Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

The HTTP data connector generates multiple attributes resulting from calling a web service. The connector itself is primarily just a framework for constructing a request to issue using the Apache HttpClient library and processing a response. There is no attempt to standardize a web service interface, but the design is geared towards making simple, templated GET requests and processing XML or JSON result sets using a script. More advanced use cases can be supported by means of pluggable Java interfaces or more advanced scripting.

General Configuration

The connector marries three essential pieces of configuration to be supplied by the deployer:

  • an HttpClient bean and various security and networking parameters necessary to invoke the web service safely

  • request creation

  • response processing

Two options for request creation exist, one for simple GET requests and one for more complex POST requests with a body. Both rely on a <URLTemplate> element to produce the URL, which can be populated with dependency data much like an LDAP search filter or database query. The POST option also supports a <BodyTemplate> element that can similarly generate a request body based on dependency data, typically JSON or XML. With POST, you also can control caching of results (if a results cache is used) by generating a cache entry key using a <CacheKeyTemplate> element.

The only supplied implementation for response processing is script-based, using the <ResponseMapping> element to supply a script to produce attribute data from the response body. For efficiency, the implementation assumes that the response processing script can consume the results in real time, and leaves any buffering of the data to the script, should that be necessary. Support is built-in for limiting the size of the data, allowed content types, and HTTP status codes accepted, to address the most common sanity checks.

At minimum, an httpClientRef attribute must be supplied to provide the client runtime bean to use. This will usually if not always be accompanied by an httpClientSecurityParametersRef attribute to supply security settings, although a few shortcut settings are available for certificate authentication use cases. A complete summary and examples can be found on the HttpClientConfiguration page.

Spring beans may be defined either in additionally loaded Spring resources configured into the Attribute Resolver service's resource collection, or in a central location such as global.xml

Caching Behavior

The built-in caching support (if enabled) keys the cached data for a GET request by the fully populated template URL generated, typically including information about the subject in the URL. For POST requests, you may provide a template for producing an appropriate cache key, or omit it to disable caching.

Customized implementations of the ExecutableSearchBuilder<HTTPSearch> interface MUST implement appropriate cache key semantics, particularly if they inherit from that base class.

Examples

Any examples here omit the Spring beans that define the HTTP client and security parameters to use. Examples of these can be found in the HttpClientConfiguration topic.

 HTTP connector for a JSON-based web service
 <DataConnector id="myHTTP" xsi:type="HTTP"
		httpClientRef="WebServiceHttpClient"
		httpClientSecurityParametersRef="ExampleOrgWSSecurity">
	<URLTemplate>
		<![CDATA[
		https://webservice.example.org/api/subject/$pathEscaper.escape($resolutionContext.principal)/groups
		]]>
	</URLTemplate>

	<ResponseMapping>
		<Script>
		<![CDATA[
		var HashSet = Java.type("java.util.HashSet");
		var HttpClientSupport = Java.type("net.shibboleth.shared.httpclient.HttpClientSupport");
		var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
		var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
  
		// Limits length to 64k
		var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
		var result = JSON.parse(body);
 
		var attr = new IdPAttribute("group");
		var values = new HashSet();
		if (result.groups != null) {
			for (var i=0; i<result.groups.length; i++) {
				values.add(new StringAttributeValue(result.groups[i].name));
			}
		}
		attr.setValues(values);
		connectorResults.add(attr);
		]]>
		</Script>
	</ResponseMapping>

	<ResultCache expireAfterWrite="PT5M"/>
</DataConnector>

Reference

 Specific XML Attributes

The following attributes may be specified (the only required attribute is httpClientRef).

Name

Type

Default

Description

httpClientRef

Bean ID

Bean ID of the HttpClient instance to use

httpClientSecurityParametersRef

Bean ID

Bean ID of the HttpClientSecurityParameters instance to use (ignored in 5.0 if one of the security shortcut settings are used)

serverCertificate

Resource path

Path of resource containing a server certificate whose public key must match the server's. If set in 5.0, httpClientSecurityParametersRef is ignored, in 5.1 it will be merged into the supplied bean.

certificateAuthority

Resource path

Path of resource containing a certificate authority used to validate the server's certificate. If set in 5.0, httpClientSecurityParametersRef is ignored, in 5.1 it will be merged into the supplied bean.

clientPrivateKey

Resource path

Path of resource containing a private key used to authenticate the client to the server via TLS. If set in 5.0, httpClientSecurityParametersRef is ignored, in 5.1 it will be merged into the supplied bean.

clientCertificate

Resource path


Path of resource containing a certificate used to authenticate the client to the server via TLS. If set in 5.0, httpClientSecurityParametersRef is ignored, in 5.1 it will be merged into the supplied bean.

maxLength

Long

0

Limits size of response body to accept, or 0 for no limit. When used, only  non-chunked responses that include a content length will be accepted.

acceptStatuses

Collection<Integer>

200

Acceptable HTTP status codes

acceptTypes

Collection<String>

Acceptable MIME content types

headerMapRef

Map<String,String>

Bean ID of a map of custom header names and values to set in the HTTP request

mappingStrategyRef

Bean ID

Bean ID of a HTTPResponseMappingStrategy to process the result set in a pluggable way

validatorRef

Bean ID

Bean ID of a Validator to control what constitutes an initialization failure (the default does no validation)

executableSearchBuilderRef

Bean ID

Bean ID of an ExecutableSearchBuilder<HTTPSearch> to produce the request to execute

templateEngine

Bean ID

Bean ID of a org.apache.velocity.app.VelocityEngine to use for processing the URL template, generally unnecessary

failFast

Boolean

false

Whether a failure when verifying the connection during startup is fatal (stops the Attribute filter service from starting). 

 Specific XML Elements

Name

Cardinality

Description

<URLTemplate>

0 or 1

Template of a URL to execute via HTTP GET or POST

<BodyTemplate>

0 or 1

Template for a request body to submit via HTTP POST, requires use of <URLTemplate>

<CacheKeyTemplate>

0 or 1

Template to produce a cache key to associate with the result of an HTTP POST, requires use of <BodyTemplate>

<ResponseMapping>

0 or 1

Inline or external script to execute to process the response body

<ResultCache>

0 or 1

Defines how results should be cached.

<ResultCacheBean>

Bean ID (in the element content) defining how results should be cached as an externally defined com.google.common.cache.Cache<String,Map<String,IdPAttribute>> 

 Common XML Attributes

Name

Type

Default

Description

id

String


Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.

activationConditionRef

Bean ID


Bean ID of a condition to decide whether to resolve this connector, see here.
Mutually exclusive with relyingParties and resolutionPhases and variants

relyingParties

Space-delimited list


List of entity IDs for which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeRelyingParties

Space-delimited list


List of entity IDs for which this connector should not be resolved.
Mutually exclusive with activationConditionRef

resolutionPhases

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeResolutionPhases

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should not be resolved.
Mutually exclusive with activationConditionRef

exportAttributes

Space-delimited list


List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions.

In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning issued.

noRetryDelay

Duration

0

Time between retries of a failed DataConnector (during the interval, failure is just assumed when the connector is run and no actual connection is attempted)

propagateResolutionExceptions

Boolean

true

Whether connector/plugin failure is fatal to the entire attribute resolution process.
If this is set to false the error is logged and the data connector returns no attributes.

 Common XML Elements

Name

Cardinality

Description

<InputAttributeDefinition>

0 or more

This element identifies an attribute definition which is an input to this data connector

<InputDataConnector>

0 or more

This element identifies a data connector whose attributes are to be input to this data conector

<FailoverDataConnector>   

0 or 1

This element has a single attribute ref="whatever" whose content is the identifier of a data connector to resolve if this data connector fails (for instance due to the external data source being unavailable)

 Properties

These properties are shared by all (non view) users of velocity template rendering (TemplateAttributeDefinition , HTTPConnector , LDAPConnector ,RelationalDatabaseConnector ,StorageServiceConnector and DynamicHTTPMetadataProvider )

Property Name

Default

Controls

idp.velocity.runtime.strictmode

false

How errors in the template are handled. By default, non-existent variables are silently passed through unconverted (e.g. ${foo}).
See this link

idp.velocity.space.gobbling

bc

See this link.

Spring Configuration

Native bean IDs can be injected as follows:

  1. The HttpClient instance and its security settings are injected via the httpClientRef and httpClientSecurityParametersRef attributes.

  2. The builder for the request can be specified as an externally defined bean via the executableSearchBuilderRef attribute (as a replacement for the <URLTemplate> element and related elements). This allows for complete generality of the request-building process.

  3. The processing of the response can be specified with an externally defined bean via the mappingStrategyRef attribute (as a replacement for the <ResponseMapping> element).

  4. The caching of results can be specified as an externally defined bean via the <ResultCacheBean> element (as a replacement for the <ResultCache> element).

  5. A Validator can be specifier as as an externally defined bean via the validatorRef attribute.

  6. Rarely, a non-default Velocity engine can be injected via the templateEngine attribute.

  • No labels