Some refactoring in profile handlers to expose explicit methods for the determination
[java-idp.git] / src / main / java / edu / internet2 / middleware / shibboleth / idp / profile / AbstractSAMLProfileHandler.java
index 6e37287..3010232 100644 (file)
@@ -501,9 +501,7 @@ public abstract class AbstractSAMLProfileHandler extends
             AbstractSAMLProfileConfiguration profileConfig = (AbstractSAMLProfileConfiguration) requestContext
                     .getProfileConfiguration();
             if (profileConfig != null) {
-                if (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
-                        || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional && !encoder
-                                .providesMessageIntegrity(requestContext))) {
+                if (isSignResponse(requestContext)) {
                     Credential signingCredential = profileConfig.getSigningCredential();
                     if (signingCredential == null) {
                         signingCredential = requestContext.getRelyingPartyConfiguration().getDefaultSigningCredential();
@@ -535,6 +533,36 @@ public abstract class AbstractSAMLProfileHandler extends
     }
 
     /**
+     * Determine whether responses should be signed.
+     * 
+     * @param requestContext the current request context
+     * @return true if responses should be signed, false otherwise
+     * @throws ProfileException if there is a problem determining whether responses should be signed
+     */
+    protected boolean isSignResponse(BaseSAMLProfileRequestContext requestContext) throws ProfileException {
+        
+        SAMLMessageEncoder encoder = getOutboundMessageEncoder(requestContext);
+        
+        AbstractSAMLProfileConfiguration profileConfig = 
+            (AbstractSAMLProfileConfiguration) requestContext.getProfileConfiguration();
+        
+        if (profileConfig != null) {
+            try {
+                return profileConfig.getSignResponses() == CryptoOperationRequirementLevel.always
+                    || (profileConfig.getSignResponses() == CryptoOperationRequirementLevel.conditional 
+                        && !encoder.providesMessageIntegrity(requestContext));
+            } catch (MessageEncodingException e) {
+                log.error("Unable to determine if outbound encoding '{}' provides message integrity protection",
+                        encoder.getBindingURI());
+                throw new ProfileException("Unable to determine if outbound response should be signed");
+            }
+        } else {
+            return false;
+        }
+        
+    }
+
+    /**
      * Get the outbound message encoder to use.
      * 
      * <p>The default implementation uses the binding URI from the