org.opensciencegrid.authz.service
Class SAMLAuthZServiceBase

java.lang.Object
  extended by org.opensciencegrid.authz.service.SAMLAuthZServiceBase
All Implemented Interfaces:
java.rmi.Remote, SAMLRequestPortType
Direct Known Subclasses:
BasicMappingAuthZService

public abstract class SAMLAuthZServiceBase
extends java.lang.Object
implements SAMLRequestPortType

Common implementation for a SAML authorization service: parses the requests and performs the authorization through an abstract method, to be implemented by the concrete AuthZ service. Status: untested. TODO: retrieve the caller identity from the trust manager.

Author:
Markus Lorch, Gabriele Carcassi, John Weigand

Nested Class Summary
protected  class SAMLAuthZServiceBase.AuthzDecision
          This inner class is used as the return value of the authorize method.
protected  class SAMLAuthZServiceBase.FQAN
          The Fully Qualified Attribute Name (FQAN): the VOMS VO-membership/role attribute.
 
Constructor Summary
SAMLAuthZServiceBase()
           
 
Method Summary
protected abstract  SAMLAuthZServiceBase.AuthzDecision authorize(org.opensaml.SAMLSubject subject, java.lang.String resource, java.util.Iterator actions, java.util.Iterator evidence)
          Performs the authorization of the request.
protected  SAMLAuthZServiceBase.FQAN findFQANinSubjectEvidence(java.util.Iterator evidenceIterator, org.opensaml.SAMLSubject querySubject)
          Searches the Evidence elements for FQAN attributes.
protected  java.lang.String getFQAN(org.opensaml.SAMLAttributeStatement stmt)
          Checks whether a specific SAMLAttributeStatement holds a FQAN and returns that FQAN attribute as a string; returns null if no FQAN (string) attribute could be located.
protected  java.util.ArrayList locatePermissibleActions(java.util.Iterator requestedActions, java.util.ArrayList permissibleActionsList)
          Returns the subset of the requestedActions that are present in the permissibleActionsList parameter.
 SAMLResponseType SAMLRequest(SAMLRequestType samlRequestType)
          Main function: receives a SAMLRequest and responds with a SAMLResponse.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

SAMLAuthZServiceBase

public SAMLAuthZServiceBase()
Method Detail

authorize

protected abstract SAMLAuthZServiceBase.AuthzDecision authorize(org.opensaml.SAMLSubject subject,
                                                                java.lang.String resource,
                                                                java.util.Iterator actions,
                                                                java.util.Iterator evidence)
                                                         throws org.opensaml.SAMLException
Performs the authorization of the request. The abstract authorize method must be implemented by a concrete subclass that implements an authorization service. At a minimum the implementation should:
- evaluate subject, resource and requested actions
- return SAMLDecision.DENY, SAMLDecision.PERMIT, or SAMLDecision.INDETERMINATE if a decision could not be reached (e.g. the service is not authoritative for the resource)
- set the member variable responseIssuer
- set the member variable responseActions (the authorized actions if Decision=Permit, otherwise a copy of the requested actions)
In addition it may:
- evaluate presented subject evidence (e.g. VOMS FQAN, other privilege attributes, or the certificate chain)
- create XACMLObligation objects and add them to the responseObligations member variable

Throws:
org.opensaml.SAMLException

SAMLRequest

public SAMLResponseType SAMLRequest(SAMLRequestType samlRequestType)
                             throws java.rmi.RemoteException
Main function: receives a SAMLRequest and responds with a SAMLResponse.
1. parse the request; can the request be serviced by this code?
2. parse the authorization query
3. call the authorize method implementation of the concrete subclass, which returns a decision object
4. verify and process the authorization response from the authorize method
5. create and return the SAML response: if obligations were provided, return an ObligatedAuthorizationDecisionStatement, else return a standard AuthorizationDecisionStatement with the appropriate decision

Specified by:
SAMLRequest in interface SAMLRequestPortType
Throws:
java.rmi.RemoteException
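As an added illustration (not code from this page or the siteAAA project), a minimal concrete subclass that follows the authorize contract above and is the implementation SAMLRequest calls in step 3: it answers INDETERMINATE when not authoritative for the resource, DENY when the evidence carries no suitable FQAN for the query subject, and otherwise PERMIT with responseActions narrowed to the intersection of requested and permissible actions. Assumed, because the page does not show them: AuthzDecision has a constructor taking the SAMLDecision string, responseIssuer is a String field, responseActions an ArrayList field, FQAN.toString() yields the VOMS attribute string, and the resource, group and action values are constructed.

```java
package org.opensciencegrid.authz.service;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import org.opensaml.SAMLDecision;
import org.opensaml.SAMLException;
import org.opensaml.SAMLSubject;

// Illustrative subclass; field types, the AuthzDecision constructor and FQAN.toString()
// are assumptions about SAMLAuthZServiceBase, not confirmed by its Javadoc.
public class ExampleAuthZService extends SAMLAuthZServiceBase {

    // Constructed values: the one resource this service is authoritative for,
    // the actions it is allowed to grant, and the VOMS group that is required.
    private static final String MANAGED_RESOURCE = "urn:example:resource:storage";
    private static final ArrayList PERMISSIBLE =
            new ArrayList(Arrays.asList(new String[] {"read", "list"}));
    private static final String REQUIRED_GROUP = "/examplevo/analysis";

    protected AuthzDecision authorize(SAMLSubject subject, String resource,
                                      Iterator actions, Iterator evidence)
            throws SAMLException {
        responseIssuer = "ExampleAuthZService";      // contract: always set the issuer

        // Copy the requested actions first: on DENY/INDETERMINATE the contract
        // requires responseActions to be a copy of what was requested.
        ArrayList requested = new ArrayList();
        while (actions.hasNext()) requested.add(actions.next());
        responseActions = requested;

        // 1. Not authoritative for this resource: say so instead of guessing.
        if (!MANAGED_RESOURCE.equals(resource)) {
            return new AuthzDecision(SAMLDecision.INDETERMINATE);
        }
        // 2. Evidence must hold a FQAN for the query subject in the required group.
        FQAN fqan = findFQANinSubjectEvidence(evidence, subject);
        if (fqan == null || !fqan.toString().startsWith(REQUIRED_GROUP)) {
            return new AuthzDecision(SAMLDecision.DENY);
        }
        // 3. Least privilege: grant only the requested actions that are permissible.
        ArrayList granted = locatePermissibleActions(requested.iterator(), PERMISSIBLE);
        if (granted.isEmpty()) {
            return new AuthzDecision(SAMLDecision.DENY);
        }
        responseActions = granted;                   // only the authorized subset is returned
        return new AuthzDecision(SAMLDecision.PERMIT);
    }
}
```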

getFQAN

protected java.lang.String getFQAN(org.opensaml.SAMLAttributeStatement stmt)
                            throws org.opensaml.SAMLException
Checks whether a specific SAMLAttributeStatement holds a FQAN and returns that FQAN attribute as a string; returns null if no FQAN (string) attribute could be located.

Throws:
org.opensaml.SAMLException

findFQANinSubjectEvidence

protected SAMLAuthZServiceBase.FQAN findFQANinSubjectEvidence(java.util.Iterator evidenceIterator,
                                                              org.opensaml.SAMLSubject querySubject)
                                                       throws org.opensaml.SAMLException
Searches the Evidence elements for FQAN attributes. Returns the first FQAN found that matches the querySubject. These are what GUMS needs to perform the authorization and determine the username.

Throws:
org.opensaml.SAMLException

locatePermissibleActions

protected java.util.ArrayList locatePermissibleActions(java.util.Iterator requestedActions,
                                                       java.util.ArrayList permissibleActionsList)
Returns the subset of the requestedActions that are present in the permissibleActionsList parameter.



Copyright © 2004-2005 BNL siteAAA. All Rights Reserved.