The Shibboleth IdP V4 software will leave support on September 1, 2024.

SubjectNamePredicate

The predicate bean named shibboleth.Conditions.SubjectName is another example of an "adapter". It allows a bean of type Predicate<String> to be applied in any situation that would normally expect a Predicate<ProfileRequestContext>, and it supplies as input the name of the authenticated subject associated with a request (if any).

The adapter locates the subject name that applies to the request and supplies it to the nested predicate. Only a strongly/fully established subject is supplied; if the request hasn't proceeded far enough for that to be possible, the input to the condition will be null.

It is an abstract parent bean, so it has to be constructed appropriately, and there are a couple of different ways to do so:

  1. With an argument named pred, which is an actual Predicate<String> to run.

  2. With an argument named collection, of type Collection<String>, which auto-constructs a condition that checks for the input value in the supplied collection.

The second form is the most common, and is a simple way to implement access control conditions based on short lists of users.

Examples

The example below builds a condition that checks for one of a pair of usernames. The constructor argument is a Spring Expression containing a quoted list of strings. A longer list would probably be easier to supply using a more explicit Spring collection element such as <list>.

<bean id="CheckForUser" parent="shibboleth.Conditions.SubjectName" c:collection="#{{'jdoe', 'bsmith'}}"/>
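
The longer-list form mentioned above, written with an explicit <list> element, is shown here as an added example that is not part of the original page. The bean id CheckForOperators is hypothetical, and every username other than jdoe and bsmith is a constructed sample value.

```xml
<!-- Added example, not from the original page.
     "CheckForOperators" is a hypothetical bean id.
     'jdoe' and 'bsmith' come from the example above; the remaining
     usernames are constructed sample values. -->
<bean id="CheckForOperators" parent="shibboleth.Conditions.SubjectName">
    <!-- Same constructor argument as c:collection, supplied as a nested
         Spring collection so each username sits on its own line. -->
    <constructor-arg name="collection">
        <list>
            <value>jdoe</value>
            <value>bsmith</value>
            <value>akhan</value>
            <value>mgarcia</value>
        </list>
    </constructor-arg>
</bean>
```

Keeping one username per line makes changes to the allowed set easy to review in version control.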