private static long defaultLifetime = 1800; // 30 minutes
private ValueHandler valueHandler = new StringValueHandler();
+ /**
+ * Constructs a skeleton attribute with no values.
+ *
+ * @param name
+ * the name of the attribute
+ * @param legacyCompat
+ * boolean indicator of whether or not the legacy namespace hack should be used (this is required for SPs
+ * running old versions of xerces)
+ * @throws SAMLException
+ */
+ public AAAttribute(String name, boolean legacyCompat) throws SAMLException {
+
+ super(name, SHIB_ATTRIBUTE_NAMESPACE_URI, legacyCompat ? new QName("urn:mace:shibboleth:1.0",
+ "AttributeValueType") : null, defaultLifetime, null);
+ }
+
+ /**
+ * Constructs a skeleton attribute with no values.
+ *
+ * @param name
+ * the name of the attribute
+ * @throws SAMLException
+ * if the attribute could not be created
+ */
public AAAttribute(String name) throws SAMLException {
- super(name, SHIB_ATTRIBUTE_NAMESPACE_URI, new QName("urn:mace:shibboleth:1.0", "AttributeValueType"),
- defaultLifetime, null);
+ super(name, SHIB_ATTRIBUTE_NAMESPACE_URI, null, defaultLifetime, null);
}
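Review bot: The one-argument constructor at the end of the hunk repeats the super-call arguments of the new two-argument constructor's `false` branch instead of delegating to it; `this(name, false);` keeps the two in step if the lifetime or namespace handling changes later. The Javadoc on the new constructor also leaves `@throws SAMLException` without a description, unlike the `if the attribute could not be created` text on the single-argument one, and calls the option the "legacy namespace hack" while the RelyingParty interface on this page calls it the schema hack; one term would help a reader find the matching config switch. The class continues outside the hunk.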
public AAAttribute(String name, Object[] values) throws SAMLException {
* Returns thhe default "TARGET" attribute to be used with the artifact profile or null if none is specified.
*/
public String getDefaultTarget();
+
+ /**
+ * Boolean indicator of whether or not the legacy schema hack should be used. Older versions of xerces require
+ * (xsi:type="typens:AttributeValueType") on the attribute value to get around a validation bug.
+ */
+ public boolean wantsSchemaHack();
}
private boolean wantsAssertionsSigned = false;
private int preferredArtifactType = 1;
private String defaultTarget;
+ private boolean wantsSchemaHack = false;
public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
NameMapper nameMapper) throws ServiceProviderMapperException {
log.debug("Relying party does not want SAML Assertions to be signed.");
}
+ // Decide whether or not to use the schema hack for old xerces
+ attribute = ((Element) partyConfig).getAttribute("schemaHack");
+ if (attribute != null && !attribute.equals("")) {
+ wantsSchemaHack = Boolean.valueOf(attribute).booleanValue();
+ }
+ if (wantsSchemaHack) {
+ log.debug("XML schema hack enabled for this relying party.");
+ }
+
// Set a default target for use in artifact redirects
defaultTarget = ((Element) partyConfig).getAttribute("defaultTarget");
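Review bot: The parse at `wantsSchemaHack = Boolean.valueOf(attribute).booleanValue();` maps every string other than a case-insensitive "true" to false, but the schema change in this same commit declares `schemaHack` as `xs:boolean`, whose lexical space also admits `1` and `0`; a configuration of `schemaHack="1"` validates and is then silently treated as disabled. Because the field defaults to false, a typo such as `ture` is equally invisible to the operator. I would accept the XSD spellings explicitly, `wantsSchemaHack = attribute.equalsIgnoreCase("true") || attribute.equals("1");`, and log a warning for any other non-empty value so a misconfiguration is reported rather than folded into the default. The constructor continues outside the hunk.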
return defaultTarget;
}
+ public boolean wantsSchemaHack() {
+
+ return wantsSchemaHack;
+ }
+
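Review bot: The new `wantsSchemaHack()` accessor, like the two delegating copies later on the page (after each `return wrapped.getDefaultTarget();`), carries no Javadoc, while the interface method it implements documents the xerces workaround; a one-line `/** @see RelyingParty#wantsSchemaHack() */` on each, or a copy of the interface sentence, keeps the implementation classes readable on their own. The enclosing class continues outside the hunk.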
/**
* Default identity provider implementation.
*
return wrapped.getDefaultTarget();
}
+
+ public boolean wantsSchemaHack() {
+
+ return wrapped.wantsSchemaHack();
+ }
}
/**
return wrapped.getDefaultTarget();
}
+
+ public boolean wantsSchemaHack() {
+
+ return wrapped.wantsSchemaHack();
+ }
}
/**
return null;
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource) throws AAException {
+ public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
+ URL resource) throws AAException {
try {
URI[] potentialAttributes = arpEngine.listPossibleReleaseAttributes(principal, requester, resource);
- return getReleaseAttributes(principal, requester, resource, potentialAttributes);
+ return getReleaseAttributes(principal, relyingParty, requester, resource, potentialAttributes);
} catch (ArpProcessingException e) {
log.error("An error occurred while processing the ARPs for principal (" + principal.getName() + ") :"
}
}
- public SAMLAttribute[] getReleaseAttributes(Principal principal, String requester, URL resource,
- URI[] attributeNames) throws AAException {
+ public SAMLAttribute[] getReleaseAttributes(Principal principal, RelyingParty relyingParty, String requester,
+ URL resource, URI[] attributeNames) throws AAException {
try {
AAAttributeSet attributeSet = new AAAttributeSet();
for (int i = 0; i < attributeNames.length; i++) {
- AAAttribute attribute = new AAAttribute(attributeNames[i].toString());
+
+ AAAttribute attribute = null;
+ if (relyingParty.wantsSchemaHack()) {
+ attribute = new AAAttribute(attributeNames[i].toString(), true);
+ } else {
+ attribute = new AAAttribute(attributeNames[i].toString(), false);
+ }
+
attributeSet.add(attribute);
}
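Review bot: The if/else on `relyingParty.wantsSchemaHack()` inside the loop passes a literal true or false to the same constructor, so it collapses to one line, `AAAttribute attribute = new AAAttribute(attributeNames[i].toString(), relyingParty.wantsSchemaHack());`, and the call itself can be hoisted above the loop since it does not depend on i. The new `relyingParty` parameter is dereferenced here without a null check, whereas the previous signature had no such argument; if any caller still passes null the failure is a NullPointerException inside the try block, and whether the catch clauses further down (outside the hunk) turn that into an AAException cannot be seen from here. The method continues past the hunk.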
log.info("Resolving attributes.");
List attributes = null;
try {
- attributes = Arrays.asList(support.getReleaseAttributes(principal, relyingParty.getProviderId(), null));
+ attributes = Arrays.asList(support.getReleaseAttributes(principal, relyingParty, relyingParty.getProviderId(), null));
} catch (AAException e1) {
log.error("Error resolving attributes: " + e1);
eAuthError(response, 90, remoteProviderId, csid);
import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.KeyDescriptor;
import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
// Make sure that the suppplied credential is valid for the
// selected relying party
- X509Certificate[] chain = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
- if (support.getTrust().validate((chain != null && chain.length > 0) ? chain[0] : null, chain, role)) {
+ X509Certificate[] chain = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
+ if (support.getTrust().validate((chain != null && chain.length > 0) ? chain[0] : null, chain, role)) {
log.info("Supplied credential validated for this provider.");
log.info("Request from service provider: (" + relyingParty.getProviderId() + ").");
return relyingParty.getProviderId();
// Map Subject to local principal
Principal principal;
try {
- principal = support.getNameMapper().getPrincipal(attributeQuery.getSubject().getNameIdentifier(), relyingParty,
- relyingParty.getIdentityProvider());
+ principal = support.getNameMapper().getPrincipal(attributeQuery.getSubject().getNameIdentifier(),
+ relyingParty, relyingParty.getIdentityProvider());
log.info("Request is for principal (" + principal.getName() + ").");
}
}
- attrs = support.getReleaseAttributes(principal, effectiveName, null, (URI[]) requestedAttrs
- .toArray(new URI[0]));
+ attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, null,
+ (URI[]) requestedAttrs.toArray(new URI[0]));
} else {
log.info("Request does not designate specific attributes, resolving all available.");
- attrs = support.getReleaseAttributes(principal, effectiveName, null);
+ attrs = support.getReleaseAttributes(principal, relyingParty, effectiveName, null);
}
log.info("Found " + attrs.length + " attribute(s) for " + principal.getName());
RelyingParty relyingParty, SAMLSubject authNSubject) throws SAMLException {
try {
- SAMLAttribute[] attributes = support.getReleaseAttributes(principal, relyingParty.getProviderId(), null);
+ SAMLAttribute[] attributes = support.getReleaseAttributes(principal, relyingParty, relyingParty
+ .getProviderId(), null);
log.info("Found " + attributes.length + " attribute(s) for " + principal.getName());
// Bail if we didn't get any attributes
<xs:attribute name="signAssertions" type="xs:boolean" use="optional"/>
<xs:attribute name="forceAttributeNoPush" type="xs:boolean" use="optional"/>
<xs:attribute name="defaultToPOSTProfile" type="xs:boolean" use="optional"/>
+ <xs:attribute name="schemaHack" type="xs:boolean" use="optional"/>
<xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
<xs:attribute name="preferredArtifactType" type="xs:integer" use="optional"/>
<xs:attribute name="defaultTarget" type="xs:string" use="optional"/>
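Review bot: The new `schemaHack` attribute is the point where a deployer learns the option exists, and it has no `xs:annotation`/`xs:documentation` child saying that it adds an xsi:type to attribute values for service providers running old xerces versions; the sibling attributes shown here carry none either, but this one reads as a compatibility workaround and deserves a sentence on when it is needed. Note also that `xs:boolean` admits `1`/`0` as well as `true`/`false`, so the Java code reading this attribute should accept both forms.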