import edu.internet2.middleware.shibboleth.common.ShibbolethOriginConfig;
/**
+ * Class for determining the effective relying party for the Shibboleth attribute authority from the unique id of the
+ * service provider.
+ *
* @author Walter Hoehn
*/
public class AAServiceProviderMapper extends ServiceProviderMapper {
private static Logger log = Logger.getLogger(AAServiceProviderMapper.class.getName());
private AAConfig configuration;
+ /**
+ * Constructs a new service provider mapper for the attribute authority.
+ *
+ * @param rawConfig DOM representation of the attribute authority configuration
+ * @param configuration global attribute authority configuration
+ *
+ * @throws ServiceProviderMapperException
+ * if the configuration is invalid
+ */
public AAServiceProviderMapper(Element rawConfig, AAConfig configuration) throws ServiceProviderMapperException {
this.configuration = configuration;
}
}
+ /**
+ * Returns the appropriate relying party for the supplied service provider id.
+ */
public AARelyingParty getRelyingParty(String providerIdFromTarget) {
return (AARelyingParty) getRelyingPartyImpl(providerIdFromTarget);
}
+ protected ShibbolethOriginConfig getOriginConfig() {
+ return configuration;
+ }
+
+ /**
+ * AA-specific relying party implementation.
+ * @author Walter Hoehn
+ */
class AARelyingPartyImpl extends BaseRelyingPartyImpl {
private AAConfig aaConfig;
}
}
-
- protected ShibbolethOriginConfig getOriginConfig() {
- return configuration;
- }
}
import edu.internet2.middleware.shibboleth.hs.HSNameIdentifierMapping;
/**
+ * Base class for processing name identifier mapping configuration.
+ *
* @author Walter Hoehn
*/
public abstract class BaseNameIdentifierMapping implements NameIdentifierMapping {
import java.security.interfaces.RSAPrivateKey;
/**
+ * Used to prove identity or integrity of transmitted messages.
+ *
* @author Walter Hoehn
- *
*/
public class Credential {
public static int RSA = 1;
public static int DSA = 2;
- private int type = 0;
+ private int type = UNKNOWN;
private Key key;
private X509Certificate[] certs;
+ /**
+ * Creates a X509 credential.
+ *
+ * @param certChain certificate chain corresponding to the private key
+ * @param key the RSA or DSA private key
+ */
public Credential(X509Certificate[] certChain, PrivateKey key) {
if (key instanceof RSAPrivateKey) {
type = RSA;
public X509Certificate[] getX509CertificateChain() {
return certs;
}
-}
\ No newline at end of file
+}
import org.w3c.dom.Element;
/**
+ * Defines a method for loading a credential from a particular storage mechanism.
* @author Walter Hoehn
- *
*/
public interface CredentialResolver {
+
+ /**
+ * Loads a credential as specified by the XML configuration.
+ *
+ * @param e DOM representation of credential resolver configuration
+ *
+ * @return the credential
+ *
+ * @throws CredentialFactoryException
+ * if the credential could not be loaded
+ */
Credential loadCredential(Element e) throws CredentialFactoryException;
-}
\ No newline at end of file
+}
import sun.security.util.DerValue;
/**
+ * Uses {@link CredentialResolver} implementations to create {@link Credential}s.
+ *
* @author Walter Hoehn
- *
*/
public class Credentials {
private static Logger log = Logger.getLogger(Credentials.class.getName());
private Hashtable data = new Hashtable();
+ /**
+ * Creates credentials based on XML configuration.
+ * @param e DOM representation of credentials configuration
+ */
public Credentials(Element e) {
if (!e.getLocalName().equals("Credentials")) {
}
}
+/**
+ * Loads a credential from a file. Supports DER, PEM, encrypted PEM, PKCS8, and encrypted PKCS8 for RSA and DSA.
+ * @author Walter Hoehn
+ */
class FileCredentialResolver implements CredentialResolver {
private static Logger log = Logger.getLogger(FileCredentialResolver.class.getName());
}
/**
- *
- * Loads a specified bundle of certs individually and returns an array of <code>Certificate</code> objects. This
- * is needed because the standard <code>CertificateFactory.getCertificates(InputStream)</code> method bails out
+ * Loads a specified bundle of certs individually and returns an array of {@link Certificate} objects. This
+ * is needed because the standard {@link CertificateFactory#getCertificates(InputStream)} method bails out
* when it has trouble loading any cert and cannot handle "comments".
*/
private Certificate[] loadCertificates(InputStream inStream, String certType) throws CredentialFactoryException {
* @throws InvalidCertificateChainException
* thrown if a chain cannot be constructed from the specified elements
*/
-
protected void walkChain(X509Certificate[] chainSource, ArrayList chainDest) throws CredentialFactoryException {
X509Certificate currentCert = (X509Certificate) chainDest.get(chainDest.size() - 1);
* @param privKey
* the private key
*/
-
protected boolean isMatchingKey(PublicKey pubKey, PrivateKey privKey) {
try {
}
+/**
+ * Loads a credential from a Java keystore.
+ * @author Walter Hoehn
+ */
class KeystoreCredentialResolver implements CredentialResolver {
private static Logger log = Logger.getLogger(KeystoreCredentialResolver.class.getName());
}
}
+/**
+ * Uses implementation specified in the configuration to load a credential.
+ *
+ * @author Walter Hoehn
+ */
class CustomCredentialResolver implements CredentialResolver {
private static Logger log = Logger.getLogger(CustomCredentialResolver.class.getName());
private static Logger log = Logger.getLogger(NameMapper.class.getName());
protected Map byFormat = new HashMap();
private static Map registeredMappingTypes = Collections.synchronizedMap(new HashMap());
- /** Indicated of whether mappings have been added */
+ /** true if mappings have been added */
protected boolean initialized = false;
/** Mapping to use if no other mappings have been added */
protected SharedMemoryShibHandle defaultMapping;
}
/**
- * Constructs name mapper and loads a default name mapping.
+ * Constructs the name mapper and loads a default name mapping.
*/
public NameMapper() {
try {
}
/**
- * Adds a <code>NameIdentifierMapping</code> to this <code>NameMapper</code>, registering it according to its
- * format.
+ * Adds a {@link NameIdentifierMapping} to this name mapper, registering it according to its format.
*
* @param mapping
* the mapping to add
}
/**
- * Returns the <code>NameIdentifierMapping</code> registered for a given format
+ * Returns the {@link NameIdentifierMapping} registered for a given format.
*
* @param format
* the registered format
- * @return the mapping or <tt>null</tt> if no mapping is registered for the given format
+ * @return the mapping or <code>null</code> if no mapping is registered for the given format
*/
public NameIdentifierMapping getNameIdentifierMapping(URI format) {
if (!initialized) {
* the provider handling the request
* @return the local principal
* @throws NameIdentifierMappingException
- * If the <code>NameMapper</code> encounters an internal error
+ * If the {@link NameMapper} encounters an internal error
* @throws InvalidNameIdentifierException
- * If the <code>SAMLNameIdentifier</code> contains invalid data
+ * If the {@link SAMLNameIdentifier} contains invalid data
*/
public AuthNPrincipal getPrincipal(SAMLNameIdentifier nameId, ServiceProvider sProv, IdentityProvider idProv)
throws NameIdentifierMappingException, InvalidNameIdentifierException {
import org.w3c.dom.Element;
/**
- * <code>NameMapping</code> implementation that creates a principal from a
- * shared principal name.
+ * {@link NameIdentifierMapping} implementation to use when the SAML name identifier format matches the Shibboleth
+ * internal representation of the principal.
*
* @author Walter Hoehn
*/
import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
/**
+ * Base class for determining the effective relying party from the unique id of the service provider. Checks first for
+ * an exact match on the service provider, then for membership in a federation. Uses the default relying party if
+ * neither is found.
+ *
* @author Walter Hoehn
- *
*/
public abstract class ServiceProviderMapper {
return (RelyingParty) relyingParties.get(defaultParty);
}
+ /**
+ * Base relying party implementation.
+ *
+ * @author Walter Hoehn
+ */
protected abstract class BaseRelyingPartyImpl implements RelyingParty {
protected RelyingPartyIdentityProvider identityProvider;
protected String name;
protected String overridenOriginProviderId;
- /**
- * Shared construction
- */
public BaseRelyingPartyImpl(Element partyConfig) throws ServiceProviderMapperException {
//Get party name
return identityProvider;
}
+ /**
+ * Default identity provider implementation.
+ * @author Walter Hoehn
+ */
protected class RelyingPartyIdentityProvider implements IdentityProvider {
private String providerId;
}
}
+ /**
+ * Relying party implementation wrapper for relying parties that are federations.
+ *
+ * @author Walter Hoehn
+ */
class RelyingPartyGroupWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
private RelyingParty wrapped;
}
}
+ /**
+ * Relying party implementation wrapper for anonymous service providers.
+ *
+ * @author Walter Hoehn
+ */
protected class UnknownProviderWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
protected RelyingParty wrapped;
import edu.internet2.middleware.shibboleth.common.ServiceProvider;
/**
- * Defines a mechanism for generating SAML Name Identifiers from <code>AuthNPrincipal</code>
- * objects.
+ * Adds a mechanism to the {@link NameIdentifierMapping} interface for generating SAML Name Identifiers from
+ * {@link AuthNPrincipal} objects.
*
* @author Walter Hoehn
*/
public interface HSNameIdentifierMapping extends NameIdentifierMapping {
/**
- * @return the id of this mapping or <tt>null</tt> is it is not
+ * @return the id of this mapping or <code>null</code> is it is not
* configured with one
*/
public String getId();
/**
- *
* Maps a local principal to a SAML Name Identifier.
*
* @param id
- * the id under which the effective <code>HSNameIdentifierMapping</code>
+ * the id under which the effective {@link HSNameIdentifierMapping}
* is registered
* @param principal
* the principal to map
* the provider initiating the request
* @param idProv
* the provider handling the request
- * @return @throws
- * NameIdentifierMappingException If the <code>NameMapper</code>
+ * @return the SAML name identifier
+
+ * @throws NameIdentifierMappingException If the {@link NameMapper}
* encounters an internal error
*/
public SAMLNameIdentifier getNameIdentifierName(
import edu.internet2.middleware.shibboleth.common.ShibbolethOriginConfig;
/**
+ * Class for determining the effective relying party for the Shibboleth handle service from the unique id of the service
+ * provider.
+ *
* @author Walter Hoehn
*/
public class HSServiceProviderMapper extends ServiceProviderMapper {
private Credentials credentials;
private HSNameMapper nameMapper;
+ /**
+ * Constructs a new service provider mapper for the handle service.
+ *
+ * @param rawConfig DOM representation of the handle service configuration
+ * @param configuration global handle service configuration
+ * @param credentials credentials for the handle service using this provider mapper
+ * @param nameMapper name mapper for the handle service using this provider mapper
+ *
+ * @throws ServiceProviderMapperException
+ * if the configuration is invalid
+ */
public HSServiceProviderMapper(
Element rawConfig,
HSConfig configuration,
}
}
+ /**
+ * Returns the appropriate relying party for the supplied service provider id.
+ */
public HSRelyingParty getRelyingParty(String providerIdFromTarget) {
//If the target did not send a Provider Id, then assume it is a Shib
return (HSRelyingParty) getRelyingPartyImpl(providerIdFromTarget);
}
+
+ protected ShibbolethOriginConfig getOriginConfig() {
+ return configuration;
+ }
+
+ /**
+ * HS-specific relying party implementation.
+ * @author Walter Hoehn
+ */
class HSRelyingPartyImpl extends BaseRelyingPartyImpl implements HSRelyingParty {
private URL overridenAAUrl;
}
}
+ /**
+ * Relying party wrapper for Shibboleth <=1.1 service providers.
+ * @author Walter Hoehn
+ */
class LegacyWrapper extends UnknownProviderWrapper implements HSRelyingParty {
LegacyWrapper(HSRelyingParty wrapped) {
}
}
- protected ShibbolethOriginConfig getOriginConfig() {
- return configuration;
- }
-
}
/*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation
- * for Advanced Internet Development, Inc. All rights reserved
+ * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved
*
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+ * following conditions are met:
*
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
+ * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+ * disclaimer.
*
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
+ * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided with the distribution, if any, must include the
+ * following acknowledgment: "This product includes software developed by the University Corporation for Advanced
+ * Internet Development <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement may appear in the
+ * software itself, if and wherever such third-party acknowledgments normally appear.
*
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
+ * Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor the University Corporation for
+ * Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote products derived from this software
+ * without specific prior written permission. For written permission, please contact shibboleth@shibboleth.org
*
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
+ * Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the University Corporation for
+ * Advanced Internet Development, nor may Shibboleth appear in their name, without prior written permission of the
* University Corporation for Advanced Internet Development.
*
*
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE,
+ * ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+ * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package edu.internet2.middleware.shibboleth.hs.provider;
import edu.internet2.middleware.shibboleth.common.NameIdentifierMappingException;
/**
- * Base class for <code>NameIdentifierMapping</code> implementations that
- * support Shibboleth Attribute Query Handles.
+ * Base class for {@link NameIdentifierMapping} implementations that support Shibboleth Attribute Query Handles.
*
* @author Walter Hoehn
*/
import edu.internet2.middleware.shibboleth.hs.HSNameIdentifierMapping;
/**
- * <code>HSNameIdentifierMapping</code> implementation that uses symmetric
- * encryption to securely transport principal data inside Shibboleth Attribute
- * Query Handles.
+ * {@link HSNameIdentifierMapping} implementation that uses symmetric encryption to store principal data inside
+ * Shibboleth Attribute Query Handles.
*
* @author Walter Hoehn
*/
import edu.internet2.middleware.shibboleth.hs.HSNameIdentifierMapping;
/**
- * <code>HSNameIdentifierMapping</code> implementation that uses an in-memory
- * cache to store mappings between principal names and Shibboleth Attribute Query Handles.
+ * {@link HSNameIdentifierMapping} implementation that uses an in-memory cache to store mappings between principal names
+ * and Shibboleth Attribute Query Handles.
*
* @author Walter Hoehn
*/