Make it easier to use other replication services within the storage service - SIDP-242
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 29 Oct 2008 08:40:20 +0000 (08:40 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 29 Oct 2008 08:40:20 +0000 (08:40 +0000)
Switch to using SHA-1 hash as signatures of session cookies (no longer need a secret key, just an array of random bytes)

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2792 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

20 files changed:
doc/RELEASE-NOTES.txt
src/installer/resources/conf-tmpl/tc-config.xml
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContext.java
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java [new file with mode: 0644]
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/Saml2LoginContext.java
src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ShibbolethSSOLoginContext.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/ArtifactResolution.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/AuthenticationMethodInformation.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/ServiceInformation.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/Session.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/AuthenticationMethodInformationImpl.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/ServiceInformationImpl.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionImpl.java
src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerEntry.java [new file with mode: 0644]
src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerImpl.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML1ArtifactResolutionTest.java
src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2ArtifactResolutionTest.java

index 904fe47..df17554 100644 (file)
@@ -34,4 +34,5 @@ Changes in Release 2.1.0
 [SIDP-229] - IdP Metadata changes to KeyDescriptor not fully flushed from IdP cache
 [SIDP-230] - sanity check provided credentials
 [SIDP-233] - Typo on operation name - public void setAuthenticationDurection(long duration)
-[SIDP-237] - Re-run of install.sh does not create war again
\ No newline at end of file
+[SIDP-237] - Re-run of install.sh does not create war again
+[SIDP-242] - Cleanup StorageService entry classes
\ No newline at end of file
index 9b6925d..c79f5a0 100644 (file)
@@ -2,34 +2,34 @@
 
 <tc:tc-config xmlns:tc="http://www.terracotta.org/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.terracotta.org/config http://www.terracotta.org/schema/terracotta-4.xsd">
-    
+
     <!--
         Terracotta configuration file for Shibboleth.
-    
+        
         Complete documentation on the contents of this file may be found here:
         http://terracotta.org/web/display/docs/Configuration+Guide+and+Reference
     -->
-    
+
     <servers>
         <!-- EXAMPLE SERVER CONFIGURATION -->
-        <!--
-        <server name="UNIQUE_ID" host="HOST">
+        <!-- 
+            <server name="UNIQUE_ID" host="HOST">
             <dso>
-                <persistence>
-                    <mode>permanent-store</mode>
-                </persistence>
+            <persistence>
+            <mode>permanent-store</mode>
+            </persistence>
             </dso>
             
             <logs>$IDP_HOME$/cluster/server/logs</logs>
             <data>$IDP_HOME$/cluster/server/data</data>
             <statistics>$IDP_HOME$/cluster/server/stats</statistics>
-        </server>        
+            </server>
         -->
         <!-- START Terracotta server definitions -->
 
 
         <!-- END Terracotta server definitions -->
-        
+
         <ha>
             <mode>networked-active-passive</mode>
             <networked-active-passive>
             </networked-active-passive>
         </ha>
     </servers>
-    
+
     <system>
         <configuration-model>production</configuration-model>
     </system>
-    
+
     <clients>
         <logs>$IDP_HOME$/cluster/client/logs-%i</logs>
         <statistics>$IDP_HOME$/cluster/client/stats-%i</statistics>
     </clients>
-    
+
     <application>
         <dso>
+            <additional-boot-jar-classes>
+                <include>javax.security.auth.Subject</include>
+                <include>javax.security.auth.Subject$SecureSet</include>
+                <include>javax.security.auth.x500.X500Principal</include>
+                <include>javax.security.auth.kerberos.KerberosPrincipal</include>
+            </additional-boot-jar-classes>
             <roots>
                 <root>
                     <root-name>storageService</root-name>
                     <field-name>edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService.store</field-name>
                 </root>
             </roots>
+            <instrumented-classes>
+                <include>
+                    <class-expression>edu.vt.middleware.ldap.jaas.LdapPrincipal</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.vt.middleware.ldap.jaas.LdapCredential</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>org.opensaml.util.storage.AbstractExpiringObject</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.IdEntry</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.LoginContextEntry</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.LoginContext</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>org.opensaml.util.storage.ReplayCacheEntry</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerEntry</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.common.session.impl.AbstractSession</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+                <include>
+                    <class-expression>org.opensaml.common.binding.artifact.BasicSAMLArtifactMapEntry</class-expression>
+                    <honor-transient>true</honor-transient>
+                </include>
+            </instrumented-classes>
+            <locks>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.vt.middleware.ldap.jaas.LdapPrincipal.*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.LoginContext.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.LoginContext.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.ShibbolethSSOLoginContext.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.common.session.impl.AbstractSession.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.common.session.impl.AbstractSession.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.SessionImpl.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl.set*(..)</method-expression>
+                    <lock-level>write</lock-level>
+                </autolock>
+                <autolock auto-synchronized="false">
+                    <method-expression>* edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl.get*(..)</method-expression>
+                    <lock-level>read</lock-level>
+                </autolock>
+            </locks>
         </dso>
     </application>
-    
+
 </tc:tc-config>
\ No newline at end of file
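Review bot: The `Saml2LoginContext.get*(..)` autolock added with lock-level `read` also matches `getAuthenticationRequest`, which in this commit's Saml2LoginContext hunk assigns the shared field `authnRequest` on first use; if Terracotta enforces read-level locks the way I recall, a write to a shared object under a read lock is rejected at runtime, and at best the lazy initialization is not serialized against other writers. A write-level autolock for that one method seems needed, and any caller that reaches it while already holding the read lock (`getRequestedAuthenticationContext` in the same file) needs the same review; precedence between overlapping method expressions should be confirmed against the Terracotta documentation before relying on ordering. Separately, the example server block in the comment lost its nesting (`<persistence>` now sits at the same depth as `<dso>`), which is cosmetic but makes the template harder to copy correctly.
```xml
                <autolock auto-synchronized="false">
                    <method-expression>* edu.internet2.middleware.shibboleth.idp.authn.Saml2LoginContext.getAuthenticationRequest(..)</method-expression>
                    <lock-level>write</lock-level>
                </autolock>
                <!-- … unchanged: existing Saml2LoginContext set*/get* autolocks and the remaining entries … -->
```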
index 847d2ad..38327f6 100644 (file)
@@ -18,6 +18,7 @@ package edu.internet2.middleware.shibboleth.idp.authn;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.util.ArrayList;
@@ -28,8 +29,6 @@ import java.util.Map;
 import java.util.Set;
 import java.util.Map.Entry;
 
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
 import javax.security.auth.Subject;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletConfig;
@@ -43,7 +42,6 @@ import org.joda.time.DateTime;
 import org.opensaml.common.IdentifierGenerator;
 import org.opensaml.common.impl.SecureRandomIdentifierGenerator;
 import org.opensaml.saml2.core.AuthnContext;
-import org.opensaml.util.storage.ExpiringObject;
 import org.opensaml.util.storage.StorageService;
 import org.opensaml.ws.transport.http.HTTPTransportUtils;
 import org.opensaml.xml.util.Base64;
@@ -547,6 +545,8 @@ public class AuthenticationEngine extends HttpServlet {
      */
     protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpRequest)
             throws AuthenticationException {
+        LOG.debug("Validating authentication was performed successfully");
+        
         String errorMessage = DatatypeHelper.safeTrimOrNullString((String) httpRequest
                 .getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
         if (errorMessage != null) {
@@ -636,8 +636,8 @@ public class AuthenticationEngine extends HttpServlet {
      */
     protected void updateUserSession(LoginContext loginContext, Subject authenticationSubject,
             String authenticationMethod, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
-
         Principal authenticationPrincipal = authenticationSubject.getPrincipals().iterator().next();
+        LOG.debug("Updating session information for principal {}", authenticationPrincipal.getName());
 
         Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
         if (idpSession == null) {
@@ -718,13 +718,12 @@ public class AuthenticationEngine extends HttpServlet {
         byte[] sessionId = userSession.getSessionID().getBytes();
 
         String signature = null;
-        SecretKey signingKey = userSession.getSessionSecretKey();
         try {
-            Mac mac = Mac.getInstance("HmacSHA256");
-            mac.init(signingKey);
-            mac.update(remoteAddress);
-            mac.update(sessionId);
-            signature = Base64.encodeBytes(mac.doFinal());
+            MessageDigest digester = MessageDigest.getInstance("SHA");
+            digester.update(userSession.getSessionSecret());
+            digester.update(remoteAddress);
+            digester.update(sessionId);
+            signature = Base64.encodeBytes(digester.digest());
         } catch (GeneralSecurityException e) {
             LOG.error("Unable to compute signature over session cookie material", e);
         }
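Review bot: The replacement at `MessageDigest.getInstance("SHA")` computes a plain hash over secret-prefixed material, SHA1(secret || remoteAddress || sessionId), which is not a MAC: a secret-prefix construction over a Merkle–Damgård hash is exposed to length-extension forgeries and has none of HMAC's security argument, and `"SHA"` resolves to SHA-1 in the JCA. The commit's stated goal (no `SecretKey` to manage, just random bytes) does not require giving up HMAC, because the bytes from `getSessionSecret()` can be wrapped in a `javax.crypto.spec.SecretKeySpec` at the point of use, keeping the `javax.crypto.Mac` import this commit removes in the import hunk above. The verifying side (IdPSessionFilter is in the file list but not in this view) must mirror whatever construction is chosen and should compare with `MessageDigest.isEqual` rather than string equality. The enclosing method begins before and ends after this hunk.
```java
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(userSession.getSessionSecret(), "HmacSHA256"));
            mac.update(remoteAddress);
            mac.update(sessionId);
            signature = Base64.encodeBytes(mac.doFinal());
        // … unchanged: GeneralSecurityException handling …
```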
@@ -748,49 +747,4 @@ public class AuthenticationEngine extends HttpServlet {
 
         httpResponse.addCookie(sessionCookie);
     }
-
-    /** Storage service entry for login contexts. */
-    public class LoginContextEntry implements ExpiringObject {
-
-        /** Stored login context. */
-        private LoginContext loginCtx;
-
-        /** Time the entry expires. */
-        private DateTime expirationTime;
-
-        /**
-         * Constructor.
-         * 
-         * @param ctx context to store
-         * @param lifetime lifetime of the entry
-         */
-        public LoginContextEntry(LoginContext ctx, long lifetime) {
-            loginCtx = ctx;
-            expirationTime = new DateTime().plus(lifetime);
-        }
-
-        /**
-         * Gets the login context.
-         * 
-         * @return login context
-         */
-        public LoginContext getLoginContext() {
-            return loginCtx;
-        }
-
-        /** {@inheritDoc} */
-        public DateTime getExpirationTime() {
-            return expirationTime;
-        }
-
-        /** {@inheritDoc} */
-        public boolean isExpired() {
-            return expirationTime.isBeforeNow();
-        }
-
-        /** {@inheritDoc} */
-        public void onExpire() {
-
-        }
-    }
 }
\ No newline at end of file
index 657b92a..633aa0d 100644 (file)
@@ -43,9 +43,7 @@ import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInfor
  * 
  * The {@link AuthenticationEngine} should set the {@link LoginContext#setAuthenticationAttempted()},
  * {@link LoginContext#setPrincipalAuthenticated(boolean)},
- * {@link LoginContext#setAuthenticationFailure(AuthenticationException)},
- * 
- * appropriately.
+ * {@link LoginContext#setAuthenticationFailure(AuthenticationException)}, appropriately.
  */
 public class LoginContext implements Serializable {
 
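Review bot: The class Javadoc reworded here says nothing about thread safety, although the remaining hunks of this file make every getter and setter `synchronized` on the instance (and tc-config.xml turns them into Terracotta read/write autolocks), so the contract that callers now rely on is undocumented. A sentence such as `All accessors of this class synchronize on the instance; objects handed out by them, such as the list returned by getRequestedAuthenticationMethods(), are not protected by that lock once returned.` would make the boundary explicit. Whether the returned list should instead be copied or wrapped depends on callers outside this file.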
@@ -117,7 +115,7 @@ public class LoginContext implements Serializable {
      * 
      * @return authentication method that was used when attempting to authenticate the user
      */
-    public String getAttemptedAuthnMethod() {
+    public synchronized String getAttemptedAuthnMethod() {
         return attemptedAuthnMethod;
     }
 
@@ -126,7 +124,7 @@ public class LoginContext implements Serializable {
      * 
      * @return if authentication has been attempted for this user
      */
-    public boolean getAuthenticationAttempted() {
+    public synchronized boolean getAuthenticationAttempted() {
         return authnAttempted;
     }
 
@@ -135,7 +133,7 @@ public class LoginContext implements Serializable {
      * 
      * @return The duration of authentication, or zero if none was set.
      */
-    public long getAuthenticationDuration() {
+    public synchronized long getAuthenticationDuration() {
         return authenticationMethodInformation.getAuthenticationDuration();
     }
 
@@ -144,7 +142,7 @@ public class LoginContext implements Serializable {
      * 
      * @return the URL of the authentication engine
      */
-    public String getAuthenticationEngineURL() {
+    public synchronized String getAuthenticationEngineURL() {
         return authnEngineURL;
     }
 
@@ -153,7 +151,7 @@ public class LoginContext implements Serializable {
      * 
      * @return error that occurred during authentication
      */
-    public AuthenticationException getAuthenticationFailure() {
+    public synchronized AuthenticationException getAuthenticationFailure() {
         return authnException;
     }
 
@@ -162,7 +160,7 @@ public class LoginContext implements Serializable {
      * 
      * @return The instant of authentication, or <code>null</code> if none was set.
      */
-    public DateTime getAuthenticationInstant() {
+    public synchronized DateTime getAuthenticationInstant() {
         return authenticationMethodInformation.getAuthenticationInstant();
     }
 
@@ -171,7 +169,7 @@ public class LoginContext implements Serializable {
      * 
      * @return The method used to authenticate the user.
      */
-    public String getAuthenticationMethod() {
+    public synchronized String getAuthenticationMethod() {
         return authenticationMethodInformation.getAuthenticationMethod();
     }
 
@@ -180,7 +178,7 @@ public class LoginContext implements Serializable {
      * 
      * @return information about the authentication event.
      */
-    public AuthenticationMethodInformation getAuthenticationMethodInformation() {
+    public synchronized AuthenticationMethodInformation getAuthenticationMethodInformation() {
         return authenticationMethodInformation;
     }
 
@@ -189,7 +187,7 @@ public class LoginContext implements Serializable {
      * 
      * @return the ID of the user, or <code>null</code> if authentication failed.
      */
-    public String getPrincipalName() {
+    public synchronized String getPrincipalName() {
         return authenticationMethodInformation.getAuthenticationPrincipal().getName();
     }
 
@@ -198,7 +196,7 @@ public class LoginContext implements Serializable {
      * 
      * @return the URL of the profile handler that is invoking the Authentication Manager.
      */
-    public String getProfileHandlerURL() {
+    public synchronized String getProfileHandlerURL() {
         return profileHandlerURL;
     }
 
@@ -209,7 +207,7 @@ public class LoginContext implements Serializable {
      * 
      * @return The object, or <code>null</code> is no object exists for the key.
      */
-    public Object getProperty(String key) {
+    public synchronized Object getProperty(String key) {
         return propsMap.get(key);
     }
 
@@ -218,7 +216,7 @@ public class LoginContext implements Serializable {
      * 
      * @return entity ID of the relying party
      */
-    public String getRelyingPartyId() {
+    public synchronized String getRelyingPartyId() {
         return relyingPartyId;
     }
 
@@ -228,7 +226,7 @@ public class LoginContext implements Serializable {
      * 
      * @return an list of authentication method identifiers
      */
-    public List<String> getRequestedAuthenticationMethods() {
+    public synchronized List<String> getRequestedAuthenticationMethods() {
         return requestAuthenticationMethods;
     }
 
@@ -237,7 +235,7 @@ public class LoginContext implements Serializable {
      * 
      * @return the Session id
      */
-    public String getSessionID() {
+    public synchronized String getSessionID() {
         return sessionID;
     }
 
@@ -246,7 +244,7 @@ public class LoginContext implements Serializable {
      * 
      * @return <code>true</code> if the authentication manager must re-authenticate the user.
      */
-    public boolean isForceAuthRequired() {
+    public synchronized boolean isForceAuthRequired() {
         return forceAuth;
     }
 
@@ -255,7 +253,7 @@ public class LoginContext implements Serializable {
      * 
      * @return <code>true</code> if the authentication manager must not interact with the users UI.
      */
-    public boolean isPassiveAuthRequired() {
+    public synchronized boolean isPassiveAuthRequired() {
         return passiveAuth;
     }
 
@@ -264,7 +262,7 @@ public class LoginContext implements Serializable {
      * 
      * @return <code>true</code> is the user was successfully authenticated.
      */
-    public boolean isPrincipalAuthenticated() {
+    public synchronized boolean isPrincipalAuthenticated() {
         return principalAuthenticated;
     }
 
@@ -273,7 +271,7 @@ public class LoginContext implements Serializable {
      * 
      * @param method authentication method that was used when attempting to authenticate the user
      */
-    public void setAttemptedAuthnMethod(String method) {
+    public synchronized void setAttemptedAuthnMethod(String method) {
         attemptedAuthnMethod = method;
     }
 
@@ -282,7 +280,7 @@ public class LoginContext implements Serializable {
      * 
      * This method should be called by an {@link LoginHandler} while processing a request.
      */
-    public void setAuthenticationAttempted() {
+    public synchronized void setAuthenticationAttempted() {
         authnAttempted = true;
     }
 
@@ -293,7 +291,7 @@ public class LoginContext implements Serializable {
      * 
      * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
      */
-    public void setAuthenticationDuration(long duration) {
+    public synchronized void setAuthenticationDuration(long duration) {
     }
 
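Review bot: `setAuthenticationDuration` has an empty body, so the `synchronized` added here only adds monitor traffic (and, under the `LoginContext.set*(..)` write autolock in tc-config.xml, a distributed write lock) for a method that changes nothing; the same applies to the no-op `setAuthenticationInstant`, `setAuthenticationMethod` and `setPrincipalName` in the later hunks. If the modifier is kept for uniformity with the autolock pattern, a comment such as `// intentionally empty; deprecated setter retained for API compatibility` on each of the four would tell the next reader the lock is incidental rather than guarding state.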
     /**
@@ -301,7 +299,7 @@ public class LoginContext implements Serializable {
      * 
      * @param url the URL of the authentication engine
      */
-    public void setAuthenticationEngineURL(String url) {
+    public synchronized void setAuthenticationEngineURL(String url) {
         authnEngineURL = url;
     }
 
@@ -310,7 +308,7 @@ public class LoginContext implements Serializable {
      * 
      * @param error error that occurred during authentication
      */
-    public void setAuthenticationFailure(AuthenticationException error) {
+    public synchronized void setAuthenticationFailure(AuthenticationException error) {
         authnException = error;
     }
 
@@ -321,7 +319,7 @@ public class LoginContext implements Serializable {
      * 
      * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
      */
-    public void setAuthenticationInstant(final DateTime instant) {
+    public synchronized void setAuthenticationInstant(final DateTime instant) {
     }
 
     /**
@@ -331,7 +329,7 @@ public class LoginContext implements Serializable {
      * 
      * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
      */
-    public void setAuthenticationMethod(String method) {
+    public synchronized void setAuthenticationMethod(String method) {
     }
 
     /**
@@ -339,7 +337,7 @@ public class LoginContext implements Serializable {
      * 
      * @param info information about the authentication event
      */
-    public void setAuthenticationMethodInformation(AuthenticationMethodInformation info) {
+    public synchronized void setAuthenticationMethodInformation(AuthenticationMethodInformation info) {
         authenticationMethodInformation = info;
     }
 
@@ -348,7 +346,7 @@ public class LoginContext implements Serializable {
      * 
      * @param force if the authentication manager must re-authenticate the user.
      */
-    public void setForceAuthRequired(boolean force) {
+    public synchronized void setForceAuthRequired(boolean force) {
         forceAuth = force;
     }
 
@@ -357,7 +355,7 @@ public class LoginContext implements Serializable {
      * 
      * @param passive if the authentication manager must not interact with the users UI.
      */
-    public void setPassiveAuthRequired(boolean passive) {
+    public synchronized void setPassiveAuthRequired(boolean passive) {
         passiveAuth = passive;
     }
 
@@ -366,7 +364,7 @@ public class LoginContext implements Serializable {
      * 
      * @param authnOK if authentication succeeded;
      */
-    public void setPrincipalAuthenticated(boolean authnOK) {
+    public synchronized void setPrincipalAuthenticated(boolean authnOK) {
         this.principalAuthenticated = authnOK;
     }
 
@@ -377,7 +375,7 @@ public class LoginContext implements Serializable {
      * 
      * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
      */
-    public void setPrincipalName(String id) {
+    public synchronized void setPrincipalName(String id) {
 
     }
 
@@ -386,7 +384,7 @@ public class LoginContext implements Serializable {
      * 
      * @param url The URL of the profile handler that invoked the AuthenticationManager/
      */
-    public void setProfileHandlerURL(String url) {
+    public synchronized void setProfileHandlerURL(String url) {
         profileHandlerURL = url;
     }
 
@@ -398,7 +396,7 @@ public class LoginContext implements Serializable {
      * @param key The key to set.
      * @param obj The object to associate with key.
      */
-    public void setProperty(String key, final Serializable obj) {
+    public synchronized void setProperty(String key, final Serializable obj) {
         propsMap.put(key, obj);
     }
 
@@ -407,7 +405,7 @@ public class LoginContext implements Serializable {
      * 
      * @param id entity ID of the relying party
      */
-    public void setRelyingParty(String id) {
+    public synchronized void setRelyingParty(String id) {
         relyingPartyId = id;
     }
 
@@ -416,7 +414,7 @@ public class LoginContext implements Serializable {
      * 
      * @param id the Session ID
      */
-    public void setSessionID(String id) {
+    public synchronized void setSessionID(String id) {
         sessionID = id;
     }
 }
\ No newline at end of file
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java
new file mode 100644 (file)
index 0000000..6b97bf4
--- /dev/null
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import org.joda.time.DateTime;
+import org.opensaml.util.storage.AbstractExpiringObject;
+
+/** Storage service entry for login contexts. */
+public class LoginContextEntry extends AbstractExpiringObject {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -1528197153404835381L;
+    
+    /** Stored login context. */
+    private LoginContext loginCtx;
+
+    /**
+     * Constructor.
+     * 
+     * @param ctx context to store
+     * @param lifetime lifetime of the entry
+     */
+    public LoginContextEntry(LoginContext ctx, long lifetime) {
+        super(new DateTime().plus(lifetime));
+        loginCtx = ctx;
+    }
+
+    /**
+     * Gets the login context.
+     * 
+     * @return login context
+     */
+    public LoginContext getLoginContext() {
+        return loginCtx;
+    }
+}
\ No newline at end of file
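Review bot: `loginCtx` is assigned only in the constructor and never reassigned, so it can be declared `private final LoginContext loginCtx;`, which also states the entry's immutability for the storage service. The `@param lifetime` tag gives no unit; since the value goes straight to Joda's `DateTime.plus(long)`, document it as `@param lifetime lifetime of the entry, in milliseconds`. A null `ctx` is accepted silently and would only surface later through `getLoginContext()`; whether to reject it here depends on callers outside this file.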
index e3921b8..0fa5987 100644 (file)
@@ -94,7 +94,7 @@ public class Saml2LoginContext extends LoginContext implements Serializable {
      * 
      * @throws UnmarshallingException thrown if the serialized form on the authentication request can be unmarshalled
      */
-    public AuthnRequest getAuthenticationRequest() throws UnmarshallingException {
+    public synchronized AuthnRequest getAuthenticationRequest() throws UnmarshallingException {
         if (authnRequest == null) {
             authnRequest = deserializeRequest(serialAuthnRequest);
         }
@@ -103,11 +103,11 @@ public class Saml2LoginContext extends LoginContext implements Serializable {
     }
     
     /**
-     * Gets the relay state from the orginating authentication request.
+     * Gets the relay state from the originating authentication request.
      * 
-     * @return relay state from the orginating authentication request
+     * @return relay state from the originating authentication request
      */
-    public String getRelayState(){
+    public synchronized String getRelayState(){
         return relayState;
     }
 
@@ -116,7 +116,7 @@ public class Saml2LoginContext extends LoginContext implements Serializable {
      * 
      * @return requested authentication context information or null
      */
-    public RequestedAuthnContext getRequestedAuthenticationContext() {
+    public synchronized RequestedAuthnContext getRequestedAuthenticationContext() {
         try {
             AuthnRequest request = getAuthenticationRequest();
             return request.getRequestedAuthnContext();
index 659c318..919fc4c 100644 (file)
@@ -38,7 +38,7 @@ public class ShibbolethSSOLoginContext extends LoginContext {
      * 
      * @return service provider assertion consumer service URL
      */
-    public String getSpAssertionConsumerService() {
+    public synchronized String getSpAssertionConsumerService() {
         return spAssertionConsumerService;
     }
 
@@ -47,7 +47,7 @@ public class ShibbolethSSOLoginContext extends LoginContext {
      * 
      * @param url service provider assertion consumer service URL
      */
-    public void setSpAssertionConsumerService(String url) {
+    public synchronized void setSpAssertionConsumerService(String url) {
         spAssertionConsumerService = url;
     }
 
@@ -56,7 +56,7 @@ public class ShibbolethSSOLoginContext extends LoginContext {
      * 
      * @return service provider target URL
      */
-    public String getSpTarget() {
+    public synchronized String getSpTarget() {
         return spTarget;
     }
 
@@ -65,7 +65,7 @@ public class ShibbolethSSOLoginContext extends LoginContext {
      * 
      * @param url service provider target URL
      */
-    public void setSpTarget(String url) {
+    public synchronized void setSpTarget(String url) {
         spTarget = url;
     }
 }
\ No newline at end of file
index 1afe410..34f42b7 100644 (file)
@@ -24,7 +24,7 @@ import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.binding.BasicEndpointSelector;
 import org.opensaml.common.binding.artifact.SAMLArtifactMap;
-import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
+import org.opensaml.common.binding.artifact.SAMLArtifactMapEntry;
 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml1.binding.SAML1ArtifactMessageContext;
index d4e4e95..755cd1a 100644 (file)
@@ -21,7 +21,7 @@ import org.opensaml.common.SAMLObject;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.binding.BasicEndpointSelector;
 import org.opensaml.common.binding.artifact.SAMLArtifactMap;
-import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
+import org.opensaml.common.binding.artifact.SAMLArtifactMapEntry;
 import org.opensaml.common.binding.decoding.SAMLMessageDecoder;
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.binding.SAML2ArtifactMessageContext;
index 6ed3cf6..021a948 100644 (file)
@@ -16,6 +16,7 @@
 
 package edu.internet2.middleware.shibboleth.idp.session;
 
+import java.io.Serializable;
 import java.security.Principal;
 
 import javax.security.auth.Subject;
@@ -23,7 +24,7 @@ import javax.security.auth.Subject;
 import org.joda.time.DateTime;
 
 /** Information about an authentication method employed by a user. */
-public interface AuthenticationMethodInformation {
+public interface AuthenticationMethodInformation extends Serializable {
 
     /**
      * Gets the Subject created by this authentication method.
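Review bot: Making the interface extend `Serializable` turns every `Subject` and `Principal` an implementation exposes into replicated session state, but the type Javadoc says nothing about that contract. Presumably the motivation is the storage-service replication named in the commit message; implementations then have to guarantee that the returned `Subject`'s principals and credentials are themselves serializable, and anything sensitive kept in the Subject will be written to whatever backs the storage service. I would add to the type comment: `Implementations are serialized when sessions are replicated; the Subject and Principal they expose must be serializable, and credentials that must not leave this node should not be kept in the Subject.` The same note applies to the `ServiceInformation extends Serializable` change later in this commit.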
index 3bbb3be..484dd0a 100644 (file)
@@ -18,10 +18,9 @@ package edu.internet2.middleware.shibboleth.idp.session;
 
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 import java.util.Arrays;
 
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
@@ -152,15 +151,12 @@ public class IdPSessionFilter implements Filter {
         Session userSession = sessionManager.getSession(sessionId);
 
         if (userSession != null) {
-            SecretKey signingKey = userSession.getSessionSecretKey();
             try {
-                Mac mac = Mac.getInstance("HmacSHA256");
-                mac.init(signingKey);
-                mac.update(remoteAddressBytes);
-                mac.update(sessionIdBytes);
-                byte[] signature = mac.doFinal();
-
-                if (!Arrays.equals(signature, signatureBytes)) {
+                MessageDigest digester = MessageDigest.getInstance("SHA");
+                digester.update(userSession.getSessionSecret());
+                digester.update(remoteAddressBytes);
+                digester.update(sessionIdBytes);
+                if (!Arrays.equals(digester.digest(), signatureBytes)) {
                     log.error("Session cookie signature did not match, the session cookie has been tampered with");
                     return null;
                 }
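Review bot: The replacement signature is a plain SHA-1 over secret || remote address || session id, and the comparison on the last added line still uses `Arrays.equals`, which returns at the first differing byte. A secret-prefix hash is not a MAC (length extension is the textbook weakness of that construction, and `"SHA"` selects SHA-1); the HMAC code this hunk removes was the right primitive, and it works unchanged with the new random-byte secret via `new SecretKeySpec(userSession.getSessionSecret(), "HmacSHA256")`. Whichever primitive stays, compare with `if (!MessageDigest.isEqual(digester.digest(), signatureBytes))`, which is constant-time on current JDKs, so the check does not leak timing on the signature bytes. The session is looked up by id before the check, so an extended message would not map to a session here, but the cookie-issuing side (not in this hunk) must mirror this exact construction, and a keyed MAC removes the need to reason about that.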
index 40195f3..5645255 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.session;
 
+import java.io.Serializable;
+
 import org.joda.time.DateTime;
 
 /** Information about a service a user has logged in to. */
-public interface ServiceInformation {
+public interface ServiceInformation extends Serializable {
 
     /**
      * Gets the unique identifier for the service.
index 24e63b8..4fa56ba 100644 (file)
@@ -18,8 +18,6 @@ package edu.internet2.middleware.shibboleth.idp.session;
 
 import java.util.Map;
 
-import javax.crypto.SecretKey;
-
 /**
  * Session information for user logged into the IdP.
  */
@@ -27,13 +25,13 @@ public interface Session extends edu.internet2.middleware.shibboleth.common.sess
 
     /** Name of the HTTP request attribute to which a users IdP session is bound. */
     public static final String HTTP_SESSION_BINDING_ATTRIBUTE = "ShibbolethIdPSession";
-    
+
     /**
-     * A secret key associated with this session.
+     * A secret associated with this session.
      * 
-     * @return secret key associated with this session
+     * @return secret associated with this session
      */
-    public SecretKey getSessionSecretKey();
+    public byte[] getSessionSecret();
 
     /**
      * Gets the methods by which the user has authenticated to the IdP.
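Review bot: The new `getSessionSecret()` Javadoc describes the return value only as "secret associated with this session", leaving callers to guess what it is for and whether they may modify the array. Since the `byte[]` is the keying material for the session-cookie signature check in `IdPSessionFilter`, the contract should be spelled out: `@return random bytes used to sign this session's cookie; callers must treat the array as read-only and must never log or expose it`. It is also worth stating whether implementations return the live array or a copy, because mutability of a `byte[]` is the main difference from the `SecretKey` it replaces.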
index d0e4e44..96aba35 100644 (file)
@@ -21,14 +21,16 @@ import java.security.Principal;
 import javax.security.auth.Subject;
 
 import org.joda.time.DateTime;
+import org.joda.time.chrono.ISOChronology;
 
 import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
 
-/**
- * Information about an authentication method employed by a user.
- */
+/** Information about an authentication method employed by a user. */
 public class AuthenticationMethodInformationImpl implements AuthenticationMethodInformation {
 
+    /** Serial version UID. */
+    private static final long serialVersionUID = -2108905664641155003L;
+
     /** Subject created by this authentication mechanism. */
     private Subject authenticationSubject;
 
@@ -39,13 +41,13 @@ public class AuthenticationMethodInformationImpl implements AuthenticationMethod
     private String authenticationMethod;
 
     /** The timestamp at which authentication occurred. */
-    private DateTime authenticationInstant;
+    private long authenticationInstant;
 
     /** The lifetime of the authentication method. */
     private long authenticationDuration;
 
     /** Time when this method expires. */
-    private DateTime expirationInstant;
+    private long expirationInstant;
 
     /**
      * Default constructor.  This constructor does NOT add the given principal to the given subject.
@@ -66,48 +68,48 @@ public class AuthenticationMethodInformationImpl implements AuthenticationMethod
         authenticationSubject = subject;
         authenticationPrincipal = principal;
         authenticationMethod = method;
-        authenticationInstant = instant;
+        authenticationInstant = instant.toDateTime(ISOChronology.getInstanceUTC()).getMillis();
         authenticationDuration = duration;
-        expirationInstant = instant.plus(duration);
+        expirationInstant = authenticationInstant + duration;
     }
 
     /** {@inheritDoc} */
-    public Subject getAuthenticationSubject() {
+    public synchronized Subject getAuthenticationSubject() {
         return authenticationSubject;
     }
 
     /** {@inheritDoc} */
-    public Principal getAuthenticationPrincipal() {
+    public synchronized Principal getAuthenticationPrincipal() {
         return authenticationPrincipal;
     }
 
     /** {@inheritDoc} */
-    public String getAuthenticationMethod() {
+    public synchronized String getAuthenticationMethod() {
         return authenticationMethod;
     }
 
     /** {@inheritDoc} */
-    public DateTime getAuthenticationInstant() {
-        return authenticationInstant;
+    public synchronized DateTime getAuthenticationInstant() {
+        return new DateTime(authenticationInstant, ISOChronology.getInstanceUTC());
     }
 
     /** {@inheritDoc} */
-    public long getAuthenticationDuration() {
+    public synchronized long getAuthenticationDuration() {
         return authenticationDuration;
     }
 
     /** {@inheritDoc} */
-    public boolean isExpired() {
-        return expirationInstant.isBeforeNow();
+    public synchronized boolean isExpired() {
+        return new DateTime(expirationInstant, ISOChronology.getInstanceUTC()).isBeforeNow();
     }
 
     /** {@inheritDoc} */
-    public int hashCode() {
+    public synchronized int hashCode() {
         return authenticationMethod.hashCode();
     }
 
     /** {@inheritDoc} */
-    public boolean equals(Object obj) {
+    public synchronized boolean equals(Object obj) {
         if (obj == this) {
             return true;
         }
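Review bot: `equals` is now `synchronized`, which holds the monitor of `this` while presumably calling `synchronized` getters on `obj`; two threads comparing a pair of instances in opposite directions can deadlock, and `hashCode`/`equals` should not take locks at all. As far as this hunk shows every field is written only in the constructor, so declaring the fields `final` gives safe publication without locking and the `synchronized` on all the getters here can be dropped; the same applies to the getters in `ServiceInformationImpl` and `SessionImpl` later in this commit. `isExpired` also allocates a `DateTime` on every call; `return expirationInstant < DateTimeUtils.currentTimeMillis();` keeps Joda's overridable clock without the allocation. The body of `equals` continues outside the hunk.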
index b41f384..7beac29 100644 (file)
 package edu.internet2.middleware.shibboleth.idp.session.impl;
 
 import org.joda.time.DateTime;
+import org.joda.time.chrono.ISOChronology;
 
 import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
 import edu.internet2.middleware.shibboleth.idp.session.ServiceInformation;
 
 /** Information about a service a user has logged in to. */
 public class ServiceInformationImpl implements ServiceInformation {
+    
+    /** Serial version UID. */
+    private static final long serialVersionUID = 1185342879825302743L;
 
     /** Entity ID of the service. */
     private String entityID;
 
     /** Instant the user was authenticated to the service. */
-    private DateTime authenticationInstant;
+    private long authenticationInstant;
 
     /** Authentication method used to authenticate the user to the service. */
     private AuthenticationMethodInformation methodInfo;
@@ -42,32 +46,32 @@ public class ServiceInformationImpl implements ServiceInformation {
      */
     public ServiceInformationImpl(String id, DateTime loginInstant, AuthenticationMethodInformation method) {
         entityID = id;
-        authenticationInstant = loginInstant;
+        authenticationInstant = loginInstant.toDateTime(ISOChronology.getInstanceUTC()).getMillis();
         methodInfo = method;
     }
 
     /** {@inheritDoc} */
-    public String getEntityID() {
+    public synchronized String getEntityID() {
         return entityID;
     }
 
     /** {@inheritDoc} */
-    public DateTime getLoginInstant() {
-        return authenticationInstant;
+    public synchronized DateTime getLoginInstant() {
+        return new DateTime(authenticationInstant, ISOChronology.getInstanceUTC());
     }
 
     /** {@inheritDoc} */
-    public AuthenticationMethodInformation getAuthenticationMethod() {
+    public synchronized AuthenticationMethodInformation getAuthenticationMethod() {
         return methodInfo;
     }
 
     /** {@inheritDoc} */
-    public int hashCode() {
+    public synchronized int hashCode() {
         return entityID.hashCode();
     }
 
     /** {@inheritDoc} */
-    public boolean equals(Object obj) {
+    public synchronized boolean equals(Object obj) {
         if (obj == this) {
             return true;
         }
index 5c6dae0..c181b8f 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.session.impl;
 
-import java.util.HashMap;
 import java.util.Map;
-
-import javax.crypto.SecretKey;
+import java.util.concurrent.ConcurrentHashMap;
 
 import edu.internet2.middleware.shibboleth.common.session.impl.AbstractSession;
 import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
@@ -31,44 +29,43 @@ public class SessionImpl extends AbstractSession implements Session {
 
     /** Serial version UID. */
     private static final long serialVersionUID = 2927868242208211623L;
-    
+
     /** Secret key associated with the session. */
-    private SecretKey sessionKey;
+    private byte[] sessionSecret;
 
     /** The list of methods used to authenticate the user. */
-    private HashMap<String, AuthenticationMethodInformation> authnMethods;
+    private Map<String, AuthenticationMethodInformation> authnMethods;
 
     /** The list of services to which the user has logged in. */
-    private HashMap<String, ServiceInformation> servicesInformation;
+    private Map<String, ServiceInformation> servicesInformation;
 
     /**
      * Constructor.
      * 
      * @param sessionId ID of the session
-     * @param key a secret key to associate with the session
+     * @param secret a secret to associate with the session
      * @param timeout inactivity timeout for the session in milliseconds
      */
-    public SessionImpl(String sessionId, SecretKey key, long timeout) {
+    public SessionImpl(String sessionId, byte[] secret, long timeout) {
         super(sessionId, timeout);
 
-        sessionKey = key;
-        
-        authnMethods = new HashMap<String, AuthenticationMethodInformation>();
-        servicesInformation = new HashMap<String, ServiceInformation>();
+        sessionSecret = secret;
+        authnMethods = new ConcurrentHashMap<String, AuthenticationMethodInformation>();
+        servicesInformation = new ConcurrentHashMap<String, ServiceInformation>();
     }
-    
+
     /** {@inheritDoc} */
-    public SecretKey getSessionSecretKey() {
-        return sessionKey;
+    public synchronized byte[] getSessionSecret() {
+        return sessionSecret;
     }
 
     /** {@inheritDoc} */
-    public Map<String, AuthenticationMethodInformation> getAuthenticationMethods() {
+    public synchronized Map<String, AuthenticationMethodInformation> getAuthenticationMethods() {
         return authnMethods;
     }
 
     /** {@inheritDoc} */
-    public Map<String, ServiceInformation> getServicesInformation() {
+    public synchronized Map<String, ServiceInformation> getServicesInformation() {
         return servicesInformation;
     }
 
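Review bot: `getSessionSecret()` hands out the live `sessionSecret` array and the constructor keeps the caller's array, so any holder of a `Session` or of the original `byte[]` can alter the bytes used to verify the cookie signature; with the `SecretKey` this replaces that was not possible. Copy on both edges: `sessionSecret = secret.clone();` in the constructor and `return sessionSecret.clone();` in the getter, after which the field can be `final`. The field comment still says "Secret key associated with the session" although the key was replaced by raw bytes; `/** Random bytes used to sign this session's cookie. */` matches the new type and its use.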
@@ -79,7 +76,7 @@ public class SessionImpl extends AbstractSession implements Session {
      * 
      * @return the service information or null
      */
-    public ServiceInformation getServiceInformation(String entityId) {
+    public synchronized ServiceInformation getServiceInformation(String entityId) {
         return servicesInformation.get(entityId);
     }
 }
\ No newline at end of file
diff --git a/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerEntry.java b/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerEntry.java
new file mode 100644 (file)
index 0000000..23ce958
--- /dev/null
@@ -0,0 +1,94 @@
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.session.impl;
+
+import java.util.List;
+import java.util.Vector;
+
+import org.joda.time.DateTime;
+import org.opensaml.util.storage.AbstractExpiringObject;
+
+import edu.internet2.middleware.shibboleth.idp.session.Session;
+
+/** Session store entry. */
+public class SessionManagerEntry extends AbstractExpiringObject {
+    
+    /** Serial version UID. */
+    private static final long serialVersionUID = -9160494097986587739L;
+
+    /** User's session. */
+    private Session userSession;
+
+    /** Indexes for this session. */
+    private List<String> indexes;
+
+    /**
+     * Constructor.
+     * 
+     * @param session user session
+     * @param lifetime lifetime of session
+     */
+    public SessionManagerEntry(Session session, long lifetime) {
+        super(new DateTime().plus(lifetime));
+        userSession = session;
+        indexes = new Vector<String>();
+        indexes.add(userSession.getSessionID());
+    }
+
+    /**
+     * Gets the user session.
+     * 
+     * @return user session
+     */
+    public Session getSession() {
+        return userSession;
+    }
+
+    /**
+     * Gets the ID of the user session.
+     * 
+     * @return ID of the user session
+     */
+    public String getSessionId() {
+        return userSession.getSessionID();
+    }
+
+    /**
+     * Gets the list of indexes for this session.
+     * 
+     * @return list of indexes for this session
+     */
+    public List<String> getSessionIndexes() {
+        return indexes;
+    }
+}
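Review bot: The new file carries the Apache license header twice, one copy directly after the other, and the second copy should be deleted. `indexes` is a `java.util.Vector`, presumably chosen for its synchronized methods; `getSessionIndexes()` returns that live list, which looks like the intended way to register further indexes, so the Javadoc should say so: `@return live, thread-safe list of indexes for this session; add to it to index the session under further keys`. If the intent is a small, rarely written list that is replicated with the entry, `java.util.concurrent.CopyOnWriteArrayList` is the conventional serializable choice over `Vector`.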
\ No newline at end of file
index fe6da01..b8b9465 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.session.impl;
 
-import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.util.List;
-import java.util.Vector;
-
-import javax.crypto.KeyGenerator;
 
 import org.apache.commons.ssl.util.Hex;
-import org.joda.time.DateTime;
-import org.opensaml.util.storage.ExpiringObject;
 import org.opensaml.util.storage.StorageService;
 import org.opensaml.xml.util.DatatypeHelper;
 import org.slf4j.Logger;
@@ -52,9 +45,6 @@ public class SessionManagerImpl implements SessionManager<Session>, ApplicationC
     /** Spring context used to publish login and logout events. */
     private ApplicationContext appCtx;
 
-    /** Generator used to create secret keys associated with the session. */
-    private KeyGenerator secretKeyGen;
-
     /** Number of random bits within a session ID. */
     private final int sessionIDSize = 32;
 
@@ -80,12 +70,6 @@ public class SessionManagerImpl implements SessionManager<Session>, ApplicationC
         sessionStore = storageService;
         partition = "session";
         sessionLifetime = lifetime;
-
-        try {
-            secretKeyGen = KeyGenerator.getInstance("AES");
-        } catch (NoSuchAlgorithmException e) {
-            log.error("AES key generation is not supported", e);
-        }
     }
 
     /**
@@ -112,8 +96,11 @@ public class SessionManagerImpl implements SessionManager<Session>, ApplicationC
         byte[] sid = new byte[sessionIDSize];
         prng.nextBytes(sid);
         String sessionID = Hex.encode(sid);
+        
+        byte[] sessionSecret = new byte[16];
+        prng.nextBytes(sessionSecret);
 
-        Session session = new SessionImpl(sessionID, secretKeyGen.generateKey(), sessionLifetime);
+        Session session = new SessionImpl(sessionID, sessionSecret, sessionLifetime);
         SessionManagerEntry sessionEntry = new SessionManagerEntry(session, sessionLifetime);
         sessionStore.put(partition, sessionID, sessionEntry);
 
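Review bot: The secret length is the bare literal `16` in `new byte[16]`, duplicated in this hunk and in the next one (`@@ -129,12 +116,15`), while the session-id length already has a named field `sessionIDSize`. A sibling `/** Number of random bytes in the session secret. */ private final int sessionSecretSize = 16;` keeps the two sizes together and makes the 128-bit choice visible at the top of the class. The two create-session methods now share an identical prologue (id bytes, hex encoding, secret bytes, `SessionImpl`, entry, `put`), which is worth pulling into one private helper so the next change is not made twice; both enclosing methods start and end outside the hunk.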
@@ -129,12 +116,15 @@ public class SessionManagerImpl implements SessionManager<Session>, ApplicationC
         byte[] sid = new byte[sessionIDSize];
         prng.nextBytes(sid);
         String sessionID = Hex.encode(sid);
+        
+        byte[] sessionSecret = new byte[16];
+        prng.nextBytes(sessionSecret);
 
-        MDC.put("idpSessionId", sessionID);
-
-        Session session = new SessionImpl(sessionID, secretKeyGen.generateKey(), sessionLifetime);
+        Session session = new SessionImpl(sessionID, sessionSecret, sessionLifetime);
         SessionManagerEntry sessionEntry = new SessionManagerEntry(session, sessionLifetime);
         sessionStore.put(partition, sessionID, sessionEntry);
+        
+        MDC.put("idpSessionId", sessionID);
         log.trace("Created session {}", sessionID);
         return session;
     }
@@ -224,72 +214,4 @@ public class SessionManagerImpl implements SessionManager<Session>, ApplicationC
         }
         appCtx = rootContext;
     }
-
-    /** Session store entry. */
-    public class SessionManagerEntry implements ExpiringObject {
-
-        /** User's session. */
-        private Session userSession;
-
-        /** Indexes for this session. */
-        private List<String> indexes;
-
-        /** Time this entry expires. */
-        private DateTime expirationTime;
-
-        /**
-         * Constructor.
-         * 
-         * @param session user session
-         * @param lifetime lifetime of session
-         */
-        public SessionManagerEntry(Session session, long lifetime) {
-            userSession = session;
-            expirationTime = new DateTime().plus(lifetime);
-            indexes = new Vector<String>();
-            indexes.add(userSession.getSessionID());
-        }
-
-        /** {@inheritDoc} */
-        public DateTime getExpirationTime() {
-            return expirationTime;
-        }
-
-        /**
-         * Gets the user session.
-         * 
-         * @return user session
-         */
-        public Session getSession() {
-            return userSession;
-        }
-
-        /**
-         * Gets the ID of the user session.
-         * 
-         * @return ID of the user session
-         */
-        public String getSessionId() {
-            return userSession.getSessionID();
-        }
-
-        /**
-         * Gets the list of indexes for this session.
-         * 
-         * @return list of indexes for this session
-         */
-        public List<String> getSessionIndexes() {
-            return indexes;
-        }
-
-        /** {@inheritDoc} */
-        public boolean isExpired() {
-            return expirationTime.isBeforeNow();
-        }
-
-        /** {@inheritDoc} */
-        public void onExpire() {
-
-        }
-    }
 }
\ No newline at end of file
index 1c4d4d3..c88e8a3 100644 (file)
@@ -22,7 +22,7 @@ import java.security.SecureRandom;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.binding.artifact.SAMLArtifactMap;
-import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
+import org.opensaml.common.binding.artifact.SAMLArtifactMapEntry;
 import org.opensaml.saml1.binding.artifact.SAML1ArtifactType0002;
 import org.opensaml.saml1.core.Assertion;
 import org.opensaml.saml1.core.AssertionArtifact;
index 7778256..cfc1edc 100644 (file)
@@ -23,7 +23,7 @@ import java.security.SecureRandom;
 import org.joda.time.DateTime;
 import org.opensaml.common.SAMLObjectBuilder;
 import org.opensaml.common.binding.artifact.SAMLArtifactMap;
-import org.opensaml.common.binding.artifact.SAMLArtifactMap.SAMLArtifactMapEntry;
+import org.opensaml.common.binding.artifact.SAMLArtifactMapEntry;
 import org.opensaml.saml2.binding.artifact.SAML2ArtifactType0004;
 import org.opensaml.saml2.core.Artifact;
 import org.opensaml.saml2.core.ArtifactResolve;