messaging.context.MessageContext> authenticationContext)