org.opensaml.ws.security.provider
Class ClientCertAuthRule

java.lang.Object
  extended by org.opensaml.ws.security.provider.BaseTrustEngineRule<org.opensaml.xml.security.x509.X509Credential>
      extended by org.opensaml.ws.security.provider.ClientCertAuthRule
All Implemented Interfaces:
SecurityPolicyRule

public class ClientCertAuthRule
extends BaseTrustEngineRule<org.opensaml.xml.security.x509.X509Credential>

Policy rule that checks if the client cert used to authenticate the request is valid and trusted.

This rule is only evaluated if the message context contains a peer X509Credential, as returned by Transport.getPeerCredential() on the message context's inbound message transport.

The entity ID used to perform trust evaluation of the X509 credential is first retrieved via getCertificatePresenterEntityID(MessageContext). If this value is non-null, trust evaluation proceeds on that basis. If trust evaluation using this entity ID is successful, the message context's inbound transport authentication state will be set to true and processing is terminated. If unsuccessful, a SecurityPolicyException is thrown.

If no non-null value was available from getCertificatePresenterEntityID(MessageContext), then rule evaluation will be attempted as described in evaluateCertificateNameDerivedPresenters(X509Credential, MessageContext), based on the currently configured certificate name evaluation options. If this method returns a non-null certificate presenter entity ID, it will be set on the message context by calling setAuthenticatedCertificatePresenterEntityID(MessageContext, String), and the message context's inbound transport authentication state will be set to true via Transport.setAuthenticated(boolean). Rule processing is then terminated. If the method returns null, the client certificate presenter entity ID and inbound transport authentication state will remain unmodified and rule processing continues.

Finally, rule evaluation will proceed as described in evaluateDerivedPresenters(X509Credential, MessageContext). This is primarily an extension point by which subclasses may implement specific custom logic. If this method returns a non-null client certificate presenter entity ID, it will be set via setAuthenticatedCertificatePresenterEntityID(MessageContext, String), the message context's inbound transport authentication state will be set to true and rule processing is terminated. If the method returns null, the client certificate presenter entity ID and transport authentication state will remain unmodified.


Constructor Summary
ClientCertAuthRule(org.opensaml.xml.security.trust.TrustEngine<org.opensaml.xml.security.x509.X509Credential> engine, CertificateNameOptions nameOptions)
          Constructor.
 
Method Summary
protected  org.opensaml.xml.security.CriteriaSet buildCriteriaSet(String entityID, MessageContext messageContext)
          Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs.
protected  void doEvaluate(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate the request credential.
 void evaluate(MessageContext messageContext)
          Evaluates the message context against the rule.
protected  String evaluateCertificateNameDerivedIssuers(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Deprecated. Use evaluateCertificateNameDerivedPresenters(X509Credential,MessageContext) instead
protected  String evaluateCertificateNameDerivedPresenters(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate candidate presenter entity IDs which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions.
protected  String evaluateDerivedIssuers(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Deprecated. Use evaluateDerivedPresenters(X509Credential,MessageContext) instead
protected  String evaluateDerivedPresenters(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate any candidate presenter entity IDs which may be derived from the credential or other message context information.
protected  String evaluateSubjectAltNames(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated in CertificateNameOptions.getSubjectAltNames().
protected  String evaluateSubjectCommonName(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate the presenter entity ID as derived from the cert subject common name (CN).
protected  String evaluateSubjectDN(org.opensaml.xml.security.x509.X509Credential requestCredential, MessageContext messageContext)
          Evaluate the presenter entity ID as derived from the cert subject DN.
protected  List<String> getAltNames(X509Certificate cert, Integer altNameType)
          Get the list of subject alt name values from the certificate which are of the specified alt name type.
protected  CertificateNameOptions getCertificateNameOptions()
          Get the currently configured certificate name options.
protected  String getCertificatePresenterEntityID(MessageContext messageContext)
          Get the entity ID of the presenter of the client TLS certificate, as will be used for trust evaluation purposes.
protected  String getCommonName(X509Certificate cert)
          Get the first common name (CN) value from the subject DN of the specified certificate.
protected  String getSubjectName(X509Certificate cert)
          Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format.
protected  void setAuthenticatedCertificatePresenterEntityID(MessageContext messageContext, String entityID)
          Store the successfully authenticated derived entity ID of the certificate presenter in the message context.
 
Methods inherited from class org.opensaml.ws.security.provider.BaseTrustEngineRule
evaluate, evaluate, getTrustEngine
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

ClientCertAuthRule

public ClientCertAuthRule(org.opensaml.xml.security.trust.TrustEngine<org.opensaml.xml.security.x509.X509Credential> engine,
                          CertificateNameOptions nameOptions)
Constructor.

Parameters:
engine - Trust engine used to verify the request X509Credential
nameOptions - options for deriving certificate presenter entity IDs from an X.509 certificate
Method Detail

evaluate

public void evaluate(MessageContext messageContext)
              throws SecurityPolicyException
Evaluates the message context against the rule.

Parameters:
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if the message context does not meet the requirements of the rule, or if there is a non-recoverable error during evaluation

getCertificateNameOptions

protected CertificateNameOptions getCertificateNameOptions()
Get the currently configured certificate name options.

Returns:
the certificate name options

doEvaluate

protected void doEvaluate(org.opensaml.xml.security.x509.X509Credential requestCredential,
                          MessageContext messageContext)
                   throws SecurityPolicyException
Evaluate the request credential.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Throws:
SecurityPolicyException - thrown if a certificate presenter entity ID is available from the message context and the client certificate token can not be established as trusted on that basis, or if there is an error during evaluation processing

getCertificatePresenterEntityID

protected String getCertificatePresenterEntityID(MessageContext messageContext)
Get the entity ID of the presenter of the client TLS certificate, as will be used for trust evaluation purposes.

The default behavior is to return the value of MessageContext.getInboundMessageIssuer(). Subclasses may override to implement different logic.

Parameters:
messageContext - the current message context
Returns:
the entity ID of the client TLS certificate presenter

setAuthenticatedCertificatePresenterEntityID

protected void setAuthenticatedCertificatePresenterEntityID(MessageContext messageContext,
                                                            String entityID)
Store the successfully authenticated derived entity ID of the certificate presenter in the message context.

The default behavior is to set the value by calling MessageContext.setInboundMessageIssuer(String). Subclasses may override to implement different logic.

Parameters:
messageContext - the current message context
entityID - the successfully authenticated derived entity ID of the client TLS certificate presenter

buildCriteriaSet

protected org.opensaml.xml.security.CriteriaSet buildCriteriaSet(String entityID,
                                                                 MessageContext messageContext)
                                                          throws SecurityPolicyException
Subclasses are required to implement this method to build a criteria set for the trust engine according to trust engine and application-specific needs.

Specified by:
buildCriteriaSet in class BaseTrustEngineRule<org.opensaml.xml.security.x509.X509Credential>
Parameters:
entityID - the candidate issuer entity ID which is being evaluated
messageContext - the message context which is being evaluated
Returns:
a newly constructed set of criteria suitable for the configured trust engine
Throws:
SecurityPolicyException - thrown if criteria set can not be constructed

evaluateDerivedIssuers

protected String evaluateDerivedIssuers(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                        MessageContext messageContext)
                                 throws SecurityPolicyException
Deprecated. Use evaluateDerivedPresenters(X509Credential,MessageContext) instead

Evaluate any candidate presenter entity IDs which may be derived from the credential or other message context information.

This serves primarily as an extension point for subclasses to implement application-specific logic.

If multiple derived candidate entity IDs would satisfy the trust engine criteria, the choice of which one to return as the canonical presenter entity ID value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateDerivedPresenters

protected String evaluateDerivedPresenters(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                           MessageContext messageContext)
                                    throws SecurityPolicyException
Evaluate any candidate presenter entity IDs which may be derived from the credential or other message context information.

This serves primarily as an extension point for subclasses to implement application-specific logic.

If multiple derived candidate entity IDs would satisfy the trust engine criteria, the choice of which one to return as the canonical presenter entity ID value is implementation-specific.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateCertificateNameDerivedIssuers

protected String evaluateCertificateNameDerivedIssuers(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                                       MessageContext messageContext)
                                                throws SecurityPolicyException
Deprecated. Use evaluateCertificateNameDerivedPresenters(X509Credential,MessageContext) instead

Evaluate candidate presenter entity IDs which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions.

Configured certificate name types are derived as candidate presenter entity IDs and processed in the following order:

  1. The certificate subject DN string as serialized by the X500DNHandler obtained via CertificateNameOptions.getX500DNHandler() and using the output format indicated by CertificateNameOptions.getX500SubjectDNFormat().
  2. Subject alternative names of the types configured via CertificateNameOptions.getSubjectAltNames(). Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.
  3. The first common name (CN) value appearing in the certificate subject DN.

The first one of the above which is successfully evaluated by the trust engine using criteria built from BaseTrustEngineRule.buildCriteriaSet(String, MessageContext) will be returned.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a certificate presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateCertificateNameDerivedPresenters

protected String evaluateCertificateNameDerivedPresenters(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                                          MessageContext messageContext)
                                                   throws SecurityPolicyException
Evaluate candidate presenter entity IDs which may be derived from the request credential's entity certificate according to the options supplied via CertificateNameOptions.

Configured certificate name types are derived as candidate presenter entity IDs and processed in the following order:

  1. The certificate subject DN string as serialized by the X500DNHandler obtained via CertificateNameOptions.getX500DNHandler() and using the output format indicated by CertificateNameOptions.getX500SubjectDNFormat().
  2. Subject alternative names of the types configured via CertificateNameOptions.getSubjectAltNames(). Note that this is a LinkedHashSet, so the order of evaluation is the order of insertion.
  3. The first common name (CN) value appearing in the certificate subject DN.

The first one of the above which is successfully evaluated by the trust engine using criteria built from BaseTrustEngineRule.buildCriteriaSet(String, MessageContext) will be returned.
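As an added example (not OpenSAML's own code) tying this candidate ordering to the three-step flow in the class description: a subclass that configures the name sources in the documented order, wires an explicit-certificate trust engine, and uses the evaluateDerivedPresenters extension point. FallbackPresenterClientCertAuthRule, its fallbackPresenters list and buildPolicy are hypothetical names; evaluate(token, entityID, messageContext) is assumed to be the inherited BaseTrustEngineRule helper that builds criteria through buildCriteriaSet and queries the trust engine.

```java
import java.util.List;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.provider.BasicSecurityPolicy;
import org.opensaml.ws.security.provider.CertificateNameOptions;
import org.opensaml.ws.security.provider.ClientCertAuthRule;
import org.opensaml.xml.security.credential.Credential;
import org.opensaml.xml.security.credential.StaticCredentialResolver;
import org.opensaml.xml.security.trust.ExplicitX509CertificateTrustEngine;
import org.opensaml.xml.security.x509.X500DNHandler;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.security.x509.X509Util;

/** ClientCertAuthRule with a custom step 3 (fixed fallback presenter IDs). Example code, not OpenSAML's. */
public class FallbackPresenterClientCertAuthRule extends ClientCertAuthRule {
    /** Hypothetical deployment setting: partner entity IDs to try when no certificate name validated. */
    private final List<String> fallbackPresenters;

    public FallbackPresenterClientCertAuthRule(ExplicitX509CertificateTrustEngine engine,
            CertificateNameOptions nameOptions, List<String> fallbackPresenters) {
        super(engine, nameOptions);
        this.fallbackPresenters = fallbackPresenters;
    }

    /** Step 3 extension point: reached only when getCertificatePresenterEntityID() was null and no subject DN,
     *  SAN or CN candidate validated. A returned ID marks the transport authenticated; null leaves it untouched. */
    @Override
    protected String evaluateDerivedPresenters(X509Credential requestCredential, MessageContext messageContext)
            throws SecurityPolicyException {
        for (String candidate : fallbackPresenters) {
            // Inherited BaseTrustEngineRule helper (assumed): builds criteria via buildCriteriaSet(), asks the engine.
            if (evaluate(requestCredential, candidate, messageContext)) {
                return candidate;
            }
        }
        return null;
    }

    /** Wires the rule into a policy; trustedPeerCredentials hold the partners' known X.509 certificates. */
    public static BasicSecurityPolicy buildPolicy(List<Credential> trustedPeerCredentials,
            List<String> fallbackPresenters) {
        // Explicit-certificate trust: the peer cert must match one resolved for the candidate entity ID.
        ExplicitX509CertificateTrustEngine engine =
                new ExplicitX509CertificateTrustEngine(new StaticCredentialResolver(trustedPeerCredentials));
        CertificateNameOptions nameOptions = new CertificateNameOptions();
        nameOptions.setEvaluateSubjectDN(true);                           // candidate 1: subject DN ...
        nameOptions.setX500SubjectDNFormat(X500DNHandler.FORMAT_RFC2253); // ... serialized per RFC 2253
        nameOptions.getSubjectAltNames().add(X509Util.URI_ALT_NAME);      // candidate 2: SANs, tried in
        nameOptions.getSubjectAltNames().add(X509Util.DNS_ALT_NAME);      //   this insertion order
        nameOptions.setEvaluateSubjectCommonName(true);                   // candidate 3: first CN value
        BasicSecurityPolicy policy = new BasicSecurityPolicy();
        policy.getPolicyRules().add(new FallbackPresenterClientCertAuthRule(engine, nameOptions, fallbackPresenters));
        return policy;
    }
}
```

Because the trust engine checks each candidate ID against the credentials resolved for that ID, a subject DN or SAN that merely looks like a partner's entity ID is not accepted unless the presented certificate itself is among that partner's known credentials.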

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a certificate presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectCommonName

protected String evaluateSubjectCommonName(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                           MessageContext messageContext)
                                    throws SecurityPolicyException
Evaluate the presenter entity ID as derived from the cert subject common name (CN). Only the first CN value from the subject DN is evaluated.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectDN

protected String evaluateSubjectDN(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                   MessageContext messageContext)
                            throws SecurityPolicyException
Evaluate the presenter entity ID as derived from the cert subject DN.

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

evaluateSubjectAltNames

protected String evaluateSubjectAltNames(org.opensaml.xml.security.x509.X509Credential requestCredential,
                                         MessageContext messageContext)
                                  throws SecurityPolicyException
Evaluate the presenter entity ID as derived from the cert subject alternative names specified by types enumerated in CertificateNameOptions.getSubjectAltNames().

Parameters:
requestCredential - the X509Credential derived from the request
messageContext - the message context being evaluated
Returns:
a presenter entity ID which was successfully evaluated by the trust engine
Throws:
SecurityPolicyException - thrown if there is an error during processing

getCommonName

protected String getCommonName(X509Certificate cert)
Get the first common name (CN) value from the subject DN of the specified certificate.

Parameters:
cert - the certificate being processed
Returns:
the first CN value, or null if there are none

getSubjectName

protected String getSubjectName(X509Certificate cert)
Get subject name from a certificate, using the currently configured X500DNHandler and subject DN output format.

Parameters:
cert - the certificate being processed
Returns:
the subject name

getAltNames

protected List<String> getAltNames(X509Certificate cert,
                                   Integer altNameType)
Get the list of subject alt name values from the certificate which are of the specified alt name type.

Parameters:
cert - the certificate from which to extract alt names
altNameType - the type of alt name to extract
Returns:
the list of certificate subject alt names


Copyright © 2006-2013 Internet2. All Rights Reserved.