<xsd:sequence>
<xsd:element name="ErrorHandler" type="ErrorHandlerType" />
<xsd:element name="ProfileHandler" type="RequestHandlerType" minOccurs="0" maxOccurs="unbounded" />
- <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0"
- maxOccurs="unbounded" />
+ <xsd:element name="LoginHandler" type="LoginHandlerType" minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:extension base="RequestURIMappedProfileHandlerType" />
</xsd:complexContent>
</xsd:complexType>
-
+
<xsd:complexType name="SAMLMetadata">
<xsd:annotation>
<xsd:documentation>Basic handler that returns a general status of the IdP.</xsd:documentation>
<xsd:extension base="RequestURIMappedProfileHandlerType">
<xsd:attribute name="metadataFile" type="xsd:string" use="required">
<xsd:annotation>
- <xsd:documentation>
- Location of the static IdP metadata file.
- </xsd:documentation>
+ <xsd:documentation>Location of the static IdP metadata file.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:extension>
<xsd:extension base="SAML2ProfileHandler" />
</xsd:complexContent>
</xsd:complexType>
-
+
<xsd:complexType name="SAML2ArtifactResolution">
<xsd:annotation>
<xsd:documentation>Configuration type for SAML 2 artifact resolution profile handlers.</xsd:documentation>
<xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
<xsd:annotation>
<xsd:documentation>
- Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact objects.
+ Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
+ objects.
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
<xsd:extension base="SAML1ProfileHandler" />
</xsd:complexContent>
</xsd:complexType>
-
+
<xsd:complexType name="SAML1ArtifactResolution">
<xsd:annotation>
<xsd:documentation>Configuration type for SAML 1 artifact resolution profile handlers.</xsd:documentation>
<xsd:attribute name="artifactMapRef" type="xsd:string" default="shibboleth.ArtifactMap">
<xsd:annotation>
<xsd:documentation>
- Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact objects.
+ Reference to SAMLArtifactMap used by handler to resolve artifact strings into artifact
+ objects.
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:attribute>
<xsd:attribute name="inboundBinding" type="xsd:anyURI" use="required">
<xsd:annotation>
- <xsd:documentation>
- The SAML message binding used by inbound messages.
- </xsd:documentation>
+ <xsd:documentation>The SAML message binding used by inbound messages.</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
- <xsd:attribute name="outboundBindingEnumeration" >
+ <xsd:attribute name="outboundBindingEnumeration">
<xsd:annotation>
<xsd:documentation>
An ordered list of outbound bindings supported by this profile handler. The order provided
<xsd:extension base="ShibbolethProfileHandlerType" />
</xsd:complexContent>
</xsd:complexType>
-
+
<xsd:complexType name="PreviousSession">
<xsd:complexContent>
<xsd:extension base="LoginHandlerType">
<xsd:attribute name="reportPreviousSessionAuthnMethod" type="xsd:boolean" default="false">
<xsd:annotation>
<xsd:documentation>
- Whether this login handler should report its authentication method as PreviousSession
- or the authentication method requested by the peer.
+ Whether this login handler should report its authentication method as PreviousSession or the
+ authentication method requested by the peer.
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
</xsd:complexContent>
</xsd:complexType>
+ <xsd:complexType name="IPAddress">
+ <xsd:complexContent>
+ <xsd:extension base="LoginHandlerType">
+ <xsd:sequence>
+ <xsd:element name="IPEntry" type="xsd:string" maxOccurs="unbounded">
+ <xsd:annotation>
+ <xsd:documentation>
+ An IP addresses in CIDR notation. For example, a single IP address of 192.168.1.1 would
+ have the CIDR notation of 192.168.1.1/32. For the entire 192.168.0.0 class B network,
+ the CIDR notation would be 192.168.0.0/16.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:element>
+ </xsd:sequence>
+ <xsd:attribute name="username" type="xsd:string">
+ <xsd:annotation>
+ <xsd:documentation>
+ The username that will be presented to the IdP for all IP-address authenticated users.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ <xsd:attribute name="defaultDeny" type="xsd:boolean">
+ <xsd:annotation>
+ <xsd:documentation>
+ If defaultDeny is true then only the IP addresses listed will be "authenticated." If
+ defaultDeny is false, then all IP addresses except those listed will be authenticated.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ </xsd:extension>
+ </xsd:complexContent>
+ </xsd:complexType>
+
<xsd:complexType name="LoginHandlerType" abstract="true">
<xsd:annotation>
<xsd:documentation>Base type for authentication handler types.</xsd:documentation>
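Review bot: The new `defaultDeny` attribute on the `IPAddress` type is declared without a `default`, while the documentation beneath it says that `false` authenticates every address except those listed — so an administrator who simply omits the attribute gets whatever the parser does for a missing value, and the natural Java default of `false` is the fail-open mode. For an authentication handler the safe declaration is `<xsd:attribute name="defaultDeny" type="xsd:boolean" default="true">`, following the pattern `artifactMapRef` already uses in this file. `username` is likewise optional even though its documentation describes it as the name presented for all IP-authenticated users; `use="required"` would make a configuration that leaves it out fail at validation rather than at runtime. The `IPEntry` documentation also reads `An IP addresses in CIDR notation` and should read `An IP address in CIDR notation`.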
import edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler;
import edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser;
import edu.internet2.middleware.shibboleth.common.config.profile.VelocityErrorHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.IPAddressLoginHandlerBeanDefinitionParser;
import edu.internet2.middleware.shibboleth.idp.config.profile.authn.PreviousSessionLoginHandlerBeanDefinitionParser;
import edu.internet2.middleware.shibboleth.idp.config.profile.authn.RemoteUserLoginHandlerBeanDefinitionParser;
import edu.internet2.middleware.shibboleth.idp.config.profile.authn.UsernamePasswordLoginHandlerBeanDefinitionParser;
registerBeanDefinitionParser(UsernamePasswordLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
new UsernamePasswordLoginHandlerBeanDefinitionParser());
+
+ registerBeanDefinitionParser(IPAddressLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+ new IPAddressLoginHandlerBeanDefinitionParser());
}
}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile.authn;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.opensaml.xml.util.XMLHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.idp.config.profile.ProfileHandlerNamespaceHandler;
+
+/**
+ * Spring bean definition parser for IP address authentication handlers.
+ */
+public class IPAddressLoginHandlerBeanDefinitionParser extends AbstractLoginHandlerBeanDefinitionParser {
+
+ /** Schema type. */
+ public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "IPAddress");
+
+ /** Name of ip entry elements. */
+ public static final QName IP_ENTRY_ELEMENT_NAME = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "IPEntry");
+
+ /** Class logger. */
+ private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandlerBeanDefinitionParser.class);
+
+ /** {@inheritDoc} */
+ protected Class getBeanClass(Element element) {
+ return IPAddressLoginHandlerFactoryBean.class;
+ }
+
+ /** {@inheritDoc} */
+ protected void doParse(Element config, BeanDefinitionBuilder builder) {
+ super.doParse(config, builder);
+
+ boolean defaultDeny = XMLHelper.getAttributeValueAsBoolean(config.getAttributeNodeNS(null, "defaultDeny"));
+ log.debug("Setting defaultDeny to: {}", defaultDeny);
+ builder.addPropertyValue("defaultDeny", defaultDeny);
+
+ String username = DatatypeHelper.safeTrim(config.getAttributeNS(null, "username"));
+ log.debug("Setting username to: {}", username);
+ builder.addPropertyValue("username", username);
+
+ Map<QName, List<Element>> children = XMLHelper.getChildElements(config);
+ List<Element> ipEntries = children.get(IP_ENTRY_ELEMENT_NAME);
+ List<String> addresses = new ArrayList<String>();
+
+ for (Element element : ipEntries) {
+ String address = DatatypeHelper.safeTrimOrNullString(element.getTextContent());
+ if (address != null) {
+ log.debug("Adding IP Address: {}", address);
+ addresses.add(address);
+ }
+ }
+ builder.addPropertyValue("addresses", addresses);
+ }
+}
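Review bot: `defaultDeny` is read with `XMLHelper.getAttributeValueAsBoolean(config.getAttributeNodeNS(null, "defaultDeny"))` and unboxed straight into a primitive `boolean`, yet the schema hunk above declares that attribute optional with no default, so a configuration that omits it passes `null` to the helper; if the helper returns `null` for a missing attribute (it is not visible here) that is a NullPointerException during context startup, and if it returns `false` the handler silently starts in the documented mode where every address not listed is authenticated. An absent attribute should mean deny, e.g. `Attr denyAttr = config.getAttributeNodeNS(null, "defaultDeny");` followed by `boolean defaultDeny = denyAttr == null ? true : XMLHelper.getAttributeValueAsBoolean(denyAttr);` (with `org.w3c.dom.Attr` imported). The `for (Element element : ipEntries)` loop likewise dereferences the result of `children.get(IP_ENTRY_ELEMENT_NAME)` without a null check, so a document with no `IPEntry` children that escaped schema validation fails with an NPE instead of a message naming the problem; and because `username` is optional and `safeTrim` maps a blank value to `""`, an empty username reaches the handler unnoticed — a `log.warn` or an `IllegalArgumentException` at that point would be cheaper than debugging an assertion with an empty subject.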
--- /dev/null
+/*
+ * Copyright 2008 University Corporation for Advanced Internet Development, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile.authn;
+
+import java.util.List;
+
+import edu.internet2.middleware.shibboleth.idp.authn.provider.IPAddressLoginHandler;
+
+/**
+ * Spring factory for {@link IPAddressLoginHandler}.
+ */
+public class IPAddressLoginHandlerFactoryBean extends AbstractLoginHandlerFactoryBean {
+
+ /** The list of denied or permitted IPs. */
+ private List<String> addresses;
+
+ /** The username to use for IP-address "authenticated" users. */
+ private String username;
+
+ /** Are the IPs in ipList a permitted list or a deny list. */
+ private boolean defaultDeny;
+
+ /** {@inheritDoc} */
+ protected Object createInstance() throws Exception {
+ IPAddressLoginHandler handler = new IPAddressLoginHandler();
+ handler.setUsername(getUsername());
+ handler.setEntries(getAddresses(), isDefaultDeny());
+ populateHandler(handler);
+ return handler;
+ }
+
+ /** {@inheritDoc} */
+ public Class getObjectType() {
+ return IPAddressLoginHandler.class;
+ }
+
+ /**
+ * Get the list of denied or permitted IPs.
+ *
+ * @return list of denied or permitted IPs
+ */
+ public List<String> getAddresses() {
+ return addresses;
+ }
+
+ /**
+ * Set the list of denied or permitted IPs.
+ *
+ * @param newAddresses list of denied or permitted IPs
+ */
+ public void setAddresses(List<String> newAddresses) {
+ addresses = newAddresses;
+ }
+
+ /**
+ * Get the username to use for IP-address "authenticated" users.
+ *
+ * @return username to use for IP-address "authenticated" users
+ */
+ public String getUsername() {
+ return username;
+ }
+
+ /**
+ * Set the username to use for IP-address "authenticated" users.
+ *
+ * @param newUsername username to use for IP-address "authenticated" users
+ */
+ public void setUsername(String newUsername) {
+ username = newUsername;
+ }
+
+ /**
+ * Get whether the IPs in ipList a permitted list or a deny list.
+ *
+ * @return whether the IPs in ipList a permitted list or a deny list
+ */
+ public boolean isDefaultDeny() {
+ return defaultDeny;
+ }
+
+ /**
+ * Set whether the IPs in ipList a permitted list or a deny list.
+ *
+ * @param newDefaultDeny whether the IPs in ipList a permitted list or a deny list.
+ */
+ public void setDefaultDeny(boolean newDefaultDeny) {
+ defaultDeny = newDefaultDeny;
+ }
+
+}
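Review bot: The Javadoc on `defaultDeny`, `isDefaultDeny` and `setDefaultDeny` says only "whether the IPs in ipList a permitted list or a deny list", which names a field that does not exist (`addresses` is the field) and never states which boolean value selects which mode; the schema documentation for this type does, so the field comment should carry it over, e.g. `/** If true, only the listed addresses are accepted; if false, every address except those listed is accepted. */`. The same wording belongs on the getter and setter so the polarity is visible at the call in `createInstance`. `getAddresses()` also hands out the internal mutable list that `createInstance` passes to `handler.setEntries`, which is harmless for a factory bean but worth a one-line note if the handler is expected to treat the list as immutable.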