Better algorithm for determining SSO profile in effect for a given request. Default...
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 18 Mar 2005 20:45:44 +0000 (20:45 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 18 Mar 2005 20:45:44 +0000 (20:45 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1317 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
src/schemas/shibboleth-idpconfig-1.0.xsd

index 9868215..6f93945 100644 (file)
@@ -97,4 +97,10 @@ public interface RelyingParty extends ServiceProvider {
         * Artifact).
         */
        public boolean forceAttributeNoPush();
+
+       /**
+        * A boolean indication of whether the default SSO browser profile should be POST or Artifact. "true" indicates POST
+        * and "false" indicates Artifact.
+        */
+       public boolean defaultToPOSTProfile();
 }
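Review bot: The Javadoc on `defaultToPOSTProfile()` does not say when the default is consulted, and that matters because in `ShibbolethV1SSOHandler.useArtifactProfile` it only decides when the relying party's metadata advertises both bindings at the acceptance URL or neither; a metadata entry advertising exactly one binding wins regardless of this setting. Suggest adding to the comment: `Only consulted when metadata for the acceptance URL lists both POST and Artifact endpoints, or neither; metadata listing exactly one binding takes precedence.` The `RelyingParty` interface begins before this hunk.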
index 472fc31..ba44ab0 100644 (file)
@@ -225,6 +225,7 @@ public class ServiceProviderMapper {
                private boolean passThruIsOverriden = false;
                private boolean forceAttributePush = false;
                private boolean forceAttributeNoPush = false;
+               private boolean defaultToPOST = true;
 
                public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
                                NameMapper nameMapper) throws ServiceProviderMapperException {
@@ -275,6 +276,17 @@ public class ServiceProviderMapper {
                                passThruIsOverriden = true;
                        }
 
+                       // SSO profile defaulting
+                       attribute = ((Element) partyConfig).getAttribute("defaultToPOSTProfile");
+                       if (attribute != null && !attribute.equals("")) {
+                               defaultToPOST = Boolean.valueOf(attribute).booleanValue();
+                               if (defaultToPOST) {
+                                       log.debug("Relying party defaults to POST profile.");
+                               } else {
+                                       log.debug("Relying party defaults to Artifact profile.");
+                               }
+                       }
+
                        // Determine whether or not we are forcing attribute push on or off
                        String forcePush = ((Element) partyConfig).getAttribute("forceAttributePush");
                        String forceNoPush = ((Element) partyConfig).getAttribute("forceAttributeNoPush");
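Review bot: `Boolean.valueOf(attribute)` maps every string other than a case-insensitive "true" to false, so `defaultToPOSTProfile="1"`, which the schema's `xs:boolean` type accepts, silently switches the relying party to the Artifact profile with no warning, and so does any typo. Since the constructor already declares `throws ServiceProviderMapperException`, an unrecognised value should be rejected when the configuration is loaded rather than guessed. The `(Element) partyConfig` cast is also redundant, as `partyConfig` is declared as `Element`, though the neighbouring attribute lookups appear to use the same pattern. The enclosing `RelyingPartyImpl` constructor starts before this hunk.
```java
			// SSO profile defaulting: xs:boolean allows "true"/"false"/"1"/"0", so map all four explicitly
			attribute = partyConfig.getAttribute("defaultToPOSTProfile");
			if (attribute != null && !attribute.equals("")) {
				if (attribute.equals("true") || attribute.equals("1")) {
					defaultToPOST = true;
				} else if (attribute.equals("false") || attribute.equals("0")) {
					defaultToPOST = false;
				} else {
					throw new ServiceProviderMapperException("Invalid value for defaultToPOSTProfile: (" + attribute + ")");
				}
				log.debug("Relying party defaults to " + (defaultToPOST ? "POST" : "Artifact") + " profile.");
			}
			// … unchanged: forceAttributePush / forceAttributeNoPush handling …
```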
@@ -406,6 +418,11 @@ public class ServiceProviderMapper {
                        return forceAttributeNoPush;
                }
 
+               public boolean defaultToPOSTProfile() {
+
+                       return defaultToPOST;
+               }
+
                /**
                 * Default identity provider implementation.
                 * 
@@ -438,6 +455,7 @@ public class ServiceProviderMapper {
                                return credential;
                        }
                }
+
        }
 
        /**
@@ -505,6 +523,11 @@ public class ServiceProviderMapper {
 
                        return wrapped.forceAttributeNoPush();
                }
+
+               public boolean defaultToPOSTProfile() {
+
+                       return wrapped.defaultToPOSTProfile();
+               }
        }
 
        /**
@@ -572,6 +595,11 @@ public class ServiceProviderMapper {
 
                        return false;
                }
+
+               public boolean defaultToPOSTProfile() {
+
+                       return true;
+               }
        }
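Review bot: The hard-coded `return true` here duplicates the `defaultToPOST = true` field initializer in `RelyingPartyImpl` with nothing tying the two together, so a later change to one will silently diverge from the other; the class this method belongs to is named outside the hunk, so I cannot tell which relying parties it serves. Suggest a single constant on `ServiceProviderMapper`, `private static final boolean DEFAULT_TO_POST_PROFILE = true;`, used by both the field initializer and this method, with a comment on this method such as `// No per-party configuration available here: use the compiled-in default, same as RelyingPartyImpl.`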
 
        /**
index b499628..9775353 100644 (file)
@@ -184,7 +184,7 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                        ArrayList assertions = new ArrayList();
 
                        // Is this artifact or POST?
-                       boolean artifactProfile = useArtifactProfile(provider, acceptanceURL);
+                       boolean artifactProfile = useArtifactProfile(provider, acceptanceURL, relyingParty);
 
                        // TODO make sure we support adding signatures to attribute assertion
 
@@ -457,28 +457,55 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
        /**
         * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
         */
-       private static boolean useArtifactProfile(EntityDescriptor provider, String acceptanceURL) {
+       private static boolean useArtifactProfile(EntityDescriptor provider, String acceptanceURL, RelyingParty relyingParty) {
 
-               // TODO this logic needs to be updated
+               boolean artifactMeta = false;
+               boolean postMeta = false;
 
-               // Default to POST if we have no metadata
-               if (provider == null) { return false; }
+               // Look at the metadata bindings, if we can find them
+               if (provider != null) {
+                       SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
 
-               // Default to POST if we have incomplete metadata
-               SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
-               if (sp == null) { return false; }
+                       if (sp != null) {
 
-               // Look at the bindings.. prefer POST if we have multiple
-               Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
-               while (endpoints.hasNext()) {
-                       Endpoint ep = (Endpoint) endpoints.next();
-                       if (acceptanceURL.equals(ep.getLocation()) && SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) { return false; }
-                       if (acceptanceURL.equals(ep.getLocation())
-                                       && SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) { return true; }
+                               Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
+                               while (endpoints.hasNext()) {
+                                       Endpoint ep = (Endpoint) endpoints.next();
+                                       if (acceptanceURL.equals(ep.getLocation())
+                                                       && SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
+                                               log.debug("Metadata indicates support for POST profile.");
+                                               postMeta = true;
+                                               continue;
+                                       }
+                               }
+                               endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
+                               while (endpoints.hasNext()) {
+                                       Endpoint ep = (Endpoint) endpoints.next();
+                                       if (acceptanceURL.equals(ep.getLocation())
+                                                       && SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
+                                               log.debug("Metadata indicates support for Artifact profile.");
+                                               artifactMeta = true;
+                                               continue;
+                                       }
+                               }
+                       }
                }
 
-               // Default to POST if we have incomplete metadata
-               return false;
+               // If we have metadata for both, use the relying party default
+               if (!(artifactMeta && postMeta)) {
+
+                       // If we only have metadata for one, use it
+                       if (artifactMeta) { return true; }
+                       if (postMeta) { return false; }
+
+               }
+
+               // If we have missing or incomplete metadata, use relying party default
+               if (relyingParty.defaultToPOSTProfile()) {
+                       return false;
+               } else {
+                       return true;
+               }
        }
 
        /**
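Review bot: The endpoint list is walked twice with identical location matching, and the trailing `continue` in each loop body does nothing; a single pass that tests the location first and then branches on the binding yields the same two flags. The final selection `if (!(artifactMeta && postMeta)) { if (artifactMeta) ... }` reduces to `if (artifactMeta != postMeta) return artifactMeta;`, and the fall-through to the relying-party default should log that metadata did not decide, because that branch covers both "no metadata at all" and "metadata present but no endpoint at this acceptance URL with a recognised binding", which an operator diagnosing a misbehaving SP will want to tell apart. `relyingParty` is dereferenced unconditionally at the end; whether the caller can pass null is not visible in this hunk. The Javadoc should also state the precedence: a single advertised binding wins, otherwise the relying party default applies.
```java
	/**
	 * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
	 * Metadata advertising exactly one binding at the acceptance URL decides; otherwise the relying party default applies.
	 */
	private static boolean useArtifactProfile(EntityDescriptor provider, String acceptanceURL, RelyingParty relyingParty) {

		boolean artifactMeta = false;
		boolean postMeta = false;

		// Look at the metadata bindings, if we can find them
		if (provider != null) {
			SPSSODescriptor sp = provider.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
			if (sp != null) {
				// One pass: record every recognised binding the SP advertises at this acceptance URL
				Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
				while (endpoints.hasNext()) {
					Endpoint ep = (Endpoint) endpoints.next();
					if (!acceptanceURL.equals(ep.getLocation())) {
						continue;
					}
					if (SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
						log.debug("Metadata indicates support for POST profile.");
						postMeta = true;
					} else if (SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
						log.debug("Metadata indicates support for Artifact profile.");
						artifactMeta = true;
					}
				}
			}
		}

		// Metadata advertises exactly one of the two bindings at this URL: use it
		if (artifactMeta != postMeta) { return artifactMeta; }

		// Metadata is missing, has no matching endpoint, or advertises both: fall back to the relying party default
		log.debug("Metadata does not determine the SSO profile; using relying party default.");
		return !relyingParty.defaultToPOSTProfile();
	}
```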
index 7c35e7d..209c81b 100644 (file)
@@ -60,6 +60,7 @@
                                                        <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="forceAttributePush" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="forceAttributeNoPush" type="xs:boolean" use="optional"/>
+                                                       <xs:attribute name="defaultToPOSTProfile" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
                                                </xs:complexType>
                                        </xs:element>