Class AssertionPayloadParser
- java.lang.Object
  - org.certificateservices.messages.csmessages.BasePayloadParser
    - org.certificateservices.messages.assertion.AssertionPayloadParser
- All Implemented Interfaces:
  PayloadParser

public class AssertionPayloadParser extends BasePayloadParser

Assertion Payload Parser used to parse and generate Assertion Tickets such as:
- Distributed Authorization Ticket
- User Data Ticket
- Approval Ticket
Uses SAML Core 2.0 and SAMLP 2.0 as underlying message structures.
Nested Class Summary
- static class AssertionPayloadParser.AssertionLSResourceResolver
-
Field Summary
- static java.lang.String ALL_DEPARTMENTS_ATTRIBUTE_VALUE
- static java.lang.String ANY_DESTINATION
- static java.lang.String ATTRIBUTE_NAME_APPROVALID
- static java.lang.String ATTRIBUTE_NAME_APPROVEDREQUESTS
- static java.lang.String ATTRIBUTE_NAME_APPROVERS
- static java.lang.String ATTRIBUTE_NAME_DEPARTMENTS
- static java.lang.String ATTRIBUTE_NAME_DESTINATIONID
- static java.lang.String ATTRIBUTE_NAME_DISPLAYNAME
- static java.lang.String ATTRIBUTE_NAME_ROLES
- static java.lang.String ATTRIBUTE_NAME_TOKENTYPE
- static java.lang.String ATTRIBUTE_NAME_TYPE
- static java.lang.String ATTRIBUTE_NAME_USERDATA
- static java.lang.String NAMESPACE
- static java.lang.String SAMLP_NAMESPACE
Fields inherited from class org.certificateservices.messages.csmessages.BasePayloadParser
config, csMessageObjectFactory, customCSMessageParser, payloadVersion, secProv
-
-
Constructor Summary
- AssertionPayloadParser()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description byte[]genApprovalTicket(java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.lang.String approvalId, java.util.List<java.lang.String> approvalRequests, java.lang.String destinationId, java.util.List<Approver> approvers, java.util.List<java.security.cert.X509Certificate> receipients)Method to generate a Approval Ticket with an signed assertion containing the approval id and related Approval Requestsbyte[]genDistributedAuthorizationRequest(java.lang.String subjectId)Method to generate a Role Attribute Query message (Distributed Authorization Request) for given subject.byte[]genDistributedAuthorizationTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.util.List<java.lang.String> roles, java.util.List<java.lang.String> departments, java.util.List<java.security.cert.X509Certificate> receipients)Method to generate a Distributed Authorization Ticket with an signed assertion containing the subjects Roles encrypted enveloped into a successful SAMLP Response.byte[]genDistributedAuthorizationTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.util.List<java.lang.String> roles, java.util.List<java.security.cert.X509Certificate> receipients)byte[]genFailureMessage(java.lang.String inResponseTo, ResponseStatusCodes statusCode, java.lang.String failureMessage)Method to generate a failure message to a attribute query message.byte[]genUserDataRequest(java.lang.String subjectId, java.lang.String tokenType)Method to generate a User Data Attribute Query message (User Data Request) for given subject.byte[]genUserDataTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String 
subjectId, java.lang.String displayName, java.lang.String tokenType, java.util.List<FieldValue> fieldValues, java.util.List<java.security.cert.X509Certificate> receipients)Method to generate a User Data Ticket with an signed assertion containing the token request data encrypted enveloped into a successful SAMLP Response.javax.xml.bind.JAXBElement<AssertionType>getAssertionFromResponseType(ResponseType responseType)Help method to extract a Assertion to be included in a CSMessasge from a response typejava.util.List<javax.xml.bind.JAXBElement<AssertionType>>getAssertionsFromCSMessage(CSMessage csmessage)Method to return a list of valid assertions from CSMessage.java.security.cert.X509CertificategetCertificateFromAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion)Help method to get the first signing certificate from a digital signature.protected java.lang.StringgetDefaultPayloadVersion()java.lang.StringgetJAXBPackage()Method that returns the JAXBPackage Name for the package name containing the JAXB classes.java.lang.StringgetNameSpace()java.io.InputStreamgetSchemaAsInputStream(java.lang.String payLoadVersion)Method that should return the location of the schema for a given payLoadVersion, it should be accessable as a class resource using getClass().getResourceAsStream()protected java.lang.String[]getSupportedVersions()AssertionTypeEnumgetTypeOfAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion)Help method to get type of assertion from AssertionType saml attribute.voidinit(java.util.Properties config, MessageSecurityProvider secProv)Default initializer setting the parser and config properties.AssertionDataparseAndDecryptAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion)Method to parse and decrypt an assertion of any type.javax.xml.bind.JAXBElement<AssertionType>parseApprovalTicket(byte[] response)Method to parse and verify approval 
ticketjava.util.List<AssertionData>parseAssertions(java.util.List<javax.xml.bind.JAXBElement<AssertionType>> assertions)Method to parse (but not decrypt encrypted attributes) an assertion, usually used by clients of approval tickets, where the approvers data cannot be read since it's probably only intended for more sensitive systems.AttributeQueryDataparseAttributeQuery(byte[] attributeQuery)Method to parse an attribute query into a more manageable data structure.ResponseTypeparseAttributeQueryResponse(byte[] response)Method to parse a response of a attribute query.voidschemaValidateAssertion(java.lang.Object assertion)Method to validate a JAXB Object against Assertion Schema.-
Methods inherited from class org.certificateservices.messages.csmessages.BasePayloadParser
generateGetApprovalRequest, generateIsApprovedRequest, getAssertions, getCSMessageParser, getPayload, getPayloadVersion, getRelatedSchemas, getResponseStatus, init, isPayloadVersionSupported, parseMessage, parseMessage, parseMessage, setPayloadVersion
Field Detail
-
NAMESPACE
public static java.lang.String NAMESPACE
-
SAMLP_NAMESPACE
public static java.lang.String SAMLP_NAMESPACE
-
ANY_DESTINATION
public static java.lang.String ANY_DESTINATION
-
ATTRIBUTE_NAME_TYPE
public static final java.lang.String ATTRIBUTE_NAME_TYPE
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_DISPLAYNAME
public static final java.lang.String ATTRIBUTE_NAME_DISPLAYNAME
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_ROLES
public static final java.lang.String ATTRIBUTE_NAME_ROLES
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_DEPARTMENTS
public static final java.lang.String ATTRIBUTE_NAME_DEPARTMENTS
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_USERDATA
public static final java.lang.String ATTRIBUTE_NAME_USERDATA
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_TOKENTYPE
public static final java.lang.String ATTRIBUTE_NAME_TOKENTYPE
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_DESTINATIONID
public static final java.lang.String ATTRIBUTE_NAME_DESTINATIONID
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_APPROVALID
public static final java.lang.String ATTRIBUTE_NAME_APPROVALID
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_APPROVEDREQUESTS
public static final java.lang.String ATTRIBUTE_NAME_APPROVEDREQUESTS
- See Also:
- Constant Field Values
-
ATTRIBUTE_NAME_APPROVERS
public static final java.lang.String ATTRIBUTE_NAME_APPROVERS
- See Also:
- Constant Field Values
-
ALL_DEPARTMENTS_ATTRIBUTE_VALUE
public static final java.lang.String ALL_DEPARTMENTS_ATTRIBUTE_VALUE
- See Also:
- Constant Field Values
-
-
Method Detail
-
init
public void init(java.util.Properties config, MessageSecurityProvider secProv) throws MessageProcessingException
Description copied from class: BasePayloadParser
Default initializer setting the parser and config properties.
- Specified by:
  init in interface PayloadParser
- Overrides:
  init in class BasePayloadParser
- Parameters:
  config - the configuration of the parser.
  secProv - the related message security provider.
- Throws:
  MessageProcessingException - if the configuration contained a bad configuration of the security provider.
- See Also:
  PayloadParser.init(java.util.Properties, MessageSecurityProvider)
-
getNameSpace
public java.lang.String getNameSpace()
- Returns:
  the related payload element's unique namespace.
- See Also:
  PayloadParser.getNameSpace()
-
getJAXBPackage
public java.lang.String getJAXBPackage()
Description copied from interface: PayloadParser
Method that returns the JAXB package name for the package containing the JAXB classes. For multiple package names, separate them with ':' without spaces.
- See Also:
  PayloadParser.getJAXBPackage()
-
getSchemaAsInputStream
public java.io.InputStream getSchemaAsInputStream(java.lang.String payLoadVersion) throws MessageContentException, MessageProcessingException
Description copied from interface: PayloadParser
Method that should return the location of the schema for a given payLoadVersion; it should be accessible as a class resource using getClass().getResourceAsStream().
- Throws:
  MessageContentException - if the given version isn't supported.
  MessageProcessingException - if problems occurred setting up the stream.
- See Also:
  PayloadParser.getSchemaAsInputStream(java.lang.String)
-
getSupportedVersions
protected java.lang.String[] getSupportedVersions()
- Specified by:
  getSupportedVersions in class BasePayloadParser
- Returns:
  an array of the payload version numbers supported by this parser.
-
getDefaultPayloadVersion
protected java.lang.String getDefaultPayloadVersion()
- Specified by:
  getDefaultPayloadVersion in class BasePayloadParser
- Returns:
  the payload version used by default when generating request messages.
-
schemaValidateAssertion
public void schemaValidateAssertion(java.lang.Object assertion) throws MessageContentException
Method to validate a JAXB Object against the Assertion Schema.
- Throws:
  MessageContentException
-
genDistributedAuthorizationRequest
public byte[] genDistributedAuthorizationRequest(java.lang.String subjectId) throws MessageContentException, MessageProcessingException
Method to generate a Role Attribute Query message (Distributed Authorization Request) for the given subject. This method generates an unsigned SAMLP Attribute Query Message.
- Parameters:
  subjectId - the unique id of the user to look up; could be a UPN or SAM account name depending on the implementation.
- Returns:
  a generated SAMLP Attribute Query Message.
- Throws:
  MessageContentException - if the given parameters were invalid.
  MessageProcessingException - if an internal error occurred generating the message.
-
genUserDataRequest
public byte[] genUserDataRequest(java.lang.String subjectId, java.lang.String tokenType) throws MessageContentException, MessageProcessingException
Method to generate a User Data Attribute Query message (User Data Request) for the given subject. This method generates an unsigned SAMLP Attribute Query Message.
- Parameters:
  subjectId - the unique id of the user to look up; could be a UPN or SAM account name depending on the implementation.
  tokenType - token type of the related user data (optional).
- Returns:
  a generated SAMLP Attribute Query Message.
- Throws:
  MessageContentException - if the given parameters were invalid.
  MessageProcessingException - if an internal error occurred generating the message.
-
genDistributedAuthorizationTicket
public byte[] genDistributedAuthorizationTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.util.List<java.lang.String> roles, java.util.List<java.security.cert.X509Certificate> receipients) throws MessageContentException, MessageProcessingException
-
genDistributedAuthorizationTicket
public byte[] genDistributedAuthorizationTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.util.List<java.lang.String> roles, java.util.List<java.lang.String> departments, java.util.List<java.security.cert.X509Certificate> receipients) throws MessageContentException, MessageProcessingException
Method to generate a Distributed Authorization Ticket with a signed assertion containing the subject's roles, encrypted and enveloped in a successful SAMLP Response.
- Parameters:
  inResponseTo - the ID of the attribute query request.
  issuer - the issuer of the assertion.
  notBefore - beginning of the validity of the ticket.
  notOnOrAfter - end of the validity of the ticket.
  subjectId - the subject id string having the roles.
  roles - a list of roles the user has.
  departments - a list of departments the user belongs to; null for no departments attribute.
  receipients - list of certificates the roles will be encrypted for.
- Returns:
  a generated and signed SAMLP message.
- Throws:
  MessageContentException - if parameters were invalid.
  MessageProcessingException - if internal problems occurred generating the message.
-
genUserDataTicket
public byte[] genUserDataTicket(java.lang.String inResponseTo, java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.lang.String displayName, java.lang.String tokenType, java.util.List<FieldValue> fieldValues, java.util.List<java.security.cert.X509Certificate> receipients) throws MessageContentException, MessageProcessingException
Method to generate a User Data Ticket with a signed assertion containing the token request data, encrypted and enveloped in a successful SAMLP Response.
- Parameters:
  inResponseTo - the ID of the attribute query request.
  issuer - the issuer of the assertion.
  notBefore - beginning of the validity of the ticket.
  notOnOrAfter - end of the validity of the ticket.
  subjectId - the subject id string having the roles.
  tokenType - the related token type associated with the user data. Unencrypted (optional; use null not to set this attribute).
  displayName - unencrypted display name of the related user (optional; use null not to set this attribute).
  fieldValues - list of field values that will be encrypted as the UserData attribute.
  receipients - list of certificates the roles will be encrypted for.
- Returns:
  a generated and signed SAMLP message.
- Throws:
  MessageContentException - if parameters were invalid.
  MessageProcessingException - if internal problems occurred generating the message.
-
genApprovalTicket
public byte[] genApprovalTicket(java.lang.String issuer, java.util.Date notBefore, java.util.Date notOnOrAfter, java.lang.String subjectId, java.lang.String approvalId, java.util.List<java.lang.String> approvalRequests, java.lang.String destinationId, java.util.List<Approver> approvers, java.util.List<java.security.cert.X509Certificate> receipients) throws MessageContentException, MessageProcessingException
Method to generate an Approval Ticket with a signed assertion containing the approval id and the related Approval Requests.
- Parameters:
  issuer - the issuer of the assertion.
  notBefore - beginning of the validity of the ticket.
  notOnOrAfter - end of the validity of the ticket.
  subjectId - the subject id string having the approval.
  approvalId - the request's unique approval id.
  approvalRequests - containing one or more AttributeValue with the digest values of the calculated request actions. It is up to the approval workflow engine to determine how the digest is calculated from an approval request and how to verify that a subsequent request matches the given approval.
  destinationId - the id of the target system processing the ticket; null for ANY destination.
  approvers - if encrypted approver data should be included; used to send information about an approval to more sensitive inner systems for audit purposes.
  receipients - recipients of the encrypted approvers data; null if approvers is null.
- Returns:
  a generated and signed SAMLP message.
- Throws:
  MessageContentException - if parameters were invalid.
  MessageProcessingException - if internal problems occurred generating the message.
-
genFailureMessage
public byte[] genFailureMessage(java.lang.String inResponseTo, ResponseStatusCodes statusCode, java.lang.String failureMessage) throws MessageContentException, MessageProcessingException
Method to generate a failure message in reply to an attribute query message.
- Parameters:
  inResponseTo - the ID of the attribute query.
  statusCode - the failure code to respond with.
  failureMessage - a descriptive failure message; may be null.
- Returns:
  a SAMLP failure message.
- Throws:
  MessageContentException - if parameters were invalid.
  MessageProcessingException - if internal problems occurred generating the message.
-
parseAttributeQueryResponse
public ResponseType parseAttributeQueryResponse(byte[] response) throws MessageContentException, MessageProcessingException
Method to parse a response to an attribute query. Important: this method does not verify the signature of any included assertions; it only parses the message.
- Parameters:
  response - the attribute query response.
- Returns:
  a parsed attribute query response.
- Throws:
  MessageContentException - if the response message data was invalid.
  MessageProcessingException - if internal problems occurred parsing the message.
-
parseApprovalTicket
public javax.xml.bind.JAXBElement<AssertionType> parseApprovalTicket(byte[] response) throws MessageContentException, MessageProcessingException
Method to parse and verify an approval ticket. This method does the following checks:
- Verifies the signature of the assertion
- Validates the XML data against the XSD
- Checks that the notBefore and notOnOrAfter dates are valid.
Important: this method does not check whether the signing certificate is trusted to generate tickets; that has to be done manually. To get the signing certificate, use the getAssertionSigner() help method.
- Parameters:
  response - the attribute query response.
- Returns:
  a parsed attribute query response.
- Throws:
  MessageContentException - if the response message data was invalid.
  MessageProcessingException - if internal problems occurred parsing the message.
-
getCertificateFromAssertion
public java.security.cert.X509Certificate getCertificateFromAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion) throws MessageContentException, MessageProcessingException
Help method to get the first signing certificate from a digital signature.
- Parameters:
  assertion - the assertion to extract the certificate from.
- Returns:
  the first certificate found in the assertion.
- Throws:
  MessageContentException - if the response message data was invalid.
  MessageProcessingException - if internal problems occurred processing the message.
-
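The Javadoc for parseApprovalTicket above states that signature, schema and validity dates are checked, but not whether the signer is trusted to issue tickets. The following is an added example (not code from the library or its authors) of how a consuming system can close that gap: it parses the ticket, pulls the signing certificate with getCertificateFromAssertion, and accepts the ticket only if that certificate is one of a pinned set of ticket issuers. The package names of AssertionType, MessageContentException and MessageProcessingException are assumed, since the page lists them unqualified; everything else uses only methods documented on this page and the Java standard library.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.xml.bind.JAXBElement;

import org.certificateservices.messages.assertion.AssertionPayloadParser;
// ASSUMED: AssertionType, MessageContentException and MessageProcessingException are
// importable from the same library; the page does not show their packages.

/**
 * Added example: verifies an approval ticket and then checks that its signer is a
 * configured ticket issuer, which parseApprovalTicket does not do by itself.
 */
public class ApprovalTicketVerifier {

    private final AssertionPayloadParser parser;
    // Pinned certificates of the systems allowed to issue approval tickets. This is
    // deliberately separate from any general-purpose trust store: a valid signature
    // from an unrelated certificate must not be enough to approve an action.
    private final Set<X509Certificate> ticketIssuers;

    public ApprovalTicketVerifier(AssertionPayloadParser parser, Set<X509Certificate> ticketIssuers) {
        this.parser = parser;
        this.ticketIssuers = Collections.unmodifiableSet(ticketIssuers);
    }

    /**
     * Returns the assertion only if the library's checks (signature, schema, validity
     * window) pass AND the signing certificate is one of the pinned ticket issuers.
     * Every failure is an exception, so a caller cannot act on a half-verified ticket.
     */
    public JAXBElement<AssertionType> verify(byte[] ticket)
            throws MessageContentException, MessageProcessingException, CertificateException {
        // Signature over the assertion, XSD validation and notBefore/notOnOrAfter.
        JAXBElement<AssertionType> assertion = parser.parseApprovalTicket(ticket);

        // First signing certificate carried in the assertion's ds:Signature.
        X509Certificate signer = parser.getCertificateFromAssertion(assertion);

        // X509Certificate.equals() compares DER encodings, so this is an exact pin.
        if (!ticketIssuers.contains(signer)) {
            throw new CertificateException("approval ticket signed by "
                    + signer.getSubjectX500Principal()
                    + ", which is not a configured ticket issuer");
        }

        // The ticket's own validity window was checked by parseApprovalTicket; the
        // signer certificate's validity period is a separate check.
        signer.checkValidity();
        return assertion;
    }
}
```

Pinning by certificate equality is the simplest policy and suits a small, fixed set of issuing systems. If ticket issuers are instead certified by an internal CA, replace the contains() check with java.security.cert.CertPathValidator over the full chain; note that getCertificateFromAssertion returns only the first certificate, so any intermediates must come from elsewhere.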
getAssertionFromResponseType
public javax.xml.bind.JAXBElement<AssertionType> getAssertionFromResponseType(ResponseType responseType)
Help method to extract an Assertion, to be included in a CSMessage, from a response type.
- Parameters:
  responseType - the response type to extract from; never null.
- Returns:
  the first assertion type, or null if no assertion was found.
-
getAssertionsFromCSMessage
public java.util.List<javax.xml.bind.JAXBElement<AssertionType>> getAssertionsFromCSMessage(CSMessage csmessage) throws MessageProcessingException, MessageContentException
Method to return a list of valid assertions from a CSMessage (expired assertions are filtered out).
- Parameters:
  csmessage - the message to fetch assertions from.
- Returns:
  a list of valid assertions; never null.
- Throws:
  MessageProcessingException
  MessageContentException
-
getTypeOfAssertion
public AssertionTypeEnum getTypeOfAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion) throws MessageContentException
Help method to get the type of an assertion from the AssertionType SAML attribute.
- Parameters:
  assertion - the assertion to look up the type for.
- Returns:
  the assertion type.
- Throws:
  MessageContentException - if no assertion type could be found.
-
parseAttributeQuery
public AttributeQueryData parseAttributeQuery(byte[] attributeQuery) throws MessageContentException, MessageProcessingException
Method to parse an attribute query into a more manageable data structure.
- Parameters:
  attributeQuery - the attribute query to parse.
- Returns:
  a parsed AttributeQueryData structure.
- Throws:
  MessageContentException - if illegal message content was found.
  MessageProcessingException - if internal problems occurred processing the message.
-
parseAssertions
public java.util.List<AssertionData> parseAssertions(java.util.List<javax.xml.bind.JAXBElement<AssertionType>> assertions) throws MessageContentException, MessageProcessingException
Method to parse assertions without decrypting encrypted attributes. Usually used by clients of approval tickets, where the approvers data cannot be read since it is probably only intended for more sensitive systems. This method is intended to be used by clients, not by server systems.
- Parameters:
  assertions - a list of assertions to parse; UserData and Authorization assertions are skipped and not included.
- Returns:
  the parsed assertions. Not all types of assertion can be parsed without decryption, such as authorization and user data tickets.
- Throws:
  MessageContentException - if the content of the message was invalid.
  MessageProcessingException - if internal problems occurred parsing the assertions.
-
parseAndDecryptAssertion
public AssertionData parseAndDecryptAssertion(javax.xml.bind.JAXBElement<AssertionType> assertion) throws MessageContentException, MessageProcessingException, NoDecryptionKeyFoundException
Method to parse and decrypt an assertion of any type.
- Parameters:
  assertion - the assertion to decrypt and parse.
- Returns:
  an AssertionData implementation matching the type of the assertion.
- Throws:
  MessageContentException - if the content of the message was invalid.
  MessageProcessingException - if internal problems occurred parsing the assertion.
  NoDecryptionKeyFoundException - if no key could be found to decrypt the assertion.
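The request, ticket, failure and parse methods documented above fit together as one exchange: the requesting system sends an unsigned attribute query, the authorization service answers with a signed and encrypted ticket or a SAMLP failure message, and the requester unpacks the result with parseAttributeQueryResponse, getAssertionFromResponseType and parseAndDecryptAssertion. The following added example (not code from the library or its authors) shows both sides of that exchange for the Distributed Authorization (role) case. Assumptions: the accessors getId() and getSubjectId() on AttributeQueryData, which the page does not list; the packages of AttributeQueryData, AssertionData, ResponseStatusCodes, ResponseType, AssertionType and the three exceptions; and a constructed in-memory map standing in for the real role source. The failure status code is passed in by the caller because the page does not list the ResponseStatusCodes constants.

```java
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Map;
import javax.xml.bind.JAXBElement;

import org.certificateservices.messages.assertion.AssertionPayloadParser;
// ASSUMED: AttributeQueryData, AssertionData, ResponseStatusCodes, ResponseType,
// AssertionType, MessageContentException, MessageProcessingException and
// NoDecryptionKeyFoundException are importable from the same library; the page
// lists them unqualified and does not show their packages.

/** Added example: one round of the Distributed Authorization exchange. */
public class RoleQueryExchange {

    /** Requesting system: build the unsigned SAMLP Attribute Query for one subject. */
    public static byte[] buildRequest(AssertionPayloadParser parser, String subjectId)
            throws MessageContentException, MessageProcessingException {
        return parser.genDistributedAuthorizationRequest(subjectId);
    }

    /**
     * Authorization service: answer a query with a signed Distributed Authorization
     * Ticket whose roles are encrypted for the recipients, or with a SAMLP failure.
     *
     * @param roleDirectory constructed stand-in for the role source: subject id to roles
     * @param recipients    certificates the roles are encrypted for (the requesting system)
     * @param notFoundCode  ResponseStatusCodes value used for an unknown subject
     * @param ttlMillis     lifetime of the issued ticket
     */
    public static byte[] answerRequest(AssertionPayloadParser parser, byte[] queryBytes,
                                       String issuer, Map<String, List<String>> roleDirectory,
                                       List<X509Certificate> recipients,
                                       ResponseStatusCodes notFoundCode, long ttlMillis)
            throws MessageContentException, MessageProcessingException {
        // A malformed query fails here with MessageContentException, before any lookup.
        AttributeQueryData query = parser.parseAttributeQuery(queryBytes);

        // ASSUMED accessors: the page does not list AttributeQueryData's methods.
        String inResponseTo = query.getId();        // query ID, echoed back as inResponseTo
        String subjectId = query.getSubjectId();

        List<String> roles = roleDirectory.get(subjectId);
        if (roles == null) {
            // Same wording for every miss, so the reply does not reveal which subjects exist.
            return parser.genFailureMessage(inResponseTo, notFoundCode, "subject not found");
        }

        // Short-lived ticket: the validity window starts now and ends after ttlMillis.
        Date notBefore = new Date();
        Date notOnOrAfter = new Date(notBefore.getTime() + ttlMillis);

        // departments == null: no departments attribute is added (per the Javadoc above).
        return parser.genDistributedAuthorizationTicket(inResponseTo, issuer, notBefore,
                notOnOrAfter, subjectId, roles, null, recipients);
    }

    /**
     * Requesting system: unpack the reply. parseAttributeQueryResponse only parses and
     * verifies no signature, so before the returned roles are used the signing
     * certificate (getCertificateFromAssertion) must be checked against the configured
     * ticket issuers, just as the Javadoc requires for approval tickets.
     */
    public static AssertionData readTicket(AssertionPayloadParser parser, byte[] responseBytes)
            throws MessageContentException, MessageProcessingException, NoDecryptionKeyFoundException {
        ResponseType response = parser.parseAttributeQueryResponse(responseBytes);
        JAXBElement<AssertionType> assertion = parser.getAssertionFromResponseType(response);
        if (assertion == null) {
            // A failure message carries no assertion: treat the lookup as denied.
            throw new IllegalStateException("response contains no assertion (failure message?)");
        }
        // Decryption needs this system's private key to be available through the
        // MessageSecurityProvider given to parser.init(); otherwise
        // NoDecryptionKeyFoundException is thrown.
        return parser.parseAndDecryptAssertion(assertion);
    }
}
```

The parser on each side must have been initialised with init(config, secProv): the service's provider supplies the signing key for the ticket, and the requester's provider supplies the private key matching one of the recipient certificates, which is what makes parseAndDecryptAssertion succeed.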