Converting to OpenSAML metadata implementation.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 12 Jul 2006 21:02:10 +0000 (21:02 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 12 Jul 2006 21:02:10 +0000 (21:02 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1973 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/idp/provider/ADFS_SSOHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_1ArtifactQueryHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/SSOHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java

index f46940e..81f6f57 100644 (file)
@@ -15,6 +15,7 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.Date;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Vector;
 
 import javax.servlet.RequestDispatcher;
@@ -42,6 +43,10 @@ import org.opensaml.SAMLStatement;
 import org.opensaml.SAMLSubject;
 import org.opensaml.SAMLSubjectStatement;
 import org.opensaml.XML;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.Endpoint;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 
@@ -53,9 +58,6 @@ import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationExcepti
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
 import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.Endpoint;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * <code>ProtocolHandler</code> implementation that responds to ADFS SSO flows as specified in "WS-Federation: Passive
@@ -120,7 +122,7 @@ public class ADFS_SSOHandler extends SSOHandler implements IdPProtocolHandler {
                        RelyingParty relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
 
                        // Grab the metadata for the provider
-                       EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
+                       EntityDescriptor descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
                        if (descriptor == null) {
                                log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
                                throw new InvalidClientDataException(
@@ -149,6 +151,8 @@ public class ADFS_SSOHandler extends SSOHandler implements IdPProtocolHandler {
                        } else {
                                Endpoint endpoint = sp.getAssertionConsumerServiceManager().getEndpointByBinding(
                                                ADFS_SSOHandler.WS_FED_PROTOCOL_ENUM);
+                               
+                               
                                if (endpoint == null || endpoint.getLocation() == null) {
                                        log.error("No Assertion consumer service URL is available for provider ("
                                                        + relyingParty.getProviderId() + ") via request the SSO request or the metadata.");
@@ -342,10 +346,11 @@ public class ADFS_SSOHandler extends SSOHandler implements IdPProtocolHandler {
        private static boolean isValidAssertionConsumerURL(SPSSODescriptor descriptor, String shireURL)
                        throws InvalidClientDataException {
 
-               Iterator endpoints = descriptor.getAssertionConsumerServiceManager().getEndpoints();
-               while (endpoints.hasNext()) {
-                       if (shireURL.equals(((Endpoint) endpoints.next()).getLocation())) { return true; }
+               List<AssertionConsumerService> endpoints = descriptor.getAssertionConsumerServices();
+               for (AssertionConsumerService acs : endpoints) {
+                       if (shireURL.equals(acs.getLocation())) { return true; }
                }
+
                log.info("Supplied consumer URL not found in metadata.");
                return false;
        }
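Review bot: The replaced `support.getEntityDescriptor(relyingParty.getProviderId())` line in the first code hunk is not guarded against `MetadataProviderException`, while the same call in ShibbolethV1SSOHandler and SAMLv1_1ArtifactQueryHandler in this commit is wrapped in a try/catch. If that exception is checked, this compiles only because the enclosing method (which starts outside the hunk) already declares or catches something broad enough, and in that case a provider-side lookup failure is surfaced without the provider id that the sibling handlers log. Either add the same `try { ... } catch (MetadataProviderException e) { log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error.", e); throw new InvalidClientDataException("Metadata lookup failed."); }` shape, or document on the method why the exception is allowed to propagate here.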
index 39a4c5f..80dff33 100644 (file)
@@ -33,14 +33,15 @@ import org.opensaml.SAMLRequest;
 import org.opensaml.SAMLResponse;
 import org.opensaml.XML;
 import org.opensaml.artifact.Artifact;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.artifact.ArtifactMapping;
 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
 
 /**
  * @author Walter Hoehn
@@ -73,21 +74,20 @@ public class SAMLv1_1ArtifactQueryHandler extends BaseServiceHandler implements
 
                // Pull credential from request
                X509Certificate[] chain = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
-               if (chain == null || chain.length == 0 || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
+               if (chain == null || chain.length == 0
+                               || chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253).equals("")) {
                        // The spec says that mutual authentication is required for the
                        // artifact profile
                        if (samlRequest.isSigned()) {
                                log.info("Request is signed, will authenticate it later.");
-                       }
-                       else {
+                       } else {
                                log.info("Request is from an unauthenticated serviceprovider.");
                                throw new SAMLException(SAMLException.REQUESTER,
                                                "SAML Artifacts cannot be dereferenced for unauthenticated requesters.");
                        }
-               }
-               else {
-                       log.info("Request contains TLS credential: (" + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253)
-                               + ").");
+               } else {
+                       log.info("Request contains TLS credential: ("
+                                       + chain[0].getSubjectX500Principal().getName(X500Principal.RFC2253) + ").");
                }
                ArrayList<SAMLAssertion> assertions = new ArrayList<SAMLAssertion>();
                Iterator artifacts = samlRequest.getArtifacts();
@@ -117,20 +117,27 @@ public class SAMLv1_1ArtifactQueryHandler extends BaseServiceHandler implements
                        } else {
                                SAMLAssertion assertion = mapping.getAssertion();
                                // See if we have metadata for this provider
-                               EntityDescriptor provider = support.lookup(mapping.getServiceProviderId());
+                               EntityDescriptor provider = null;
+                               try {
+                                       provider = support.getEntityDescriptor(mapping.getServiceProviderId());
+                               } catch (MetadataProviderException e) {
+                                       log.error("Metadata lookup for provider (" + mapping.getServiceProviderId()
+                                                       + ") encountered an error: " + e);
+                               }
                                if (provider == null) {
                                        log.info("No metadata found for provider: (" + mapping.getServiceProviderId() + ").");
                                        throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider.");
                                }
-                               RoleDescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
+                               SPSSODescriptor role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
                                if (role == null) {
-                                       log.info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
-                                                               + ").");
+                                       log
+                                                       .info("SPSSO role not found in metadata for provider: (" + mapping.getServiceProviderId()
+                                                                       + ").");
                                        throw new SAMLException(SAMLException.REQUESTER, "Invalid service provider role.");
                                }
 
                                boolean authenticated = false;
-                               
+
                                // Make sure that the suppplied credential is valid for the provider to which the artifact was issued
                                if (chain != null && chain.length > 0) {
                                        if (!support.getTrust().validate(chain[0], chain, role)) {
@@ -145,8 +152,7 @@ public class SAMLv1_1ArtifactQueryHandler extends BaseServiceHandler implements
                                if (samlRequest.isSigned()) {
                                        if (!support.getTrust().validate(samlRequest, role)) {
                                                log.error("Signed SAML request message did NOT contain a valid signature from provider ("
-                                                               + mapping.getServiceProviderId()
-                                                               + "), to whom this artifact was issued.");
+                                                               + mapping.getServiceProviderId() + "), to whom this artifact was issued.");
                                                throw new SAMLException(SAMLException.REQUESTER, "Invalid signature.");
                                        }
                                        authenticated = true;
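Review bot: In the hunk that introduces `try`/`catch (MetadataProviderException e)` around `support.getEntityDescriptor(...)`, a lookup error only logs and leaves `provider` null, so control falls into the existing `if (provider == null)` branch, which logs `No metadata found for provider` and returns a REQUESTER-coded fault; an IdP-side metadata failure is thus blamed on the requester with a misleading message. Throw from the catch block instead, e.g. `throw new SAMLException(SAMLException.RESPONDER, "Metadata lookup failed for service provider.");`, so the two cases remain distinguishable in logs and in the response. Also pass the exception as the second argument, `log.error("Metadata lookup for provider (" + mapping.getServiceProviderId() + ") encountered an error.", e);`, since string concatenation drops the stack trace. The enclosing method begins outside the hunk.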
index 2d73577..1f03677 100644 (file)
@@ -48,6 +48,8 @@ import org.opensaml.SAMLResponse;
 import org.opensaml.SAMLStatement;
 import org.opensaml.SAMLSubject;
 import org.opensaml.XML;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.aa.AAException;
@@ -58,10 +60,6 @@ import edu.internet2.middleware.shibboleth.common.RelyingParty;
 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
-import edu.internet2.middleware.shibboleth.metadata.AttributeRequesterDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.RoleDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * @author Walter Hoehn
@@ -90,15 +88,16 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
                        throws InvalidProviderCredentialException {
 
                // See if we have metadata for this provider
-               EntityDescriptor provider = support.lookup(assertedId);
+               EntityDescriptor provider = support.getEntityDescriptor(assertedId);
                if (provider == null) {
                        log.info("No metadata found for providerId: (" + assertedId + ").");
                        return null;
                } else {
                        log.info("Metadata found for providerId: (" + assertedId + ").");
                }
+               //TODO this is a shib-specific thing... need to figure out what to do
                RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(XML.SAML11_PROTOCOL_ENUM);
-               RoleDescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
+               SPSSODescriptor sp_role = provider.getSPSSODescriptor(XML.SAML11_PROTOCOL_ENUM);
                if (ar_role == null && sp_role == null) {
                        log.info("SPSSO and Stand-Alone Requester roles not found in metadata for provider: (" + assertedId + ").");
                        return null;
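Review bot: `RoleDescriptor ar_role = provider.getAttributeRequesterDescriptor(...)` in the last hunk still uses `RoleDescriptor`, but the only import of that type (`edu.internet2.middleware.shibboleth.metadata.RoleDescriptor`) is removed in the second hunk and no OpenSAML replacement is imported, and the TODO added just above notes that the attribute-requester lookup itself has no OpenSAML equivalent. Unless the type is resolved elsewhere, this file does not compile as committed, and the TODO should state the intended interim behaviour, e.g. `// TODO attribute-requester role lookup has no OpenSAML metadata equivalent yet; until it does, only the SPSSO role can be consulted here`. The `support.getEntityDescriptor(assertedId)` call in the same hunk is also unguarded against `MetadataProviderException`, unlike the sibling handlers in this commit. The enclosing method starts outside the hunk.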
index e5f6333..cbf7921 100644 (file)
@@ -19,13 +19,16 @@ package edu.internet2.middleware.shibboleth.idp.provider;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
-import java.util.Iterator;
+import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.log4j.Logger;
 import org.opensaml.SAMLException;
 import org.opensaml.SAMLNameIdentifier;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.NameIDFormat;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.common.LocalPrincipal;
@@ -36,8 +39,6 @@ import edu.internet2.middleware.shibboleth.common.RelyingParty;
 import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationException;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * @author Walter Hoehn
@@ -101,15 +102,13 @@ public abstract class SSOHandler extends BaseHandler implements IdPProtocolHandl
                // If we have preferred Name Identifier formats from the metadata, see if the we can find one that is configured
                // for this relying party
                SPSSODescriptor role;
-               if (descriptor != null
-                               && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
-                       Iterator spPreferredFormats = role.getNameIDFormats();
-                       while (spPreferredFormats.hasNext()) {
-
-                               String preferredFormat = (String) spPreferredFormats.next();
+               if (descriptor != null && (role = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM)) != null) {
+                       List<NameIDFormat> spPreferredFormats = role.getNameIDFormats();
+                       for (NameIDFormat preferredFormat : spPreferredFormats) {
                                for (int i = 0; availableMappings != null && i < availableMappings.length; i++) {
                                        NameIdentifierMapping mapping = mapper.getNameIdentifierMappingById(availableMappings[i]);
-                                       if (mapping != null && preferredFormat.equals(mapping.getNameIdentifierFormat().toString())) {
+                                       if (mapping != null
+                                                       && preferredFormat.getFormat().equals(mapping.getNameIdentifierFormat().toString())) {
                                                log.debug("Found a supported name identifier format that "
                                                                + "matches the metadata for the relying party: ("
                                                                + mapping.getNameIdentifierFormat().toString() + ").");
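Review bot: `preferredFormat.getFormat().equals(...)` in the last hunk dereferences the result of `getFormat()` without a null check; the old code compared a `String` taken straight from the iterator, whereas a `NameIDFormat` element with no text content presumably yields null here and would turn a malformed SP entry into a NullPointerException during SSO. Reversing the comparison preserves the behaviour and avoids the dereference, since the mapping side was already dereferenced by the old code: `&& mapping.getNameIdentifierFormat().toString().equals(preferredFormat.getFormat())`. The enclosing method starts and ends outside the hunk.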
index 4b5b0c0..7136c27 100644 (file)
@@ -25,6 +25,7 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Vector;
 
 import javax.servlet.RequestDispatcher;
@@ -50,6 +51,10 @@ import org.opensaml.SAMLStatement;
 import org.opensaml.SAMLSubject;
 import org.opensaml.SAMLSubjectStatement;
 import org.opensaml.artifact.Artifact;
+import org.opensaml.saml2.metadata.AssertionConsumerService;
+import org.opensaml.saml2.metadata.EntityDescriptor;
+import org.opensaml.saml2.metadata.SPSSODescriptor;
+import org.opensaml.saml2.metadata.provider.MetadataProviderException;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.aa.AAException;
@@ -60,9 +65,6 @@ import edu.internet2.middleware.shibboleth.common.ShibbolethConfigurationExcepti
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolHandler;
 import edu.internet2.middleware.shibboleth.idp.IdPProtocolSupport;
 import edu.internet2.middleware.shibboleth.idp.InvalidClientDataException;
-import edu.internet2.middleware.shibboleth.metadata.Endpoint;
-import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
-import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
@@ -124,7 +126,13 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        }
 
                        // Grab the metadata for the provider
-                       EntityDescriptor descriptor = support.lookup(relyingParty.getProviderId());
+                       EntityDescriptor descriptor = null;
+                       try {
+                               descriptor = support.getEntityDescriptor(relyingParty.getProviderId());
+                       } catch (MetadataProviderException e1) {
+                               log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error: "
+                                               + e1);
+                       }
 
                        // Make sure that the selected relying party configuration is appropriate for this
                        // acceptance URL
@@ -206,7 +214,7 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                if (descriptor != null) {
                        SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
                        if (sp != null) {
-                               if (sp.getWantAssertionsSigned()) {
+                               if (sp.wantAssertionsSigned().getValue()) {
                                        metaDataIndicatesSignAssertions = true;
                                }
                        }
@@ -290,7 +298,7 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                if (descriptor != null) {
                        SPSSODescriptor sp = descriptor.getSPSSODescriptor(org.opensaml.XML.SAML11_PROTOCOL_ENUM);
                        if (sp != null) {
-                               if (sp.getWantAssertionsSigned()) {
+                               if (sp.wantAssertionsSigned().getValue()) {
                                        metaDataIndicatesSignAssertions = true;
                                }
                        }
@@ -479,17 +487,15 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        if (sp != null) {
 
                                // See if this is the default endpoint location.
-                               Endpoint defaultEndpoint = sp.getAssertionConsumerServiceManager().getDefaultEndpoint();
-                               if (defaultEndpoint.getLocation().equals(acceptanceURL)) {
-
+                               AssertionConsumerService defaultEndpoint = sp.getDefaultAssertionConsumerService();
+                               if (defaultEndpoint != null && defaultEndpoint.getLocation().equals(acceptanceURL)) {
                                        // If we recognize the default binding, this is the one to use.
                                        if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_POST_URI)) return false;
                                        else if (defaultEndpoint.getBinding().equals(SAMLBrowserProfile.PROFILE_ARTIFACT_URI)) return true;
                                }
-
-                               Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
-                               while (endpoints.hasNext()) {
-                                       Endpoint ep = (Endpoint) endpoints.next();
+                               // If not, look through everything we have
+                               List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
+                               for (AssertionConsumerService ep : endpoints) {
                                        if (acceptanceURL.equals(ep.getLocation())
                                                        && SAMLBrowserProfile.PROFILE_POST_URI.equals(ep.getBinding())) {
                                                log.debug("Metadata indicates support for POST profile.");
@@ -497,9 +503,9 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                                                continue;
                                        }
                                }
-                               endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
-                               while (endpoints.hasNext()) {
-                                       Endpoint ep = (Endpoint) endpoints.next();
+
+                               endpoints = sp.getAssertionConsumerServices();
+                               for (AssertionConsumerService ep : endpoints) {
                                        if (acceptanceURL.equals(ep.getLocation())
                                                        && SAMLBrowserProfile.PROFILE_ARTIFACT_URI.equals(ep.getBinding())) {
                                                log.debug("Metadata indicates support for Artifact profile.");
@@ -558,9 +564,9 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        return false;
                }
 
-               Iterator endpoints = sp.getAssertionConsumerServiceManager().getEndpoints();
-               while (endpoints.hasNext()) {
-                       if (shireURL.equals(((Endpoint) endpoints.next()).getLocation())) { return true; }
+               List<AssertionConsumerService> endpoints = sp.getAssertionConsumerServices();
+               for (AssertionConsumerService endpoint : endpoints) {
+                       if (shireURL.equals(endpoint.getLocation())) { return true; }
                }
                log.info("Supplied consumer URL not found in metadata.");
                return false;
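Review bot: In the hunk that wraps `support.getEntityDescriptor(...)` in `try`/`catch (MetadataProviderException e1)`, a provider error is only logged and `descriptor` stays null, so the rest of the method proceeds exactly as it would for an SP with no metadata at all; whether that is acceptable depends on the relying-party checks that follow outside the hunk, but it turns an IdP-side failure into a silently weaker path (`metaDataIndicatesSignAssertions` can no longer become true). Failing the request from the catch block is the conservative choice, and `log.error("Metadata lookup for provider (" + relyingParty.getProviderId() + ") encountered an error.", e1);` would retain the stack trace that concatenation drops. Separately, `sp.wantAssertionsSigned().getValue()` in the two `wantAssertionsSigned` hunks will throw NullPointerException if the optional WantAssertionsSigned attribute is absent from the SP's metadata (and, if `getValue()` returns a `Boolean`, on unboxing a null value); guard it as `if (sp.wantAssertionsSigned() != null && Boolean.TRUE.equals(sp.wantAssertionsSigned().getValue()))`.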