public class SignatureValidationFilter extends Object implements MetadataFilter
Constructor and Description |
---|
SignatureValidationFilter(SignatureTrustEngine engine)
Constructor.
|
SignatureValidationFilter(SignatureTrustEngine engine,
Validator<Signature> signatureValidator)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
protected CriteriaSet |
buildCriteriaSet(SignableXMLObject signedMetadata,
String metadataEntryName,
boolean isEntityGroup)
Build the criteria set which will be used as input to the configured trust engine.
|
void |
doFilter(XMLObject metadata)
Filters the given metadata, perhaps to remove elements that are not wanted.
|
CriteriaSet |
getDefaultCriteria()
Get the set of default criteria used as input to the trust engine.
|
boolean |
getRequireSignature()
Gets whether incoming metadata's root element is required to be signed.
|
protected String |
getRoleIDToken(String entityID,
RoleDescriptor role)
Get a string token for logging/debugging purposes that contains role information and containing entityID.
|
Validator<Signature> |
getSignaturePrevalidator()
Get the validator used to perform pre-validation on Signature tokens.
|
SignatureTrustEngine |
getSignatureTrustEngine()
Gets the trust engine used to validate signatures on incoming metadata.
|
protected void |
performPreValidation(Signature signature,
String metadataEntryName)
Perform pre-validation on the Signature token.
|
protected void |
processEntityDescriptor(EntityDescriptor entityDescriptor)
Process the signatures on the specified EntityDescriptor and any signed children.
|
protected void |
processEntityGroup(EntitiesDescriptor entitiesDescriptor)
Process the signatures on the specified EntitiesDescriptor and any signed children.
|
void |
setDefaultCriteria(CriteriaSet newCriteria)
Set the set of default criteria used as input to the trust engine.
|
void |
setRequireSignature(boolean require)
Sets whether incoming metadata's root element is required to be signed.
|
protected void |
verifySignature(SignableXMLObject signedMetadata,
String metadataEntryName,
boolean isEntityGroup)
Evaluate the signature on the signed metadata instance.
|
public SignatureValidationFilter(SignatureTrustEngine engine)
engine
- the trust engine used to validate signatures on incoming metadata.public SignatureValidationFilter(SignatureTrustEngine engine, Validator<Signature> signatureValidator)
engine
- the trust engine used to validate signatures on incoming metadata.signatureValidator
- optional pre-validator used to validate Signature elements prior to the actual
cryptographic validation operationpublic SignatureTrustEngine getSignatureTrustEngine()
public Validator<Signature> getSignaturePrevalidator()
public boolean getRequireSignature()
public void setRequireSignature(boolean require)
require
- whether incoming metadata is required to be signedpublic CriteriaSet getDefaultCriteria()
public void setDefaultCriteria(CriteriaSet newCriteria)
newCriteria
- the new criteria set to usepublic void doFilter(XMLObject metadata) throws FilterException
doFilter
in interface MetadataFilter
metadata
- the metadata to be filtered.FilterException
- thrown if an error occurs during the filtering processprotected void processEntityDescriptor(EntityDescriptor entityDescriptor) throws FilterException
entityDescriptor
- the EntityDescriptor to be processedFilterException
- thrown if an error occurs during the signature verification process
on the root EntityDescriptor specifiedprotected void processEntityGroup(EntitiesDescriptor entitiesDescriptor) throws FilterException
entitiesDescriptor
- the EntitiesDescriptor to be processedFilterException
- thrown if an error occurs during the signature verification process
on the root EntitiesDescriptor specifiedprotected void verifySignature(SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup) throws FilterException
signedMetadata
- the metadata object whose signature is to be verifiedmetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building a criteria set).isEntityGroup
- flag indicating whether the signed object is a metadata group (EntitiesDescriptor),
primarily useful for constructing a criteria set for the trust engineFilterException
- thrown if the metadata entry's signature can not be established as trusted,
or if an error occurs during the signature verification processprotected void performPreValidation(Signature signature, String metadataEntryName) throws FilterException
signature
- the signature to evaluatemetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building a criteria set).FilterException
- thrown if the signature element fails pre-validationprotected CriteriaSet buildCriteriaSet(SignableXMLObject signedMetadata, String metadataEntryName, boolean isEntityGroup)
signedMetadata
- the metadata element whose signature is being verifiedmetadataEntryName
- the EntityDescriptor entityID, EntitiesDescriptor Name,
AffiliationDescriptor affiliationOwnerID,
or RoleDescriptor getRoleIDToken(String, RoleDescriptor)
corresponding to the element whose signature is being evaluated.
This is used exclusively for logging/debugging purposes and
should not be used operationally (e.g. for building the criteria set).isEntityGroup
- flag indicating whether the signed object is a metadata group (EntitiesDescriptor)protected String getRoleIDToken(String entityID, RoleDescriptor role)
entityID
- the containing entityIDrole
- the role descriptorCopyright © 2018 JBoss by Red Hat. All rights reserved.