Beginning of expanded signature support. HS signing is now optional and can be appli...
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 16 Mar 2004 22:39:28 +0000 (22:39 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Tue, 16 Mar 2004 22:39:28 +0000 (22:39 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@921 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/common/ShibPOSTProfile.java
src/edu/internet2/middleware/shibboleth/hs/HSServiceProviderMapper.java
src/schemas/origin.xsd

index b25f54e..3bc4173 100644 (file)
@@ -1,49 +1,29 @@
 /*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation
- * for Advanced Internet Development, Inc. All rights reserved
- * 
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- * 
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- * 
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- * 
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- * 
- * 
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met: Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
+ * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2
+ * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
+ * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please
+ * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
+ * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
+ * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
+ * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
+ * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
+ * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
+
 package edu.internet2.middleware.shibboleth.common;
 
 import java.net.URI;
@@ -66,8 +46,8 @@ import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
  */
 public abstract class ServiceProviderMapper {
 
-       private static Logger log = Logger.getLogger(ServiceProviderMapper.class.getName());
-       protected Map relyingParties = new HashMap();
+       private static Logger   log                             = Logger.getLogger(ServiceProviderMapper.class.getName());
+       protected Map                   relyingParties  = new HashMap();
 
        protected abstract ShibbolethOriginConfig getOriginConfig();
 
@@ -76,8 +56,8 @@ public abstract class ServiceProviderMapper {
                String defaultParty = configuration.getDefaultRelyingPartyName();
                if (defaultParty == null || defaultParty.equals("")) {
                        if (relyingParties.size() != 1) {
-                               log.error(
-                                       "Default Relying Party not specified.  Add a (defaultRelyingParty) attribute to <ShibbolethOriginConfig>.");
+                               log
+                                               .error("Default Relying Party not specified.  Add a (defaultRelyingParty) attribute to <ShibbolethOriginConfig>.");
                                throw new ServiceProviderMapperException("Required configuration not specified.");
                        } else {
                                log.debug("Only one Relying Party loaded.  Using this as the default.");
@@ -106,9 +86,7 @@ public abstract class ServiceProviderMapper {
                }
 
                //OK, just send the default
-               log.info(
-                       "Could not locate Relying Party configuration for ("
-                               + providerIdFromTarget
+               log.info("Could not locate Relying Party configuration for (" + providerIdFromTarget
                                + ").  Using default Relying Party.");
                return new UnknownProviderWrapper(getDefaultRelyingPatry());
        }
@@ -138,16 +116,16 @@ public abstract class ServiceProviderMapper {
                return (RelyingParty) relyingParties.get(defaultParty);
        }
 
-        /**
-         * Base relying party implementation.
-         *
-         * @author Walter Hoehn
-         */
+       /**
+        * Base relying party implementation.
+        * 
+        * @author Walter Hoehn
+        */
        protected abstract class BaseRelyingPartyImpl implements RelyingParty {
 
-               protected RelyingPartyIdentityProvider identityProvider;
-               protected String name;
-               protected String overridenOriginProviderId;
+               protected RelyingPartyIdentityProvider  identityProvider;
+               protected String                                                name;
+               protected String                                                overridenOriginProviderId;
 
                public BaseRelyingPartyImpl(Element partyConfig) throws ServiceProviderMapperException {
 
@@ -180,20 +158,29 @@ public abstract class ServiceProviderMapper {
                        return identityProvider;
                }
 
-                /**
-                 * Default identity provider implementation.
-                 * @author Walter Hoehn
-                 */
+               /**
+                * Default identity provider implementation.
+                * 
+                * @author Walter Hoehn
+                */
                protected class RelyingPartyIdentityProvider implements IdentityProvider {
 
-                       private String providerId;
-                       private Credential responseSigningCredential;
+                       private String          providerId;
+                       private Credential      responseSigningCredential;
+                       private Credential      assertionSigningCredential;
 
                        public RelyingPartyIdentityProvider(String providerId, Credential responseSigningCred) {
                                this.providerId = providerId;
                                this.responseSigningCredential = responseSigningCred;
                        }
 
+                       public RelyingPartyIdentityProvider(String providerId, Credential responseSigningCred,
+                                       Credential assertionSigningCred) {
+                               this.providerId = providerId;
+                               this.responseSigningCredential = responseSigningCred;
+                               this.assertionSigningCredential = assertionSigningCred;
+                       }
+
                        public String getProviderId() {
                                return providerId;
                        }
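Review bot: The new three-argument constructor in the middle of the hunk repeats the two-argument constructor's assignments instead of delegating to it, and neither constructor nor the new `assertionSigningCredential` field says what a null assertion credential means. Chaining keeps the two in step: `this(providerId, responseSigningCred);` followed by `this.assertionSigningCredential = assertionSigningCred;`. A short Javadoc on the field, or on `getAssertionSigningCredential()` in the next hunk, should state that the credential is null when the two-argument constructor is used, which ShibPOSTProfile.prepare() in this same commit treats as "do not sign assertions". The three fields appear to be written only in these constructors and could be `final`. RelyingPartyIdentityProvider's body continues past the end of this hunk.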
@@ -203,21 +190,21 @@ public abstract class ServiceProviderMapper {
                        }
 
                        public Credential getAssertionSigningCredential() {
-                               return null;
+                               return assertionSigningCredential;
                        }
 
                }
        }
 
-        /**
-         * Relying party implementation wrapper for relying parties that are federations.
-         * 
-         * @author Walter Hoehn
-         */
+       /**
+        * Relying party implementation wrapper for relying parties that are federations.
+        * 
+        * @author Walter Hoehn
+        */
        class RelyingPartyGroupWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
 
-               private RelyingParty wrapped;
-               private String providerId;
+               private RelyingParty    wrapped;
+               private String                  providerId;
 
                RelyingPartyGroupWrapper(RelyingParty wrapped, String providerId) {
                        this.wrapped = wrapped;
@@ -239,6 +226,7 @@ public abstract class ServiceProviderMapper {
                public String getProviderId() {
                        return providerId;
                }
+
                public String getHSNameFormatId() {
                        if (!(wrapped instanceof HSRelyingParty)) {
                                return null;
@@ -268,13 +256,14 @@ public abstract class ServiceProviderMapper {
                }
        }
 
-        /**
-         * Relying party implementation wrapper for anonymous service providers.
-         *
-         * @author Walter Hoehn
-         */
+       /**
+        * Relying party implementation wrapper for anonymous service providers.
+        * 
+        * @author Walter Hoehn
+        */
        protected class UnknownProviderWrapper implements RelyingParty, HSRelyingParty, AARelyingParty {
-               protected RelyingParty wrapped;
+
+               protected RelyingParty  wrapped;
 
                protected UnknownProviderWrapper(RelyingParty wrapped) {
                        this.wrapped = wrapped;
index abfb0dd..faafd3e 100755 (executable)
@@ -1,48 +1,27 @@
 /*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation
- * for Advanced Internet Development, Inc. All rights reserved
- * 
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- * 
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- * 
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- * 
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- * 
- * 
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met: Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
+ * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2
+ * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
+ * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please
+ * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
+ * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
+ * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
+ * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
+ * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
+ * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
 
 package edu.internet2.middleware.shibboleth.common;
@@ -85,28 +64,28 @@ import org.w3c.dom.Document;
 import edu.internet2.middleware.shibboleth.hs.HSRelyingParty;
 
 /**
- * Basic Shibboleth POST browser profile implementation with basic support for
- * signing
+ * Basic Shibboleth POST browser profile implementation with basic support for signing
  * 
  * @author Scott Cantor @created April 11, 2002
  */
 public class ShibPOSTProfile {
+
        /** XML Signature algorithm to apply */
-       protected String algorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+       protected String                algorithm       = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
 
        /** Policy URIs to attach or check against */
-       protected ArrayList policies = new ArrayList();
+       protected ArrayList             policies        = new ArrayList();
 
        /** Official name of issuing site */
-       protected String issuer = null;
+       protected String                issuer          = null;
 
        /** The URL of the receiving SHIRE */
-       protected String receiver = null;
+       protected String                receiver        = null;
 
        /** Seconds allowed to elapse from issuance of response */
-       protected int ttlSeconds = 0;
+       protected int                   ttlSeconds      = 0;
 
-       private static Logger log = Logger.getLogger(ShibPOSTProfile.class.getName());
+       private static Logger   log                     = Logger.getLogger(ShibPOSTProfile.class.getName());
 
        /**
         * SHIRE-side constructor for a ShibPOSTProfile object
@@ -116,11 +95,9 @@ public class ShibPOSTProfile {
         * @param receiver
         *            URL of SHIRE
         * @param ttlSeconds
-        *            Length of time in seconds allowed to elapse from issuance of
-        *            SAML response
+        *            Length of time in seconds allowed to elapse from issuance of SAML response
         * @exception SAMLException
-        *                Raised if a profile implementation cannot be constructed
-        *                from the supplied information
+        *                Raised if a profile implementation cannot be constructed from the supplied information
         */
        public ShibPOSTProfile(Collection policies, String receiver, int ttlSeconds) throws SAMLException {
                if (policies == null || policies.size() == 0 || receiver == null || receiver.length() == 0 || ttlSeconds <= 0)
@@ -130,22 +107,19 @@ public class ShibPOSTProfile {
                this.ttlSeconds = ttlSeconds;
                this.policies.addAll(policies);
        }
+
        /**
         * HS-side constructor for a ShibPOSTProfile object.
-        *  
         */
-       public ShibPOSTProfile() {
-       }
+       public ShibPOSTProfile() {}
 
        /**
-        * Locates an assertion containing a "bearer" AuthenticationStatement in
-        * the response and validates the enclosing assertion with respect to the
-        * POST profile
+        * Locates an assertion containing a "bearer" AuthenticationStatement in the response and validates the enclosing
+        * assertion with respect to the POST profile
         * 
         * @param r
         *            The response to the accepting site
         * @return An SSO assertion
-        * 
         * @throws SAMLException
         *             Thrown if an SSO assertion can't be found
         */
@@ -154,13 +128,12 @@ public class ShibPOSTProfile {
        }
 
        /**
-        * Locates a "bearer" AuthenticationStatement in the assertion and
-        * validates the statement with respect to the POST profile
+        * Locates a "bearer" AuthenticationStatement in the assertion and validates the statement with respect to the POST
+        * profile
         * 
         * @param a
         *            The SSO assertion sent to the accepting site
         * @return A "bearer" authentication statement
-        * 
         * @throws SAMLException
         *             Thrown if an SSO statement can't be found
         */
@@ -188,14 +161,11 @@ public class ShibPOSTProfile {
        }
 
        /**
-        * Parse a Base-64 encoded buffer back into a SAML response and test its
-        * validity against the POST profile, including use of the default replay
-        * cache
+        * Parse a Base-64 encoded buffer back into a SAML response and test its validity against the POST profile,
+        * including use of the default replay cache
         * <P>
-        * 
-        * Also does trust evaluation based on the information available from the
-        * origin site mapper, in accordance with general Shibboleth processing
-        * semantics. Club-specific processing must be performed in a subclass.
+        * Also does trust evaluation based on the information available from the origin site mapper, in accordance with
+        * general Shibboleth processing semantics. Club-specific processing must be performed in a subclass.
         * <P>
         * 
         * @param buf
@@ -206,21 +176,16 @@ public class ShibPOSTProfile {
         *                Thrown if the response cannot be understood or accepted
         */
        public SAMLResponse accept(byte[] buf, StringBuffer originSite) throws SAMLException {
-               // The built-in SAML functionality will do most of the basic non-crypto
-               // checks.
+               // The built-in SAML functionality will do most of the basic non-crypto checks.
                // Note that if the response only contains a status error, it gets
-               // tossed out
-               // as an exception.
+               // tossed out as an exception.
                SAMLResponse r = SAMLPOSTProfile.accept(buf, receiver, ttlSeconds, false);
 
-               if (originSite == null)
-                       originSite = new StringBuffer();
+               if (originSite == null) originSite = new StringBuffer();
 
-               // Now we do some more non-crypto (ie. cheap) work to match up the
-               // origin site
+               // Now we do some more non-crypto (ie. cheap) work to match up the origin site
                // with its associated data. If we can't even find a SSO statement in
-               // the response
-               // we just return the response to the caller, who will presumably
+               // the response we just return the response to the caller, who will presumably
                // notice this.
                SAMLAssertion assertion = null;
                SAMLAuthenticationStatement sso = null;
@@ -237,9 +202,8 @@ public class ShibPOSTProfile {
                // Examine the subject information.
                SAMLSubject subject = sso.getSubject();
                if (subject.getName().getName() == null)
-                       throw new InvalidAssertionException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.accept() requires subject name qualifier");
+                       throw new InvalidAssertionException(SAMLException.RESPONDER,
+                                       "ShibPOSTProfile.accept() requires subject name qualifier");
 
                originSite.setLength(0);
                originSite.append(subject.getName().getName());
@@ -250,19 +214,16 @@ public class ShibPOSTProfile {
                Iterator hsNames = mapper.getHandleServiceNames(originSite.toString());
                boolean bFound = false;
                while (!bFound && hsNames.hasNext())
-                       if (hsNames.next().equals(handleService))
-                               bFound = true;
+                       if (hsNames.next().equals(handleService)) bFound = true;
                if (!bFound)
-                       throw new TrustException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.accept() detected an untrusted HS for the origin site");
+                       throw new TrustException(SAMLException.RESPONDER,
+                                       "ShibPOSTProfile.accept() detected an untrusted HS for the origin site");
 
                Key hsKey = mapper.getHandleServiceKey(handleService);
                KeyStore ks = mapper.getTrustedRoots();
 
                // Signature verification now takes place. We check the assertion and
-               // the response.
-               // Assertion signing is optional, response signing is mandatory.
+               // the response. Assertion signing is optional, response signing is mandatory.
                try {
                        NDC.push("accept");
                        if (assertion.isSigned()) {
@@ -278,8 +239,7 @@ public class ShibPOSTProfile {
        }
 
        /**
-        * Used by HS to generate a signed SAML response conforming to the POST
-        * profile
+        * Used by HS to generate a signed SAML response conforming to the POST profile
         * <P>
         * 
         * @param recipient
@@ -295,41 +255,13 @@ public class ShibPOSTProfile {
         * @param authInstant
         *            Date and time of authentication being asserted
         * @param bindings
-        *            Set of SAML authorities the relying party may contact
-        *            (optional)
+        *            Set of SAML authorities the relying party may contact (optional)
         * @return SAML response to send to accepting site
         * @exception SAMLException
-        *                Base class of exceptions that may be thrown during
-        *                processing
+        *                Base class of exceptions that may be thrown during processing
         */
-       public SAMLResponse prepare(
-               String recipient,
-               HSRelyingParty relyingParty,
-               SAMLNameIdentifier nameId,
-               String subjectIP,
-               String authMethod,
-               Date authInstant,
-               Collection bindings)
-               throws SAMLException {
-
-               if (relyingParty.getIdentityProvider().getResponseSigningCredential() == null
-                       || relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey() == null) {
-                       throw new InvalidCryptoException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.prepare() requires a response key.");
-               }
-
-               String responseAlgorithm;
-               if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.RSA) {
-                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-               } else if (
-                       relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.DSA) {
-                       responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
-               } else {
-                       throw new InvalidCryptoException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
-               }
+       public SAMLResponse prepare(String recipient, HSRelyingParty relyingParty, SAMLNameIdentifier nameId,
+                       String subjectIP, String authMethod, Date authInstant, Collection bindings) throws SAMLException {
 
                Document doc = org.opensaml.XML.parserPool.newDocument();
 
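Review bot: The Javadoc at the top of this hunk still describes prepare() as generating a signed SAML response, yet the hunk drops the up-front check that the relying party's response signing credential and its private key exist, so whether the response is signed now depends on configuration. The comment in accept() earlier in this file (`Assertion signing is optional, response signing is mandatory.`) shows the SP side of this same class still rejects unsigned responses, so an HS deployed without a response signing credential would issue responses that such a relying party cannot accept; that deployment consequence belongs in the doc. Suggested wording: `Used by HS to generate a SAML response conforming to the POST profile. The response is signed only when the relying party's identity provider supplies a response signing credential with a private key; relying parties that require signed responses (see accept()) will reject unsigned ones.` The remainder of prepare(), including where response signing presumably now happens conditionally, is outside the visible hunks.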
@@ -345,19 +277,12 @@ public class ShibPOSTProfile {
                if (relyingParty.isLegacyProvider()) {
                        log.debug("Service Provider is running Shibboleth <= 1.1.  Using old style issuer.");
 
-                       if (relyingParty.getIdentityProvider().getResponseSigningCredential().getX509Certificate() == null) {
-                               throw new SAMLException("Cannot serve old style assertions without an X509 certificate");
-                       }
+                       if (relyingParty.getIdentityProvider().getResponseSigningCredential() == null
+                                       || relyingParty.getIdentityProvider().getResponseSigningCredential().getX509Certificate() == null) { throw new SAMLException(
+                                       "Cannot serve legacy style assertions without an X509 certificate"); }
 
-                       String[] splitDN =
-                               relyingParty
-                                       .getIdentityProvider()
-                                       .getResponseSigningCredential()
-                                       .getX509Certificate()
-                                       .getSubjectDN()
-                                       .getName()
-                                       .split(
-                                       "([Cc][Nn]=|,)");
+                       String[] splitDN = relyingParty.getIdentityProvider().getResponseSigningCredential().getX509Certificate()
+                                       .getSubjectDN().getName().split("([Cc][Nn]=|,)");
                        if (splitDN != null && !(splitDN.equals(""))) {
                                issuer = splitDN[1];
                        } else {
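Review bot: The null guard added above the DN extraction (`getResponseSigningCredential() == null || ...getX509Certificate() == null`) closes one failure path, but the check that follows, `splitDN != null && !(splitDN.equals(""))`, compares a `String[]` with a `String` and is therefore always true when `splitDN` is non-null; since `String.split` never returns null, `splitDN[1]` is reached unconditionally and throws ArrayIndexOutOfBoundsException for a subject DN without a CN component. Not introduced here, but it sits in the block this commit rewrote: `if (splitDN != null && splitDN.length > 1 && splitDN[1].length() > 0) {`. Separately, the single-line `{ throw new SAMLException(...); }` body appended to the new condition is hard to read and would be clearer as an ordinary braced block. The `else` branch beginning on the last line continues outside the hunk.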
@@ -368,49 +293,56 @@ public class ShibPOSTProfile {
                        issuer = relyingParty.getIdentityProvider().getProviderId();
                }
 
-               SAMLResponse r =
-                       SAMLPOSTProfile.prepare(recipient, issuer, audiences, nameId, subjectIP, authMethod, authInstant, bindings);
+               SAMLResponse r = SAMLPOSTProfile.prepare(recipient, issuer, audiences, nameId, subjectIP, authMethod,
+                               authInstant, bindings);
                r.toDOM(doc);
 
+               //Sign the assertions, if appropriate
                if (relyingParty.getIdentityProvider().getAssertionSigningCredential() != null
-                       && relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey() != null) {
+                               && relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey() != null) {
 
                        String assertionAlgorithm;
-                       if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType()
-                               == Credential.RSA) {
+                       if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.RSA) {
                                assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
-                       } else if (
-                               relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType()
-                                       == Credential.DSA) {
+                       } else if (relyingParty.getIdentityProvider().getAssertionSigningCredential().getCredentialType() == Credential.DSA) {
                                assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
                        } else {
-                               throw new InvalidCryptoException(
-                                       SAMLException.RESPONDER,
-                                       "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
+                               throw new InvalidCryptoException(SAMLException.RESPONDER,
+                                               "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
                        }
 
-                       ((SAMLAssertion) r.getAssertions().next()).sign(
-                               assertionAlgorithm,
-                               relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey(),
-                               Arrays.asList(
-                                       relyingParty.getIdentityProvider().getAssertionSigningCredential().getX509CertificateChain()));
+                       ((SAMLAssertion) r.getAssertions().next()).sign(assertionAlgorithm, relyingParty.getIdentityProvider()
+                                       .getAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
+                                       .getAssertionSigningCredential().getX509CertificateChain()));
                }
 
-               r.sign(
-                       responseAlgorithm,
-                       relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey(),
-                       Arrays.asList(relyingParty.getIdentityProvider().getResponseSigningCredential().getX509CertificateChain()));
+               //Sign the response, if appropriate
+               if (relyingParty.getIdentityProvider().getResponseSigningCredential() != null
+                               && relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey() != null) {
+
+                       String responseAlgorithm;
+                       if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.RSA) {
+                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+                       } else if (relyingParty.getIdentityProvider().getResponseSigningCredential().getCredentialType() == Credential.DSA) {
+                               responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+                       } else {
+                               throw new InvalidCryptoException(SAMLException.RESPONDER,
+                                               "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
+                       }
+
+                       r.sign(responseAlgorithm,
+                                       relyingParty.getIdentityProvider().getResponseSigningCredential().getPrivateKey(), Arrays
+                                                       .asList(relyingParty.getIdentityProvider().getResponseSigningCredential()
+                                                                       .getX509CertificateChain()));
+               }
 
                return r;
        }
 
        /**
-        * Searches the replay cache for the specified assertion and inserts a
-        * newly seen assertion into the cache
+        * Searches the replay cache for the specified assertion and inserts a newly seen assertion into the cache
         * <P>
-        * 
-        * Also performs garbage collection of the cache by deleting expired
-        * entries.
+        * Also performs garbage collection of the cache by deleting expired entries.
         * 
         * @param a
         *            The assertion to check
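Review bot: prepare() now returns the SAMLResponse silently unsigned when the identity provider carries no response signing credential (the new guard in front of `r.sign`), and likewise leaves the assertion unsigned when no assertion credential is set; nothing checks that at least one signature was applied, so a misconfigured relying party produces a wholly unsigned response with no log line. A warning when neither branch ran would make that visible, e.g. `if (!assertionSigned && !responseSigned) { log.warn("Response for " + recipient + " is being returned without any signature."); }` with the two booleans set inside the respective branches. The RSA/DSA algorithm selection is now duplicated between the assertion and response branches with identical error text; the helper below removes the duplication and gives each branch a named credential local instead of four repeated getter chains. Only the first assertion (`r.getAssertions().next()`) is signed, which deserves a comment if the profile only ever emits one. prepare() begins outside this hunk.
```java
// … unchanged: issuer derivation and SAMLPOSTProfile.prepare call …
//Sign the assertions, if appropriate
if (relyingParty.getIdentityProvider().getAssertionSigningCredential() != null
		&& relyingParty.getIdentityProvider().getAssertionSigningCredential().getPrivateKey() != null) {
	Credential assertionCredential = relyingParty.getIdentityProvider().getAssertionSigningCredential();
	((SAMLAssertion) r.getAssertions().next()).sign(signatureAlgorithmFor(assertionCredential),
			assertionCredential.getPrivateKey(), Arrays.asList(assertionCredential.getX509CertificateChain()));
}
// … response branch written the same way with getResponseSigningCredential() and r.sign(...) …

/** Maps a signing credential's key type to the XML Signature algorithm URI prepare() uses for it. */
private static String signatureAlgorithmFor(Credential credential) throws SAMLException {
	if (credential.getCredentialType() == Credential.RSA) {
		return XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
	} else if (credential.getCredentialType() == Credential.DSA) {
		return XMLSignature.ALGO_ID_SIGNATURE_DSA;
	}
	throw new InvalidCryptoException(SAMLException.RESPONDER,
			"ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
}
```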
@@ -422,10 +354,9 @@ public class ShibPOSTProfile {
        }
 
        /**
-        * Default signature verification algorithm uses an embedded X509
-        * certificate(s) or an explicit key to verify the signature. The
-        * certificate is examined to insure the subject CN matches the signer, and
-        * that it is signed by a trusted CA
+        * Default signature verification algorithm uses an embedded X509 certificate(s) or an explicit key to verify the
+        * signature. The certificate is examined to insure the subject CN matches the signer, and that it is signed by a
+        * trusted CA
         * 
         * @param obj
         *            The object containing the signature
@@ -437,20 +368,18 @@ public class ShibPOSTProfile {
         *            An explicit key to use if a certificate cannot be found
         * @param simple
         *            Verify according to simple SAML signature profile?
-        * 
         * @throws SAMLException
         *             Thrown if the signature cannot be verified
         */
        protected void verifySignature(SAMLSignedObject obj, String signerName, KeyStore ks, Key knownKey)
-               throws SAMLException {
+                       throws SAMLException {
                try {
                        NDC.push("verifySignature");
 
                        if (!obj.isSigned()) {
                                log.error("unable to find a signature");
-                               throw new TrustException(
-                                       SAMLException.RESPONDER,
-                                       "ShibPOSTProfile.verifySignature() given an unsigned object");
+                               throw new TrustException(SAMLException.RESPONDER,
+                                               "ShibPOSTProfile.verifySignature() given an unsigned object");
                        }
 
                        if (knownKey != null) {
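Review bot: The reformatted Javadoc still carries `@param simple` ("Verify according to simple SAML signature profile?") but verifySignature takes only obj, signerName, ks and knownKey, so the tag documents a parameter that does not exist; drop those two lines, or if the flag is meant to come back, note that in the description instead. The `@param ks` entry is outside this hunk and could not be checked. verifySignature continues past the end of the hunk.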
@@ -468,9 +397,8 @@ public class ShibPOSTProfile {
                        Iterator certs_from_obj = obj.getX509Certificates();
                        if (!certs_from_obj.hasNext()) {
                                log.error("need certificates inside object to establish trust");
-                               throw new TrustException(
-                                       SAMLException.RESPONDER,
-                                       "ShibPOSTProfile.verifySignature() can't find any certificates");
+                               throw new TrustException(SAMLException.RESPONDER,
+                                               "ShibPOSTProfile.verifySignature() can't find any certificates");
                        }
 
                        // We assume the first one in the set is the end entity cert.
@@ -481,12 +409,11 @@ public class ShibPOSTProfile {
                        log.debug("found entity cert with DN: " + dname);
                        String cname = "CN=" + signerName;
                        if (!dname.equalsIgnoreCase(cname) && !dname.regionMatches(true, 0, cname + ',', 0, cname.length() + 1)) {
-                               log.error(
-                                       "verifySignature() found a mismatch between the entity certificate's DN and the expected signer: "
-                                               + signerName);
-                               throw new TrustException(
-                                       SAMLException.RESPONDER,
-                                       "ShibPOSTProfile.verifySignature() found mismatch between entity certificate and expected signer");
+                               log
+                                               .error("verifySignature() found a mismatch between the entity certificate's DN and the expected signer: "
+                                                               + signerName);
+                               throw new TrustException(SAMLException.RESPONDER,
+                                               "ShibPOSTProfile.verifySignature() found mismatch between entity certificate and expected signer");
                        }
 
                        // Prep a chain between the entity cert and the trusted roots.
@@ -508,16 +435,12 @@ public class ShibPOSTProfile {
                        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
                } catch (CertPathBuilderException e) {
                        log.error("caught a cert path builder exception: " + e.getMessage());
-                       throw new TrustException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.verifySignature() unable to build a PKIX certificate path",
-                               e);
+                       throw new TrustException(SAMLException.RESPONDER,
+                                       "ShibPOSTProfile.verifySignature() unable to build a PKIX certificate path", e);
                } catch (GeneralSecurityException e) {
                        log.error("caught a general security exception: " + e.getMessage());
-                       throw new TrustException(
-                               SAMLException.RESPONDER,
-                               "ShibPOSTProfile.verifySignature() unable to build a PKIX certificate path",
-                               e);
+                       throw new TrustException(SAMLException.RESPONDER,
+                                       "ShibPOSTProfile.verifySignature() unable to build a PKIX certificate path", e);
                } finally {
                        NDC.pop();
                }
index d384753..61440f9 100644 (file)
@@ -1,49 +1,29 @@
 /*
- * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation
- * for Advanced Internet Development, Inc. All rights reserved
- * 
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 
- * Redistributions of source code must retain the above copyright notice, this
- * list of conditions and the following disclaimer.
- * 
- * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution, if any, must include
- * the following acknowledgment: "This product includes software developed by
- * the University Corporation for Advanced Internet Development
- * <http://www.ucaid.edu> Internet2 Project. Alternately, this acknowledegement
- * may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear.
- * 
- * Neither the name of Shibboleth nor the names of its contributors, nor
- * Internet2, nor the University Corporation for Advanced Internet Development,
- * Inc., nor UCAID may be used to endorse or promote products derived from this
- * software without specific prior written permission. For written permission,
- * please contact shibboleth@shibboleth.org
- * 
- * Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor
- * may Shibboleth appear in their name, without prior written permission of the
- * University Corporation for Advanced Internet Development.
- * 
- * 
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
- * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
- * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
- * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
- * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
+ * provided that the following conditions are met: Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
+ * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu> Internet2
+ * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
+ * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please
+ * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
+ * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
+ * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
+ * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
+ * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
+ * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
  */
+
 package edu.internet2.middleware.shibboleth.hs;
 
 import java.net.MalformedURLException;
@@ -63,42 +43,41 @@ import edu.internet2.middleware.shibboleth.common.ServiceProviderMapperException
 import edu.internet2.middleware.shibboleth.common.ShibbolethOriginConfig;
 
 /**
- * Class for determining the effective relying party for the Shibboleth handle service from the unique id of the service
- * provider.
- *
+ * Class for determining the effective relying party for the Shibboleth handle service from the unique id of the
+ * service provider.
+ * 
  * @author Walter Hoehn
  */
 public class HSServiceProviderMapper extends ServiceProviderMapper {
 
-       private static Logger log = Logger.getLogger(HSServiceProviderMapper.class.getName());
-       private HSConfig configuration;
-       private Credentials credentials;
-       private HSNameMapper nameMapper;
+       private static Logger   log     = Logger.getLogger(HSServiceProviderMapper.class.getName());
+       private HSConfig                configuration;
+       private Credentials             credentials;
+       private HSNameMapper    nameMapper;
 
        /**
-         * Constructs a new service provider mapper for the handle service.
+        * Constructs a new service provider mapper for the handle service.
         * 
-        * @param rawConfig DOM representation of the handle service configuration
-        * @param configuration global handle service configuration
-        * @param credentials credentials for the handle service using this provider mapper
-        * @param nameMapper name mapper for the handle service using this provider mapper
-         *
+        * @param rawConfig
+        *            DOM representation of the handle service configuration
+        * @param configuration
+        *            global handle service configuration
+        * @param credentials
+        *            credentials for the handle service using this provider mapper
+        * @param nameMapper
+        *            name mapper for the handle service using this provider mapper
         * @throws ServiceProviderMapperException
         *             if the configuration is invalid
         */
-       public HSServiceProviderMapper(
-               Element rawConfig,
-               HSConfig configuration,
-               Credentials credentials,
-               HSNameMapper nameMapper)
-               throws ServiceProviderMapperException {
+       public HSServiceProviderMapper(Element rawConfig, HSConfig configuration, Credentials credentials,
+                       HSNameMapper nameMapper) throws ServiceProviderMapperException {
 
                this.configuration = configuration;
                this.credentials = credentials;
                this.nameMapper = nameMapper;
 
-               NodeList itemElements =
-                       rawConfig.getElementsByTagNameNS(ShibbolethOriginConfig.originConfigNamespace, "RelyingParty");
+               NodeList itemElements = rawConfig.getElementsByTagNameNS(ShibbolethOriginConfig.originConfigNamespace,
+                               "RelyingParty");
 
                for (int i = 0; i < itemElements.getLength(); i++) {
                        addRelyingParty((Element) itemElements.item(i));
@@ -121,9 +100,9 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                }
        }
 
-        /**
-         * Returns the appropriate relying party for the supplied service provider id.
-         */
+       /**
+        * Returns the appropriate relying party for the supplied service provider id.
+        */
        public HSRelyingParty getRelyingParty(String providerIdFromTarget) {
 
                //If the target did not send a Provider Id, then assume it is a Shib
@@ -140,23 +119,20 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                return configuration;
        }
 
-        /**
-         * HS-specific relying party implementation.
-         * @author Walter Hoehn
-         */
+       /**
+        * HS-specific relying party implementation.
+        * 
+        * @author Walter Hoehn
+        */
        class HSRelyingPartyImpl extends BaseRelyingPartyImpl implements HSRelyingParty {
 
-               private URL overridenAAUrl;
-               private URI overridenDefaultAuthMethod;
-               protected String hsNameFormatId;
-               private HSConfig configuration;
+               private URL                     overridenAAUrl;
+               private URI                     overridenDefaultAuthMethod;
+               protected String        hsNameFormatId;
+               private HSConfig        configuration;
 
-               HSRelyingPartyImpl(
-                       Element partyConfig,
-                       HSConfig globalConfig,
-                       Credentials credentials,
-                       HSNameMapper nameMapper)
-                       throws ServiceProviderMapperException {
+               HSRelyingPartyImpl(Element partyConfig, HSConfig globalConfig, Credentials credentials, HSNameMapper nameMapper)
+                               throws ServiceProviderMapperException {
 
                        super(partyConfig);
 
@@ -164,26 +140,28 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
 
                        //Load a credential for signing
                        String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
+                       boolean signAuthResponses = new Boolean(((Element) partyConfig).getAttribute("signAuthResponses"))
+                                       .booleanValue();
+                       boolean signAuthAssertions = new Boolean(((Element) partyConfig).getAttribute("signAuthAssertions"))
+                                       .booleanValue();
                        Credential credential = credentials.getCredential(credentialName);
 
-                       if (credential == null) {
+                       if ((credential == null) && (signAuthResponses || signAuthAssertions)) {
                                if (credentialName == null || credentialName.equals("")) {
-                                       log.error(
-                                               "Relying Party credential not set.  Add a (signingCredential) attribute to <RelyingParty>.");
+                                       log
+                                                       .error("Relying Party credential not set.  Add a (signingCredential) attribute to <RelyingParty>.");
                                        throw new ServiceProviderMapperException("Required configuration not specified.");
                                } else {
-                                       log.error(
-                                               "Relying Party credential not set.  Add a (signingCredential) attribute to <RelyingParty>.");
+                                       log
+                                                       .error("Relying Party credential not set.  Add a (signingCredential) attribute to <RelyingParty>.");
                                        throw new ServiceProviderMapperException("Required configuration not specified.");
                                }
                        }
 
                        //Load and verify the name format that the HS should use in
                        //assertions for this RelyingParty
-                       NodeList hsNameFormats =
-                               ((Element) partyConfig).getElementsByTagNameNS(
-                                       ShibbolethOriginConfig.originConfigNamespace,
-                                       "HSNameFormat");
+                       NodeList hsNameFormats = ((Element) partyConfig).getElementsByTagNameNS(
+                                       ShibbolethOriginConfig.originConfigNamespace, "HSNameFormat");
                        //If no specification. Make sure we have a default mapping
                        if (hsNameFormats.getLength() < 1) {
                                if (nameMapper.getNameIdentifierMappingById(null) == null) {
@@ -195,9 +173,7 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                                //We do have a specification, so make sure it points to a
                                // valid Name Mapping
                                if (hsNameFormats.getLength() > 1) {
-                                       log.warn(
-                                               "Found multiple HSNameFormat specifications for Relying Party ("
-                                                       + name
+                                       log.warn("Found multiple HSNameFormat specifications for Relying Party (" + name
                                                        + ").  Ignoring all but the first.");
                                }
 
@@ -236,10 +212,11 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                                }
                        }
 
-                       identityProvider =
-                               new RelyingPartyIdentityProvider(
-                                       overridenOriginProviderId != null ? overridenOriginProviderId : configuration.getProviderId(),
-                                       credential);
+                       identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
+                                       ? overridenOriginProviderId
+                                       : configuration.getProviderId(), signAuthResponses ? credential : null, signAuthAssertions
+                                       ? credential
+                                       : null);
                }
 
                public boolean isLegacyProvider() {
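Review bot: The identityProvider construction nests two ternaries inside a third argument list, which hides the rule it encodes: the single configured credential becomes the response signing credential only when signAuthResponses is set and the assertion signing credential only when signAuthAssertions is set. Two named locals make that readable, `Credential responseCredential = signAuthResponses ? credential : null;` and `Credential assertionCredential = signAuthAssertions ? credential : null;`, passed after a `providerId` local in place of the inline expressions. The argument order (response credential before assertion credential) is inferred from the getResponseSigningCredential/getAssertionSigningCredential accessors used in ShibPOSTProfile and should be confirmed against the RelyingPartyIdentityProvider constructor, which this commit does not show. The constructor this sits in begins outside the hunk.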
@@ -268,15 +245,17 @@ public class HSServiceProviderMapper extends ServiceProviderMapper {
                }
        }
 
-        /**
-         * Relying party wrapper for Shibboleth &lt;=1.1 service providers.
-         * @author Walter Hoehn
-         */
+       /**
+        * Relying party wrapper for Shibboleth &lt;=1.1 service providers.
+        * 
+        * @author Walter Hoehn
+        */
        class LegacyWrapper extends UnknownProviderWrapper implements HSRelyingParty {
 
                LegacyWrapper(HSRelyingParty wrapped) {
                        super(wrapped);
                }
+
                public boolean isLegacyProvider() {
                        return true;
                }
index 42b79d1..1cf4505 100644 (file)
                                                                        </xs:complexType>
                                                                </xs:element>
                                                        </xs:sequence>
-                                                       <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
-                                                       <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
+                                                       <xs:attribute name="name" type="xs:string" use="required"/>
                                                        <xs:attribute name="providerId" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="signingCredential" type="xs:string" use="optional"/>
-                                                       <xs:attribute name="name" type="xs:string" use="required"/>
+                                                       <xs:attribute name="AASigningCredential" type="xs:string" use="optional"/>
+                                                       <xs:attribute name="signAuthResponses" type="xs:boolean" use="optional" default="true"/>
+                                                       <xs:attribute name="signAuthAssertions" type="xs:boolean" use="optional" default="false"/>
+                                                       <xs:attribute name="signAttrAssertions" type="xs:boolean" use="optional" default="false"/>
+                                                       <xs:attribute name="signAttrResponses" type="xs:boolean" use="optional" default="false"/>
+                                                       <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
+                                                       <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
                                                </xs:complexType>
                                        </xs:element>
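Review bot: The four new signing switches and AASigningCredential carry no `xs:annotation`, so the schema does not say which credential each switch applies to or that signAuthResponses defaults on while the other three default off; an `<xs:annotation><xs:documentation>` on each attribute naming the credential it selects and its default would let an operator see the security effect of leaving it out without reading the Java. Only signAuthResponses and signAuthAssertions are read by the HSServiceProviderMapper change in this commit; signAttrAssertions, signAttrResponses and AASigningCredential are presumably consumed on the attribute-authority side, which this commit does not show.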