The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
SubjectNamePredicate
- Scott Cantor
- Rod Widdowson
The predicate bean named shibboleth.Conditions.SubjectName is another example of an "adapter" and allows a bean of type Predicate<String> to be applied in any situation that would normally expect a Predicate<ProfileRequestContext> and supplies as input the name of the authenticated subject associated with a request (if any).
The adapter handles locating the subject name that applies to the request to supply it to the nested predicate. Only a strongly/fully established subject is supplied, and if the request hasn't proceeded far enough for that to be possible, then the input to the condition will be null.
It is an abstract parent bean, so has to be appropriately constructed, and there are a couple of different ways:
With an argument named
pred, which is an actual Predicate<String> to runWith an argument named
collection, of type Collection<String>, which auto-constructs a condition that checks for the input value in the supplied collection.
The second form is the most common, and is a simple way to implement access control conditions based on short lists of users.
Examples
The example below builds a condition that checks for one of a pair of usernames. The constructor argument is a Spring Expression containing a quoted list of strings. A longer list would probably be easier to supply using a more explicit Spring collection element such as <list>
<bean id="CheckForUser" parent="shibboleth.Conditions.SubjectName" c:collection="#{{'jdoe', 'bsmith'}}"/>