tag for release
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 25 Jul 2011 13:09:34 +0000 (13:09 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 25 Jul 2011 13:09:34 +0000 (13:09 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/tags/2.3.2@3054 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

151 files changed:
REL_2/.checkstyle [new file with mode: 0644]
REL_2/.classpath [new file with mode: 0644]
REL_2/.project [new file with mode: 0644]
REL_2/.settings/org.eclipse.jdt.core.prefs [new file with mode: 0644]
REL_2/.settings/org.eclipse.jdt.ui.prefs [new file with mode: 0644]
REL_2/LICENSE.txt [new file with mode: 0644]
REL_2/checkstyle.xml [new file with mode: 0644]
REL_2/doc/CREDITS.txt [new file with mode: 0644]
REL_2/doc/README.txt [new file with mode: 0644]
REL_2/doc/RELEASE-NOTES.txt [new file with mode: 0644]
REL_2/pom.xml [new file with mode: 0644]
REL_2/src/installer/bash/install.sh [new file with mode: 0755]
REL_2/src/installer/bat/cpappend.bat [new file with mode: 0644]
REL_2/src/installer/bat/install.bat [new file with mode: 0755]
REL_2/src/installer/resources/build.xml [new file with mode: 0755]
REL_2/src/installer/resources/conf-tmpl/attribute-filter.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/attribute-resolver.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/handler.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/internal.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/logging.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/login.config [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/relying-party.xml [new file with mode: 0644]
REL_2/src/installer/resources/conf-tmpl/service.xml [new file with mode: 0644]
REL_2/src/installer/resources/install.properties [new file with mode: 0644]
REL_2/src/installer/resources/metadata-tmpl/idp-metadata.xml [new file with mode: 0644]
REL_2/src/main/assembly/bin.xml [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/StatusServlet.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/Version.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationException.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ForceAuthenticationException.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContext.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/PassiveAuthenticationException.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/Saml2LoginContext.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ShibbolethSSOLoginContext.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/UsernamePrincipal.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/AbstractLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/ExternalAuthnSystemLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/IPAddressLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/PreviousSessionLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserAuthServlet.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordCredential.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginServlet.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/AbstractSAMLProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/IdPProfileHandlerManagerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerGroupBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerNamespaceHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/SAMLMetadataHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/StatusHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/AbstractLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/AbstractLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/ExternalAuthnSystemLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/ExternalAuthnSystemLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/IPAddressLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/PreviousSessionLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/PreviousSessionLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/RemoteUserLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/RemoteUserLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/UsernamePasswordLoginHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/authn/UsernamePasswordLoginHandlerFactoryBean.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml1/AbstractSAML1ProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml1/SAML1ArtifactResolutionProfileHanderBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml1/SAML1AttributeQueryProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml1/ShibbolethSSOProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml2/AbstractSAML2ProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml2/SAML2ArtifactResolutionProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml2/SAML2AttributeQueryProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml2/SAML2ECPProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/saml2/SAML2SSOProfileHandlerBeanDefinitionParser.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/AbstractSAMLProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/IdPProfileHandlerManager.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/SAMLMetadataProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/StatusProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/AbstractSAML1ProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ArtifactResolution.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/AttributeQueryProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/BaseSAML1ProfileRequestContext.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSODecoder.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOEndpointSelector.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml1/ShibbolethSSOProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AbstractSAML2ProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/ArtifactResolution.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/AttributeQueryProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/BaseSAML2ProfileRequestContext.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SAML2ECPProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/SSOProfileHandler.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/profile/saml2/UnsolicitedSSODecoder.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/AuthenticationMethodInformation.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/IdPSessionFilter.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/ServiceInformation.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/Session.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/AuthenticationMethodInformationImpl.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/ServiceInformationImpl.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionImpl.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerEntry.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/session/impl/SessionManagerImpl.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceContactTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceDescriptionTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceInformationURLTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceLogoTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceNameTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServicePrivacyURLTag.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/ServiceTagSupport.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/ui/package-info.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/util/HttpServletHelper.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/util/IPRange.java [new file with mode: 0644]
REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/util/NoCacheFilter.java [new file with mode: 0644]
REL_2/src/main/java/overview.html [new file with mode: 0644]
REL_2/src/main/resources/META-INF/spring.handlers [new file with mode: 0644]
REL_2/src/main/resources/META-INF/spring.schemas [new file with mode: 0644]
REL_2/src/main/resources/ehcache.xml [new file with mode: 0644]
REL_2/src/main/resources/logback.xml [new file with mode: 0644]
REL_2/src/main/resources/schema/shibboleth-2.0-idp-profile-handler.xsd [new file with mode: 0644]
REL_2/src/main/webapp/WEB-INF/idpui.tld [new file with mode: 0644]
REL_2/src/main/webapp/WEB-INF/web.xml [new file with mode: 0644]
REL_2/src/main/webapp/error-404.jsp [new file with mode: 0644]
REL_2/src/main/webapp/error.jsp [new file with mode: 0644]
REL_2/src/main/webapp/images/internet2.gif [new file with mode: 0755]
REL_2/src/main/webapp/images/logo.jpg [new file with mode: 0644]
REL_2/src/main/webapp/login-error.jsp [new file with mode: 0644]
REL_2/src/main/webapp/login.css [new file with mode: 0644]
REL_2/src/main/webapp/login.jsp [new file with mode: 0644]
REL_2/src/main/webapp/shibboleth.jsp [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/ShibTestBootstrap.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/TestCaseBase.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/BaseConf1TestCase.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/LoadConf1Test.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML1ArtifactResolutionTest.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML1AttributeQueryTestCase.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2ArtifactResolutionTest.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2AttributeQueryTestCase.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/SAML2SSOTestCase.java [new file with mode: 0644]
REL_2/src/test/java/edu/internet2/middleware/shibboleth/idp/system/conf1/ShibbolethSSOTestCase.java [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/attribute-filter.xml [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/attribute-resolver.xml [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/handler.xml [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/internal.xml [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/login.config [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/relying-party.xml [new file with mode: 0644]
REL_2/src/test/resources/data/conf1/service.xml [new file with mode: 0644]
REL_2/src/test/resources/logback-test.xml [new file with mode: 0644]
REL_2/src/tools/bash/aacli.sh [new file with mode: 0755]
REL_2/src/tools/bash/version.sh [new file with mode: 0755]
REL_2/src/tools/bat/aacli.bat [new file with mode: 0755]
REL_2/src/tools/bat/cpappend.bat [new file with mode: 0755]
REL_2/src/tools/bat/version.bat [new file with mode: 0755]

diff --git a/REL_2/.checkstyle b/REL_2/.checkstyle
new file mode 100644 (file)
index 0000000..82f24a5
--- /dev/null
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<fileset-config file-format-version="1.2.0" simple-config="true" sync-formatter="false">
+  <local-check-config name="Shibboleth" location="checkstyle.xml" type="project" description="Coding standards for Shibboleth">
+    <additional-data name="protect-config-file" value="true"/>
+  </local-check-config>
+  <fileset name="all" enabled="true" check-config-name="Shibboleth" local="true">
+    <file-match-pattern match-pattern="." include-pattern="true"/>
+  </fileset>
+  <filter name="FileTypesFilter" enabled="true">
+    <filter-data value="java"/>
+  </filter>
+</fileset-config>
diff --git a/REL_2/.classpath b/REL_2/.classpath
new file mode 100644 (file)
index 0000000..1797868
--- /dev/null
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+    <classpathentry including="**/*.java" kind="src" path="src/main/java"/>
+    <classpathentry including="**/*.java" kind="src" output="target/test-classes" path="src/test/java"/>
+    <classpathentry kind="con" path="org.eclipse.iam.jdt.core.mavenClasspathContainer"/>
+    <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
+    <classpathentry kind="output" path="target/classes"/>
+</classpath>
diff --git a/REL_2/.project b/REL_2/.project
new file mode 100644 (file)
index 0000000..db94ec1
--- /dev/null
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+       <name>java-shib-idp2</name>
+       <comment></comment>
+       <projects>
+       </projects>
+       <buildSpec>
+               <buildCommand>
+                       <name>org.eclipse.jdt.core.javabuilder</name>
+                       <arguments>
+                       </arguments>
+               </buildCommand>
+               <buildCommand>
+                       <name>org.eclipse.iam.jdt.core.mavenIncrementalBuilder</name>
+                       <arguments>
+                       </arguments>
+               </buildCommand>
+               <buildCommand>
+                       <name>net.sf.eclipsecs.core.CheckstyleBuilder</name>
+                       <arguments>
+                       </arguments>
+               </buildCommand>
+       </buildSpec>
+       <natures>
+               <nature>org.eclipse.iam.jdt.core.mavenNature</nature>
+               <nature>org.eclipse.jdt.core.javanature</nature>
+               <nature>net.sf.eclipsecs.core.CheckstyleNature</nature>
+       </natures>
+</projectDescription>
diff --git a/REL_2/.settings/org.eclipse.jdt.core.prefs b/REL_2/.settings/org.eclipse.jdt.core.prefs
new file mode 100644 (file)
index 0000000..c31a836
--- /dev/null
@@ -0,0 +1,346 @@
+#Thu Jun 02 08:27:32 EDT 2011
+eclipse.preferences.version=1
+org.eclipse.jdt.core.builder.cleanOutputFolder=ignore
+org.eclipse.jdt.core.codeComplete.argumentPrefixes=
+org.eclipse.jdt.core.codeComplete.argumentSuffixes=
+org.eclipse.jdt.core.codeComplete.fieldPrefixes=
+org.eclipse.jdt.core.codeComplete.fieldSuffixes=
+org.eclipse.jdt.core.codeComplete.localPrefixes=
+org.eclipse.jdt.core.codeComplete.localSuffixes=
+org.eclipse.jdt.core.codeComplete.staticFieldPrefixes=
+org.eclipse.jdt.core.codeComplete.staticFieldSuffixes=
+org.eclipse.jdt.core.compiler.codegen.inlineJsrBytecode=enabled
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.codegen.unusedLocal=preserve
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.debug.lineNumber=generate
+org.eclipse.jdt.core.compiler.debug.localVariable=generate
+org.eclipse.jdt.core.compiler.debug.sourceFile=generate
+org.eclipse.jdt.core.compiler.problem.annotationSuperInterface=warning
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.autoboxing=ignore
+org.eclipse.jdt.core.compiler.problem.deprecation=warning
+org.eclipse.jdt.core.compiler.problem.deprecationInDeprecatedCode=disabled
+org.eclipse.jdt.core.compiler.problem.deprecationWhenOverridingDeprecatedMethod=disabled
+org.eclipse.jdt.core.compiler.problem.discouragedReference=warning
+org.eclipse.jdt.core.compiler.problem.emptyStatement=ignore
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.problem.fallthroughCase=ignore
+org.eclipse.jdt.core.compiler.problem.fatalOptionalError=enabled
+org.eclipse.jdt.core.compiler.problem.fieldHiding=ignore
+org.eclipse.jdt.core.compiler.problem.finalParameterBound=warning
+org.eclipse.jdt.core.compiler.problem.finallyBlockNotCompletingNormally=warning
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=error
+org.eclipse.jdt.core.compiler.problem.hiddenCatchBlock=warning
+org.eclipse.jdt.core.compiler.problem.incompatibleNonInheritedInterfaceMethod=warning
+org.eclipse.jdt.core.compiler.problem.incompleteEnumSwitch=ignore
+org.eclipse.jdt.core.compiler.problem.indirectStaticAccess=ignore
+org.eclipse.jdt.core.compiler.problem.localVariableHiding=ignore
+org.eclipse.jdt.core.compiler.problem.methodWithConstructorName=warning
+org.eclipse.jdt.core.compiler.problem.missingDeprecatedAnnotation=ignore
+org.eclipse.jdt.core.compiler.problem.missingOverrideAnnotation=ignore
+org.eclipse.jdt.core.compiler.problem.missingSerialVersion=warning
+org.eclipse.jdt.core.compiler.problem.noEffectAssignment=warning
+org.eclipse.jdt.core.compiler.problem.noImplicitStringConversion=warning
+org.eclipse.jdt.core.compiler.problem.nonExternalizedStringLiteral=ignore
+org.eclipse.jdt.core.compiler.problem.nullReference=ignore
+org.eclipse.jdt.core.compiler.problem.overridingPackageDefaultMethod=warning
+org.eclipse.jdt.core.compiler.problem.parameterAssignment=ignore
+org.eclipse.jdt.core.compiler.problem.possibleAccidentalBooleanAssignment=ignore
+org.eclipse.jdt.core.compiler.problem.potentialNullReference=ignore
+org.eclipse.jdt.core.compiler.problem.rawTypeReference=ignore
+org.eclipse.jdt.core.compiler.problem.redundantNullCheck=ignore
+org.eclipse.jdt.core.compiler.problem.specialParameterHidingField=disabled
+org.eclipse.jdt.core.compiler.problem.staticAccessReceiver=warning
+org.eclipse.jdt.core.compiler.problem.suppressWarnings=enabled
+org.eclipse.jdt.core.compiler.problem.syntheticAccessEmulation=ignore
+org.eclipse.jdt.core.compiler.problem.typeParameterHiding=warning
+org.eclipse.jdt.core.compiler.problem.uncheckedTypeOperation=ignore
+org.eclipse.jdt.core.compiler.problem.undocumentedEmptyBlock=ignore
+org.eclipse.jdt.core.compiler.problem.unhandledWarningToken=warning
+org.eclipse.jdt.core.compiler.problem.unnecessaryElse=ignore
+org.eclipse.jdt.core.compiler.problem.unnecessaryTypeCheck=ignore
+org.eclipse.jdt.core.compiler.problem.unqualifiedFieldAccess=ignore
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownException=ignore
+org.eclipse.jdt.core.compiler.problem.unusedDeclaredThrownExceptionWhenOverriding=disabled
+org.eclipse.jdt.core.compiler.problem.unusedImport=warning
+org.eclipse.jdt.core.compiler.problem.unusedLabel=warning
+org.eclipse.jdt.core.compiler.problem.unusedLocal=warning
+org.eclipse.jdt.core.compiler.problem.unusedParameter=ignore
+org.eclipse.jdt.core.compiler.problem.unusedParameterIncludeDocCommentReference=enabled
+org.eclipse.jdt.core.compiler.problem.unusedParameterWhenImplementingAbstract=disabled
+org.eclipse.jdt.core.compiler.problem.unusedParameterWhenOverridingConcrete=disabled
+org.eclipse.jdt.core.compiler.problem.unusedPrivateMember=warning
+org.eclipse.jdt.core.compiler.problem.varargsArgumentNeedCast=warning
+org.eclipse.jdt.core.compiler.source=1.5
+org.eclipse.jdt.core.formatter.align_type_members_on_columns=false
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression=16
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation=16
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_enum_constant=16
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_explicit_constructor_call=16
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_method_invocation=16
+org.eclipse.jdt.core.formatter.alignment_for_arguments_in_qualified_allocation_expression=16
+org.eclipse.jdt.core.formatter.alignment_for_assignment=16
+org.eclipse.jdt.core.formatter.alignment_for_binary_expression=16
+org.eclipse.jdt.core.formatter.alignment_for_compact_if=16
+org.eclipse.jdt.core.formatter.alignment_for_conditional_expression=16
+org.eclipse.jdt.core.formatter.alignment_for_enum_constants=16
+org.eclipse.jdt.core.formatter.alignment_for_expressions_in_array_initializer=16
+org.eclipse.jdt.core.formatter.alignment_for_method_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_multiple_fields=16
+org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_selector_in_method_invocation=16
+org.eclipse.jdt.core.formatter.alignment_for_superclass_in_type_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_enum_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_type_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_constructor_declaration=16
+org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_method_declaration=16
+org.eclipse.jdt.core.formatter.blank_lines_after_imports=1
+org.eclipse.jdt.core.formatter.blank_lines_after_package=1
+org.eclipse.jdt.core.formatter.blank_lines_before_field=1
+org.eclipse.jdt.core.formatter.blank_lines_before_first_class_body_declaration=0
+org.eclipse.jdt.core.formatter.blank_lines_before_imports=1
+org.eclipse.jdt.core.formatter.blank_lines_before_member_type=1
+org.eclipse.jdt.core.formatter.blank_lines_before_method=1
+org.eclipse.jdt.core.formatter.blank_lines_before_new_chunk=1
+org.eclipse.jdt.core.formatter.blank_lines_before_package=1
+org.eclipse.jdt.core.formatter.blank_lines_between_import_groups=1
+org.eclipse.jdt.core.formatter.blank_lines_between_type_declarations=1
+org.eclipse.jdt.core.formatter.brace_position_for_annotation_type_declaration=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_anonymous_type_declaration=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_array_initializer=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_block=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_block_in_case=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_constructor_declaration=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_enum_constant=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_enum_declaration=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_method_declaration=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_switch=end_of_line
+org.eclipse.jdt.core.formatter.brace_position_for_type_declaration=end_of_line
+org.eclipse.jdt.core.formatter.comment.clear_blank_lines=false
+org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_block_comment=false
+org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_javadoc_comment=false
+org.eclipse.jdt.core.formatter.comment.format_block_comments=true
+org.eclipse.jdt.core.formatter.comment.format_comments=true
+org.eclipse.jdt.core.formatter.comment.format_header=false
+org.eclipse.jdt.core.formatter.comment.format_html=true
+org.eclipse.jdt.core.formatter.comment.format_javadoc_comments=true
+org.eclipse.jdt.core.formatter.comment.format_line_comments=true
+org.eclipse.jdt.core.formatter.comment.format_source_code=true
+org.eclipse.jdt.core.formatter.comment.indent_parameter_description=true
+org.eclipse.jdt.core.formatter.comment.indent_root_tags=true
+org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags=insert
+org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter=do not insert
+org.eclipse.jdt.core.formatter.comment.line_length=120
+org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries=true
+org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries=true
+org.eclipse.jdt.core.formatter.compact_else_if=true
+org.eclipse.jdt.core.formatter.continuation_indentation=2
+org.eclipse.jdt.core.formatter.continuation_indentation_for_array_initializer=2
+org.eclipse.jdt.core.formatter.disabling_tag=@formatter\:off
+org.eclipse.jdt.core.formatter.enabling_tag=@formatter\:on
+org.eclipse.jdt.core.formatter.format_guardian_clause_on_one_line=false
+org.eclipse.jdt.core.formatter.format_line_comment_starting_on_first_column=true
+org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_annotation_declaration_header=true
+org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_constant_header=true
+org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_declaration_header=true
+org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_type_header=true
+org.eclipse.jdt.core.formatter.indent_breaks_compare_to_cases=true
+org.eclipse.jdt.core.formatter.indent_empty_lines=false
+org.eclipse.jdt.core.formatter.indent_statements_compare_to_block=true
+org.eclipse.jdt.core.formatter.indent_statements_compare_to_body=true
+org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases=true
+org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=true
+org.eclipse.jdt.core.formatter.indentation.size=4
+org.eclipse.jdt.core.formatter.insert_new_line_after_annotation=insert
+org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_local_variable=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_member=insert
+org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_parameter=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_after_label=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_after_opening_brace_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_at_end_of_file_if_missing=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_before_catch_in_try_statement=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_before_closing_brace_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_before_else_in_if_statement=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_before_finally_in_try_statement=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_before_while_in_do_statement=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_annotation_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_anonymous_type_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_block=insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_constant=insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_declaration=insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_method_body=insert
+org.eclipse.jdt.core.formatter.insert_new_line_in_empty_type_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_after_and_in_type_parameter=insert
+org.eclipse.jdt.core.formatter.insert_space_after_assignment_operator=insert
+org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation_type_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_binary_operator=insert
+org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_arguments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_parameters=insert
+org.eclipse.jdt.core.formatter.insert_space_after_closing_brace_in_block=insert
+org.eclipse.jdt.core.formatter.insert_space_after_closing_paren_in_cast=insert
+org.eclipse.jdt.core.formatter.insert_space_after_colon_in_assert=insert
+org.eclipse.jdt.core.formatter.insert_space_after_colon_in_case=insert
+org.eclipse.jdt.core.formatter.insert_space_after_colon_in_conditional=insert
+org.eclipse.jdt.core.formatter.insert_space_after_colon_in_for=insert
+org.eclipse.jdt.core.formatter.insert_space_after_colon_in_labeled_statement=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_allocation_expression=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_annotation=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_array_initializer=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_parameters=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_throws=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_constant_arguments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_declarations=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_explicitconstructorcall_arguments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_increments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_inits=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_parameters=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_throws=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_invocation_arguments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_field_declarations=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_local_declarations=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_parameterized_type_reference=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_superinterfaces=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_arguments=insert
+org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_parameters=insert
+org.eclipse.jdt.core.formatter.insert_space_after_ellipsis=insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_parameterized_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_brace_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_allocation_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_annotation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_cast=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_catch=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_constructor_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_enum_constant=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_for=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_if=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_invocation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_parenthesized_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_switch=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_synchronized=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_while=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_postfix_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_prefix_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_question_in_conditional=insert
+org.eclipse.jdt.core.formatter.insert_space_after_question_in_wildcard=do not insert
+org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_for=insert
+org.eclipse.jdt.core.formatter.insert_space_after_unary_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_and_in_type_parameter=insert
+org.eclipse.jdt.core.formatter.insert_space_before_assignment_operator=insert
+org.eclipse.jdt.core.formatter.insert_space_before_at_in_annotation_type_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_binary_operator=insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_parameterized_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_brace_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_allocation_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_annotation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_cast=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_catch=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_constructor_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_enum_constant=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_for=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_if=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_invocation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_parenthesized_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_switch=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_synchronized=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_while=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_assert=insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_case=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_conditional=insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_default=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_for=insert
+org.eclipse.jdt.core.formatter.insert_space_before_colon_in_labeled_statement=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_allocation_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_annotation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_throws=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_constant_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_declarations=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_explicitconstructorcall_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_increments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_inits=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_throws=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_invocation_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_field_declarations=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_local_declarations=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_parameterized_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_superinterfaces=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_ellipsis=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_parameterized_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_arguments=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_parameters=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_annotation_type_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_anonymous_type_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_array_initializer=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_block=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_constructor_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_constant=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_method_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_switch=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_type_declaration=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_allocation_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation_type_member_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_catch=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_constructor_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_enum_constant=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_for=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_if=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_invocation=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_parenthesized_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_switch=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_synchronized=insert
+org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_while=insert
+org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_return=insert
+org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_throw=insert
+org.eclipse.jdt.core.formatter.insert_space_before_postfix_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_prefix_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_question_in_conditional=insert
+org.eclipse.jdt.core.formatter.insert_space_before_question_in_wildcard=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_semicolon=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_for=do not insert
+org.eclipse.jdt.core.formatter.insert_space_before_unary_operator=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_brackets_in_array_type_reference=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_braces_in_array_initializer=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_brackets_in_array_allocation_expression=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_annotation_type_member_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_constructor_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constant=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration=do not insert
+org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation=do not insert
+org.eclipse.jdt.core.formatter.join_lines_in_comments=true
+org.eclipse.jdt.core.formatter.join_wrapped_lines=true
+org.eclipse.jdt.core.formatter.keep_else_statement_on_same_line=false
+org.eclipse.jdt.core.formatter.keep_empty_array_initializer_on_one_line=false
+org.eclipse.jdt.core.formatter.keep_imple_if_on_one_line=false
+org.eclipse.jdt.core.formatter.keep_then_statement_on_same_line=false
+org.eclipse.jdt.core.formatter.lineSplit=120
+org.eclipse.jdt.core.formatter.never_indent_block_comments_on_first_column=false
+org.eclipse.jdt.core.formatter.never_indent_line_comments_on_first_column=false
+org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_method_body=0
+org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve=1
+org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line=false
+org.eclipse.jdt.core.formatter.tabulation.char=space
+org.eclipse.jdt.core.formatter.tabulation.size=4
+org.eclipse.jdt.core.formatter.use_on_off_tags=false
+org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations=false
+org.eclipse.jdt.core.formatter.wrap_before_binary_operator=true
+org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested=true
diff --git a/REL_2/.settings/org.eclipse.jdt.ui.prefs b/REL_2/.settings/org.eclipse.jdt.ui.prefs
new file mode 100644 (file)
index 0000000..b751f95
--- /dev/null
@@ -0,0 +1,64 @@
+#Fri Jun 17 16:40:32 EDT 2011
+cleanup.add_default_serial_version_id=false
+cleanup.add_generated_serial_version_id=true
+cleanup.add_missing_annotations=true
+cleanup.add_missing_deprecated_annotations=true
+cleanup.add_missing_methods=false
+cleanup.add_missing_nls_tags=false
+cleanup.add_missing_override_annotations=false
+cleanup.add_missing_override_annotations_interface_methods=true
+cleanup.add_serial_version_id=true
+cleanup.always_use_blocks=true
+cleanup.always_use_parentheses_in_expressions=false
+cleanup.always_use_this_for_non_static_field_access=false
+cleanup.always_use_this_for_non_static_method_access=false
+cleanup.convert_to_enhanced_for_loop=false
+cleanup.correct_indentation=true
+cleanup.format_source_code=true
+cleanup.format_source_code_changes_only=false
+cleanup.make_local_variable_final=true
+cleanup.make_parameters_final=true
+cleanup.make_private_fields_final=true
+cleanup.make_type_abstract_if_missing_method=false
+cleanup.make_variable_declarations_final=true
+cleanup.never_use_blocks=false
+cleanup.never_use_parentheses_in_expressions=true
+cleanup.organize_imports=true
+cleanup.qualify_static_field_accesses_with_declaring_class=false
+cleanup.qualify_static_member_accesses_through_instances_with_declaring_class=true
+cleanup.qualify_static_member_accesses_through_subtypes_with_declaring_class=true
+cleanup.qualify_static_member_accesses_with_declaring_class=true
+cleanup.qualify_static_method_accesses_with_declaring_class=false
+cleanup.remove_private_constructors=true
+cleanup.remove_trailing_whitespaces=true
+cleanup.remove_trailing_whitespaces_all=true
+cleanup.remove_trailing_whitespaces_ignore_empty=false
+cleanup.remove_unnecessary_casts=true
+cleanup.remove_unnecessary_nls_tags=true
+cleanup.remove_unused_imports=true
+cleanup.remove_unused_local_variables=false
+cleanup.remove_unused_private_fields=true
+cleanup.remove_unused_private_members=false
+cleanup.remove_unused_private_methods=true
+cleanup.remove_unused_private_types=true
+cleanup.sort_members=false
+cleanup.sort_members_all=false
+cleanup.use_blocks=true
+cleanup.use_blocks_only_for_return_and_throw=false
+cleanup.use_parentheses_in_expressions=true
+cleanup.use_this_for_non_static_field_access=false
+cleanup.use_this_for_non_static_field_access_only_if_necessary=true
+cleanup.use_this_for_non_static_method_access=false
+cleanup.use_this_for_non_static_method_access_only_if_necessary=true
+cleanup_profile=_Shibboleth
+cleanup_settings_version=2
+eclipse.preferences.version=1
+formatter_profile=_Shibboleth
+formatter_settings_version=11
+internal.default.compliance=default
+org.eclipse.jdt.ui.exception.name=e
+org.eclipse.jdt.ui.gettersetter.use.is=true
+org.eclipse.jdt.ui.javadoc=true
+org.eclipse.jdt.ui.keywordthis=false
+org.eclipse.jdt.ui.overrideannotation=false
+org.eclipse.jdt.ui.text.custom_code_templates=<?xml version\="1.0" encoding\="UTF-8" standalone\="no"?><templates><template autoinsert\="true" context\="gettercomment_context" deleted\="false" description\="Comment for getter method" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.gettercomment" name\="gettercomment">/**\n * @return Returns the ${bare_field_name}.\n */</template><template autoinsert\="true" context\="settercomment_context" deleted\="false" description\="Comment for setter method" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.settercomment" name\="settercomment">/**\n * @param ${param} The ${bare_field_name} to set.\n */</template><template autoinsert\="false" context\="constructorcomment_context" deleted\="false" description\="Comment for created constructors" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.constructorcomment" name\="constructorcomment">/**\n * Constructor.\n *\n * ${tags}\n */</template><template autoinsert\="false" context\="filecomment_context" deleted\="false" description\="Comment for created Java files" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.filecomment" name\="filecomment">/*\n * Licensed to the University Corporation for Advanced Internet Development, \n * Inc. (UCAID) under one or more contributor license agreements.  See the \n * NOTICE file distributed with this work for additional information regarding\n * copyright ownership. The UCAID licenses this file to You under the Apache \n * License, Version 2.0 (the "License"); you may not use this file except in \n * compliance with the License.  You may obtain a copy of the License at\n *\n *    http\://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an "AS IS" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */</template><template autoinsert\="false" context\="typecomment_context" deleted\="false" description\="Comment for created types" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.typecomment" name\="typecomment">/**\n *\n * ${tags}\n */</template><template autoinsert\="true" context\="fieldcomment_context" deleted\="false" description\="Comment for fields" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.fieldcomment" name\="fieldcomment">/**\n * \n */</template><template autoinsert\="true" context\="methodcomment_context" deleted\="false" description\="Comment for non-overriding methods" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.methodcomment" name\="methodcomment">/**\n * ${tags}\n */</template><template autoinsert\="false" context\="overridecomment_context" deleted\="false" description\="Comment for overriding methods" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.overridecomment" name\="overridecomment">/** {@inheritDoc} */</template><template autoinsert\="true" context\="delegatecomment_context" deleted\="false" description\="Comment for delegate methods" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.delegatecomment" name\="delegatecomment">/**\n * ${tags}\n * ${see_to_target}\n */</template><template autoinsert\="false" context\="newtype_context" deleted\="false" description\="Newly created files" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.newtype" name\="newtype">${filecomment}\n\n${package_declaration}\n\n${typecomment}\n${type_declaration}</template><template autoinsert\="true" context\="classbody_context" deleted\="false" description\="Code in new class type bodies" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.classbody" name\="classbody">\n</template><template autoinsert\="true" context\="interfacebody_context" deleted\="false" description\="Code in new interface type bodies" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.interfacebody" name\="interfacebody">\n</template><template autoinsert\="true" context\="enumbody_context" deleted\="false" description\="Code in new enum type bodies" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.enumbody" name\="enumbody">\n</template><template autoinsert\="true" context\="annotationbody_context" deleted\="false" description\="Code in new annotation type bodies" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.annotationbody" name\="annotationbody">\n</template><template autoinsert\="true" context\="catchblock_context" deleted\="false" description\="Code in new catch blocks" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.catchblock" name\="catchblock">// ${todo} Auto-generated catch block\n${exception_var}.printStackTrace();</template><template autoinsert\="true" context\="methodbody_context" deleted\="false" description\="Code in created method stubs" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.methodbody" name\="methodbody">// ${todo} Auto-generated method stub\n${body_statement}</template><template autoinsert\="true" context\="constructorbody_context" deleted\="false" description\="Code in created constructor stubs" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.constructorbody" name\="constructorbody">${body_statement}\n// ${todo} Auto-generated constructor stub</template><template autoinsert\="true" context\="getterbody_context" deleted\="false" description\="Code in created getters" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.getterbody" name\="getterbody">return ${field};</template><template autoinsert\="true" context\="setterbody_context" deleted\="false" description\="Code in created setters" enabled\="true" id\="org.eclipse.jdt.ui.text.codetemplates.setterbody" name\="setterbody">${field} \= ${param};</template></templates>
diff --git a/REL_2/LICENSE.txt b/REL_2/LICENSE.txt
new file mode 100644 (file)
index 0000000..261eeb9
--- /dev/null
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
diff --git a/REL_2/checkstyle.xml b/REL_2/checkstyle.xml
new file mode 100644 (file)
index 0000000..570bac0
--- /dev/null
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE module PUBLIC "-//Puppy Crawl//DTD Check Configuration 1.3//EN" "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+
+<!--
+    This configuration file was written by the eclipse-cs plugin configuration editor
+-->
+<!--
+    Checkstyle-Configuration: Shibboleth Checkstyle
+    Description: none
+-->
+<module name="Checker">
+  <property name="severity" value="warning"/>
+  <module name="TreeWalker">
+    <property name="tabWidth" value="4"/>
+    <module name="JavadocMethod">
+      <property name="allowThrowsTagsForSubclasses" value="true"/>
+    </module>
+    <module name="JavadocType"/>
+    <module name="JavadocVariable"/>
+    <module name="JavadocStyle">
+      <property name="checkEmptyJavadoc" value="true"/>
+    </module>
+    <module name="ConstantName"/>
+    <module name="LocalFinalVariableName"/>
+    <module name="LocalVariableName"/>
+    <module name="MemberName"/>
+    <module name="MethodName"/>
+    <module name="PackageName"/>
+    <module name="ParameterName"/>
+    <module name="StaticVariableName"/>
+    <module name="TypeName"/>
+    <module name="AvoidStarImport"/>
+    <module name="IllegalImport"/>
+    <module name="RedundantImport"/>
+    <module name="UnusedImports"/>
+    <module name="LineLength">
+      <property name="max" value="120"/>
+    </module>
+    <module name="MethodLength">
+      <property name="max" value="50"/>
+    </module>
+    <module name="ParameterNumber">
+      <property name="max" value="5"/>
+    </module>
+    <module name="EmptyForIteratorPad"/>
+    <module name="MethodParamPad"/>
+    <module name="ModifierOrder"/>
+    <module name="AvoidNestedBlocks"/>
+    <module name="EmptyBlock"/>
+    <module name="LeftCurly"/>
+    <module name="NeedBraces"/>
+    <module name="RightCurly"/>
+    <module name="AvoidInlineConditionals"/>
+    <module name="DoubleCheckedLocking"/>
+    <module name="EmptyStatement"/>
+    <module name="EqualsHashCode"/>
+    <module name="HiddenField"/>
+    <module name="IllegalInstantiation"/>
+    <module name="InnerAssignment"/>
+    <module name="MissingSwitchDefault"/>
+    <module name="RedundantThrows"/>
+    <module name="SimplifyBooleanExpression"/>
+    <module name="SimplifyBooleanReturn"/>
+    <module name="FinalClass"/>
+    <module name="HideUtilityClassConstructor"/>
+    <module name="InterfaceIsType"/>
+    <module name="VisibilityModifier"/>
+    <module name="ArrayTypeStyle"/>
+    <module name="UpperEll"/>
+    <module name="AbstractClassName">
+      <property name="format" value="^Abstract.*$|^Base.*$"/>
+    </module>
+    <module name="AnonInnerLength"/>
+    <module name="EmptyForInitializerPad"/>
+    <module name="CovariantEquals"/>
+    <module name="DefaultComesLast"/>
+    <module name="DeclarationOrder"/>
+    <module name="ExplicitInitialization"/>
+    <module name="FallThrough"/>
+    <module name="IllegalCatch"/>
+    <module name="IllegalThrows"/>
+    <module name="JUnitTestCase"/>
+    <module name="MultipleVariableDeclarations"/>
+    <module name="PackageDeclaration"/>
+    <module name="ParameterAssignment"/>
+    <module name="ReturnCount">
+      <property name="max" value="4"/>
+    </module>
+    <module name="StringLiteralEquality"/>
+    <module name="SuperFinalize"/>
+    <module name="ArrayTrailingComma"/>
+    <module name="UnnecessaryParentheses"/>
+    <module name="MutableException"/>
+    <module name="ThrowsCount">
+      <property name="max" value="3"/>
+    </module>
+    <module name="CyclomaticComplexity"/>
+    <module name="TrailingComment"/>
+    <module name="EqualsAvoidNull"/>
+    <module name="ModifiedControlVariable"/>
+  </module>
+  <module name="FileTabCharacter"/>
+  <module name="FileLength">
+    <property name="max" value="1000"/>
+  </module>
+  <module name="Header">
+    <property name="header" value="/*\n * Licensed to the University Corporation for Advanced Internet Development, \n * Inc. (UCAID) under one or more contributor license agreements.  See the \n * NOTICE file distributed with this work for additional information regarding\n * copyright ownership. The UCAID licenses this file to You under the Apache \n * License, Version 2.0 (the &quot;License&quot;); you may not use this file except in \n * compliance with the License.  You may obtain a copy of the License at\n *\n *    http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an &quot;AS IS&quot; BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */"/>
+  </module>
+  <module name="JavadocPackage"/>
+</module>
diff --git a/REL_2/doc/CREDITS.txt b/REL_2/doc/CREDITS.txt
new file mode 100644 (file)
index 0000000..5bdc30d
--- /dev/null
@@ -0,0 +1,46 @@
+Shibboleth Implementation Team
+
+ Documentation
+
+   Nate Klingenstein
+   Internet2
+   
+   Chad La Joie
+   Itumi, LLC
+
+ Programming
+
+   Scott Cantor
+   The Ohio State University
+   
+   Jim Fox
+   University of Washington
+   
+   Chad La Joie
+   Itumi, LLC
+      
+   Will Norris
+   Google, Inc.
+   
+   Rod Widdowson
+   University of Edinburgh
+
+ Project Management
+
+   RL "Bob" Morgan
+   University of Washington
+
+   Steven Carmody
+   Brown University
+
+   Ken Klingenstein
+   Internet2
+
+
+Thanks to: 
+
+    Internet2
+
+    Daniel Fisher, from Virginia Tech, for his work on the LDAP data connector and JAAS module
+    
+    Derek Morr, from Penn State University, for his initial work on the 2.0 IdP authentication engine
\ No newline at end of file
diff --git a/REL_2/doc/README.txt b/REL_2/doc/README.txt
new file mode 100644 (file)
index 0000000..51839f4
--- /dev/null
@@ -0,0 +1,38 @@
+Welcome to Internet2's Shibboleth
+
+Shibboleth is a federated web authentication and attribute exchange system
+based on SAML developed by Internet2 and MACE.
+
+Shibboleth is licensed under the Apache 2.0 license which is provided in the
+LICENSE.txt file.
+
+Shibboleth Project Site:
+http://shibboleth.internet2.edu/
+
+Shibboleth Documentation Site:
+https://wiki.shibboleth.net/confluence/display/SHIB2
+
+Source and binary distributions
+http://shibboleth.internet2.edu/downloads
+
+Bug Tracker:
+https://bugs.internet2.edu/jira
+
+Upgrading 
+====================
+
+from 2.0.0 to 2.1.0
+-------------------
+The following configuration changes must be made to upgrade from 2.0.0 to 2.1.0
+- in internal.xml replace 'org.opensaml.util.storage.MapBasedStorageService' with 
+  'edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService'
+  as the value for the class attribute of bean 'shibboleth.StorageService' (line 82 in the
+  default configuration file)
+  
+- in service.xml add the service 'shibboleth.StorageService' to the whitespace delimited 
+  list of services already present in the service, shibboleth.ServiceServletContextAttributeExporter
+  (service definition starts at line 57 in the default configuration file)
+
+- in internal.xml, replace the string 'org.apache.velocity.runtime.resource.loader.StringResourceLoader' 
+  with 'edu.internet2.middleware.shibboleth.common.util.StringResourceLoader' (this is located at line 
+  41 in the default configuration file)
\ No newline at end of file
diff --git a/REL_2/doc/RELEASE-NOTES.txt b/REL_2/doc/RELEASE-NOTES.txt
new file mode 100644 (file)
index 0000000..ecf7878
--- /dev/null
@@ -0,0 +1,194 @@
+Changes in Release 2.3.2
+=============================================
+[SIDP-500] - shibboleth-identityprovider-2.3.1 installer broken on Windows 7 (64-bit) and Windows XP
+ - Update version of Shib Common library
+
+Changes in Release 2.3.1
+=============================================
+[SIDP-490] - REMOTE_USER handler not detecting empty value
+[SIDP-491] - Stylesheet link in login.jsp is not inside the head tag
+[SIDP-492] - bin/version causes exception
+[SIDP-494] - login.config sample needs updating
+[SIDP-497] - Queries should return the same NameID supplied by the caller
+
+Changes in Release 2.3.0
+=============================================
+[SIDP-272] - Regenerate self-signed certificate with installer task
+[SIDP-404] - Add an install-time setting for the path to web.xml
+[SIDP-429] - Limit metadata SP credential resolution for encryption to RSA keys only
+[SIDP-442] - Add JSESSIONID and ClientIP to MDC
+[SIDP-448] - Create a login handler that provides authn "state" data to an external authentication 
+             system and has that system authenticate the user.
+[SIDP-461] - Add legacy Shib SSO protocol as binding for IdP-initiated SSO for SAML 2.0
+[SIDP-464] - An SPNameQualifier in NameIDPolicy always treated as an affiliation
+[SIDP-468] - Add taglib to simplify rendering login pages.
+[SIDP-469] - eduPersonTargetedID Could Be Separately Commented
+[SIDP-471] - Taglibs appear to be caching SP information
+[SIDP-401] - Quick installer no longer does special things to the Tomcat installation for the "administrator" login
+[SIDP-474] - NPE in taglib processing (bug never released).
+[SIDP-475] - Better login page for IdP
+[SIDP-478] - ECP profile support
+[SIDP-480] - Update POM to add plugin versions, use / publish to Shib.net Repo, and attach generated source and Javadocs
+[SIDP-482] - JSP pages should HTML-encode any strings they handle
+[SIDP-483] - Log Completed, Unencrypted SAML Assertion
+[SIDP-484] - Login stops at AuthnEngine with an empty page
+[SIDP-485] - <img> inside HTML pages must have alt attribute.[SIDP-486] - login.jsp page contains old wiki link
+[SIDP-487] - More login.jsp changes (CR/LF issues, missing period)
+[SIDP-488] - PeerEntityId property not set on SAML queries
+[SIDP-489] - Typos in idpui.tld
+
+Changes in Release 2.2.1
+=============================================
+[SIDP-286] - Configurable validity period for self signed certificate
+[SIDP-417] - Shib deployed to root web context, SSOProfileHandler forwards to "/null/AuthnEngine"
+[SIDP-421] - Error logging SOAP queries
+[SIDP-422] - aacli.sh Exception in thread "main" 
+[SIDP-426] - Forced authentication does not reset the AuthnInstant 
+[SIDP-427] - Incorrect handling of returned authn error in SSO profile handlers
+[SIDP-428] - Address lifecycle issues around use of MetadataCredentialResolverFactory
+[SIDP-431] - Typo in default attribute-resolver.xml
+[SIDP-433] - Update libs for 2.2.1
+[SIDP-434] - More Typos in Default attribute-resolver.xml
+[SIDP-432] - Set explicit caching headers on redirects
+[SIDP-435] - Different principal used for index into session storage and transient ID
+[SIDP-436] - Null AuthnContextClassRef causes NPE
+[SIDP-438] - Improve user experience when switching versions of SAML
+[SIDP-443] - Profile handlers override encoder nameQualifier setting
+[SIDP-447] - Fix for SIDP-417 missed RemoteUserLoginHandler
+[SIDP-450] - NPE with AttributeQueryProfile when there are errors resolving attributes
+[SIDP-452] - Facilitate replay detection to Shibboleth SSO
+[SIDP-453] - Session inactivity timeout being treated as a hard expiration time
+[SIDP-457] - would be nice to include displayName in default attribute resolver
+
+Changes in Release 2.2.0
+=============================================
+[SIDP-416] - MetadataProviderObserver leak, new one added on every login
+[SIDP-415] - SAML name identifier value not logged in audit log
+[SIDP-413] - Change link of example login page
+[SIDP-411] - Check for loginContext != null at login.jsp
+[SIDP-409] - Pass IdP w/o authenticating
+[SIDP-407] - Shibboleth SSO profile handler sets incorrect protocol string in outbound message context
+[SIDP-403] - Use text/xml as the media type for returned metadata unless user agent request metadata media type
+[SIDP-402] - Update 3rd party libraries for 2.2 release
+[SIDP-397] - Remove any unit test that won't be fixed in the 2.X branch, fix the rest
+[SIDP-396] - Previous session LoginHandler used even if authentication method has expired
+[SIDP-392] - NullPointerException in LoginContext when authentication method information is null
+[SIDP-388] - Add eduPersonAssurance attribute to attribute-resolver.xml config example
+[SIDP-386] - Session indexes not cleared when session is destroyed
+[SIDP-384] - Incorrect error message set for expired request in Shibboleth SSO Profile Handler
+[SIDP-382] - Less verbose logging for failed attribute queries due to missing name-id
+[SIDP-381] - Use duration notation for assertion lifetime in example config files
+[SIDP-380] - Use of forwards between profile handlers and authentication engine causes problems for uApprove
+[SIDP-379] - Usage of general AuthenticationException in UsernamePasswordLoginHandler
+[SIDP-374] - Switch to use StaticBasicParserPool instead of BasicParserPool
+[SIDP-373] - The SLF4J MDC state is not being properly cleared when request processing is done.
+[SIDP-368] - Provide more acurate login error to servlet when Username/Password login authentication has failed.
+[SIDP-369] - Allow to have cookie Domain set for login context cookie
+[SIDP-365] - Expose uptime of IdP web application with status handler
+[SIDP-362] - Only log exception message without stack trace for expired SAML messages
+[SIDP-360] - Session isn't being set within the attribute request context during a SAML1 attribute query
+[SIDP-359] - HttpServletHelper.getRelyingPartyConfirmationManager misnamed
+[SIDP-355] - Idp reinstall from source overwrite some config files even when "no overwrite" is specified
+[SIDP-301] - Remove use of events in SessionManager so that different StorageService implementations may be more easily used
+[SIDP-288] - Improve consistency of XML configuration defaults/examples
+[SIDP-275] - Using standard JAAS LoginException in UP LoginHandler servlet
+[SC-63] - Use XML Schema duration syntax instead of integers for duration configuration options
+
+Changes in Release 2.1.5
+=============================================
+[SIDP-353] - Default login.jsp crashes on anonymous RPs
+
+Changes in Release 2.1.4
+=============================================
+[SIDP-340] - Default tc-config.xml causes TCNonPortableObjectError
+[SIDP-342] - NameIdentifier encoder mix-up when the SP doesn't support the first NameIdentifier format
+[SIDP-343] - AuthnInstant is updated even when authentication doesn't happen
+[SIDP-348] - Remove Terracotta Configuration from IdP Install
+[SIDP-249] - LoginContext is not removed from StorageService after Authentication Completes
+[SIDP-350] - Installer does not remember installation directory when upgrading
+[SIDP-351] - Attribute resolution errors shouldn't prevent valid authn statement being returned
+
+Changes in Release 2.1.3
+=============================================
+[SIDP-244] - Error message on invalid ACS could be improved
+[SIDP-247] - Log Exception in UP LoginHandler Servlet
+[SIDP-258] - Authentication Engine does not check to ensure returned authenticaiton mechanism from Login Handler is acceptable to the SP
+[SIDP-263] - Suggest adding defaultSigningCredentialRef to the AnonymousRelyingParty element in the default config
+[SIDP-261] - IPAddressLoginHandler addresses comparison fails
+[SIDP-265] - Distinguish requested AuthMethod and default AuthMethod
+[SIDP-266] - General errors triggers error-404.jsp instead of error.jsp
+[SIDP-271] - AuthenticationEngine doesn't correctly handle passive return from login servlet
+[SIDP-276] - Example RDB Connector, quote principal
+[SIDP-277] - Incorrect null check for request context in UsernamePasswordServlet
+[SIDP-279] - IdP should log NameID for auditing
+[SIDP-281] - Customize login.jsp appearance based on relying party
+[SIDP-285] - Use $IDP_SCOPE$ to populate IdP scope in conf-tmpl\attribute-resolver.xml
+[SIDP-291] - Update libs for 2.1.3 release
+[SIDP-292] - login.jsp: wrong using of the attribute rowspan within the tag <td>
+[SIDP-295] - If no cookies are supported/enabled in user agent (browser), display better error message
+[SIDP-296] - Make LoginContext / IdP Session availabe through the public API
+[SIDP-306] - Remove ClientCertAuth rule from SAML 2 SSO SecurityPolicy in relying-party.xml
+[SIDP-310] - Change default relying-party.xml settings for SAML 2 profiles' encryptNameIds parameter from "conditional" to "never"
+[SIDP-315] - Credential provided by UsernamePasswordLogin handler as attribute
+[SIDP-318] - IdP erroneously logs many normal events as errors
+[SIDP-322] - Exception thrown when SP requests a particular authentication method that is not configured
+[SIDP-324] - Add additional information to Status handler
+
+Changes in Release 2.1.2
+=============================================
+* Significant memory optimizations
+[SIDP-260] - NPE in login-err.jsp
+[SIDP-262] - MIME type on metadata profile handler is incorrect
+[SIDP-267] - check if cookies are set on error.jsp
+[SIDP-268] - Expose Metadata on entityID URL
+
+
+Changes in Release 2.1.1
+=============================================
+[SIDP-248] - Signing code in profile handlers and encoders should not just check that a signing credential is supplied, but that a signing key is available in that credential.
+[SIDP-249] - PreviousSession INFO message printed as ERROR message
+[SIDP-250] - AuthenticationEngine::returnToAuthenticationEngine() static method called before servlet init() when clustered.
+[SIDP-251[ - NPE when SAML1 Attribute Query Handler hit with GET request
+[SIDP-252] - IdPSessionFilter throws ArrayIndexOutOfBoundsException on validation of unexpected cookie
+[SIDP-257] - Previous session is used if the user has an existing session but the SP requests an authentication method that is not currently active.
+[SIDP-259] - Installer does not remove old library versions from IDP_HOME/lib
+
+Changes in Release 2.1.0
+=============================================
+[SIDP-20] - Cannot deploy on Windows. Spring and DOS device names?
+[SIDP-164] - Option to make session cookie secure
+[SIDP-165] - Support for SessionNotOnOrAfter
+[SIDP-167] - Missing tags and incomplete login.jsp
+[SIDP-170] - Attribute Filter refresh won't work with "resource:FileBackedHttpResource"
+[SIDP-171] - Cannot deploy to directories in spaces in the names
+[SIDP-172] - AACLI.BAT should check whether IDP_HOME is defined before testing whether it exists
+[SIDP-175] - Security role name missing in web.xml
+[SIDP-176] - useKeyTab should be set to true
+[SIDP-181] - Released Attributes not logged when using SAML2
+[SIDP-183] - make IdP session available to logging system
+[SIDP-185] - NullPointerException after AttributeQuery when Security Rule fails
+[SIDP-189] - NPE in AbstractSAML2ProfileHandler
+[SIDP-194] - Installer can remember the wrong thing
+[SIDP-196] - IdP continues to use old principal name after forced reauthentication
+[SIDP-197] - Misleading error message for ValidationInfo element in relying-party.xml
+[SIDP-199] - loss of login context when deploying the IdP to tomcat's ROOT context
+[SIDP-201] - IdP sends SAML 1 authentication responses without audience conditions
+[SIDP-202] - Saml2LoginContext unable to deserialize serialized AuthnRequest
+[SIDP-203] - Insufficient information logged to track down errant users
+[SIDP-206] - SessionManagerEntry's back reference to the SessionManager object interferes with clustering
+[SIDP-209] - Enforce SAML 2 metadata SPSSODescriptor/@AuthnRequestsSigned
+[SIDP-212] - Wrong confirmation method used with SAML 1.x artifact profile
+[SIDP-214] - Installer needs to put (at least) bcprov onto the calsspath before it runs ant
+[SIDP-215] - SHIB-JCE.jar missing from 2.1.0 kit
+[SIDP-216] - Second of two signed sources of metadata fail after cache expiration
+[SIDP-222] - Template engine used by LDAP and database connectors throw an NPE on startup
+[SIDP-224] - Add version information in library JAR manifest and provide command line tool to view it
+[SIDP-225] - Credential theft vulnerability in login.jsp
+[SIDP-226] - Cross site scripting vulnerability
+[SIDP-227] - Default relying-party.xml has SAML2-specific security policy rules included in SAML 1 security policies
+[SIDP-228] - Improve error reporting in SAML 2 profile handlers when no encryption key is resolveable for the peer entity ID
+[SIDP-229] - IdP Metadata changes to KeyDescriptor not fully flushed from IdP cache
+[SIDP-230] - sanity check provided credentials
+[SIDP-233] - Typo on operation name - public void setAuthenticationDurection(long duration)
+[SIDP-237] - Re-run of install.sh does not create war again
+[SIDP-242] - Cleanup StorageService entry classes
diff --git a/REL_2/pom.xml b/REL_2/pom.xml
new file mode 100644 (file)
index 0000000..b58e310
--- /dev/null
@@ -0,0 +1,488 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+         
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>edu.internet2.middleware</groupId>
+    <artifactId>shibboleth-identityprovider</artifactId>
+    <version>2.3.2</version>
+
+    <!-- We bundle as a jar here, the installer creates the WAR -->
+    <packaging>jar</packaging>
+
+    <name>Shibboleth Identity Provider</name>
+    <description>
+        The Shibboleth Identity Provider is used by an organization to securely assert information, via SAML, about
+        their users.  This information is then read and acted upon by Service Providers.
+    </description>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <xerces.groupId>org.apache.xerces</xerces.groupId>
+        <xerces.version>2.10.0</xerces.version>
+    </properties>
+
+    <repositories>
+        <repository>
+            <id>shib-release</id>
+            <url>https://shibboleth.net/nexus/content/groups/public</url>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+        </repository>
+        <repository>
+            <id>shib-snapshot</id>
+            <url>https://shibboleth.net/nexus/content/repositories/snapshots</url>
+            <releases>
+                <enabled>false</enabled>
+            </releases>
+        </repository>
+    </repositories>
+
+    <dependencies>
+        <!-- Compile dependencies -->
+        <dependency>
+            <groupId>edu.internet2.middleware</groupId>
+            <artifactId>shibboleth-common</artifactId>
+            <version>1.3.2</version>
+        </dependency>
+
+        <!-- Provided dependencies -->
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>servlet-api</artifactId>
+            <version>2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet.jsp</groupId>
+            <artifactId>jsp-api</artifactId>
+            <version>2.0</version>
+        </dependency>
+
+        <!-- Runtime dependencies -->
+        <dependency>
+            <groupId>${xerces.groupId}</groupId>
+            <artifactId>xml-apis</artifactId>
+            <version>${xerces.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>${xerces.groupId}</groupId>
+            <artifactId>xercesImpl</artifactId>
+            <version>${xerces.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>xml-resolver</groupId>
+            <artifactId>xml-resolver</artifactId>
+            <version>1.2</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.1</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant-nodeps</artifactId>
+            <version>1.7.1</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>ant-contrib</groupId>
+            <artifactId>ant-contrib</artifactId>
+            <version>1.0b2</version>
+            <scope>runtime</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>ant</groupId>
+                    <artifactId>ant</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>edu.internet2.middleware</groupId>
+            <artifactId>ant-extensions</artifactId>
+            <version>11Jan2011</version>
+            <scope>runtime</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk14</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>edu.internet2.middleware</groupId>
+            <artifactId>shibboleth-jce</artifactId>
+            <version>1.1.0</version>
+            <scope>runtime</scope>
+        </dependency>
+
+        <!-- Test dependencies -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>3.8.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>xmlunit</groupId>
+            <artifactId>xmlunit</artifactId>
+            <version>1.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-test</artifactId>
+            <version>2.5.6.SEC02</version>
+            <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+    </dependencies>
+
+    <distributionManagement>
+        <repository>
+            <id>release</id>
+            <url>https://shibboleth.net/nexus/content/repositories/releases</url>
+        </repository>
+        <snapshotRepository>
+            <id>snapshot</id>
+            <url>https://shibboleth.net/nexus/content/repositories/snapshots</url>
+        </snapshotRepository>
+    </distributionManagement>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>2.3.2</version>
+                <configuration>
+                    <source>1.5</source>
+                    <target>1.5</target>
+                    <debug>true</debug>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>2.2.1</version>
+                <configuration>
+                    <descriptors>
+                        <descriptor>src/main/assembly/bin.xml</descriptor>
+                    </descriptors>
+                    <tarLongFileMode>gnu</tarLongFileMode>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>make-assembly</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>attached</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.8</version>
+                <configuration>
+                    <argLine>-Xmx256m</argLine>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.3.1</version>
+                <configuration>
+                    <archive>
+                        <index>true</index>
+                        <manifestEntries>
+                            <Main-Class>edu.internet2.middleware.shibboleth.idp.Version</Main-Class>
+                        </manifestEntries>
+                        <manifestSections>
+                            <manifestSection>
+                                <name>edu/internet2/middleware/shibboleth/idp/</name>
+                                <manifestEntries>
+                                    <Implementation-Title>${project.artifactId}</Implementation-Title>
+                                    <Implementation-Version>${project.version}</Implementation-Version>
+                                    <Implementation-Vendor>shibboleth.internet2.edu</Implementation-Vendor>
+                                </manifestEntries>
+                            </manifestSection>
+                        </manifestSections>
+                    </archive>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-source-plugin</artifactId>
+                <version>2.1.2</version>
+                <executions>
+                    <execution>
+                        <id>attach-sources</id>
+                        <goals>
+                            <goal>jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.7</version>
+                <executions>
+                    <execution>
+                        <id>attach-javadocs</id>
+                        <goals>
+                            <goal>jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <quiet>true</quiet>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.8</version>
+                <configuration>
+                    <links>
+                        <link>http://java.sun.com/j2se/1.5.0/docs/api/</link>
+                        <link>http://joda-time.sourceforge.net/apidocs/</link>
+                        <link>http://static.springsource.org/spring/docs/2.0.x/api/</link>
+                    </links>
+                    <quiet>true</quiet>
+                    <author>false</author>
+                    <version>true</version>
+                    <doctitle>${project.name} ${project.version} Java API.</doctitle>
+                    <windowtitle>${project.name} ${project.version} Java API.</windowtitle>
+                    <overview>src/main/java/overview.html</overview>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.2</version>
+                <configuration>
+                    <outputDirectory>${project.reporting.outputDirectory}/xref</outputDirectory>
+                    <doctitle>${project.name} ${project.version} Code Cross-Reference</doctitle>
+                    <windowtitle>${project.name} ${project.version} Java API.</windowtitle>
+                    <javadocDir>${project.reporting.outputDirectory}/apidocs</javadocDir>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.8.1</version>
+                <configuration>
+                    <outputDirectory>${project.reporting.outputDirectory}/unitTest</outputDirectory>
+                    <xrefLocation>${project.reporting.outputDirectory}/xref</xrefLocation>
+                </configuration>
+            </plugin>
+        </plugins>
+    </reporting>
+
+    <profiles>
+        <profile>
+            <id>release</id>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-javadoc-plugin</artifactId>
+                        <version>2.8</version>
+                        <executions>
+                            <execution>
+                                <id>release-javadoc</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>javadoc</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-jxr-plugin</artifactId>
+                        <version>2.2</version>
+                        <executions>
+                            <execution>
+                                <id>release-jxr</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>jxr</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-report-plugin</artifactId>
+                        <version>2.9</version>
+                        <executions>
+                            <execution>
+                                <id>release-unitTest</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>report-only</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-assembly-plugin</artifactId>
+                        <version>2.2.1</version>
+                        <executions>
+                            <execution>
+                                <id>make-assembly</id>
+                                <phase>package</phase>
+                                <goals>
+                                    <goal>attached</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-gpg-plugin</artifactId>
+                        <version>1.3</version>
+                        <executions>
+                            <execution>
+                                <id>sign-artifacts</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+
+    <!-- Project Metadata -->
+    <url>http://shibboleth.internet2.edu/</url>
+
+    <inceptionYear>2006</inceptionYear>
+
+    <licenses>
+        <license>
+            <name>Apache 2</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <organization>
+        <name>Internet2</name>
+        <url>http://www.internet2.edu/</url>
+    </organization>
+
+    <issueManagement>
+        <system>JIRA</system>
+        <url>http://bugs.internet2.edu/</url>
+    </issueManagement>
+
+    <mailingLists>
+        <mailingList>
+            <name>Shibboleth Announce</name>
+            <subscribe>http://shibboleth.internet2.edu/support.html#lists</subscribe>
+            <unsubscribe>http://shibboleth.internet2.edu/support.html#lists</unsubscribe>
+            <post>shibboleth-announce@internet2.edu</post>
+            <archive>https://mail.internet2.edu/wws/arc/shibboleth-announce</archive>
+        </mailingList>
+        <mailingList>
+            <name>Shibboleth Users</name>
+            <subscribe>http://shibboleth.internet2.edu/support.html#lists</subscribe>
+            <unsubscribe>http://shibboleth.internet2.edu/support.html#lists</unsubscribe>
+            <post>shibboleth-users@internet2.edu</post>
+            <archive>https://mail.internet2.edu/wws/arc/shibboleth-users</archive>
+        </mailingList>
+        <mailingList>
+            <name>Shibboleth Development</name>
+            <subscribe>http://shibboleth.internet2.edu/support.html#lists</subscribe>
+            <unsubscribe>http://shibboleth.internet2.edu/support.html#lists</unsubscribe>
+            <post>shibboleth-dev@internet2.edu</post>
+            <archive>https://mail.internet2.edu/wws/arc/shibboleth-dev</archive>
+        </mailingList>
+    </mailingLists>
+
+    <scm>
+        <connection>scm:svn:https://svn.middleware.georgetown.edu/java-idp/</connection>
+        <developerConnection>scm:svn:https://svn.middleware.georgetown.edu/java-idp/</developerConnection>
+        <tag>HEAD</tag>
+        <url>http://svn.middleware.georgetown.edu/view/?root=java-idp</url>
+    </scm>
+
+    <developers>
+        <developer>
+            <id>cantor</id>
+            <name>Scott Cantor</name>
+            <organization>The Ohio State University</organization>
+            <organizationUrl>http://www.osu.edu/</organizationUrl>
+            <roles>
+                <role>developer</role>
+            </roles>
+            <timezone>-5</timezone>
+        </developer>
+        <developer>
+            <id>ndk</id>
+            <name>Nate Klingenstein</name>
+            <organization>Internet2</organization>
+            <organizationUrl>http://www.internet2.edu/</organizationUrl>
+            <roles>
+                <role>documentation</role>
+            </roles>
+            <timezone>-7</timezone>
+        </developer>
+        <developer>
+            <id>lajoie</id>
+            <name>Chad La Joie</name>
+            <organization>Itumi, LLC</organization>
+            <organizationUrl>http://www.itumi.biz/</organizationUrl>
+            <roles>
+                <role>developer</role>
+                <role>documentation</role>
+            </roles>
+            <timezone>-5</timezone>
+        </developer>
+        <developer>
+            <id>wnorris</id>
+            <name>Will Norris</name>
+            <organization>Google, Inc.</organization>
+            <organizationUrl>http://www.google.com/</organizationUrl>
+            <roles>
+                <role>developer</role>
+            </roles>
+            <timezone>-8</timezone>
+        </developer>
+        <developer>
+            <id>rdw</id>
+            <name>Rod Widdowson</name>
+            <organization>University of Edinburgh</organization>
+            <organizationUrl>http://www.ed.ac.uk/</organizationUrl>
+            <roles>
+                <role>developer</role>
+            </roles>
+            <timezone>0</timezone>
+        </developer>
+    </developers>
+
+</project>
diff --git a/REL_2/src/installer/bash/install.sh b/REL_2/src/installer/bash/install.sh
new file mode 100755 (executable)
index 0000000..327bf90
--- /dev/null
@@ -0,0 +1,94 @@
+#! /bin/sh
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  Darwin*) darwin=true ;;
+esac
+
+#Find the necessary resources
+ANT_HOME=.
+
+if [ -z "$JAVACMD" ] ; then 
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD=$JAVA_HOME/jre/sh/java
+    else
+      JAVACMD=$JAVA_HOME/bin/java
+    fi
+  else
+    JAVACMD=java
+  fi
+fi
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly."
+  echo "  We cannot execute $JAVACMD"
+  exit
+fi
+
+if [ -n "$CLASSPATH" ] ; then
+  LOCALCLASSPATH=$CLASSPATH
+fi
+
+# add in the dependency .jar files
+DIRLIBS=${ANT_HOME}/src/installer/lib/*.jar
+for i in ${DIRLIBS}
+do
+    # if the directory is empty, then it will return the input string
+    # this is stupid, so case for it
+    if [ "$i" != "${DIRLIBS}" ] ; then
+      if [ -z "$LOCALCLASSPATH" ] ; then
+        LOCALCLASSPATH=$i
+      else
+        LOCALCLASSPATH="$i":$LOCALCLASSPATH
+      fi
+    fi
+done
+
+if [ -n "$JAVA_HOME" ] ; then
+  if [ -f "$JAVA_HOME/lib/tools.jar" ] ; then
+    LOCALCLASSPATH=$LOCALCLASSPATH:$JAVA_HOME/lib/tools.jar
+  fi
+
+  if [ -f "$JAVA_HOME/lib/classes.zip" ] ; then
+    LOCALCLASSPATH=$LOCALCLASSPATH:$JAVA_HOME/lib/classes.zip
+  fi
+
+  # OSX hack to make Ant work with jikes
+  if $darwin ; then
+    OSXHACK="/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Classes"
+    if [ -d ${OSXHACK} ] ; then
+      for i in ${OSXHACK}/*.jar
+      do
+        JIKESPATH=$JIKESPATH:$i
+      done
+    fi
+  fi
+
+else
+  echo "Warning: JAVA_HOME environment variable is not set."
+  echo "  If build fails because sun.* classes could not be found"
+  echo "  you will need to set the JAVA_HOME environment variable"
+  echo "  to the installation directory of java."
+fi
+
+# supply JIKESPATH to Ant as jikes.class.path
+if [ -n "$JIKESPATH" ] ; then
+  if [ -n "$ANT_OPTS" ] ; then
+    ANT_OPTS="$ANT_OPTS -Djikes.class.path=$JIKESPATH"
+  else
+    ANT_OPTS=-Djikes.class.path=$JIKESPATH
+  fi
+fi
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  ANT_HOME=`cygpath --path --windows "$ANT_HOME"`
+  JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  LOCALCLASSPATH=`cygpath --path --windows "$LOCALCLASSPATH"`
+fi
+$JAVACMD -classpath "$LOCALCLASSPATH" -Dant.home="${ANT_HOME}" $ANT_OPTS org.apache.tools.ant.Main -e -f src/installer/resources/build.xml "$@"
diff --git a/REL_2/src/installer/bat/cpappend.bat b/REL_2/src/installer/bat/cpappend.bat
new file mode 100644 (file)
index 0000000..9f606aa
--- /dev/null
@@ -0,0 +1,19 @@
+rem ---------------------------------------------------------------------------
+rem Append to CLASSPATH
+rem
+rem $Id$
+rem ---------------------------------------------------------------------------
+
+rem Process the first argument
+if ""%1"" == """" goto end
+set LOCALCLASSPATH=%LOCALCLASSPATH%;%1
+shift
+
+rem Process the remaining arguments
+:setArgs
+if ""%1"" == """" goto doneSetArgs
+set LOCALCLASSPATH=%LOCALCLASSPATH% %1
+shift
+goto setArgs
+:doneSetArgs
+:end
diff --git a/REL_2/src/installer/bat/install.bat b/REL_2/src/installer/bat/install.bat
new file mode 100755 (executable)
index 0000000..a10f8d7
--- /dev/null
@@ -0,0 +1,40 @@
+@echo off
+setlocal
+
+REM Find the necessary resources
+set ANT_HOME=.
+
+REM We need a JVM
+if not defined JAVA_HOME  (
+  echo Error: JAVA_HOME is not defined.
+  exit /b
+)
+
+if not defined JAVACMD (
+  set JAVACMD="%JAVA_HOME%\bin\java.exe"
+)
+
+if not exist %JAVACMD% (
+  echo Error: JAVA_HOME is not defined correctly.
+  echo Cannot execute %JAVACMD%
+  exit /b
+)
+
+if defined CLASSPATH (
+  set LOCALCLASSPATH=%CLASSPATH%
+)
+
+REM add in the dependency .jar files
+for %%i in (%ANT_HOME%\src\installer\lib\*.jar) do (
+       call %ANT_HOME%\cpappend.bat %%i
+)
+
+if exist %JAVA_HOME%\lib\tools.jar (
+    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\tools.jar
+)
+
+if exist %JAVA_HOME%\lib\classes.zip (
+    set LOCALCLASSPATH=%LOCALCLASSPATH%;%JAVA_HOME%\lib\classes.zip
+)
+
+%JAVACMD% -cp "%LOCALCLASSPATH%" -Dant.home="%ANT_HOME%" %ANT_OPTS% org.apache.tools.ant.Main -e -f src/installer/resources/build.xml %*
diff --git a/REL_2/src/installer/resources/build.xml b/REL_2/src/installer/resources/build.xml
new file mode 100755 (executable)
index 0000000..5c27404
--- /dev/null
@@ -0,0 +1,243 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project name="Shibboleth Identity Provider" basedir="../../.." default="install">
+
+    <property name="installer.dir" value="${basedir}/src/installer"/>
+    <property name="resources.dir" value="${installer.dir}/resources"/>
+    <property name="tools.dir" value="${basedir}/src/tools"/>
+    <property name="webapp.dir" value="${basedir}/src/main/webapp"/>
+    <property name="war.name" value="idp"/>
+       
+    <!-- Load property from the environment -->
+    <property environment="env"/>
+
+    <!-- Installation specific property file -->
+    <property file="${resources.dir}/install.properties"/>
+       
+    <!-- Load ant-contrib tasks -->
+    <taskdef resource="net/sf/antcontrib/antlib.xml"/>
+
+    <!-- Load Internet2 ant extensions -->
+    <taskdef resource="edu/internet2/middleware/ant/antlib.xml"/>
+
+    <target name="install" description="Installs the identity provider software.">
+       
+       <echo message="!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"/>
+       <echo message="Be sure you have read the installation/upgrade instructions on the Shibboleth website before proceeding."/>
+       <echo message="!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"/>
+        
+        <input message="Where should the Shibboleth Identity Provider software be installed?" addproperty="idp.home.input" defaultvalue="${idp.home}"/>
+        <var name="idp.home" value="${idp.home.input}"/>
+
+        <pathToAbsolutePath path="${idp.home}" addproperty="idp.home.path"/>
+        <pathToUrl path="${idp.home}" addproperty="idp.home.url"/>
+        
+        <if>
+            <available file="${idp.home.path}" property="idp.home.exists"/>
+            <then>
+                <input message="The directory '${idp.home.path}' already exists.  Would you like to overwrite this Shibboleth configuration?" addproperty="install.config" validargs="yes,no" defaultvalue="no"/>
+            </then>
+            <else>
+                <var name="install.config" value="yes"/>
+            </else>
+        </if>
+
+        <if>
+            <equals arg1="${install.config}" arg2="yes"/>
+            <then>
+                <input message="What is the fully qualified hostname of the Shibboleth Identity Provider server?" addproperty="idp.hostname.input" defaultvalue="${idp.hostname}"/>
+                <var name="idp.hostname" value="${idp.hostname.input}"/>
+
+                <input message="A keystore is about to be generated for you. Please enter a password that will be used to protect it." addproperty="idp.keystore.pass"/>
+
+                <propertyfile file="${resources.dir}/install.properties">
+                    <entry key="idp.home" value="${idp.home.input}"/>
+                    <entry key="idp.hostname" value="${idp.hostname.input}"/>
+                </propertyfile>
+
+                <mkdir dir="${idp.home.path}"/>
+                <mkdir dir="${idp.home.path}/bin"/>
+                <mkdir dir="${idp.home.path}/conf"/>
+                <mkdir dir="${idp.home.path}/credentials"/>
+                <mkdir dir="${idp.home.path}/lib"/>
+                <mkdir dir="${idp.home.path}/lib/endorsed"/>
+                <mkdir dir="${idp.home.path}/logs"/>
+                <mkdir dir="${idp.home.path}/metadata"/>
+                <mkdir dir="${idp.home.path}/war"/>
+
+                <var name="idp.entity.id" value="https://${idp.hostname}/idp/shibboleth"/>
+                <var name="idp.web.xml.name" value="${webapp.dir}/WEB-INF/web.xml"/>
+
+                <regexSplit input="${idp.hostname}" regex="^.*\.(.*\..*$)" addproperty="idp.scope"/>
+
+                <echo message="Generating signing and encryption key, certificate, and keystore. "/>
+               
+               <if>
+                   <isset property="env.IdPCertLifetime"/>
+                       <then>
+                               <var name="idp.cert.lifetime" value="${env.IdPCertLifetime}"/>
+                       </then>
+                       <else>
+                               <var name="idp.cert.lifetime" value="20"/>
+                       </else>
+               </if>
+                       
+                <selfSignedCert hostname="${idp.hostname}" privateKeyFile="${idp.home.path}/credentials/idp.key" certificateFile="${idp.home.path}/credentials/idp.crt" keystoreFile="${idp.home.path}/credentials/idp.jks" keystorePassword="${idp.keystore.pass}" uriSubjectAltNames="${idp.entity.id}" certificateLifetime="${idp.cert.lifetime}"/>
+
+                <copy todir="${idp.home.path}/bin" preservelastmodified="true" overwrite="true">
+                    <fileset dir="${tools.dir}/bash"/>
+                    <fileset dir="${tools.dir}/bat"/>
+                    <filterset begintoken="$" endtoken="$">
+                        <filter token="IDP_HOME" value="${idp.home.path}"/>
+                        <filter token="IDP_VERSION" value="${version}"/>
+                    </filterset>
+                </copy>
+
+                <copy todir="${idp.home.path}/conf" preservelastmodified="true" overwrite="true">
+                    <fileset dir="${resources.dir}/conf-tmpl"/>
+                    <filterset begintoken="$" endtoken="$">
+                        <filter token="IDP_HOME" value="${idp.home.path}"/>
+                        <filter token="IDP_VERSION" value="${version}"/>
+                        <filter token="IDP_ENTITY_ID" value="${idp.entity.id}"/>
+                        <filter token="IDP_SCOPE" value="${idp.scope}"/>
+                        <filter token="IDP_CERTIFICATE" value="${idp.cert}"/>
+                        <filter token="IDP_HOSTNAME" value="${idp.hostname}"/>
+                    </filterset>
+                </copy>
+
+                <stringFromFile input="${idp.home.path}/credentials/idp.crt" addProperty="idp.cert"/>
+                <regexSplit input="${idp.cert}" regex="\A.*-----\s((?:.*\s)*)-----END.*\Z" addproperty="idp.metadata.cert"/>
+                <copy todir="${idp.home.path}/metadata" preservelastmodified="true" overwrite="true">
+                    <fileset dir="${resources.dir}/metadata-tmpl"/>
+                    <filterset begintoken="$" endtoken="$">
+                        <filter token="IDP_ENTITY_ID" value="${idp.entity.id}"/>
+                        <filter token="IDP_SCOPE" value="${idp.scope}"/>
+                        <filter token="IDP_CERTIFICATE" value="${idp.metadata.cert}"/>
+                        <filter token="IDP_HOSTNAME" value="${idp.hostname}"/>
+                    </filterset>
+                </copy>
+            </then>
+            <else>
+                <propertyfile file="${resources.dir}/install.properties">
+                    <entry key="idp.home" value="${idp.home.input}"/>
+                </propertyfile>
+               
+                <if> 
+                    <available file="${idp.home.path}/conf/web.xml" property="idp.web.xml.exists"/>
+                    <then>
+                        <echo message="Using ${idp.home.path}/conf/web.xml rather than default web.xml"/>
+                        <var name="idp.web.xml.name" value="${idp.home.path}/conf/web.xml"/>
+                    </then>
+                    <else>
+                        <var name="idp.web.xml.name" value="${webapp.dir}/WEB-INF/web.xml"/>
+                    </else>
+                </if>
+
+                <!-- 
+                    Even if we're not overwritting the config we should still add new files, for example, files added
+                    in a new release.
+                -->
+                <var name="idp.entity.id" value="https://${idp.hostname}/idp/shibboleth"/>
+                <regexSplit input="${idp.hostname}" regex="^.*\.(.*\..*$)" addproperty="idp.scope"/>
+                <stringFromFile input="${idp.home.path}/credentials/idp.crt" addProperty="idp.cert"/>
+                    
+                <copy todir="${idp.home.path}/bin" preservelastmodified="true" overwrite="false">
+                    <fileset dir="${tools.dir}/bash">
+                        <present present="srconly" targetdir="${idp.home.path}/bin"/>
+                       </fileset>
+                    <fileset dir="${tools.dir}/bat">
+                       <present present="srconly" targetdir="${idp.home.path}/bin"/>
+                       </fileset>
+                    <filterset begintoken="$" endtoken="$">
+                        <filter token="IDP_HOME" value="${idp.home.path}"/>
+                        <filter token="IDP_VERSION" value="${version}"/>
+                    </filterset>
+                </copy>
+
+                <copy todir="${idp.home.path}/conf" preservelastmodified="true" overwrite="false">
+                    <fileset dir="${resources.dir}/conf-tmpl">
+                       <present present="srconly" targetdir="${idp.home.path}/conf"/>
+                       </fileset>
+                    <filterset begintoken="$" endtoken="$">
+                        <filter token="IDP_HOME" value="${idp.home.path}"/>
+                        <filter token="IDP_VERSION" value="${version}"/>
+                        <filter token="IDP_ENTITY_ID" value="${idp.entity.id}"/>
+                        <filter token="IDP_SCOPE" value="${idp.scope}"/>
+                        <filter token="IDP_CERTIFICATE" value="${idp.cert}"/>
+                        <filter token="IDP_HOSTNAME" value="${idp.hostname}"/>
+                    </filterset>
+                </copy>
+            </else>
+        </if>
+                            
+        <chmod file="${idp.home.path}/bin/*.sh" perm="+x"/>
+
+       <delete>
+           <fileset dir="${idp.home.path}/lib" includes="**/*.jar"/>
+        </delete>
+        <copy todir="${idp.home.path}/lib" preservelastmodified="true" overwrite="true">
+            <fileset dir="${basedir}/lib"/>
+        </copy>
+        <copy todir="${idp.home.path}/lib/endorsed" preservelastmodified="true" failonerror="false" overwrite="true">
+            <fileset dir="endorsed"/>
+        </copy>
+
+        <!-- create web.xml -->
+        <copy file="${idp.web.xml.name}" todir="${installer.dir}" preservelastmodified="true" overwrite="true">
+            <filterset begintoken="$" endtoken="$">
+                <filter token="IDP_HOME" value="${idp.home.url}"/>
+            </filterset>
+        </copy>
+
+        <!-- build the war file -->
+        <war warfile="${installer.dir}/${war.name}.war" webxml="${installer.dir}/web.xml">
+            <lib dir="${basedir}/lib" excludes="servlet-api*.jar,jsp-api*.jar"/>
+            <webinf dir="${webapp.dir}/WEB-INF" excludes="web.xml"/>
+            <fileset dir="${webapp.dir}" excludes="WEB-INF/**"/>
+        </war>
+       <copy file="${installer.dir}/${war.name}.war" todir="${idp.home.path}/war" preservelastmodified="true" overwrite="true"/>
+
+        <!-- Remove generated files -->
+        <delete file="${installer.dir}/web.xml"/>
+       <delete file="${installer.dir}/${war.name}.war"/>
+       
+    </target>
+
+    <target name="renew-cert" description="Create a new certificate/key pair."> 
+        <input message="This will create a new set of credentials for your IdP, overwriting existing credentials.  Do you really wish to proceed?" addproperty="renew.cert.do" validargs="yes,no" defaultvalue="no"/> 
+        <if> <equals arg1="${renew.cert.do}" arg2="yes"/> 
+            <then> 
+
+                <input message="Where is the Shibboleth Identity Provider installed?" addproperty="idp.home.input" defaultvalue="${idp.home}"/>
+                <var name="idp.home" value="${idp.home.input}"/>
+              
+                <pathToAbsolutePath path="${idp.home}" addproperty="idp.home.path"/> 
+            
+                <input message="What is the fully qualified hostname of the Shibboleth Identity Provider server?" addproperty="idp.hostname.input" defaultvalue="${idp.hostname}"/> 
+                <var name="idp.hostname" value="${idp.hostname.input}"/> 
+                <var name="idp.entity.id" value="https://${idp.hostname}/idp/shibboleth"/> 
+
+                <echo message="Backing up old credentials"/> 
+                <buildnumber file="${resources.dir}/credentials.buildno"/>
+                <copy todir="${idp.home.path}/credentials" overwrite="true">
+                    <fileset dir="${idp.home.path}/credentials" excludes="*bak*,buildno"/>
+                    <globmapper from="idp.*" to="idp.*.bak.${build.number}"/>
+                </copy>
+
+                <input message="A keystore is about to be generated for you. Please enter a password that will be used to protect it." addproperty="idp.keystore.pass"/> 
+
+                <if>
+                    <isset property="env.IdPCertLifetime"/>
+                    <then>
+                        <var name="idp.cert.lifetime" value="${env.IdPCertLifetime}"/>
+                    </then>
+                    <else>
+                        <var name="idp.cert.lifetime" value="20"/>
+                    </else>
+                </if>
+        
+                <echo message="Generating signing and encryption key, certificate, and keystore. "/> 
+                <selfSignedCert hostname="${idp.hostname}" privateKeyFile="${idp.home.path}/credentials/idp.key" certificateFile="${idp.home.path}/credentials/idp.crt" keystoreFile="${idp.home.path}/credentials/idp.jks" keystorePassword="${idp.keystore.pass}" uriSubjectAltNames="${idp.entity.id}" certificateLifetime="${idp.cert.lifetime}"/> 
+            </then>
+        </if> 
+    </target> 
+</project>
diff --git a/REL_2/src/installer/resources/conf-tmpl/attribute-filter.xml b/REL_2/src/installer/resources/conf-tmpl/attribute-filter.xml
new file mode 100644 (file)
index 0000000..15bb1fb
--- /dev/null
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is functional, it isn't very interesting.
+    
+    Deployers should refer to the Shibboleth 2 documentation for a complete list of components 
+    and their options.
+-->
+<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="ShibbolethFilterPolicy" xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd                                                 urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd                                                 urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">
+
+    <!--  Release the transient ID to anyone -->
+    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
+        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
+
+        <afp:AttributeRule attributeID="transientId">
+            <afp:PermitValueRule xsi:type="basic:ANY"/>
+        </afp:AttributeRule>
+
+    </afp:AttributeFilterPolicy>
+
+
+    <!-- 
+        Release eduPersonEntitlement and the permissible values of eduPersonAffiliation
+        to any SP that is a member of InCommon, UK federation, or SWITCHaai
+    -->
+    <!--
+    <afp:AttributeFilterPolicy>
+        <afp:PolicyRequirementRule xsi:type="basic:OR">
+            <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:incommon" />
+            <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="http://ukfederation.org.uk" />
+            <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup" groupID="urn:mace:switch.ch:SWITCHaai" />
+        </afp:PolicyRequirementRule>
+
+        <afp:AttributeRule attributeID="eduPersonAffiliation">
+            <afp:PermitValueRule xsi:type="basic:OR">
+                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
+                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
+            </afp:PermitValueRule>
+        </afp:AttributeRule>
+
+    </afp:AttributeFilterPolicy>
+    -->
+
+    <!-- 
+        Release the given name of the user to our portal service provider
+    -->
+    <!--
+    <afp:AttributeFilterPolicy>
+        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="urn:example.org:sp:myPortal" />
+
+        <afp:AttributeRule attributeID="givenName">
+            <afp:PermitValueRule xsi:type="basic:ANY" />
+        </afp:AttributeRule>
+    </afp:AttributeFilterPolicy>
+    -->
+
+</afp:AttributeFilterPolicyGroup>
diff --git a/REL_2/src/installer/resources/conf-tmpl/attribute-resolver.xml b/REL_2/src/installer/resources/conf-tmpl/attribute-resolver.xml
new file mode 100644 (file)
index 0000000..1820f00
--- /dev/null
@@ -0,0 +1,334 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE configuration file.  While the configuration presented in this 
+    example file is functional, it isn't very interesting.  However, there are lots of example
+    attributes, encoders, and a couple example data connectors.
+    
+    Not all attribute definitions, data connectors, or principal connectors are demonstrated.
+    Deployers should refer to the Shibboleth 2 documentation for a complete list of components 
+    and their options.
+-->
+<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:pc="urn:mace:shibboleth:2.0:resolver:pc" xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc" xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder" xmlns:sec="urn:mace:shibboleth:2.0:security" xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd                                        urn:mace:shibboleth:2.0:resolver:pc classpath:/schema/shibboleth-2.0-attribute-resolver-pc.xsd                                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd                                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd                                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd">
+
+    <!-- ========================================== -->
+    <!--      Attribute Definitions                 -->
+    <!-- ========================================== -->
+
+    <!-- Schema: Core schema attributes-->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid" sourceAttributeID="uid">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePhone" sourceAttributeID="homePhone">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePhone" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.20" friendlyName="homePhone" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="homePostalAddress" sourceAttributeID="homePostalAddress">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:homePostalAddress" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.39" friendlyName="homePostalAddress" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mobileNumber" sourceAttributeID="mobile">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mobile" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.41" friendlyName="mobile" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="pagerNumber" sourceAttributeID="pager">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:pager" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.42" friendlyName="pager" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="commonName" sourceAttributeID="cn">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:cn" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.3" friendlyName="cn" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="surname" sourceAttributeID="sn">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:sn" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="locality" sourceAttributeID="l">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:l" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.7" friendlyName="l" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="stateProvince" sourceAttributeID="st">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:st" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.8" friendlyName="st" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="street" sourceAttributeID="street">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:street" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.9" friendlyName="street" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationName" sourceAttributeID="o">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="organizationalUnit" sourceAttributeID="ou">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:ou" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.11" friendlyName="ou" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="title" sourceAttributeID="title">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:title" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.12" friendlyName="title" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalAddress" sourceAttributeID="postalAddress">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalAddress" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.16" friendlyName="postalAddress" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postalCode" sourceAttributeID="postalCode">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postalCode" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.17" friendlyName="postalCode" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="postOfficeBox" sourceAttributeID="postOfficeBox">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:postOfficeBox" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.18" friendlyName="postOfficeBox" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="telephoneNumber" sourceAttributeID="telephoneNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:telephoneNumber" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.20" friendlyName="telephoneNumber" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="givenName" sourceAttributeID="givenName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:givenName" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:initials" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.43" friendlyName="initials" />
+    </resolver:AttributeDefinition>
+     -->
+
+    <!-- Schema: inetOrgPerson attributes-->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="departmentNumber" sourceAttributeID="departmentNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" />
+    </resolver:AttributeDefinition>
+    
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" />
+    </resolver:AttributeDefinition> 
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeNumber" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.3" friendlyName="employeeNumber" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeType" sourceAttributeID="employeeType">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:employeeType" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.4" friendlyName="employeeType" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="jpegPhoto" sourceAttributeID="jpegPhoto">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:jpegPhoto" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.60" friendlyName="jpegPhoto" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="preferredLanguage" sourceAttributeID="preferredLanguage">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:preferredLanguage" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.39" friendlyName="preferredLanguage" />
+    </resolver:AttributeDefinition>
+    -->
+
+    <!-- Schema: eduPerson attributes -->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAffiliation" sourceAttributeID="eduPersonAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonEntitlement" sourceAttributeID="eduPersonEntitlement">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonNickname" sourceAttributeID="eduPersonNickname">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonNickname" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" friendlyName="eduPersonNickname" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonOrgDN" sourceAttributeID="eduPersonOrgDN">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgDN" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" friendlyName="eduPersonOrgDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonOrgUnitDN" sourceAttributeID="eduPersonOrgUnitDN">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" friendlyName="eduPersonOrgUnitDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryAffiliation" sourceAttributeID="eduPersonPrimaryAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" friendlyName="eduPersonPrimaryAffiliation" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonPrimaryOrgUnitDN" sourceAttributeID="eduPersonPrimaryOrgUnitDN">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" friendlyName="eduPersonPrimaryOrgUnitDN" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonPrincipalName" scope="$IDP_SCOPE$" sourceAttributeID="uid">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
+    </resolver:AttributeDefinition>
+
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonScopedAffiliation" scope="$IDP_SCOPE$" sourceAttributeID="eduPersonAffiliation">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" />
+    </resolver:AttributeDefinition>
+    
+    <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
+        <resolver:Dependency ref="myLDAP" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" friendlyName="eduPersonAssurance" />
+    </resolver:AttributeDefinition>
+    -->
+        
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:SAML2NameID" id="eduPersonTargetedID" 
+                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" sourceAttributeID="computedID">
+        <resolver:Dependency ref="computedID" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
+    </resolver:AttributeDefinition>
+    -->
+    
+    <!-- Do NOT use the version of eduPersonTargetedID defined below unless you understand 
+         why it was deprecated and know that this reason does not apply to you. -->
+    <!--
+    <resolver:AttributeDefinition xsi:type="ad:Scoped" id="eduPersonTargetedID.old" scope="$IDP_SCOPE$" sourceAttributeID="computedID">
+        <resolver:Dependency ref="computedID" />
+        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
+    </resolver:AttributeDefinition>
+    -->
+
+    <!-- Name Identifier related attributes -->
+    <resolver:AttributeDefinition id="transientId" xsi:type="ad:TransientId">
+        <resolver:AttributeEncoder xsi:type="enc:SAML1StringNameIdentifier" nameFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
+        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
+    </resolver:AttributeDefinition>
+
+    <!-- ========================================== -->
+    <!--      Data Connectors                       -->
+    <!-- ========================================== -->
+
+    <!-- Example Static Connector -->
+    <!--
+    <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+        <dc:Attribute id="eduPersonAffiliation">
+            <dc:Value>member</dc:Value>
+        </dc:Attribute>
+        <dc:Attribute id="eduPersonEntitlement">
+            <dc:Value>urn:example.org:entitlement:entitlement1</dc:Value>
+            <dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
+        </dc:Attribute>
+    </resolver:DataConnector>
+    -->
+
+    <!-- Example Relational Database Connector -->
+    <!--
+    <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
+        <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+                                         jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB" 
+                                         jdbcUserName="myid" 
+                                         jdbcPassword="mypassword" />
+        <dc:QueryTemplate>
+            <![CDATA[
+                SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'
+            ]]>
+        </dc:QueryTemplate>
+
+        <dc:Column columnName="gzbtpid" attributeID="uid" />
+        <dc:Column columnName="fqlft" attributeID="gpa" type="Float" />
+    </resolver:DataConnector>
+     -->
+
+    <!-- Example LDAP Connector -->
+    <!--
+    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
+        ldapURL="ldap://ldap.example.org" 
+        baseDN="ou=people,dc=example,dc=org" 
+        principal="uid=myservice,ou=system"
+        principalCredential="myServicePassword">
+        <dc:FilterTemplate>
+            <![CDATA[
+                (uid=$requestContext.principalName)
+            ]]>
+        </dc:FilterTemplate>
+    </resolver:DataConnector>
+    -->
+    
+    <!-- Computed targeted ID connector -->
+    <!--
+    <resolver:DataConnector xsi:type="dc:ComputedId"
+                            id="computedID"
+                            generatedAttributeID="computedID"
+                            sourceAttributeID="uid"
+                            salt="your random string here">
+        <resolver:Dependency ref="myLDAP" />
+    </resolver:DataConnector> 
+    -->
+
+    <!-- ========================================== -->
+    <!--      Principal Connectors                  -->
+    <!-- ========================================== -->
+    <resolver:PrincipalConnector xsi:type="pc:Transient" id="shibTransient" nameIDFormat="urn:mace:shibboleth:1.0:nameIdentifier"/>
+    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml1Unspec" nameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
+    <resolver:PrincipalConnector xsi:type="pc:Transient" id="saml2Transient" nameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
+
+</resolver:AttributeResolver>
diff --git a/REL_2/src/installer/resources/conf-tmpl/handler.xml b/REL_2/src/installer/resources/conf-tmpl/handler.xml
new file mode 100644 (file)
index 0000000..3079e99
--- /dev/null
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">
+
+    <!-- Error Handler -->
+    <ph:ErrorHandler xsi:type="ph:JSPErrorHandler" jspPagePath="/error.jsp"/>
+
+    <!-- Profile Handlers -->
+    <!-- 
+        All profile handlers defined below are accessed via the Servlet path "/profile" so if your profile 
+        handler's request path is "/Status" then the full path is "<servletContextName>/profile/Status"
+     -->
+    <ph:ProfileHandler xsi:type="ph:Status">
+        <ph:RequestPath>/Status</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <ph:ProfileHandler xsi:type="ph:SAMLMetadata" metadataFile="$IDP_HOME$/metadata/idp-metadata.xml">
+        <ph:RequestPath>/Metadata/SAML</ph:RequestPath>
+    </ph:ProfileHandler>    
+
+    <ph:ProfileHandler xsi:type="ph:ShibbolethSSO" inboundBinding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:profiles:browser-post                                                  urn:oasis:names:tc:SAML:1.0:profiles:artifact-01">
+        <ph:RequestPath>/Shibboleth/SSO</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <ph:ProfileHandler xsi:type="ph:SAML1AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
+        <ph:RequestPath>/SAML1/SOAP/AttributeQuery</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <ph:ProfileHandler xsi:type="ph:SAML1ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" outboundBindingEnumeration="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding">
+        <ph:RequestPath>/SAML1/SOAP/ArtifactResolution</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign                                                 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST                                                  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
+        <ph:RequestPath>/SAML2/POST/SSO</ph:RequestPath>
+    </ph:ProfileHandler>
+
+    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign                                                 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST                                                  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
+        <ph:RequestPath>/SAML2/POST-SimpleSign/SSO</ph:RequestPath>
+    </ph:ProfileHandler>
+
+    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign                                                 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST                                                  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
+        <ph:RequestPath>/SAML2/Redirect/SSO</ph:RequestPath>
+    </ph:ProfileHandler>
+
+    <ph:ProfileHandler xsi:type="ph:SAML2SSO" inboundBinding="urn:mace:shibboleth:2.0:profiles:AuthnRequest" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign                                                 urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST                                                  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact">
+        <ph:RequestPath>/SAML2/Unsolicited/SSO</ph:RequestPath>
+    </ph:ProfileHandler>
+
+    <ph:ProfileHandler xsi:type="ph:SAML2ECP" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
+        <ph:RequestPath>/SAML2/SOAP/ECP</ph:RequestPath>
+    </ph:ProfileHandler>
+
+    <ph:ProfileHandler xsi:type="ph:SAML2AttributeQuery" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
+        <ph:RequestPath>/SAML2/SOAP/AttributeQuery</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <ph:ProfileHandler xsi:type="ph:SAML2ArtifactResolution" inboundBinding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" outboundBindingEnumeration="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">
+        <ph:RequestPath>/SAML2/SOAP/ArtifactResolution</ph:RequestPath>
+    </ph:ProfileHandler>
+    
+    <!-- Login Handlers -->
+    <ph:LoginHandler xsi:type="ph:RemoteUser">
+        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
+    </ph:LoginHandler>
+    
+    <!-- Login handler that delegates the act of authentication to an external system. -->
+    <!-- This login handler and the RemoteUser login handler will be merged in the next major release. -->
+    <!--
+    <ph:LoginHandler xsi:type="ph:ExternalAuthn">
+        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
+        <ph:QueryParam name="foo" value="bar" />
+    </ph:LoginHandler>
+    -->
+    
+    <!--  Username/password login handler -->
+    <!-- 
+    <ph:LoginHandler xsi:type="ph:UsernamePassword" 
+                  jaasConfigurationLocation="file://$IDP_HOME$/conf/login.config">
+        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
+    </ph:LoginHandler>
+    -->
+    
+    <!-- 
+        Removal of this login handler will disable SSO support, that is it will require the user to authenticate 
+        on every request.
+    -->
+    <ph:LoginHandler xsi:type="ph:PreviousSession">
+        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
+    </ph:LoginHandler>
+
+</ph:ProfileHandlerGroup>
diff --git a/REL_2/src/installer/resources/conf-tmpl/internal.xml b/REL_2/src/installer/resources/conf-tmpl/internal.xml
new file mode 100644 (file)
index 0000000..9b17e1f
--- /dev/null
@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd                          http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+    <bean id="shibboleth.CacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
+
+    <bean id="shibboleth.TaskTimer" class="java.util.Timer" destroy-method="cancel">
+        <constructor-arg value="true" type="boolean"/>
+    </bean>
+    
+    <bean id="shibboleth.LogbackLogging" class="edu.internet2.middleware.shibboleth.common.log.LogbackLoggingService" depends-on="shibboleth.TaskTimer">
+       <constructor-arg ref="shibboleth.TaskTimer"/>
+       <constructor-arg value="$IDP_HOME$/conf/logging.xml"/>
+       <constructor-arg value="600000"/>
+    </bean>
+    
+    <!-- Spring configuration file that bootstraps OpenSAML -->
+    <bean id="shibboleth.OpensamlConfig" class="edu.internet2.middleware.shibboleth.common.config.OpensamlConfigBean" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg>
+            <list>
+                <bean id="shibMetadataExtensions" class="org.opensaml.util.resource.ClasspathResource">
+                    <constructor-arg value="/shibboleth-saml-ext-config.xml"/>
+                </bean>
+            </list>
+        </constructor-arg>
+        <property name="parserPool" ref="shibboleth.ParserPool"/>
+    </bean>
+
+    <bean id="shibboleth.IdGenerator" class="org.opensaml.common.impl.SecureRandomIdentifierGenerator" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg value="SHA1PRNG"/>
+    </bean>
+
+    <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean" depends-on="shibboleth.LogbackLogging">
+        <property name="overrideLogging" value="false"/>
+        <property name="velocityProperties">
+            <props>
+                <prop key="runtime.log.logsystem.class">
+                    edu.internet2.middleware.shibboleth.common.util.Slf4JLogChute
+                </prop>
+                <prop key="resource.loader">classpath, string</prop>
+                <prop key="classpath.resource.loader.class">
+                    org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader
+                </prop>
+                <prop key="string.resource.loader.class">
+                    edu.internet2.middleware.shibboleth.common.util.StringResourceLoader
+                </prop>
+            </props>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.TemplateEngine" class="edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.TemplateEngine" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.VelocityEngine"/>
+    </bean>
+
+    <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" depends-on="shibboleth.LogbackLogging" init-method="initialize">
+        <property name="maxPoolSize" value="100"/>
+        <property name="coalescing" value="true"/>
+        <property name="ignoreComments" value="true"/>
+        <property name="ignoreElementContentWhitespace" value="true"/>
+        <property name="namespaceAware" value="true"/>
+        <property name="builderAttributes">
+            <map>
+                <entry>
+                    <key>
+                        <value>http://apache.org/xml/properties/security-manager</value>
+                    </key>
+                    <bean id="shibboleth.XercesSecurityManager" class="org.apache.xerces.util.SecurityManager"/>
+                </entry>
+            </map>
+        </property>
+        <property name="builderFeatures">
+            <map>
+                <entry>
+                    <key>
+                        <value>http://apache.org/xml/features/disallow-doctype-decl</value>
+                    </key>
+                    <util:constant static-field="java.lang.Boolean.TRUE"/>
+                </entry>
+            </map>
+        </property>
+    </bean>
+
+    <bean id="shibboleth.StorageService" class="edu.internet2.middleware.shibboleth.common.util.EventingMapBasedStorageService" depends-on="shibboleth.LogbackLogging"/>
+
+    <bean id="shibboleth.StorageServiceSweeper" class="org.opensaml.util.storage.ExpiringObjectStorageServiceSweeper" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.TaskTimer"/>
+        <constructor-arg ref="shibboleth.StorageService"/>
+        <constructor-arg value="600000" type="long"/>
+    </bean>
+
+    <bean id="shibboleth.SessionManager" class="edu.internet2.middleware.shibboleth.idp.session.impl.SessionManagerImpl" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.StorageService"/>
+        <constructor-arg value="1800000" type="long"/>
+    </bean>
+
+    <bean id="shibboleth.ArtifactMap" class="org.opensaml.common.binding.artifact.BasicSAMLArtifactMap" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.StorageService"/>
+        <constructor-arg type="long" value="300000"/>
+    </bean>
+    
+    <bean id="shibboleth.ReplayCache" class="org.opensaml.util.storage.ReplayCache" depends-on="shibboleth.LogbackLogging">
+        <constructor-arg ref="shibboleth.StorageService"/>
+        <constructor-arg type="long" value="300000"/>
+    </bean>
+
+    <util:map id="shibboleth.MessageDecoders">
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpPostSimpleSignDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostSimpleSignDecoder">
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpPostDecoder" class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpRedirectDecoder" class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:SOAP</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpSoap11Decoder" class="org.opensaml.saml2.binding.decoding.HTTPSOAP11Decoder">
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:1.0:profiles:browser-post</value>
+            </key>
+            <bean id="shibboleth.SAML1HttpPostDecoder" class="org.opensaml.saml1.binding.decoding.HTTPPostDecoder">
+                <constructor-arg ref="shibboleth.ArtifactMap"/>
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding</value>
+            </key>
+            <bean id="shibboleth.SAML1HttpSoap11Decoder" class="org.opensaml.saml1.binding.decoding.HTTPSOAP11Decoder">
+                <constructor-arg ref="shibboleth.ArtifactMap"/>
+                <constructor-arg ref="shibboleth.ParserPool"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:mace:shibboleth:1.0:profiles:AuthnRequest</value>
+            </key>
+            <bean id="shibboleth.ShibbolethSSODecoder" class="edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSODecoder">
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:mace:shibboleth:2.0:profiles:AuthnRequest</value>
+            </key>
+            <bean id="shibboleth.UnsolicitedSSODecoder" class="edu.internet2.middleware.shibboleth.idp.profile.saml2.UnsolicitedSSODecoder">
+                <constructor-arg ref="shibboleth.IdGenerator"/>
+            </bean>
+        </entry>
+    </util:map>
+
+    <util:map id="shibboleth.MessageEncoders">
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpPostSimpleSignEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostSimpleSignEncoder">
+                <constructor-arg ref="shibboleth.VelocityEngine"/>
+                <constructor-arg value="/templates/saml2-post-simplesign-binding.vm"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpPostEncoder" class="org.opensaml.saml2.binding.encoding.HTTPPostEncoder">
+                <constructor-arg ref="shibboleth.VelocityEngine"/>
+                <constructor-arg value="/templates/saml2-post-binding.vm"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpRedirectEncoder" class="org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder"/>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact</value>
+            </key>
+            <bean id="shibboleth.SAML2HTTPArtifactEncoder" class="org.opensaml.saml2.binding.encoding.HTTPArtifactEncoder">
+                <constructor-arg ref="shibboleth.ArtifactMap"/>
+                <constructor-arg ref="shibboleth.VelocityEngine"/>
+                <constructor-arg value="/templates/saml2-post-artifact-binding.vm"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:2.0:bindings:SOAP</value>
+            </key>
+            <bean id="shibboleth.SAML2HttpSoap11Encoder" class="org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder"/>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:1.0:profiles:browser-post</value>
+            </key>
+            <bean id="shibboleth.SAML1HttpPostEncoder" class="org.opensaml.saml1.binding.encoding.HTTPPostEncoder">
+                <constructor-arg ref="shibboleth.VelocityEngine"/>
+                <constructor-arg value="/templates/saml1-post-binding.vm"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:1.0:profiles:artifact-01</value>
+            </key>
+            <bean id="shibboleth.SAML1HttpArtifactEncoder" class="org.opensaml.saml1.binding.encoding.HTTPArtifactEncoder">
+                <constructor-arg ref="shibboleth.ArtifactMap"/>
+            </bean>
+        </entry>
+        <entry>
+            <key>
+                <value>urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding</value>
+            </key>
+            <bean id="shibboleth.SAML1HttpSoap11EncoderBuilder" class="org.opensaml.saml1.binding.encoding.HTTPSOAP11Encoder"/>
+        </entry>
+    </util:map>
+
+    <bean id="shibboleth.ServletAttributeExporter" class="edu.internet2.middleware.shibboleth.common.config.service.ServletContextAttributeExporter" depends-on="shibboleth.LogbackLogging" init-method="initialize">
+        <constructor-arg>
+           <list>
+               <value>shibboleth.SessionManager</value>
+           </list>
+        </constructor-arg>
+    </bean>
+
+</beans>
diff --git a/REL_2/src/installer/resources/conf-tmpl/logging.xml b/REL_2/src/installer/resources/conf-tmpl/logging.xml
new file mode 100644 (file)
index 0000000..2913e5f
--- /dev/null
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+    
+    <!--
+        Loggers define indicate which packages/categories are logged, at which level, and to which appender.
+        Levels: OFF, ERROR, WARN, INFO, DEBUG, TRACE, ALL
+    -->
+    <!-- Logs IdP, but not OpenSAML, messages -->
+    <logger name="edu.internet2.middleware.shibboleth" level="INFO"/>
+
+    <!-- Logs OpenSAML, but not IdP, messages -->
+    <logger name="org.opensaml" level="WARN"/>
+    
+    <!-- Logs LDAP related messages -->
+    <logger name="edu.vt.middleware.ldap" level="WARN"/>
+    
+    <!-- Logs inbound and outbound protocols messages at DEBUG level -->
+    <!--
+    <logger name="PROTOCOL_MESSAGE" level="DEBUG" />
+    -->
+    
+    <!-- 
+        Normally you should not edit below this point.  These default configurations are sufficient for 
+        almost every system.
+    -->
+
+    <!-- 
+        Logging appenders define where and how logging messages are logged.
+     -->
+    <appender name="IDP_ACCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>$IDP_HOME$/logs/idp-access.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <FileNamePattern>$IDP_HOME$/logs/idp-access-%d{yyyy-MM-dd}.log</FileNamePattern>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <appender name="IDP_AUDIT" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>$IDP_HOME$/logs/idp-audit.log</File>
+
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <FileNamePattern>$IDP_HOME$/logs/idp-audit-%d{yyyy-MM-dd}.log</FileNamePattern>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%msg%n</Pattern>
+        </encoder>
+    </appender>
+
+    <appender name="IDP_PROCESS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <File>$IDP_HOME$/logs/idp-process.log</File>
+        
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <FileNamePattern>$IDP_HOME$/logs/idp-process-%d{yyyy-MM-dd}.log</FileNamePattern>
+        </rollingPolicy>
+
+        <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+            <charset>UTF-8</charset>
+            <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
+        </encoder>
+    </appender>
+  
+    <logger name="Shibboleth-Access" level="ALL">
+        <appender-ref ref="IDP_ACCESS"/>
+    </logger>
+    
+    <logger name="Shibboleth-Audit" level="ALL">
+        <appender-ref ref="IDP_AUDIT"/>
+    </logger>
+        
+    <logger name="org.springframework" level="OFF"/>
+    
+    <logger name="org.apache.catalina" level="ERROR"/>
+
+    <root level="ERROR">
+        <appender-ref ref="IDP_PROCESS"/>
+    </root>
+
+</configuration>
diff --git a/REL_2/src/installer/resources/conf-tmpl/login.config b/REL_2/src/installer/resources/conf-tmpl/login.config
new file mode 100644 (file)
index 0000000..9dae5c7
--- /dev/null
@@ -0,0 +1,45 @@
+/*
+  This is the JAAS configuration file used by the Shibboleth IdP.
+  
+  A JAAS configuration file is a grouping of LoginModules defined in the following manner:
+  <LoginModuleClass> <Flag> <ModuleOptions>;
+  
+  LoginModuleClass - fully qualified class name of the LoginModule class
+  Flag             - indicates whether the requirement level for the modules; 
+                         allowed values: required, requisite, sufficient, optional
+  ModuleOptions    - a space delimited list of name="value" options
+  
+  For complete documentation on the format of this file see:
+  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
+  
+  For LoginModules available within the Sun JVM see:
+  http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/LoginConfigFile.html
+  
+  Warning: Do NOT use Sun's JNDI LoginModule to authentication against an LDAP directory,
+  Use the LdapLoginModule that ships with Shibboleth and is demonstrated below.
+
+  Note, the application identifier MUST be ShibUserPassAuth
+*/
+
+
+ShibUserPassAuth {
+
+// Example LDAP authentication
+// See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
+/*
+   edu.vt.middleware.ldap.jaas.LdapLoginModule required
+      ldapUrl="ldap://ldap.example.org"
+      baseDn="ou=people,dc=example,dc=org"
+      ssl="true"
+      userFilter="uid={0}";
+*/
+
+// Example Kerberos authentication, requires Sun's JVM
+// See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
+/*
+   com.sun.security.auth.module.Krb5LoginModule required
+      useKeyTab="true"
+      keyTab="/path/to/idp/keytab/file";
+*/
+
+};
diff --git a/REL_2/src/installer/resources/conf-tmpl/relying-party.xml b/REL_2/src/installer/resources/conf-tmpl/relying-party.xml
new file mode 100644 (file)
index 0000000..0086224
--- /dev/null
@@ -0,0 +1,177 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE configuration file.
+
+    This file specifies relying party dependent configurations for the IdP, for example, whether SAML assertions to a 
+    particular relying party should be signed.  It also includes metadata provider and credential definitions used 
+    when answering requests to a relying party.
+-->
+<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party" xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml" xmlns:metadata="urn:mace:shibboleth:2.0:metadata" xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:security="urn:mace:shibboleth:2.0:security" xmlns:samlsec="urn:mace:shibboleth:2.0:security:saml" xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd                                        urn:mace:shibboleth:2.0:relying-party:saml classpath:/schema/shibboleth-2.0-relying-party-saml.xsd                                        urn:mace:shibboleth:2.0:metadata classpath:/schema/shibboleth-2.0-metadata.xsd                                        urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd                                        urn:mace:shibboleth:2.0:security classpath:/schema/shibboleth-2.0-security.xsd                                        urn:mace:shibboleth:2.0:security:saml classpath:/schema/shibboleth-2.0-security-policy-saml.xsd                                        urn:oasis:names:tc:SAML:2.0:metadata classpath:/schema/saml-schema-metadata-2.0.xsd">
+                                       
+    <!-- ========================================== -->
+    <!--      Relying Party Configurations          -->
+    <!-- ========================================== -->
+    <rp:AnonymousRelyingParty provider="$IDP_ENTITY_ID$" defaultSigningCredentialRef="IdPCredential"/>
+    
+    <rp:DefaultRelyingParty provider="$IDP_ENTITY_ID$" defaultSigningCredentialRef="IdPCredential">
+        <!-- 
+            Each attribute in these profiles configuration is set to its default value,
+            that is, the values that would be in effect if those attributes were not present.
+            We list them here so that people are aware of them (since they seem reluctant to 
+            read the documentation).
+        -->
+        <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile" includeAttributeStatement="false" assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
+                              
+        <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile" assertionLifetime="PT5M" signResponses="conditional" signAssertions="never"/>
+        
+        <rp:ProfileConfiguration xsi:type="saml:SAML1ArtifactResolutionProfile" signResponses="conditional" signAssertions="never"/>
+        
+        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="never" signAssertions="always" encryptAssertions="conditional" encryptNameIds="never"/>
+
+        <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile" includeAttributeStatement="true" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="never" signAssertions="always" encryptAssertions="conditional" encryptNameIds="never"/>
+
+        <rp:ProfileConfiguration xsi:type="saml:SAML2AttributeQueryProfile" assertionLifetime="PT5M" assertionProxyCount="0" signResponses="conditional" signAssertions="never" encryptAssertions="conditional" encryptNameIds="never"/>
+        
+        <rp:ProfileConfiguration xsi:type="saml:SAML2ArtifactResolutionProfile" signResponses="never" signAssertions="always" encryptAssertions="conditional" encryptNameIds="never"/>
+        
+    </rp:DefaultRelyingParty>
+        
+    
+    <!-- ========================================== -->
+    <!--      Metadata Configuration                -->
+    <!-- ========================================== -->
+    <!-- MetadataProvider the combining other MetadataProviders -->
+    <metadata:MetadataProvider id="ShibbolethMetadata" xsi:type="metadata:ChainingMetadataProvider">
+    
+       <!-- Load the IdP's own metadata.  This is necessary for artifact support. -->
+        <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:ResourceBackedMetadataProvider">
+            <metadata:MetadataResource xsi:type="resource:FilesystemResource" file="$IDP_HOME$/metadata/idp-metadata.xml"/>
+        </metadata:MetadataProvider>
+        
+        <!-- Example metadata provider. -->
+        <!-- Reads metadata from a URL and store a backup copy on the file system. -->
+        <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
+        <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
+        <!--
+        <metadata:MetadataProvider id="URLMD" xsi:type="metadata:FileBackedHTTPMetadataProvider"
+                          metadataURL="http://example.org/metadata.xml"
+                          backingFile="$IDP_HOME$/metadata/some-metadata.xml">
+            <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
+                <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil" 
+                                maxValidityInterval="P7D" />
+                <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
+                                trustEngineRef="shibboleth.MetadataTrustEngine"
+                                requireSignedMetadata="true" />
+                   <metadata:MetadataFilter xsi:type="metadata:EntityRoleWhiteList">
+                    <metadata:RetainedRole>samlmd:SPSSODescriptor</metadata:RetainedRole>
+                </metadata:MetadataFilter>
+            </metadata:MetadataFilter>
+        </metadata:MetadataProvider>
+        -->
+        
+    </metadata:MetadataProvider>
+
+    
+    <!-- ========================================== -->
+    <!--     Security Configurations                -->
+    <!-- ========================================== -->
+    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
+        <security:PrivateKey>$IDP_HOME$/credentials/idp.key</security:PrivateKey>
+        <security:Certificate>$IDP_HOME$/credentials/idp.crt</security:Certificate>
+    </security:Credential>
+    
+    <!-- Trust engine used to evaluate the signature on loaded metadata. -->
+    <!--
+    <security:TrustEngine id="shibboleth.MetadataTrustEngine" xsi:type="security:StaticExplicitKeySignature">
+        <security:Credential id="MyFederation1Credentials" xsi:type="security:X509Filesystem">
+            <security:Certificate>$IDP_HOME$/credentials/federation1.crt</security:Certificate>
+        </security:Credential>
+    </security:TrustEngine>
+     -->
+     
+    <!-- DO NOT EDIT BELOW THIS POINT -->
+    <!-- 
+        The following trust engines and rules control every aspect of security related to incoming messages. 
+        Trust engines evaluate various tokens (like digital signatures) for trust worthiness while the 
+        security policies establish a set of checks that an incoming message must pass in order to be considered
+        secure.  Naturally some of these checks require the validation of the tokens evaluated by the trust 
+        engines and so you'll see some rules that reference the declared trust engines.
+    -->
+    <security:TrustEngine id="shibboleth.SignatureTrustEngine" xsi:type="security:SignatureChaining">
+        <security:TrustEngine id="shibboleth.SignatureMetadataExplicitKeyTrustEngine" xsi:type="security:MetadataExplicitKeySignature" metadataProviderRef="ShibbolethMetadata"/>                              
+        <security:TrustEngine id="shibboleth.SignatureMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXSignature" metadataProviderRef="ShibbolethMetadata"/>
+    </security:TrustEngine>
+    
+    <security:TrustEngine id="shibboleth.CredentialTrustEngine" xsi:type="security:Chaining">
+        <security:TrustEngine id="shibboleth.CredentialMetadataExplictKeyTrustEngine" xsi:type="security:MetadataExplicitKey" metadataProviderRef="ShibbolethMetadata"/>
+        <security:TrustEngine id="shibboleth.CredentialMetadataPKIXTrustEngine" xsi:type="security:MetadataPKIXX509Credential" metadataProviderRef="ShibbolethMetadata"/>
+    </security:TrustEngine>
+     
+    <security:SecurityPolicy id="shibboleth.ShibbolethSSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay" required="false"/>
+        <security:Rule xsi:type="samlsec:IssueInstant" required="false"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML1ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
+    </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2SSOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:SAML2AuthnRequestsSigned"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+    </security:SecurityPolicy>
+
+    <security:SecurityPolicy id="shibboleth.SAML2AttributeQuerySecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML2ArtifactResolutionSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
+    </security:SecurityPolicy>
+    
+    <security:SecurityPolicy id="shibboleth.SAML2SLOSecurityPolicy" xsi:type="security:SecurityPolicyType">
+        <security:Rule xsi:type="samlsec:Replay"/>
+        <security:Rule xsi:type="samlsec:IssueInstant"/>
+        <security:Rule xsi:type="samlsec:ProtocolWithXMLSignature" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPRedirectSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="samlsec:SAML2HTTPPostSimpleSign" trustEngineRef="shibboleth.SignatureTrustEngine"/>
+        <security:Rule xsi:type="security:ClientCertAuth" trustEngineRef="shibboleth.CredentialTrustEngine"/>
+        <security:Rule xsi:type="samlsec:MandatoryIssuer"/>
+        <security:Rule xsi:type="security:MandatoryMessageAuthentication"/>
+    </security:SecurityPolicy>
+    
+</rp:RelyingPartyGroup>
diff --git a/REL_2/src/installer/resources/conf-tmpl/service.xml b/REL_2/src/installer/resources/conf-tmpl/service.xml
new file mode 100644 (file)
index 0000000..ed1b64c
--- /dev/null
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<srv:Services xmlns:srv="urn:mace:shibboleth:2.0:services" xmlns:attribute-afp="urn:mace:shibboleth:2.0:afp" xmlns:attribute-authority="urn:mace:shibboleth:2.0:attribute:authority" xmlns:attribute-resolver="urn:mace:shibboleth:2.0:resolver" xmlns:profile="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:relyingParty="urn:mace:shibboleth:2.0:relying-party" xmlns:resource="urn:mace:shibboleth:2.0:resource" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:services classpath:/schema/shibboleth-2.0-services.xsd                               urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd                               urn:mace:shibboleth:2.0:attribute:authority classpath:/schema/shibboleth-2.0-attribute-authority.xsd                               urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd                               urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd                               urn:mace:shibboleth:2.0:relying-party classpath:/schema/shibboleth-2.0-relying-party.xsd                               urn:mace:shibboleth:2.0:resource classpath:/schema/shibboleth-2.0-resource.xsd">
+
+    <srv:Service id="shibboleth.AttributeResolver" xsi:type="attribute-resolver:ShibbolethAttributeResolver">
+        <srv:ConfigurationResource file="$IDP_HOME$/conf/attribute-resolver.xml" xsi:type="resource:FilesystemResource"/>
+    </srv:Service>
+
+    <srv:Service id="shibboleth.AttributeFilterEngine" xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
+        <srv:ConfigurationResource file="$IDP_HOME$/conf/attribute-filter.xml" xsi:type="resource:FilesystemResource"/>
+    </srv:Service>
+    
+    <srv:Service id="shibboleth.SAML1AttributeAuthority" xsi:type="attribute-authority:SAML1AttributeAuthority" depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine" resolver="shibboleth.AttributeResolver" filter="shibboleth.AttributeFilterEngine"/>
+             
+    <srv:Service id="shibboleth.SAML2AttributeAuthority" xsi:type="attribute-authority:SAML2AttributeAuthority" depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine" resolver="shibboleth.AttributeResolver" filter="shibboleth.AttributeFilterEngine"/>
+
+    <srv:Service id="shibboleth.RelyingPartyConfigurationManager" xsi:type="relyingParty:SAMLMDRelyingPartyConfigurationManager" depends-on="shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority">
+        <srv:ConfigurationResource file="$IDP_HOME$/conf/relying-party.xml" xsi:type="resource:FilesystemResource"/>
+    </srv:Service>
+
+    <srv:Service id="shibboleth.HandlerManager" depends-on="shibboleth.RelyingPartyConfigurationManager" xsi:type="profile:IdPProfileHandlerManager">
+        <srv:ConfigurationResource file="$IDP_HOME$/conf/handler.xml" xsi:type="resource:FilesystemResource"/>
+    </srv:Service>
+    
+    <!-- 
+        A special service that exports all services upon which it depends into the ServletContext as an attribute 
+        with the same name as the service's ID.
+    -->
+    <srv:Service id="shibboleth.ServiceServletContextAttributeExporter" depends-on="shibboleth.AttributeResolver shibboleth.AttributeFilterEngine                          shibboleth.SAML1AttributeAuthority shibboleth.SAML2AttributeAuthority                           shibboleth.RelyingPartyConfigurationManager shibboleth.HandlerManager                          shibboleth.StorageService" xsi:type="srv:ServletContextAttributeExporter"/>
+</srv:Services>
diff --git a/REL_2/src/installer/resources/install.properties b/REL_2/src/installer/resources/install.properties
new file mode 100644 (file)
index 0000000..30b5128
--- /dev/null
@@ -0,0 +1,2 @@
+idp.home = /opt/shibboleth-idp
+idp.hostname=idp.example.org
\ No newline at end of file
diff --git a/REL_2/src/installer/resources/metadata-tmpl/idp-metadata.xml b/REL_2/src/installer/resources/metadata-tmpl/idp-metadata.xml
new file mode 100644 (file)
index 0000000..09464be
--- /dev/null
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="$IDP_ENTITY_ID$">
+
+    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">$IDP_SCOPE$</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+$IDP_CERTIFICATE$
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+        
+        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://$IDP_HOSTNAME$:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
+
+        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$IDP_HOSTNAME$:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
+                                   
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://$IDP_HOSTNAME$/idp/profile/Shibboleth/SSO"/>
+        
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://$IDP_HOSTNAME$/idp/profile/SAML2/POST/SSO"/>
+
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://$IDP_HOSTNAME$/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://$IDP_HOSTNAME$/idp/profile/SAML2/Redirect/SSO"/>
+    </IDPSSODescriptor>
+
+    <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+
+        <Extensions>
+            <shibmd:Scope regexp="false">$IDP_SCOPE$</shibmd:Scope>
+        </Extensions>
+
+        <KeyDescriptor>
+            <ds:KeyInfo>
+                <ds:X509Data>
+                    <ds:X509Certificate>
+$IDP_CERTIFICATE$
+                    </ds:X509Certificate>
+                </ds:X509Data>
+            </ds:KeyInfo>
+        </KeyDescriptor>
+
+        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://$IDP_HOSTNAME$:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
+        
+        <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://$IDP_HOSTNAME$:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
+        
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+        
+    </AttributeAuthorityDescriptor>
+    
+</EntityDescriptor>
diff --git a/REL_2/src/main/assembly/bin.xml b/REL_2/src/main/assembly/bin.xml
new file mode 100644 (file)
index 0000000..20a8c01
--- /dev/null
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Binary distribution, along with dependency jar files -->
+<assembly>
+    <id>bin</id>
+    <formats>
+        <format>tar.gz</format>
+        <format>zip</format>
+    </formats>
+    
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/lib</outputDirectory>
+            <excludes>
+                <exclude>org.apache.xerces:*</exclude>
+                <exclude>xalan:*</exclude>
+                <exclude>xml-resolver:*</exclude>
+                <exclude>xml-apis:</exclude>
+                <exclude>org.apache.ant:*</exclude>
+                <exclude>ant-contrib:*</exclude>
+                <exclude>edu.internet2.middleware:ant-extensions:*</exclude>
+            </excludes>
+            <includes>
+                <include>*:jar:*</include>
+            </includes>
+        </dependencySet>
+        <dependencySet>
+            <outputDirectory>src/installer/lib</outputDirectory>
+            <includes>
+                <include>org.apache.ant:*</include>
+                <include>ant-contrib:*</include>
+                <include>edu.internet2.middleware:ant-extensions:*</include>
+                <include>org.bouncycastle:*</include>
+            </includes>
+        </dependencySet>
+        <dependencySet>
+            <outputDirectory>/endorsed</outputDirectory>
+            <includes>
+                <include>org.apache.xerces:*</include>
+                <include>xalan:*</include>
+                <include>xml-resolver:*</include>
+            </includes>
+        </dependencySet>
+    </dependencySets>
+    
+    <fileSets>    
+        <!-- Copy up our installer srcipts into the root of the package -->
+        <fileSet>
+            <directory>src/installer/bash</directory>
+            <outputDirectory/>
+            <includes>
+                <include>*.sh</include>
+            </includes>
+            <fileMode>0755</fileMode>
+            <directoryMode>0755</directoryMode>
+        </fileSet>
+        <fileSet>
+            <directory>src/installer/bat</directory>
+            <outputDirectory/>
+            <includes>
+                <include>*.bat</include>
+            </includes>
+        </fileSet>
+        
+        <!-- Keep our various resource files in the package -->
+        <fileSet>
+            <directory>src/installer/resources</directory>
+            <outputDirectory>/src/installer/resources</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>src/main/webapp</directory>
+            <outputDirectory>/src/main/webapp</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>src/tools</directory>
+            <outputDirectory>src/tools</outputDirectory>
+        </fileSet>
+        
+        <!-- Documentation -->
+        <fileSet>
+            <includes>
+                <include>RELEASE-NOTES*</include>
+                <include>LICENSE*</include>
+            </includes>
+        </fileSet>
+        <fileSet>
+            <directory>doc/</directory>
+            <outputDirectory>/doc</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>target/site/apidocs</directory>
+            <outputDirectory>/doc/api</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>target/site/style</directory>
+            <outputDirectory>/doc/style</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>target/site/unitTest</directory>
+            <outputDirectory>/doc/unitTest</outputDirectory>
+        </fileSet>
+        <fileSet>
+            <directory>target/site/xref</directory>
+            <outputDirectory>/doc/src-xref</outputDirectory>
+        </fileSet>
+    </fileSets>
+    
+</assembly>
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/StatusServlet.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/StatusServlet.java
new file mode 100644 (file)
index 0000000..da8e279
--- /dev/null
@@ -0,0 +1,236 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.httpclient.HttpStatus;
+import org.joda.time.DateTime;
+import org.joda.time.Duration;
+import org.joda.time.chrono.ISOChronology;
+import org.joda.time.format.DateTimeFormatter;
+import org.joda.time.format.ISODateTimeFormat;
+import org.opensaml.xml.security.x509.X509Credential;
+import org.opensaml.xml.util.Base64;
+import org.opensaml.xml.util.DatatypeHelper;
+import org.opensaml.xml.util.LazyList;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException;
+import edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolver;
+import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfiguration;
+import edu.internet2.middleware.shibboleth.common.relyingparty.RelyingPartyConfigurationManager;
+import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
+import edu.internet2.middleware.shibboleth.idp.util.IPRange;
+
+/** A Servlet for displaying the status of the IdP. */
+public class StatusServlet extends HttpServlet {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -5280549109235107879L;
+
+    private final String IP_PARAM_NAME = "AllowedIPs";
+    
+    private final Logger log = LoggerFactory.getLogger(StatusServlet.class);
+
+    private LazyList<IPRange> allowedIPs;
+
+    /** Formatter used when print date/times. */
+    private DateTimeFormatter dateFormat;
+
+    /** Time the IdP started up. */
+    private DateTime startTime;
+
+    /** Attribute resolver used by the IdP. */
+    private AttributeResolver<?> attributeResolver;
+
+    /** Relying party configuration manager used by the IdP. */
+    private RelyingPartyConfigurationManager rpConfigManager;
+
+    /** {@inheritDoc} */
+    public void init(ServletConfig config) throws ServletException {
+        super.init(config);
+
+        allowedIPs = new LazyList<IPRange>();
+
+        String cidrBlocks = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(IP_PARAM_NAME));
+        if (cidrBlocks != null) {
+            for (String cidrBlock : cidrBlocks.split(" ")) {
+                allowedIPs.add(IPRange.parseCIDRBlock(cidrBlock));
+            }
+        }
+
+        dateFormat = ISODateTimeFormat.dateTimeNoMillis();
+        startTime = new DateTime(ISOChronology.getInstanceUTC());
+        attributeResolver = HttpServletHelper.getAttributeResolver(config.getServletContext());
+        rpConfigManager = HttpServletHelper.getRelyingPartyConfirmationManager(config.getServletContext());
+    }
+
+    /** {@inheritDoc} */
+    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+        if (!isAuthenticated(request)) {
+            response.sendError(HttpStatus.SC_UNAUTHORIZED);
+            return;
+        }
+
+        response.setContentType("text/plain");
+        PrintWriter output = response.getWriter();
+
+        printOperatingEnvironmentInformation(output);
+        output.println();
+        printIdPInformation(output);
+        output.println();
+        printRelyingPartyConfigurationsInformation(output, request.getParameter("relyingParty"));
+
+        output.flush();
+    }
+
+    /**
+     * Checks whether the client is authenticated.
+     * 
+     * @param request client request
+     * 
+     * @return true if the client is authenticated, false if not
+     */
+    protected boolean isAuthenticated(HttpServletRequest request) throws ServletException {
+        log.debug("Attempting to authenticate client '{}'", request.getRemoteAddr());
+        try {
+            InetAddress clientAddress = InetAddress.getByName(request.getRemoteAddr());
+
+            for (IPRange range : allowedIPs) {
+                if (range.contains(clientAddress)) {
+                    return true;
+                }
+            }
+
+            return false;
+        } catch (UnknownHostException e) {
+            throw new ServletException(e);
+        }
+    }
+
+    /**
+     * Prints out information about the operating environment. This includes the operating system name, version and
+     * architecture, the JDK version, available CPU cores, memory currently used by the JVM process, the maximum amount
+     * of memory that may be used by the JVM, and the current time in UTC.
+     * 
+     * @param out output writer to which information will be written
+     */
+    protected void printOperatingEnvironmentInformation(PrintWriter out) {
+        Runtime runtime = Runtime.getRuntime();
+        DateTime now = new DateTime(ISOChronology.getInstanceUTC());
+
+        out.println("### Operating Environment Information");
+        out.println("operating_system: " + System.getProperty("os.name"));
+        out.println("operating_system_version: " + System.getProperty("os.version"));
+        out.println("operating_system_architecture: " + System.getProperty("os.arch"));
+        out.println("jdk_version: " + System.getProperty("java.version"));
+        out.println("available_cores: " + runtime.availableProcessors());
+        out.println("used_memory: " + runtime.totalMemory() / 1048576 + "MB");
+        out.println("maximum_memory: " + runtime.maxMemory() / 1048576 + "MB");
+        out.println("start_time: " + startTime.toString(dateFormat));
+        out.println("current_time: " + now.toString(dateFormat));
+        out.println("uptime: " + (now.getMillis() - startTime.getMillis()) + "ms");
+    }
+
+    /**
+     * Prints out general IdP information. This includes IdP version, start up time, and whether the attribute resolver
+     * is currently operational.
+     * 
+     * @param out output writer to which information will be written
+     */
+    protected void printIdPInformation(PrintWriter out) {
+        Package pkg = Version.class.getPackage();
+
+        out.println("### Identity Provider Information");
+        out.println("idp_version: " + pkg.getImplementationVersion());
+        out.println("idp_start_time: " + startTime.toString(dateFormat));
+        try {
+            attributeResolver.validate();
+            out.println("attribute_resolver_valid: " + Boolean.TRUE);
+        } catch (AttributeResolutionException e) {
+            out.println("attribute_resolver_valid: " + Boolean.FALSE);
+        }
+    }
+
+    /**
+     * Prints information about relying party configurations. If the given relying party is null then the configuration
+     * for all relying parties is printed. If the relying party ID is not null then the relying party configurations for
+     * that entity is printed.
+     * 
+     * @param out output writer to which information will be written
+     * @param relyingPartyId entity ID of the relying party whose configuration should be printed
+     */
+    protected void printRelyingPartyConfigurationsInformation(PrintWriter out, String relyingPartyId) {
+        out.println("### Relying Party Configurations");
+
+        if (relyingPartyId == null) {
+            for (RelyingPartyConfiguration config : rpConfigManager.getRelyingPartyConfigurations().values()) {
+                printRelyingPartyConfigurationInformation(out, config);
+                out.println();
+            }
+        } else {
+            RelyingPartyConfiguration config = rpConfigManager.getRelyingPartyConfiguration(relyingPartyId);
+            printRelyingPartyConfigurationInformation(out, config);
+            out.println();
+        }
+    }
+
+    /**
+     * Prints out the information for a specific relying party configuration. This information includes the relying
+     * party or relying party group ID, the entity ID of the IdP when it responds when using this configuration, the
+     * default authentication method used for this config, and configured communication profiles.
+     * 
+     * @param out output writer to which information will be written
+     * @param config the relying party configuration
+     */
+    protected void printRelyingPartyConfigurationInformation(PrintWriter out, RelyingPartyConfiguration config) {
+        out.println("relying_party_id: " + config.getRelyingPartyId());
+        out.println("idp_entity_id: " + config.getProviderId());
+
+        if (config.getDefaultAuthenticationMethod() != null) {
+            out.println("default_authentication_method: " + config.getDefaultAuthenticationMethod());
+        } else {
+            out.println("default_authentication_method: none");
+        }
+
+        try {
+            X509Credential signingCredential = (X509Credential) config.getDefaultSigningCredential();
+            out
+                    .println("default_signing_tls_key: "
+                            + Base64.encodeBytes(signingCredential.getEntityCertificate().getEncoded(),
+                                    Base64.DONT_BREAK_LINES));
+        } catch (Throwable t) {
+            // swallow error
+        }
+
+        for (String profileId : config.getProfileConfigurations().keySet()) {
+            out.println("configured_communication_profile: " + profileId);
+        }
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/Version.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/Version.java
new file mode 100644 (file)
index 0000000..0198e4b
--- /dev/null
@@ -0,0 +1,106 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp;
+
+/** Class for printing the version of this IdP. */
+public final class Version {
+
+    /** Name of the IdP. */
+    private static final String NAME;
+
+    /** IdP version. */
+    private static final String VERSION;
+
+    /** IdP major version number. */
+    private static final int MAJOR_VERSION;
+
+    /** IdP minor version number. */
+    private static final int MINOR_VERSION;
+
+    /** IdP micro version number. */
+    private static final int MICRO_VERSION;
+
+    /** Constructor. */
+    private Version() {
+    }
+
+    /**
+     * Main entry point to program.
+     * 
+     * @param args command line arguments
+     */
+    public static void main(String[] args) {
+        Package pkg = Version.class.getPackage();
+        System.out.println(NAME + " version " + VERSION);
+    }
+
+    /**
+     * Gets the name of the IdP.
+     * 
+     * @return name of the IdP
+     */
+    public static String getName() {
+        return NAME;
+    }
+
+    /**
+     * Gets the version of the IdP.
+     * 
+     * @return version of the IdP
+     */
+    public static String getVersion() {
+        return VERSION;
+    }
+
+    /**
+     * Gets the major version number of the IdP.
+     * 
+     * @return major version number of the IdP
+     */
+    public static int getMajorVersion() {
+        return MAJOR_VERSION;
+    }
+
+    /**
+     * Gets the minor version number of the IdP.
+     * 
+     * @return minor version number of the IdP
+     */
+    public static int getMinorVersion() {
+        return MINOR_VERSION;
+    }
+
+    /**
+     * Gets the micro version number of the IdP.
+     * 
+     * @return micro version number of the IdP
+     */
+    public static int getMicroVersion() {
+        return MICRO_VERSION;
+    }
+
+    static {
+        Package pkg = Version.class.getPackage();
+        NAME = pkg.getImplementationTitle().intern();
+        VERSION = pkg.getImplementationVersion().intern();
+        String[] versionParts = VERSION.split("\\.");
+        MAJOR_VERSION = Integer.parseInt(versionParts[0]);
+        MINOR_VERSION = Integer.parseInt(versionParts[1]);
+        MICRO_VERSION = Integer.parseInt(versionParts[2]);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationEngine.java
new file mode 100644 (file)
index 0000000..50801c8
--- /dev/null
@@ -0,0 +1,809 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.joda.time.DateTime;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.util.storage.StorageService;
+import org.opensaml.ws.transport.http.HTTPTransportUtils;
+import org.opensaml.xml.util.Base64;
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.common.session.SessionManager;
+import edu.internet2.middleware.shibboleth.common.util.HttpHelper;
+import edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager;
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+import edu.internet2.middleware.shibboleth.idp.session.ServiceInformation;
+import edu.internet2.middleware.shibboleth.idp.session.Session;
+import edu.internet2.middleware.shibboleth.idp.session.impl.AuthenticationMethodInformationImpl;
+import edu.internet2.middleware.shibboleth.idp.session.impl.ServiceInformationImpl;
+import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
+
+/** Manager responsible for handling authentication requests. */
+public class AuthenticationEngine extends HttpServlet {
+
+    /**
+     * Name of the Servlet config init parameter that indicates whether the public credentials of a {@link Subject} are
+     * retained after authentication.
+     */
+    public static final String RETAIN_PUBLIC_CREDENTIALS = "retainSubjectsPublicCredentials";
+
+    /**
+     * Name of the Servlet config init parameter that indicates whether the private credentials of a {@link Subject} are
+     * retained after authentication.
+     */
+    public static final String RETAIN_PRIVATE_CREDENTIALS = "retainSubjectsPrivateCredentials";
+
+    /** Name of the Servlet config init parameter that holds the partition name for login contexts. */
+    public static final String LOGIN_CONTEXT_PARTITION_NAME_INIT_PARAM_NAME = "loginContextPartitionName";
+
+    /** Name of the Servlet config init parameter that holds lifetime of a login context in the storage service. */
+    public static final String LOGIN_CONTEXT_LIFETIME_INIT_PARAM_NAME = "loginContextEntryLifetime";
+
+    /** Name of the IdP Cookie containing the IdP session ID. */
+    public static final String IDP_SESSION_COOKIE_NAME = "_idp_session";
+
+    /** Name of the key under which to bind the storage service key for a login context. */
+    public static final String LOGIN_CONTEXT_KEY_NAME = "_idp_authn_lc_key";
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -8479060989001890156L;
+
+    /** Class logger. */
+    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationEngine.class);
+
+    // TODO remove once HttpServletHelper does redirects
+    private static ServletContext context;
+
+    /** Storage service used to store {@link LoginContext}s while authentication is in progress. */
+    private static StorageService<String, LoginContextEntry> storageService;
+
+    /** Whether the public credentials of a {@link Subject} are retained after authentication. */
+    private boolean retainSubjectsPublicCredentials;
+
+    /** Whether the private credentials of a {@link Subject} are retained after authentication. */
+    private boolean retainSubjectsPrivateCredentials;
+
+    /** Profile handler manager. */
+    private IdPProfileHandlerManager handlerManager;
+
+    /** Session manager. */
+    private SessionManager<Session> sessionManager;
+
+    /** {@inheritDoc} */
+    public void init(ServletConfig config) throws ServletException {
+        super.init(config);
+
+        String retain = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PRIVATE_CREDENTIALS));
+        if (retain != null) {
+            retainSubjectsPrivateCredentials = Boolean.parseBoolean(retain);
+        } else {
+            retainSubjectsPrivateCredentials = false;
+        }
+
+        retain = DatatypeHelper.safeTrimOrNullString(config.getInitParameter(RETAIN_PUBLIC_CREDENTIALS));
+        if (retain != null) {
+            retainSubjectsPublicCredentials = Boolean.parseBoolean(retain);
+        } else {
+            retainSubjectsPublicCredentials = false;
+        }
+        context = config.getServletContext();
+        handlerManager = HttpServletHelper.getProfileHandlerManager(context);
+        sessionManager = HttpServletHelper.getSessionManager(context);
+        storageService = (StorageService<String, LoginContextEntry>) HttpServletHelper.getStorageService(context);
+    }
+
+    /**
+     * Returns control back to the authentication engine.
+     * 
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    public static void returnToAuthenticationEngine(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+        LOG.debug("Returning control to authentication engine");
+        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpRequest);
+        if (loginContext == null) {
+            LOG.warn("No login context available, unable to return to authentication engine");
+            forwardRequest("/error.jsp", httpRequest, httpResponse);
+        } else {
+            forwardRequest(loginContext.getAuthenticationEngineURL(), httpRequest, httpResponse);
+        }
+    }
+
+    /**
+     * Returns control back to the profile handler that invoked the authentication engine.
+     * 
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    public static void returnToProfileHandler(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+        LOG.debug("Returning control to profile handler");
+        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, context, httpRequest);
+        if (loginContext == null) {
+            LOG.warn("No login context available, unable to return to profile handler");
+            forwardRequest("/error.jsp", httpRequest, httpResponse);
+        }
+
+        String profileUrl = HttpServletHelper.getContextRelativeUrl(httpRequest, loginContext.getProfileHandlerURL())
+                .buildURL();
+        LOG.debug("Redirecting user to profile handler at {}", profileUrl);
+        try {
+            httpResponse.sendRedirect(profileUrl);
+        } catch (IOException e) {
+            LOG.warn("Error sending user back to profile handler at " + profileUrl, e);
+        }
+    }
+
+    /**
+     * Forwards a request to the given path.
+     * 
+     * @param forwardPath path to forward the request to
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    protected static void forwardRequest(String forwardPath, HttpServletRequest httpRequest,
+            HttpServletResponse httpResponse) {
+        try {
+            RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(forwardPath);
+            dispatcher.forward(httpRequest, httpResponse);
+            return;
+        } catch (IOException e) {
+            LOG.error("Unable to return control back to authentication engine", e);
+        } catch (ServletException e) {
+            LOG.error("Unable to return control back to authentication engine", e);
+        }
+    }
+
+    /** {@inheritDoc} */
+    @SuppressWarnings("unchecked")
+    protected void service(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws ServletException,
+            IOException {
+        LOG.debug("Processing incoming request");
+
+        if (httpResponse.isCommitted()) {
+            LOG.error("HTTP Response already committed");
+        }
+
+        LoginContext loginContext = HttpServletHelper.getLoginContext(storageService, getServletContext(), httpRequest);
+        if (loginContext == null) {
+            LOG.warn("No login context available, unable to proceed with authentication");
+            forwardRequest("/error.jsp", httpRequest, httpResponse);
+            return;
+        }
+
+        if (!loginContext.getAuthenticationAttempted()) {
+            startUserAuthentication(loginContext, httpRequest, httpResponse);
+        } else {
+            completeAuthentication(loginContext, httpRequest, httpResponse);
+        }
+    }
+
+    /**
+     * Begins the authentication process. Determines if forced re-authentication is required or if an existing, active,
+     * authentication method is sufficient. Also determines, when authentication is required, which handler to use
+     * depending on whether passive authentication is required.
+     * 
+     * @param loginContext current login context
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    protected void startUserAuthentication(LoginContext loginContext, HttpServletRequest httpRequest,
+            HttpServletResponse httpResponse) {
+        LOG.debug("Beginning user authentication process.");
+        try {
+            Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
+            if (idpSession != null) {
+                LOG.debug("Existing IdP session available for principal {}", idpSession.getPrincipalName());
+            }
+
+            Map<String, LoginHandler> possibleLoginHandlers = determinePossibleLoginHandlers(idpSession, loginContext);
+
+            // Filter out possible candidate login handlers by forced and passive authentication requirements
+            if (loginContext.isForceAuthRequired()) {
+                filterByForceAuthentication(idpSession, loginContext, possibleLoginHandlers);
+            }
+
+            if (loginContext.isPassiveAuthRequired()) {
+                filterByPassiveAuthentication(idpSession, loginContext, possibleLoginHandlers);
+            }
+
+            LoginHandler loginHandler = selectLoginHandler(possibleLoginHandlers, loginContext, idpSession);
+            loginContext.setAuthenticationAttempted();
+            loginContext.setAuthenticationEngineURL(HttpHelper.getRequestUriWithoutContext(httpRequest));
+
+            // Send the request to the login handler
+            HttpServletHelper.bindLoginContext(loginContext, storageService, getServletContext(), httpRequest,
+                    httpResponse);
+            loginHandler.login(httpRequest, httpResponse);
+        } catch (AuthenticationException e) {
+            loginContext.setAuthenticationFailure(e);
+            returnToProfileHandler(httpRequest, httpResponse);
+        }
+    }
+
+    /**
+     * Determines which configured login handlers will support the requested authentication methods.
+     * 
+     * @param loginContext current login context
+     * @param idpSession current user's session, or null if they don't have one
+     * 
+     * @return login methods that may be used to authenticate the user
+     * 
+     * @throws AuthenticationException thrown if no login handler meets the given requirements
+     */
+    protected Map<String, LoginHandler> determinePossibleLoginHandlers(Session idpSession, LoginContext loginContext)
+            throws AuthenticationException {
+        Map<String, LoginHandler> supportedLoginHandlers = new HashMap<String, LoginHandler>(
+                handlerManager.getLoginHandlers());
+        LOG.debug("Filtering configured LoginHandlers: {}", supportedLoginHandlers);
+
+        // First, if the service provider requested a particular authentication method, filter out everything but
+        List<String> requestedMethods = loginContext.getRequestedAuthenticationMethods();
+        if (requestedMethods != null && !requestedMethods.isEmpty()) {
+            LOG.debug("Filtering possible login handlers by requested authentication methods: {}", requestedMethods);
+            Iterator<Entry<String, LoginHandler>> supportedLoginHandlerItr = supportedLoginHandlers.entrySet()
+                    .iterator();
+            Entry<String, LoginHandler> supportedLoginHandlerEntry;
+            while (supportedLoginHandlerItr.hasNext()) {
+                supportedLoginHandlerEntry = supportedLoginHandlerItr.next();
+                if (!supportedLoginHandlerEntry.getKey().equals(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX)
+                        && !requestedMethods.contains(supportedLoginHandlerEntry.getKey())) {
+                    LOG.debug(
+                            "Filtering out login handler for authentication {}, it does not provide a requested authentication method",
+                            supportedLoginHandlerEntry.getKey());
+                    supportedLoginHandlerItr.remove();
+                }
+            }
+        }
+
+        // Next, determine, if present, if the previous session handler can be used
+        filterPreviousSessionLoginHandler(supportedLoginHandlers, idpSession, loginContext);
+
+        if (supportedLoginHandlers.isEmpty()) {
+            LOG.warn("No authentication method, requested by the service provider, is supported");
+            throw new AuthenticationException(
+                    "No authentication method, requested by the service provider, is supported");
+        }
+
+        return supportedLoginHandlers;
+    }
+
+    /**
+     * Filters out the previous session login handler if there is no existing IdP session, no active authentication
+     * methods, or if at least one of the active authentication methods do not match the requested authentication
+     * methods.
+     * 
+     * @param supportedLoginHandlers login handlers supported by the authentication engine for this request, never null
+     * @param idpSession current IdP session, may be null if no session currently exists
+     * @param loginContext current login context, never null
+     */
+    protected void filterPreviousSessionLoginHandler(Map<String, LoginHandler> supportedLoginHandlers,
+            Session idpSession, LoginContext loginContext) {
+        if (!supportedLoginHandlers.containsKey(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX)) {
+            return;
+        }
+
+        if (idpSession == null) {
+            LOG.debug("Filtering out previous session login handler because there is no existing IdP session");
+            supportedLoginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+            return;
+        }
+        Collection<AuthenticationMethodInformation> currentAuthnMethods = idpSession.getAuthenticationMethods()
+                .values();
+
+        Iterator<AuthenticationMethodInformation> methodItr = currentAuthnMethods.iterator();
+        while (methodItr.hasNext()) {
+            AuthenticationMethodInformation info = methodItr.next();
+            if (info.isExpired()) {
+                methodItr.remove();
+            }
+        }
+        if (currentAuthnMethods.isEmpty()) {
+            LOG.debug("Filtering out previous session login handler because there are no active authentication methods");
+            supportedLoginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+            return;
+        }
+
+        List<String> requestedMethods = loginContext.getRequestedAuthenticationMethods();
+        if (requestedMethods != null && !requestedMethods.isEmpty()) {
+            boolean retainPreviousSession = false;
+            for (AuthenticationMethodInformation currentAuthnMethod : currentAuthnMethods) {
+                if (loginContext.getRequestedAuthenticationMethods().contains(
+                        currentAuthnMethod.getAuthenticationMethod())) {
+                    retainPreviousSession = true;
+                    break;
+                }
+            }
+
+            if (!retainPreviousSession) {
+                LOG.debug("Filtering out previous session login handler, no active authentication methods match required methods");
+                supportedLoginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+                return;
+            }
+        }
+    }
+
+    /**
+     * Filters out any login handler based on the requirement for forced authentication.
+     * 
+     * During forced authentication any handler that has not previously been used to authenticate the user or any
+     * handlers that have been and support force re-authentication may be used. Filter out any of the other ones.
+     * 
+     * @param idpSession user's current IdP session
+     * @param loginContext current login context
+     * @param loginHandlers login handlers to filter
+     * 
+     * @throws ForceAuthenticationException thrown if no handlers remain after filtering
+     */
+    protected void filterByForceAuthentication(Session idpSession, LoginContext loginContext,
+            Map<String, LoginHandler> loginHandlers) throws ForceAuthenticationException {
+        LOG.debug("Forced authentication is required, filtering possible login handlers accordingly");
+
+        ArrayList<AuthenticationMethodInformation> activeMethods = new ArrayList<AuthenticationMethodInformation>();
+        if (idpSession != null) {
+            activeMethods.addAll(idpSession.getAuthenticationMethods().values());
+        }
+
+        loginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+
+        LoginHandler loginHandler;
+        for (AuthenticationMethodInformation activeMethod : activeMethods) {
+            loginHandler = loginHandlers.get(activeMethod.getAuthenticationMethod());
+            if (loginHandler != null && !loginHandler.supportsForceAuthentication()) {
+                for (String handlerSupportedMethods : loginHandler.getSupportedAuthenticationMethods()) {
+                    LOG.debug("Removing LoginHandler {}, it does not support forced re-authentication", loginHandler
+                            .getClass().getName());
+                    loginHandlers.remove(handlerSupportedMethods);
+                }
+            }
+        }
+
+        LOG.debug("Authentication handlers remaining after forced authentication requirement filtering: {}",
+                loginHandlers);
+
+        if (loginHandlers.isEmpty()) {
+            LOG.info("Force authentication requested but no login handlers available to support it");
+            throw new ForceAuthenticationException();
+        }
+    }
+
+    /**
+     * Filters out any login handler that doesn't support passive authentication if the login context indicates passive
+     * authentication is required.
+     * 
+     * @param idpSession user's current IdP session
+     * @param loginContext current login context
+     * @param loginHandlers login handlers to filter
+     * 
+     * @throws PassiveAuthenticationException thrown if no handlers remain after filtering
+     */
+    protected void filterByPassiveAuthentication(Session idpSession, LoginContext loginContext,
+            Map<String, LoginHandler> loginHandlers) throws PassiveAuthenticationException {
+        LOG.debug("Passive authentication is required, filtering poassible login handlers accordingly.");
+
+        if (idpSession == null) {
+            loginHandlers.remove(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+        }
+
+        LoginHandler loginHandler;
+        Iterator<Entry<String, LoginHandler>> authnMethodItr = loginHandlers.entrySet().iterator();
+        while (authnMethodItr.hasNext()) {
+            loginHandler = authnMethodItr.next().getValue();
+            if (!loginHandler.supportsPassive()) {
+                authnMethodItr.remove();
+            }
+        }
+
+        LOG.debug("Authentication handlers remaining after passive authentication requirement filtering: {}",
+                loginHandlers);
+
+        if (loginHandlers.isEmpty()) {
+            LOG.warn("Passive authentication required but no login handlers available to support it");
+            throw new PassiveAuthenticationException();
+        }
+    }
+
+    /**
+     * Selects a login handler from a list of possible login handlers that could be used for the request.
+     * 
+     * @param possibleLoginHandlers list of possible login handlers that could be used for the request
+     * @param loginContext current login context
+     * @param idpSession current IdP session, if one exists
+     * 
+     * @return the login handler to use for this request
+     * 
+     * @throws AuthenticationException thrown if no handler can be used for this request
+     */
+    protected LoginHandler selectLoginHandler(Map<String, LoginHandler> possibleLoginHandlers,
+            LoginContext loginContext, Session idpSession) throws AuthenticationException {
+        LOG.debug("Selecting appropriate login handler from filtered set {}", possibleLoginHandlers);
+        LoginHandler loginHandler;
+        if (idpSession != null && possibleLoginHandlers.containsKey(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX)) {
+            LOG.debug("Authenticating user with previous session LoginHandler");
+            loginHandler = possibleLoginHandlers.get(AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+
+            for (AuthenticationMethodInformation authnMethod : idpSession.getAuthenticationMethods().values()) {
+                if (authnMethod.isExpired()) {
+                    continue;
+                }
+
+                if (loginContext.getRequestedAuthenticationMethods().isEmpty()
+                        || loginContext.getRequestedAuthenticationMethods().contains(
+                                authnMethod.getAuthenticationMethod())) {
+                    LOG.debug("Basing previous session authentication on active authentication method {}",
+                            authnMethod.getAuthenticationMethod());
+                    loginContext.setAttemptedAuthnMethod(authnMethod.getAuthenticationMethod());
+                    loginContext.setAuthenticationMethodInformation(authnMethod);
+                    return loginHandler;
+                }
+            }
+        }
+
+        if (loginContext.getDefaultAuthenticationMethod() != null
+                && possibleLoginHandlers.containsKey(loginContext.getDefaultAuthenticationMethod())) {
+            loginHandler = possibleLoginHandlers.get(loginContext.getDefaultAuthenticationMethod());
+            loginContext.setAttemptedAuthnMethod(loginContext.getDefaultAuthenticationMethod());
+        } else {
+            Entry<String, LoginHandler> chosenLoginHandler = possibleLoginHandlers.entrySet().iterator().next();
+            loginContext.setAttemptedAuthnMethod(chosenLoginHandler.getKey());
+            loginHandler = chosenLoginHandler.getValue();
+        }
+
+        LOG.debug("Authenticating user with login handler of type {}", loginHandler.getClass().getName());
+        return loginHandler;
+    }
+
+    /**
+     * Completes the authentication process.
+     * 
+     * The principal name set by the authentication handler is retrieved and pushed in to the login context, a
+     * Shibboleth session is created if needed, information indicating that the user has logged into the service is
+     * recorded and finally control is returned back to the profile handler.
+     * 
+     * @param loginContext current login context
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    protected void completeAuthentication(LoginContext loginContext, HttpServletRequest httpRequest,
+            HttpServletResponse httpResponse) {
+        LOG.debug("Completing user authentication process");
+
+        Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
+
+        try {
+            // We allow a login handler to override the authentication method in the
+            // event that it supports multiple methods
+            String actualAuthnMethod = DatatypeHelper.safeTrimOrNullString((String) httpRequest
+                    .getAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY));
+            if (actualAuthnMethod != null) {
+                if (!loginContext.getRequestedAuthenticationMethods().isEmpty()
+                        && !loginContext.getRequestedAuthenticationMethods().contains(actualAuthnMethod)) {
+                    String msg = "Relying patry required an authentication method of "
+                            + loginContext.getRequestedAuthenticationMethods() + " but the login handler performed "
+                            + actualAuthnMethod;
+                    LOG.error(msg);
+                    throw new AuthenticationException(msg);
+                }
+            } else {
+                actualAuthnMethod = loginContext.getAttemptedAuthnMethod();
+            }
+
+            // Check to make sure the login handler did the right thing
+            validateSuccessfulAuthentication(loginContext, httpRequest, actualAuthnMethod);
+
+            // Check for an overridden authn instant.
+            DateTime actualAuthnInstant = (DateTime) httpRequest.getAttribute(LoginHandler.AUTHENTICATION_INSTANT_KEY);
+
+            // Get the Subject from the request. If force authentication was required then make sure the
+            // Subject identifies the same user that authenticated before
+            Subject subject = getLoginHandlerSubject(httpRequest);
+            if (loginContext.isForceAuthRequired()) {
+                validateForcedReauthentication(idpSession, actualAuthnMethod, subject);
+
+                // Reset the authn instant.
+                if (actualAuthnInstant == null) {
+                    actualAuthnInstant = new DateTime();
+                }
+            }
+
+            loginContext.setPrincipalAuthenticated(true);
+            updateUserSession(loginContext, subject, actualAuthnMethod, actualAuthnInstant, httpRequest, httpResponse);
+            LOG.debug("User {} authenticated with method {}", loginContext.getPrincipalName(),
+                    loginContext.getAuthenticationMethod());
+        } catch (AuthenticationException e) {
+            LOG.error("Authentication failed with the error:", e);
+            loginContext.setPrincipalAuthenticated(false);
+            loginContext.setAuthenticationFailure(e);
+        }
+
+        returnToProfileHandler(httpRequest, httpResponse);
+    }
+
+    /**
+     * Validates that the authentication was successfully performed by the login handler. An authentication is
+     * considered successful if no error is bound to the request attribute {@link LoginHandler#AUTHENTICATION_ERROR_KEY}
+     * and there is a value for at least one of the following request attributes: {@link LoginHandler#SUBJECT_KEY},
+     * {@link LoginHandler#PRINCIPAL_KEY}, or {@link LoginHandler#PRINCIPAL_NAME_KEY}.
+     * 
+     * @param loginContext current login context
+     * @param httpRequest current HTTP request
+     * @param authenticationMethod the authentication method used to authenticate the user
+     * 
+     * @throws AuthenticationException thrown if the authentication was not successful
+     */
+    protected void validateSuccessfulAuthentication(LoginContext loginContext, HttpServletRequest httpRequest,
+            String authenticationMethod) throws AuthenticationException {
+        LOG.debug("Validating authentication was performed successfully");
+
+        if (authenticationMethod == null) {
+            LOG.error("No authentication method reported by login handler.");
+            throw new AuthenticationException("No authentication method reported by login handler.");
+        }
+
+        String errorMessage = DatatypeHelper.safeTrimOrNullString((String) httpRequest
+                .getAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY));
+        if (errorMessage != null) {
+            LOG.error("Error returned from login handler for authentication method {}:\n{}",
+                    loginContext.getAttemptedAuthnMethod(), errorMessage);
+            throw new AuthenticationException(errorMessage);
+        }
+
+        AuthenticationException authnException = (AuthenticationException) httpRequest
+                .getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
+        if (authnException != null) {
+            throw authnException;
+        }
+
+        Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
+        Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
+        String principalName = DatatypeHelper.safeTrimOrNullString((String) httpRequest
+                .getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
+
+        if (subject == null && principal == null && principalName == null) {
+            LOG.error("No user identified by login handler.");
+            throw new AuthenticationException("No user identified by login handler.");
+        }
+    }
+
+    /**
+     * Gets the subject from the request coming back from the login handler.
+     * 
+     * @param httpRequest request coming back from the login handler
+     * 
+     * @return the {@link Subject} created from the request
+     * 
+     * @throws AuthenticationException thrown if no subject can be retrieved from the request
+     */
+    protected Subject getLoginHandlerSubject(HttpServletRequest httpRequest) throws AuthenticationException {
+        Subject subject = (Subject) httpRequest.getAttribute(LoginHandler.SUBJECT_KEY);
+        Principal principal = (Principal) httpRequest.getAttribute(LoginHandler.PRINCIPAL_KEY);
+        String principalName = DatatypeHelper.safeTrimOrNullString((String) httpRequest
+                .getAttribute(LoginHandler.PRINCIPAL_NAME_KEY));
+
+        if (subject == null && (principal != null || principalName != null)) {
+            subject = new Subject();
+            if (principal == null) {
+                principal = new UsernamePrincipal(principalName);
+            }
+            subject.getPrincipals().add(principal);
+        }
+
+        return subject;
+    }
+
+    /**
+     * If forced authentication was required this method checks to ensure that the re-authenticated subject contains a
+     * principal name that is equal to the principal name associated with the authentication method. If this is the
+     * first time the subject has authenticated with this method than this check always passes.
+     * 
+     * @param idpSession user's IdP session
+     * @param authnMethod method used to authenticate the user
+     * @param subject subject that was authenticated
+     * 
+     * @throws AuthenticationException thrown if this check fails
+     */
+    protected void validateForcedReauthentication(Session idpSession, String authnMethod, Subject subject)
+            throws AuthenticationException {
+        if (idpSession != null) {
+            AuthenticationMethodInformation authnMethodInfo = idpSession.getAuthenticationMethods().get(authnMethod);
+            if (authnMethodInfo != null) {
+                boolean princpalMatch = false;
+                for (Principal princpal : subject.getPrincipals()) {
+                    if (authnMethodInfo.getAuthenticationPrincipal().equals(princpal)) {
+                        princpalMatch = true;
+                        break;
+                    }
+                }
+
+                if (!princpalMatch) {
+                    throw new ForceAuthenticationException(
+                            "Authenticated principal does not match previously authenticated principal");
+                }
+            }
+        }
+    }
+
+    /**
+     * Updates the user's Shibboleth session with authentication information. If no session exists a new one will be
+     * created.
+     * 
+     * @param loginContext current login context
+     * @param authenticationSubject subject created from the authentication method
+     * @param authenticationMethod the method used to authenticate the subject
+     * @param authenticationInstant the time of authentication
+     * @param httpRequest current HTTP request
+     * @param httpResponse current HTTP response
+     */
+    protected void updateUserSession(LoginContext loginContext, Subject authenticationSubject,
+            String authenticationMethod, DateTime authenticationInstant, HttpServletRequest httpRequest,
+            HttpServletResponse httpResponse) {
+        Principal authenticationPrincipal = authenticationSubject.getPrincipals().iterator().next();
+        LOG.debug("Updating session information for principal {}", authenticationPrincipal.getName());
+
+        Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
+        if (idpSession == null) {
+            LOG.debug("Creating shibboleth session for principal {}", authenticationPrincipal.getName());
+            idpSession = (Session) sessionManager.createSession();
+            loginContext.setSessionID(idpSession.getSessionID());
+            addSessionCookie(httpRequest, httpResponse, idpSession);
+        }
+
+        // Merge the information in the current session subject with the information from the
+        // login handler subject
+        idpSession.setSubject(mergeSubjects(idpSession.getSubject(), authenticationSubject));
+
+        // Check if an existing authentication method with no updated timestamp was used (i.e. SSO occurred);
+        // if not record the new information
+        AuthenticationMethodInformation authnMethodInfo = idpSession.getAuthenticationMethods().get(
+                authenticationMethod);
+        if (authnMethodInfo == null || authenticationInstant != null) {
+            LOG.debug("Recording authentication and service information in Shibboleth session for principal: {}",
+                    authenticationPrincipal.getName());
+            LoginHandler loginHandler = handlerManager.getLoginHandlers().get(loginContext.getAttemptedAuthnMethod());
+            DateTime authnInstant = authenticationInstant;
+            if (authnInstant == null) {
+                authnInstant = new DateTime();
+            }
+            authnMethodInfo = new AuthenticationMethodInformationImpl(idpSession.getSubject(), authenticationPrincipal,
+                    authenticationMethod, authnInstant, loginHandler.getAuthenticationDuration());
+        }
+
+        loginContext.setAuthenticationMethodInformation(authnMethodInfo);
+        idpSession.getAuthenticationMethods().put(authnMethodInfo.getAuthenticationMethod(), authnMethodInfo);
+        sessionManager.indexSession(idpSession, idpSession.getPrincipalName());
+
+        ServiceInformation serviceInfo = new ServiceInformationImpl(loginContext.getRelyingPartyId(), new DateTime(),
+                authnMethodInfo);
+        idpSession.getServicesInformation().put(serviceInfo.getEntityID(), serviceInfo);
+    }
+
+    /**
+     * Merges the two {@link Subject}s in to a new {@link Subject}. The new subjects contains all the {@link Principal}s
+     * from both subjects. If {@link #retainSubjectsPrivateCredentials} is true then the new subject will contain all
+     * the private credentials from both subjects, if not the new subject will not contain private credentials. If
+     * {@link #retainSubjectsPublicCredentials} is true then the new subject will contain all the public credentials
+     * from both subjects, if not the new subject will not contain public credentials.
+     * 
+     * @param subject1 first subject to merge, may be null
+     * @param subject2 second subject to merge, may be null
+     * 
+     * @return subject containing the merged information
+     */
+    protected Subject mergeSubjects(Subject subject1, Subject subject2) {
+        if (subject1 == null && subject2 == null) {
+            return new Subject();
+        }
+
+        if (subject1 == null) {
+            return subject2;
+        }
+
+        if (subject2 == null) {
+            return subject1;
+        }
+
+        Set<Principal> principals = new HashSet<Principal>(3);
+        principals.addAll(subject1.getPrincipals());
+        principals.addAll(subject2.getPrincipals());
+
+        Set<Object> publicCredentials = new HashSet<Object>(3);
+        if (retainSubjectsPublicCredentials) {
+            LOG.debug("Merging in subjects public credentials");
+            publicCredentials.addAll(subject1.getPublicCredentials());
+            publicCredentials.addAll(subject2.getPublicCredentials());
+        }
+
+        Set<Object> privateCredentials = new HashSet<Object>(3);
+        if (retainSubjectsPrivateCredentials) {
+            LOG.debug("Merging in subjects private credentials");
+            privateCredentials.addAll(subject1.getPrivateCredentials());
+            privateCredentials.addAll(subject2.getPrivateCredentials());
+        }
+
+        return new Subject(false, principals, publicCredentials, privateCredentials);
+    }
+
+    /**
+     * Adds an IdP session cookie to the outbound response.
+     * 
+     * @param httpRequest current request
+     * @param httpResponse current response
+     * @param userSession user's session
+     */
+    protected void addSessionCookie(HttpServletRequest httpRequest, HttpServletResponse httpResponse,
+            Session userSession) {
+        httpRequest.setAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE, userSession);
+
+        byte[] remoteAddress = httpRequest.getRemoteAddr().getBytes();
+        byte[] sessionId = userSession.getSessionID().getBytes();
+
+        String signature = null;
+        try {
+            MessageDigest digester = MessageDigest.getInstance("SHA");
+            digester.update(userSession.getSessionSecret());
+            digester.update(remoteAddress);
+            digester.update(sessionId);
+            signature = Base64.encodeBytes(digester.digest());
+        } catch (GeneralSecurityException e) {
+            LOG.error("Unable to compute signature over session cookie material", e);
+        }
+
+        LOG.debug("Adding IdP session cookie to HTTP response");
+        StringBuilder cookieValue = new StringBuilder();
+        cookieValue.append(Base64.encodeBytes(remoteAddress, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(Base64.encodeBytes(sessionId, Base64.DONT_BREAK_LINES)).append("|");
+        cookieValue.append(signature);
+
+        String cookieDomain = HttpServletHelper.getCookieDomain(context);
+
+        Cookie sessionCookie = new Cookie(IDP_SESSION_COOKIE_NAME, HTTPTransportUtils.urlEncode(cookieValue.toString()));
+        sessionCookie.setVersion(1);
+        if (cookieDomain != null) {
+            sessionCookie.setDomain(cookieDomain);
+        }
+        sessionCookie.setPath("".equals(httpRequest.getContextPath()) ? "/" : httpRequest.getContextPath());
+        sessionCookie.setSecure(httpRequest.isSecure());
+        httpResponse.addCookie(sessionCookie);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationException.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/AuthenticationException.java
new file mode 100644 (file)
index 0000000..18c56ce
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+/**
+ * An exception indicating a problem with user authentication.
+ */
+public class AuthenticationException extends Exception {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -889930177786373711L;
+
+    /** Constructor. */
+    public AuthenticationException() {
+        super();
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     */
+    public AuthenticationException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public AuthenticationException(Exception wrappedException) {
+        super(wrappedException);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public AuthenticationException(String message, Exception wrappedException) {
+        super(message, wrappedException);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ForceAuthenticationException.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ForceAuthenticationException.java
new file mode 100644 (file)
index 0000000..919125a
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+/**
+ * Exception indicating that forced authentication was requested but could not be performed.
+ */
+public class ForceAuthenticationException extends AuthenticationException {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = 6955738708697468055L;
+
+    /** Constructor. */
+    public ForceAuthenticationException() {
+        super();
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     */
+    public ForceAuthenticationException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public ForceAuthenticationException(Exception wrappedException) {
+        super(wrappedException);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public ForceAuthenticationException(String message, Exception wrappedException) {
+        super(message, wrappedException);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContext.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContext.java
new file mode 100644 (file)
index 0000000..d05b16b
--- /dev/null
@@ -0,0 +1,464 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import java.io.Serializable;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.joda.time.DateTime;
+import org.opensaml.xml.util.LazyList;
+
+import edu.internet2.middleware.shibboleth.idp.session.AuthenticationMethodInformation;
+
+/**
+ * Login context created by a profile handler and interpreted by the authentication package.
+ * 
+ * Two properties are tracked by default:
+ * <ul>
+ * <li><code>forceAuth</code> - Should user authentication be forced (default value: false).</li>
+ * <li><code>passiveAuth</code> - Should user authentication not control the UI (default value: false).</li>
+ * </ul>
+ * 
+ * A {@link Map}&lt;String, Object&gt; is provided to store other properties. Alternatively, a profile handler may
+ * create a subclass of LoginContext with extra fields.
+ * 
+ * LoginContexts should be created by a profile handler when authentication is needed. Once control has returned to the
+ * profile handler, it should remove the LoginContext from the HttpSession.
+ * 
+ * The {@link AuthenticationEngine} should set the {@link LoginContext#setAuthenticationAttempted()},
+ * {@link LoginContext#setPrincipalAuthenticated(boolean)},
+ * {@link LoginContext#setAuthenticationFailure(AuthenticationException)}, appropriately.
+ */
+public class LoginContext implements Serializable {
+
+    /** the key in a HttpSession where login contexts are stored. */
+    public static final String LOGIN_CONTEXT_KEY = "shib2.logincontext";
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -8764003758734956911L;
+
+    /** Entity ID of the relying party. */
+    private String relyingPartyId;
+
+    /** Should user authentication be forced. */
+    private boolean forceAuth;
+
+    /** Must authentication not interact with the UI. */
+    private boolean passiveAuth;
+
+    /** A catch-all map for other properties. */
+    private Map<String, Serializable> propsMap = new ConcurrentHashMap<String, Serializable>(0);
+
+    /** The ProfileHandler URL. */
+    private String profileHandlerURL;
+
+    /** The authentication engine's URL. */
+    private String authnEngineURL;
+
+    /** Whether authentication been attempted yet. */
+    private boolean authnAttempted;
+
+    /** Attempted user authentication method. */
+    private String attemptedAuthnMethod;
+
+    /** Did authentication succeed? */
+    private boolean principalAuthenticated;
+
+    /** Exception that occurred during authentication. */
+    private AuthenticationException authnException;
+
+    /** The session id. */
+    private String sessionID;
+
+    /** Default authentication method to use if no other method is requested. */
+    private String defaultAuthenticationMethod;
+
+    /** List of request authentication methods. */
+    private List<String> requestAuthenticationMethods;
+
+    /** Information about the authentication method. */
+    private AuthenticationMethodInformation authenticationMethodInformation;
+
+    /** Creates a new instance of LoginContext. */
+    public LoginContext() {
+        requestAuthenticationMethods = new LazyList<String>();
+    }
+
+    /**
+     * Creates a new instance of LoginContext.
+     * 
+     * @param force if the authentication manager must re-authenticate the user.
+     * @param passive if the authentication manager must not interact with the users UI.
+     */
+    public LoginContext(boolean force, boolean passive) {
+        forceAuth = force;
+        passiveAuth = passive;
+        requestAuthenticationMethods = new LazyList<String>();
+    }
+
+    /**
+     * Gets the authentication method that was used when attempting to authenticate the user. Note, this may be
+     * different than the authentication method reported within {@link #getAuthenticationMethodInformation()}.
+     * 
+     * @return authentication method that was used when attempting to authenticate the user
+     */
+    public synchronized String getAttemptedAuthnMethod() {
+        return attemptedAuthnMethod;
+    }
+
+    /**
+     * Returns if authentication has been attempted for this user.
+     * 
+     * @return if authentication has been attempted for this user
+     */
+    public synchronized boolean getAuthenticationAttempted() {
+        return authnAttempted;
+    }
+
+    /**
+     * Gets the duration of authentication.
+     * 
+     * @return The duration of authentication, or zero if none was set.
+     */
+    public synchronized long getAuthenticationDuration() {
+        if(authenticationMethodInformation == null){
+            return 0;
+        }
+
+        return authenticationMethodInformation.getAuthenticationDuration();
+    }
+
+    /**
+     * Gets the authentication engine's URL.
+     * 
+     * @return the URL of the authentication engine
+     */
+    public synchronized String getAuthenticationEngineURL() {
+        return authnEngineURL;
+    }
+
+    /**
+     * Gets the error that occurred during authentication.
+     * 
+     * @return error that occurred during authentication
+     */
+    public synchronized AuthenticationException getAuthenticationFailure() {
+        return authnException;
+    }
+
+    /**
+     * Gets the authentication instant.
+     * 
+     * @return The instant of authentication, or <code>null</code> if none was set.
+     */
+    public synchronized DateTime getAuthenticationInstant() {
+        if(authenticationMethodInformation == null){
+            return null;
+        }
+
+        return authenticationMethodInformation.getAuthenticationInstant();
+    }
+
+    /**
+     * Gets the method used to authenticate the user.
+     * 
+     * @return The method used to authenticate the user.
+     */
+    public synchronized String getAuthenticationMethod() {
+        if(authenticationMethodInformation == null){
+            return null;
+        }
+        return authenticationMethodInformation.getAuthenticationMethod();
+    }
+
+    /**
+     * Gets information about the authentication event.
+     * 
+     * @return information about the authentication event.
+     */
+    public synchronized AuthenticationMethodInformation getAuthenticationMethodInformation() {
+        return authenticationMethodInformation;
+    }
+
+    /**
+     * Gets the authentication method to use if none is requested.
+     * 
+     * @return authentication method to use if none is requested, may be null which indicates any method may be used
+     */
+    public synchronized String getDefaultAuthenticationMethod() {
+        return defaultAuthenticationMethod;
+    }
+
+    /**
+     * Returns the ID of the authenticated user.
+     * 
+     * @return the ID of the user, or <code>null</code> if authentication failed.
+     */
+    public synchronized String getPrincipalName() {
+        if(authenticationMethodInformation == null){
+            return null;
+        }
+
+        Principal principal = authenticationMethodInformation.getAuthenticationPrincipal();
+        if(principal == null){
+            return null;
+        }
+        
+        return principal.getName();
+    }
+
+    /**
+     * Gets the ProfileHandler URL.
+     * 
+     * @return the URL of the profile handler that is invoking the Authentication Manager.
+     */
+    public synchronized String getProfileHandlerURL() {
+        return profileHandlerURL;
+    }
+
+    /**
+     * Get an optional property object.
+     * 
+     * @param key The key in the properties Map.
+     * 
+     * @return The object, or <code>null</code> is no object exists for the key.
+     */
+    public synchronized Object getProperty(String key) {
+        return propsMap.get(key);
+    }
+
+    /**
+     * Gets the entity ID of the relying party.
+     * 
+     * @return entity ID of the relying party
+     */
+    public synchronized String getRelyingPartyId() {
+        return relyingPartyId;
+    }
+
+    /**
+     * Return the acceptable authentication handler URIs, in preference order, for authenticating this user. If no
+     * authentication methods are preferred the resultant list will be empty.
+     * 
+     * @return an list of authentication method identifiers
+     */
+    public synchronized List<String> getRequestedAuthenticationMethods() {
+        return requestAuthenticationMethods;
+    }
+
+    /**
+     * Gets the {@link edu.internet2.middleware.shibboleth.idp.session.Session} ID.
+     * 
+     * @return the Session id
+     */
+    public synchronized String getSessionID() {
+        return sessionID;
+    }
+
+    /**
+     * Returns if authentication must be forced.
+     * 
+     * @return <code>true</code> if the authentication manager must re-authenticate the user.
+     */
+    public synchronized boolean isForceAuthRequired() {
+        return forceAuth;
+    }
+
+    /**
+     * Returns if authentication must be passive.
+     * 
+     * @return <code>true</code> if the authentication manager must not interact with the users UI.
+     */
+    public synchronized boolean isPassiveAuthRequired() {
+        return passiveAuth;
+    }
+
+    /**
+     * Returns if authentication succeeded.
+     * 
+     * @return <code>true</code> is the user was successfully authenticated.
+     */
+    public synchronized boolean isPrincipalAuthenticated() {
+        return principalAuthenticated;
+    }
+
+    /**
+     * Sets the authentication method that was used when attempting to authenticate the user.
+     * 
+     * @param method authentication method that was used when attempting to authenticate the user
+     */
+    public synchronized void setAttemptedAuthnMethod(String method) {
+        attemptedAuthnMethod = method;
+    }
+
+    /**
+     * Set if authentication has been attempted.
+     * 
+     * This method should be called by an {@link LoginHandler} while processing a request.
+     */
+    public synchronized void setAuthenticationAttempted() {
+        authnAttempted = true;
+    }
+
+    /**
+     * Sets the duration of authentication.
+     * 
+     * @param duration The duration of authentication.
+     * 
+     * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
+     */
+    public synchronized void setAuthenticationDuration(long duration) {
+    }
+
+    /**
+     * Sets the authentication engine's URL.
+     * 
+     * @param url the URL of the authentication engine
+     */
+    public synchronized void setAuthenticationEngineURL(String url) {
+        authnEngineURL = url;
+    }
+
+    /**
+     * Sets the error that occurred during authentication.
+     * 
+     * @param error error that occurred during authentication
+     */
+    public synchronized void setAuthenticationFailure(AuthenticationException error) {
+        authnException = error;
+    }
+
+    /**
+     * Sets the authentication instant.
+     * 
+     * @param instant The instant of authentication.
+     * 
+     * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
+     */
+    public synchronized void setAuthenticationInstant(final DateTime instant) {
+    }
+
+    /**
+     * Sets the method used to authenticate the user.
+     * 
+     * @param method The method used to authenticate the user.
+     * 
+     * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
+     */
+    public synchronized void setAuthenticationMethod(String method) {
+    }
+
+    /**
+     * Sets the information about the authentication event.
+     * 
+     * @param info information about the authentication event
+     */
+    public synchronized void setAuthenticationMethodInformation(AuthenticationMethodInformation info) {
+        authenticationMethodInformation = info;
+    }
+
+    /**
+     * Sets the authentication method to use if none is requested.
+     * 
+     * @param method authentication method to use if none is requested, may be null which indicates any method may be
+     *            used
+     */
+    public synchronized void setDefaultAuthenticationMethod(String method) {
+        defaultAuthenticationMethod = method;
+    }
+
+    /**
+     * Sets if authentication must be forced.
+     * 
+     * @param force if the authentication manager must re-authenticate the user.
+     */
+    public synchronized void setForceAuthRequired(boolean force) {
+        forceAuth = force;
+    }
+
+    /**
+     * Sets if authentication must be passive.
+     * 
+     * @param passive if the authentication manager must not interact with the users UI.
+     */
+    public synchronized void setPassiveAuthRequired(boolean passive) {
+        passiveAuth = passive;
+    }
+
+    /**
+     * Sets if authentication succeeded.
+     * 
+     * @param authnOK if authentication succeeded;
+     */
+    public synchronized void setPrincipalAuthenticated(boolean authnOK) {
+        this.principalAuthenticated = authnOK;
+    }
+
+    /**
+     * Sets the ID of the authenticated user.
+     * 
+     * @param id The userid.
+     * 
+     * @deprecated this information is contained in the {@link AuthenticationMethodInformation}
+     */
+    public synchronized void setPrincipalName(String id) {
+
+    }
+
+    /**
+     * Sets the ProfileHandler URL.
+     * 
+     * @param url The URL of the profile handler that invoked the AuthenticationManager/
+     */
+    public synchronized void setProfileHandlerURL(String url) {
+        profileHandlerURL = url;
+    }
+
+    /**
+     * Sets an optional property object.
+     * 
+     * If an object is already associated with key, it will be overwritten.
+     * 
+     * @param key The key to set.
+     * @param obj The object to associate with key.
+     */
+    public synchronized void setProperty(String key, final Serializable obj) {
+        propsMap.put(key, obj);
+    }
+
+    /**
+     * Gets the entity ID of the relying party.
+     * 
+     * @param id entity ID of the relying party
+     */
+    public synchronized void setRelyingParty(String id) {
+        relyingPartyId = id;
+    }
+
+    /**
+     * Sets the {@link edu.internet2.middleware.shibboleth.idp.session.Session} ID.
+     * 
+     * @param id the Session ID
+     */
+    public synchronized void setSessionID(String id) {
+        sessionID = id;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginContextEntry.java
new file mode 100644 (file)
index 0000000..bc3c70d
--- /dev/null
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import org.joda.time.DateTime;
+import org.opensaml.util.storage.AbstractExpiringObject;
+
+/** Storage service entry for login contexts. */
+public class LoginContextEntry extends AbstractExpiringObject {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -1528197153404835381L;
+    
+    /** Stored login context. */
+    private LoginContext loginCtx;
+
+    /**
+     * Constructor.
+     * 
+     * @param ctx context to store
+     * @param lifetime lifetime of the entry
+     */
+    public LoginContextEntry(LoginContext ctx, long lifetime) {
+        super(new DateTime().plus(lifetime));
+        loginCtx = ctx;
+    }
+
+    /**
+     * Gets the login context.
+     * 
+     * @return login context
+     */
+    public LoginContext getLoginContext() {
+        return loginCtx;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/LoginHandler.java
new file mode 100644 (file)
index 0000000..cfe7884
--- /dev/null
@@ -0,0 +1,128 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Authentication handlers authenticate a user in an implementation specific manner. Some examples of this might be by
+ * collecting a user name and password and validating it against an LDAP directory, validating a client certificate, or
+ * validating one-time password.
+ * 
+ * When a login handler is invoked the user's {@link edu.internet2.middleware.shibboleth.idp.session.Session} is bound
+ * to the {@link javax.servlet.http.HttpSession} under the attribute with the name
+ * {@link edu.internet2.middleware.shibboleth.idp.session.Session#HTTP_SESSION_BINDING_ATTRIBUTE}.
+ * 
+ * After a successful authentication has been completed the handler <strong>MUST</strong> either:
+ * <ul>
+ * <li>Bind a {@link javax.security.auth.Subject} to the attribute identified by {@link #SUBJECT_KEY} if one was created
+ * during the authentication process. The principals, public, and private credentials from this subject will be merged
+ * with those in the {@link javax.security.auth.Subject} within the
+ * {@link edu.internet2.middleware.shibboleth.idp.session.Session}.</li>
+ * <li>Bind a {@link java.security.Principal} for the user to the request attribute identified by {@link #PRINCIPAL_KEY}
+ * . Such a {@link java.security.Principal} <strong>MUST</strong> implement {@link java.io.Serializable}. This principal
+ * will be added to the {@link javax.security.auth.Subject} within the
+ * {@link edu.internet2.middleware.shibboleth.idp.session.Session}.</li>
+ * <li>Bind a principal name string to the request attribute identified by {@link #PRINCIPAL_NAME_KEY}. In this case the
+ * {@link AuthenticationEngine} will create a {@link java.security.Principal} object of type
+ * {@link edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal} and add that to the
+ * {@link javax.security.auth.Subject} within the {@link edu.internet2.middleware.shibboleth.idp.session.Session}.</li>
+ * </ul>
+ * 
+ * The handler <strong>MAY</strong> also:
+ * <ul>
+ * <li>Bind a URI string, representing the authentication method actually used, to a request attribute identified by
+ * {@link #AUTHENTICATION_METHOD_KEY}. This may be used if a handler is capable of performing multiple types of
+ * authentication.</li>
+ * <li>Bind an error message, if an error occurred during authentication to the request attribute identified by
+ * {@link LoginHandler#AUTHENTICATION_ERROR_KEY}.</li>
+ * <li>Bind a {@link AuthenticationException}, if an exception occurred during authentication to the request attribute
+ * identified by {@link LoginHandler#AUTHENTICATION_EXCEPTION_KEY}.</li>
+ * </ul>
+ * 
+ * Finally, the handler must return control to the authentication engine by invoking
+ * {@link AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}. After which the
+ * authentication handler must immediately return.
+ * 
+ * Handlers <strong>MUST NOT</strong> change or add any data to the user's {@link javax.servlet.http.HttpSession} that
+ * persists past the process of authenticating the user, that is no additional session data may be added and no existing
+ * session data may be changed when the handler returns control to the authentication engine.
+ */
+public interface LoginHandler {
+
+    /** Request attribute to which user's principal should be bound. */
+    public static final String PRINCIPAL_KEY = "principal";
+
+    /** Request attribute to which user's principal name should be bound. */
+    public static final String PRINCIPAL_NAME_KEY = "principal_name";
+
+    /** Request attribute to which user's subject should be bound. */
+    public static final String SUBJECT_KEY = "subject";
+
+    /** Request attribute to which an authentication method URI may be bound. */
+    public static final String AUTHENTICATION_METHOD_KEY = "authnMethod";
+
+    /** Request attribute to which an authentication timestamp may be bound. */
+    public static final String AUTHENTICATION_INSTANT_KEY = "authnInstant";
+    
+    /** Request attribute to which an error message may be bound. */
+    public static final String AUTHENTICATION_ERROR_KEY = "authnError";
+
+    /** Request attribute to which an {@link AuthenticationException} may be bound. */
+    public static final String AUTHENTICATION_EXCEPTION_KEY = "authnException";
+
+    /**
+     * Gets the list of authentication methods this handler supports.
+     * 
+     * @return authentication methods this handler supports
+     */
+    public List<String> getSupportedAuthenticationMethods();
+
+    /**
+     * Gets the length of time, in milliseconds, after which a user authenticated by this handler should be
+     * re-authenticated.
+     * 
+     * @return length of time, in milliseconds, after which a user should be re-authenticated
+     */
+    public long getAuthenticationDuration();
+
+    /**
+     * Gets whether this handler supports passive authentication.
+     * 
+     * @return whether this handler supports passive authentication
+     */
+    public boolean supportsPassive();
+
+    /**
+     * Returns if this handler supports the ability to force a user to (re-)authenticate.
+     * 
+     * @return if this handler can force a user to (re-)authenticate.
+     */
+    public boolean supportsForceAuthentication();
+
+    /**
+     * Authenticate the user making the request.
+     * 
+     * @param httpRequest user request
+     * @param httpResponse response to user
+     */
+    public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse);
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/PassiveAuthenticationException.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/PassiveAuthenticationException.java
new file mode 100644 (file)
index 0000000..3f7faa5
--- /dev/null
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+/**
+ * Exception indicating that passive authentication was requested but could not be performed.
+ */
+public class PassiveAuthenticationException extends AuthenticationException {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = 8333401210912649476L;
+
+    /** Constructor. */
+    public PassiveAuthenticationException() {
+        super();
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     */
+    public PassiveAuthenticationException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public PassiveAuthenticationException(Exception wrappedException) {
+        super(wrappedException);
+    }
+
+    /**
+     * Constructor.
+     * 
+     * @param message exception message
+     * @param wrappedException exception to be wrapped by this one
+     */
+    public PassiveAuthenticationException(String message, Exception wrappedException) {
+        super(message, wrappedException);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/Saml2LoginContext.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/Saml2LoginContext.java
new file mode 100644 (file)
index 0000000..5a7f72e
--- /dev/null
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import java.io.Serializable;
+import java.io.StringWriter;
+import java.util.List;
+
+import org.opensaml.Configuration;
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.saml2.core.AuthnContextClassRef;
+import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration;
+import org.opensaml.saml2.core.AuthnContextDeclRef;
+import org.opensaml.saml2.core.AuthnRequest;
+import org.opensaml.saml2.core.RequestedAuthnContext;
+import org.opensaml.xml.io.Marshaller;
+import org.opensaml.xml.io.MarshallingException;
+import org.opensaml.xml.io.UnmarshallingException;
+import org.opensaml.xml.util.DatatypeHelper;
+import org.opensaml.xml.util.LazyList;
+import org.opensaml.xml.util.XMLHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.w3c.dom.Element;
+
+/**
+ * A SAML 2.0 {@link LoginContext}.
+ * 
+ * This class can interpret {@link RequestedAuthnContext} and act accordingly.
+ */
+public class Saml2LoginContext extends LoginContext implements Serializable {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -7117092606828289070L;
+
+    /** Relay state from authentication request. */
+    private String relayState;
+
+    /** Serialized authentication request. */
+    private String serialAuthnRequest;
+    
+    /** Unsolicited SSO indicator.  */
+    private boolean unsolicited;
+
+    /**
+     * Creates a new instance of Saml2LoginContext.
+     * 
+     * @param relyingParty entity ID of the relying party
+     * @param state relay state from incoming authentication request
+     * @param request SAML 2.0 Authentication Request
+     * 
+     * @throws MarshallingException thrown if the given request can not be marshalled and serialized into a string
+     */
+    public Saml2LoginContext(String relyingParty, String state, AuthnRequest request) throws MarshallingException {
+        super();
+        
+        if (relyingParty == null || request == null) {
+            throw new IllegalArgumentException("SAML 2 authentication request and relying party ID may not be null");
+        }
+        setRelyingParty(relyingParty);
+        relayState = state;
+        serialAuthnRequest = serializeRequest(request);
+        
+        setForceAuthRequired(request.isForceAuthn());
+        setPassiveAuthRequired(request.isPassive());
+        getRequestedAuthenticationMethods().addAll(extractRequestedAuthenticationMethods(request));
+    }
+
+    /**
+     * Gets the serialized authentication request that started the login process.
+     * 
+     * @return authentication request that started the login process
+     * 
+     * @throws UnmarshallingException thrown if the serialized form on the authentication request can be unmarshalled
+     */
+    public synchronized String getAuthenticationRequest() throws UnmarshallingException {
+        return serialAuthnRequest;
+    }
+    
+    /**
+     * Gets the relay state from the originating authentication request.
+     * 
+     * @return relay state from the originating authentication request
+     */
+    public synchronized String getRelayState(){
+        return relayState;
+    }
+
+    /**
+     * Returns the unsolicited SSO indicator.
+     * 
+     * @return the unsolicited SSO indicator
+     */
+    public boolean isUnsolicited() {
+        return unsolicited;
+    }
+
+    /**
+     * Sets the unsolicited SSO indicator.
+     * 
+     * @param unsolicited unsolicited SSO indicator to set
+     */
+    public void setUnsolicited(boolean unsolicited) {
+        this.unsolicited = unsolicited;
+    }        
+    
+    /**
+     * Serializes an authentication request into a string.
+     * 
+     * @param request the request to serialize
+     * 
+     * @return the serialized form of the string
+     * 
+     * @throws MarshallingException thrown if the request can not be marshalled and serialized
+     */
+    protected String serializeRequest(AuthnRequest request) throws MarshallingException {
+        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(request);
+        Element requestElem = marshaller.marshall(request);
+        StringWriter writer = new StringWriter();
+        XMLHelper.writeNode(requestElem, writer);
+        return writer.toString();
+    }
+
+    
+    /**
+     * Extracts the authentication methods requested within the request.
+     * 
+     * @param request the authentication request
+     * 
+     * @return requested authentication methods, or an empty list if no preference
+     */
+    protected List<String> extractRequestedAuthenticationMethods(AuthnRequest request){
+        LazyList<String> requestedMethods = new LazyList<String>();
+
+        RequestedAuthnContext authnContext = request.getRequestedAuthnContext();
+        if (authnContext == null) {
+            return requestedMethods;
+        }
+
+        // For the immediate future, we only support the "exact" comparator.
+        AuthnContextComparisonTypeEnumeration comparator = authnContext.getComparison();
+        if (comparator != null && comparator != AuthnContextComparisonTypeEnumeration.EXACT) {
+            Logger log = LoggerFactory.getLogger(Saml2LoginContext.class);
+            log.warn("Unsupported comparision operator ( " + comparator
+                    + ") in RequestedAuthnContext. Only exact comparisions are supported.");
+            return requestedMethods;
+        }
+
+        // build a list of all requested authn classes and declrefs
+        List<AuthnContextClassRef> authnClasses = authnContext.getAuthnContextClassRefs();
+        if (authnClasses != null) {
+            for (AuthnContextClassRef classRef : authnClasses) {
+                if (classRef != null && !DatatypeHelper.isEmpty(classRef.getAuthnContextClassRef())) {
+                    requestedMethods.add(classRef.getAuthnContextClassRef());
+                }
+            }
+        }
+
+        List<AuthnContextDeclRef> authnDeclRefs = authnContext.getAuthnContextDeclRefs();
+        if (authnDeclRefs != null) {
+            for (AuthnContextDeclRef declRef : authnDeclRefs) {
+                if (declRef != null&& !DatatypeHelper.isEmpty(declRef.getAuthnContextDeclRef())) {
+                    requestedMethods.add(declRef.getAuthnContextDeclRef());
+                }
+            }
+        }
+        
+        if(requestedMethods.contains(AuthnContext.UNSPECIFIED_AUTHN_CTX)){
+            requestedMethods.clear();
+        }
+
+        return requestedMethods;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ShibbolethSSOLoginContext.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/ShibbolethSSOLoginContext.java
new file mode 100644 (file)
index 0000000..623122a
--- /dev/null
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+/** Shibboleth SSO aware extension to {@link LoginContext}. */
+public class ShibbolethSSOLoginContext extends LoginContext {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -8388394528549536613L;
+
+    /** Service provider assertion consumer service URL. */
+    private String spAssertionConsumerService;
+
+    /** Service provider target URL. */
+    private String spTarget;
+
+    /** Constructor. */
+    public ShibbolethSSOLoginContext() {
+        super(false, false);
+    }
+
+    /**
+     * Gets the service provider assertion consumer service URL.
+     * 
+     * @return service provider assertion consumer service URL
+     */
+    public synchronized String getSpAssertionConsumerService() {
+        return spAssertionConsumerService;
+    }
+
+    /**
+     * Sets the service provider assertion consumer service URL.
+     * 
+     * @param url service provider assertion consumer service URL
+     */
+    public synchronized void setSpAssertionConsumerService(String url) {
+        spAssertionConsumerService = url;
+    }
+
+    /**
+     * Gets the service provider target URL.
+     * 
+     * @return service provider target URL
+     */
+    public synchronized String getSpTarget() {
+        return spTarget;
+    }
+
+    /**
+     * Sets the service provider target URL.
+     * 
+     * @param url service provider target URL
+     */
+    public synchronized void setSpTarget(String url) {
+        spTarget = url;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/UsernamePrincipal.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/UsernamePrincipal.java
new file mode 100644 (file)
index 0000000..61c38fd
--- /dev/null
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn;
+
+import java.io.Serializable;
+import java.security.Principal;
+
+import org.opensaml.xml.util.DatatypeHelper;
+
+/** A basic implementation of {@link Principal}. */
+public class UsernamePrincipal implements Principal, Serializable {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = 8708917521896240626L;
+    
+    /** Name of the principal. */
+    private String name;
+
+    /**
+     * Constructor.
+     * 
+     * @param principalName name of the principal
+     */
+    public UsernamePrincipal(String principalName) {
+        name = DatatypeHelper.safeTrimOrNullString(principalName);
+        if(name == null){
+            throw new IllegalArgumentException("principal name may not be null or empty");
+        }
+    }
+
+    /** {@inheritDoc} */
+    public String getName() {
+        return name;
+    }
+
+    /** {@inheritDoc} */
+    public String toString() {
+        return "{BasicPrincipal}" + getName();
+    }
+
+    /** {@inheritDoc} */
+    public int hashCode() {
+        return name.hashCode();
+    }
+
+    /** {@inheritDoc} */
+    public boolean equals(Object obj) {
+        if (obj == this) {
+            return true;
+        }
+
+        if (obj instanceof UsernamePrincipal) {
+            return DatatypeHelper.safeEquals(getName(), ((UsernamePrincipal) obj).getName());
+        }
+
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/AbstractLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/AbstractLoginHandler.java
new file mode 100644 (file)
index 0000000..cb03cac
--- /dev/null
@@ -0,0 +1,107 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.util.List;
+
+import org.opensaml.xml.util.LazyList;
+
+import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
+
+/**
+ * Base class for authentication handlers.
+ */
+public abstract class AbstractLoginHandler implements LoginHandler {
+    
+    /** Authentication methods this handler supports. */
+    private List<String> supportedAuthenticationMethods;
+
+    /** Length of time, in milliseconds, after which a user should be re-authenticated. */
+    private long authenticationDuration;
+
+    /** Whether this handler supports foreced re-authentication. */
+    private boolean supportsForceAuthentication;
+
+    /** Whether this handler supports passive authentication. */
+    private boolean supportsPassive;
+    
+    /** Constructor. */
+    protected AbstractLoginHandler(){
+        supportedAuthenticationMethods = new LazyList<String>();
+        supportsForceAuthentication = false;
+        supportsPassive = false;
+    }
+    
+    /** {@inheritDoc} */
+    public List<String> getSupportedAuthenticationMethods() {
+        return supportedAuthenticationMethods;
+    }
+
+    /** {@inheritDoc} */
+    public long getAuthenticationDuration() {
+        return authenticationDuration;
+    }
+    
+    /**
+     * Sets the length of time, in milliseconds, after which a user should be re-authenticated.
+     * 
+     * @param duration length of time, in milliseconds, after which a user should be re-authenticated 
+     */
+    public void setAuthenticationDuration(long duration) {
+        authenticationDuration = duration;
+    }
+
+    /**
+     * Sets the length of time, in milliseconds, after which a user should be re-authenticated.
+     * 
+     * @param duration length of time, in milliseconds, after which a user should be re-authenticated
+     * 
+     * @deprecated use {@link #setAuthenticationDuration(long)}
+     */
+    public void setAuthenticationDurection(long duration) {
+        authenticationDuration = duration;
+    }
+
+    /** {@inheritDoc} */
+    public boolean supportsForceAuthentication() {
+        return supportsForceAuthentication;
+    }
+
+    /**
+     * Sets whether this handler supports forced re-authentication.
+     * 
+     * @param supported whether this handler supports forced re-authentication
+     */
+    public void setSupportsForceAuthentication(boolean supported) {
+        supportsForceAuthentication = supported;
+    }
+
+    /** {@inheritDoc} */
+    public boolean supportsPassive() {
+        return supportsPassive;
+    }
+
+    /**
+     * Sets whether this handler supports passive authentication.
+     * 
+     * @param supported whether this handler supports passive authentication.
+     */
+    public void setSupportsPassive(boolean supported) {
+        supportsPassive = supported;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/ExternalAuthnSystemLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/ExternalAuthnSystemLoginHandler.java
new file mode 100644 (file)
index 0000000..f733ab1
--- /dev/null
@@ -0,0 +1,136 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.IOException;
+
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.authn.LoginContext;
+import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
+
+/**
+ * A login handler meant to bridge between the IdP and an external, web-based, authentication service.
+ * 
+ * This login handler will forward the user-agent to a context-relative path and include the following request
+ * attributes: {@link #FORCE_AUTHN_PARAM}, {@link #PASSIVE_AUTHN_PARAM}, {@link #AUTHN_METHOD_PARAM}, and
+ * {@link #RELYING_PARTY_PARAM}.
+ * 
+ * The external authentication system invocation Fileter/Servlet/JSP must, upon completion of authentication, set the
+ * appropriate {@link HttpServletRequest} attributes, as described by the
+ * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} interface and then invoke
+ * {@link edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine#returnToAuthenticationEngine(HttpServletRequest, HttpServletResponse)}
+ * .
+ */
+public class ExternalAuthnSystemLoginHandler extends AbstractLoginHandler {
+
+    /** Query parameter, {@value} , that indicates whether the authentication request requires forced authentication. */
+    public static final String FORCE_AUTHN_PARAM = "forceAuthn";
+
+    /** Query parameter, {@value} , that indicates whether the authentication requires passive authentication. */
+    public static final String PASSIVE_AUTHN_PARAM = "isPassive";
+
+    /** Query parameter, {@value} , that provides which authentication method should be attempted. */
+    public static final String AUTHN_METHOD_PARAM = "authnMethod";
+
+    /** Query parameter, {@value} , that provides the entity ID of the relying party that is requesting authentication. */
+    public static final String RELYING_PARTY_PARAM = "relyingParty";
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
+
+    /** The context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system. */
+    private String externalAuthnPath;
+
+    /** Constructor. */
+    public ExternalAuthnSystemLoginHandler() {
+        super();
+    }
+
+    /**
+     * Get context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
+     * 
+     * @return context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system
+     */
+    public String getExternalAuthnPath() {
+        return externalAuthnPath;
+    }
+
+    /**
+     * Set context-relative path to the Filter, Servlet, or JSP that triggers the external authentication system.
+     * 
+     * @param path context-relative path to the Filter, Servlet, or JSP that triggers the external authentication
+     *            system, may not be null or empty
+     */
+    public void setExternalAuthnPath(String path) {
+        String trimmedPath = DatatypeHelper.safeTrimOrNullString(path);
+        if (trimmedPath == null) {
+            throw new IllegalArgumentException("External Authn path may not be null or empty");
+        }
+
+        externalAuthnPath = trimmedPath;
+    }
+
+    /** {@inheritDoc} */
+    public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+
+        try {
+            log.debug("Forwarding authentication request to {}", externalAuthnPath);
+            populateRequestAttributes(httpRequest);
+            RequestDispatcher dispatcher = httpRequest.getRequestDispatcher(externalAuthnPath);
+            dispatcher.forward(httpRequest, httpResponse);
+            return;
+        } catch (IOException e) {
+            log.error("Unable to forward authentication request to external authentication system.", e);
+        } catch (ServletException e) {
+            log.error("Unable to forward authentication request to external authentication system.", e);
+        }
+    }
+
+    /**
+     * Sets the request attributes that will be sent to the external authentication service.
+     * 
+     * @param httpRequest current HTTP request
+     */
+    protected void populateRequestAttributes(HttpServletRequest httpRequest) {
+        LoginContext loginContext = HttpServletHelper.getLoginContext(httpRequest);
+
+        if (loginContext.isForceAuthRequired()) {
+            httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.TRUE);
+        } else {
+            httpRequest.setAttribute(FORCE_AUTHN_PARAM, Boolean.FALSE);
+        }
+
+        if (loginContext.isPassiveAuthRequired()) {
+            httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.TRUE);
+        } else {
+            httpRequest.setAttribute(PASSIVE_AUTHN_PARAM, Boolean.FALSE);
+        }
+
+        httpRequest.setAttribute(AUTHN_METHOD_PARAM, loginContext.getAttemptedAuthnMethod());
+
+        httpRequest.setAttribute(RELYING_PARTY_PARAM, loginContext.getRelyingPartyId());
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/IPAddressLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/IPAddressLoginHandler.java
new file mode 100644 (file)
index 0000000..6901cf8
--- /dev/null
@@ -0,0 +1,126 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
+import edu.internet2.middleware.shibboleth.idp.util.IPRange;
+
+/**
+ * IP Address authentication handler.
+ * 
+ * This "authenticates" a user based on their IP address. It operates in either default deny or default allow mode, and
+ * evaluates a given request against a list of blocked or permitted IPs. It supports both IPv4 and IPv6.
+ */
+public class IPAddressLoginHandler extends AbstractLoginHandler {
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);
+
+    /** The username to use for IP-address "authenticated" users. */
+    private String authenticatedUser;
+
+    /** List of configured IP ranged. */
+    private List<IPRange> ipRanges;
+
+    /** Whether a user is "authenticated" if their IP address is within a configured IP range. */
+    private boolean ipInRangeIsAuthenticated;
+
+    public IPAddressLoginHandler(String user, List<IPRange> ranges, boolean ipInRangeIsAuthenticated) {
+        authenticatedUser = DatatypeHelper.safeTrimOrNullString(user);
+        if (authenticatedUser == null) {
+            throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
+        }
+
+        if (ranges == null || ranges.isEmpty()) {
+            throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
+        }
+        ipRanges = new ArrayList<IPRange>(ranges);
+
+        this.ipInRangeIsAuthenticated = ipInRangeIsAuthenticated;
+    }
+
+    /** {@inheritDoc} */
+    public boolean supportsPassive() {
+        return true;
+    }
+
+    /** {@inheritDoc} */
+    public boolean supportsForceAuthentication() {
+        return true;
+    }
+
+    /** {@inheritDoc} */
+    public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+        log.debug("Attempting to authenticated client '{}'", httpRequest.getRemoteAddr());
+        try {
+            InetAddress clientAddress = InetAddress.getByName(httpRequest.getRemoteAddr());
+            if (authenticate(clientAddress)) {
+                log.debug("Authenticated user by IP address");
+                httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, authenticatedUser);
+            } else {
+                log.debug("Client IP address {} failed authentication.", httpRequest.getRemoteAddr());
+                httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY,
+                        "Client failed IP address authentication");
+            }
+        } catch (UnknownHostException e) {
+            String msg = "Unable to resolve " + httpRequest.getRemoteAddr() + " in to an IP address";
+            log.warn(msg);
+            httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, msg);
+        }
+
+        AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
+    }
+
+    /**
+     * Authenticates the client address.
+     * 
+     * @param clientAddress the client address
+     * 
+     * @return true if the client address is authenticated, false it not
+     */
+    protected boolean authenticate(InetAddress clientAddress) {
+        if (ipInRangeIsAuthenticated) {
+            for (IPRange range : ipRanges) {
+                if (range.contains(clientAddress)) {
+                    return true;
+                }
+            }
+        } else {
+            for (IPRange range : ipRanges) {
+                if (!range.contains(clientAddress)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/PreviousSessionLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/PreviousSessionLoginHandler.java
new file mode 100644 (file)
index 0000000..8d28b3c
--- /dev/null
@@ -0,0 +1,118 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.saml2.core.AuthnContext;
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
+import edu.internet2.middleware.shibboleth.idp.session.Session;
+
+/** Login handler that is called when user is logged in under a previously existing session. */
+public class PreviousSessionLoginHandler extends AbstractLoginHandler {
+    
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(PreviousSessionLoginHandler.class);
+
+    /** The path of the servlet to which the user agent may be redirected. */
+    private String servletPath;
+
+    /** Whether to report the authentication method as PreviousSession. */
+    private boolean reportPreviousSessionAuthnMethod;
+
+    /** Constructor. */
+    public PreviousSessionLoginHandler() {
+        super();
+        servletPath = null;
+        setSupportsPassive(true);
+        setSupportsForceAuthentication(false);
+    }
+
+    /**
+     * Get the path of the servlet to which the user agent may be redirected.
+     * 
+     * @return path of the servlet to which the user agent may be redirected
+     * 
+     * @deprecated
+     */
+    public String getServletPath() {
+        return servletPath;
+    }
+
+    /**
+     * Set the path of the servlet to which the user agent may be redirected.
+     * 
+     * @param path path of the servlet to which the user agent may be redirected
+     * 
+     * @deprecated
+     */
+    public void setServletPath(String path) {
+        servletPath = DatatypeHelper.safeTrimOrNullString(path);
+    }
+
+    /**
+     * Gets whether to use PreviousSession as the users authentication method.
+     * 
+     * @return whether to use PreviousSession as the users authentication method
+     */
+    public boolean reportPreviousSessionAuthnMethod() {
+        return reportPreviousSessionAuthnMethod;
+    }
+
+    /**
+     * Sets whether to use PreviousSession as the users authentication method.
+     * 
+     * @param report whether to use PreviousSession as the users authentication method
+     */
+    public void setReportPreviousSessionAuthnMethod(boolean report) {
+        reportPreviousSessionAuthnMethod = report;
+    }
+
+    /** {@inheritDoc} */
+    public boolean supportsPassive() {
+        if (servletPath == null) {
+            return true;
+        }
+
+        return super.supportsPassive();
+    }
+
+    /** {@inheritDoc} */
+    public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+        if (reportPreviousSessionAuthnMethod) {
+            httpRequest.setAttribute(LoginHandler.AUTHENTICATION_METHOD_KEY, AuthnContext.PREVIOUS_SESSION_AUTHN_CTX);
+        }
+        
+        Session idpSession = (Session) httpRequest.getAttribute(Session.HTTP_SESSION_BINDING_ATTRIBUTE);
+        if(idpSession == null){
+            log.warn("No existing IdP session available.");
+            httpRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, "No existing IdP session available");
+        }else{
+            log.debug("Using existing IdP session for {}", idpSession.getPrincipalName());
+            httpRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, idpSession.getPrincipalName());
+        }
+
+        AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserAuthServlet.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserAuthServlet.java
new file mode 100644 (file)
index 0000000..26a5ff8
--- /dev/null
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+
+/** Extracts the REMOTE_USER and places it in a request attribute to be used by the authentication engine. */
+public class RemoteUserAuthServlet extends HttpServlet {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -6153665874235557534L;    
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(RemoteUserAuthServlet.class);
+
+    /** {@inheritDoc} */
+    protected void service(HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws ServletException,
+            IOException {
+        String principalName = DatatypeHelper.safeTrimOrNullString(httpRequest.getRemoteUser());
+        if(principalName != null){
+            log.debug("Remote user identified as {} returning control back to authentication engine", principalName);
+            httpRequest.setAttribute(LoginHandler.PRINCIPAL_KEY, new UsernamePrincipal(principalName));
+        }else{
+            log.debug("No remote user information was present in the request");
+        }
+
+        AuthenticationEngine.returnToAuthenticationEngine(httpRequest, httpResponse);
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/RemoteUserLoginHandler.java
new file mode 100644 (file)
index 0000000..1576807
--- /dev/null
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
+
+/**
+ * Authentication Handler that redirects to servlet protected by a Web Single-Sign-On system.
+ */
+public class RemoteUserLoginHandler extends AbstractLoginHandler {
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(RemoteUserLoginHandler.class);
+
+    /** The URL of the SSO-protected servlet. */
+    private String servletURL;
+
+    /**
+     * Set the SSO-protected servlet's URL.
+     * 
+     * @param url The URL of the SSO-protected servlet.
+     */
+    public void setServletURL(String url) {
+        servletURL = url;
+    }
+
+    /**
+     * Get the URL of the SSO-protected servlet.
+     * 
+     * @return The URL of the SSO-protected servlet.
+     */
+    public String getServletURL() {
+        return servletURL;
+    }
+
+    /** {@inheritDoc} */
+    public void login(HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
+
+        // forward control to the servlet.
+        try {
+            String profileUrl = HttpServletHelper.getContextRelativeUrl(httpRequest, servletURL).buildURL();
+
+            log.debug("Redirecting to {}", profileUrl);
+            httpResponse.sendRedirect(profileUrl);
+            return;
+        } catch (IOException ex) {
+            log.error("Unable to redirect to remote user authentication servlet.", ex);
+        }
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordCredential.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordCredential.java
new file mode 100644 (file)
index 0000000..a19ae40
--- /dev/null
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.Serializable;
+
+/** Represents a username and password entered used to authenticate a subject. */
+public class UsernamePasswordCredential implements Serializable{
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -5262041398037656037L;
+
+    /** Username of a subject. */
+    private String username;
+
+    /** Password of a subject. */
+    private String password;
+
+    /**
+     * Constructor.
+     * 
+     * @param name username of the subject
+     * @param pass password of the subject
+     */
+    public UsernamePasswordCredential(String name, String pass) {
+        username = name;
+        password = pass;
+    }
+
+    /**
+     * Gets the username of the subject.
+     * 
+     * @return username of the subject
+     */
+    public String getUsername() {
+        return username;
+    }
+
+    /**
+     * Gets the password of the subject.
+     * 
+     * @return password of the subject
+     */
+    public String getPassword() {
+        return password;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginHandler.java
new file mode 100644 (file)
index 0000000..5d932bf
--- /dev/null
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper;
+
+/**
+ * Authenticate a username and password against a JAAS source.
+ * 
+ * This login handler creates a {@link javax.security.auth.Subject} and binds it to the request as described in the
+ * {@link edu.internet2.middleware.shibboleth.idp.authn.LoginHandler} documentation. If the JAAS module does not create
+ * a principal for the user a {@link edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal} is created, using
+ * the entered username. If the <code>storeCredentialsInSubject</code> init parameter of the authentication servlet is
+ * set to true a {@link UsernamePasswordCredential} is created, based on the entered username and password, and stored
+ * in the Subject's private credentials.
+ */
+public class UsernamePasswordLoginHandler extends AbstractLoginHandler {
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(UsernamePasswordLoginHandler.class);
+
+    /** The context-relative path of the servlet used to perform authentication. */
+    private String authenticationServletPath;
+
+    /**
+     * Constructor.
+     * 
+     * @param servletPath context-relative path to the authentication servlet, may start with "/"
+     */
+    public UsernamePasswordLoginHandler(String servletPath) {
+        super();
+        setSupportsPassive(false);
+        setSupportsForceAuthentication(true);
+        authenticationServletPath = servletPath;
+    }
+
+    /** {@inheritDoc} */
+    public void login(final HttpServletRequest httpRequest, final HttpServletResponse httpResponse) {
+        // forward control to the servlet.
+        try {
+            String authnServletUrl = HttpServletHelper.getContextRelativeUrl(httpRequest, authenticationServletPath)
+                    .buildURL();
+            log.debug("Redirecting to {}", authnServletUrl);
+            httpResponse.sendRedirect(authnServletUrl);
+            return;
+        } catch (IOException ex) {
+            log.error("Unable to redirect to authentication servlet.", ex);
+        }
+
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginServlet.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/authn/provider/UsernamePasswordLoginServlet.java
new file mode 100644 (file)
index 0000000..de668f6
--- /dev/null
@@ -0,0 +1,234 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.authn.provider;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginException;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
+import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException;
+import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
+import edu.internet2.middleware.shibboleth.idp.authn.UsernamePrincipal;
+
+/**
+ * This Servlet authenticates a user via JAAS. The user's credential is always added to the returned {@link Subject} as
+ * a {@link UsernamePasswordCredential} within the subject's private credentials.
+ */
+public class UsernamePasswordLoginServlet extends HttpServlet {
+
+    /** Serial version UID. */
+    private static final long serialVersionUID = -572799841125956990L;
+
+    /** Class logger. */
+    private final Logger log = LoggerFactory.getLogger(UsernamePasswordLoginServlet.class);
+
+    /** Name of JAAS configuration used to authenticate users. */
+    private String jaasConfigName = "ShibUserPassAuth";
+
+    /** init-param which can be passed to the servlet to override the default JAAS config. */
+    private final String jaasInitParam = "jaasConfigName";
+
+    /** Login page name. */
+    private String loginPage = "login.jsp";
+
+    /** init-param which can be passed to the servlet to override the default login page. */
+    private final String loginPageInitParam = "loginPage";
+
+    /** Parameter name to indicate login failure. */
+    private final String failureParam = "loginFailed";
+
+    /** HTTP request parameter containing the user name. */
+    private final String usernameAttribute = "j_username";
+
+    /** HTTP request parameter containing the user's password. */
+    private final String passwordAttribute = "j_password";
+
+    /** {@inheritDoc} */
+    public void init(ServletConfig config) throws ServletException {
+        super.init(config);
+
+        if (getInitParameter(jaasInitParam) != null) {
+            jaasConfigName = getInitParameter(jaasInitParam);
+        }
+
+        if (getInitParameter(loginPageInitParam) != null) {
+            loginPage = getInitParameter(loginPageInitParam);
+        }
+        if (!loginPage.startsWith("/")) {
+            loginPage = "/" + loginPage;
+        }
+    }
+
+    /** {@inheritDoc} */
+    protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException,
+            IOException {
+        String username = request.getParameter(usernameAttribute);
+        String password = request.getParameter(passwordAttribute);
+
+        if (username == null || password == null) {
+            redirectToLoginPage(request, response);
+            return;
+        }
+
+        try {
+            authenticateUser(request, username, password);
+            AuthenticationEngine.returnToAuthenticationEngine(request, response);
+        } catch (LoginException e) {
+            request.setAttribute(failureParam, "true");
+            request.setAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY, new AuthenticationException(e));
+            redirectToLoginPage(request, response);
+        }
+    }
+
+    /**
+     * Sends the user to the login page.
+     * 
+     * @param request current request
+     * @param response current response
+     */
+    protected void redirectToLoginPage(HttpServletRequest request, HttpServletResponse response) {
+
+        StringBuilder actionUrlBuilder = new StringBuilder();
+        if(!"".equals(request.getContextPath())){
+            actionUrlBuilder.append(request.getContextPath());
+        }
+        actionUrlBuilder.append(request.getServletPath());
+        
+        request.setAttribute("actionUrl", actionUrlBuilder.toString());
+
+        try {
+            request.getRequestDispatcher(loginPage).forward(request, response);
+            log.debug("Redirecting to login page {}", loginPage);
+        } catch (IOException ex) {
+            log.error("Unable to redirect to login page.", ex);
+        } catch (ServletException ex) {
+            log.error("Unable to redirect to login page.", ex);
+        }
+    }
+
+    /**
+     * Authenticate a username and password against JAAS. If authentication succeeds the name of the first principal, or
+     * the username if that is empty, and the subject are placed into the request in their respective attributes.
+     * 
+     * @param request current authentication request
+     * @param username the principal name of the user to be authenticated
+     * @param password the password of the user to be authenticated
+     * 
+     * @throws LoginException thrown if there is a problem authenticating the user
+     */
+    protected void authenticateUser(HttpServletRequest request, String username, String password) throws LoginException {
+        try {
+            log.debug("Attempting to authenticate user {}", username);
+
+            SimpleCallbackHandler cbh = new SimpleCallbackHandler(username, password);
+
+            javax.security.auth.login.LoginContext jaasLoginCtx = new javax.security.auth.login.LoginContext(
+                    jaasConfigName, cbh);
+
+            jaasLoginCtx.login();
+            log.debug("Successfully authenticated user {}", username);
+
+            Subject loginSubject = jaasLoginCtx.getSubject();
+
+            Set<Principal> principals = loginSubject.getPrincipals();
+            principals.add(new UsernamePrincipal(username));
+
+            Set<Object> publicCredentials = loginSubject.getPublicCredentials();
+
+            Set<Object> privateCredentials = loginSubject.getPrivateCredentials();
+            privateCredentials.add(new UsernamePasswordCredential(username, password));
+
+            Subject userSubject = new Subject(false, principals, publicCredentials, privateCredentials);
+            request.setAttribute(LoginHandler.SUBJECT_KEY, userSubject);
+        } catch (LoginException e) {
+            log.debug("User authentication for " + username + " failed", e);
+            throw e;
+        } catch (Throwable e) {
+            log.debug("User authentication for " + username + " failed", e);
+            throw new LoginException("unknown authentication error");
+        }
+    }
+
+    /**
+     * A callback handler that provides static name and password data to a JAAS loging process.
+     * 
+     * This handler only supports {@link NameCallback} and {@link PasswordCallback}.
+     */
+    protected class SimpleCallbackHandler implements CallbackHandler {
+
+        /** Name of the user. */
+        private String uname;
+
+        /** User's password. */
+        private String pass;
+
+        /**
+         * Constructor.
+         * 
+         * @param username The username
+         * @param password The password
+         */
+        public SimpleCallbackHandler(String username, String password) {
+            uname = username;
+            pass = password;
+        }
+
+        /**
+         * Handle a callback.
+         * 
+         * @param callbacks The list of callbacks to process.
+         * 
+         * @throws UnsupportedCallbackException If callbacks has a callback other than {@link NameCallback} or
+         *             {@link PasswordCallback}.
+         */
+        public void handle(final Callback[] callbacks) throws UnsupportedCallbackException {
+
+            if (callbacks == null || callbacks.length == 0) {
+                return;
+            }
+
+            for (Callback cb : callbacks) {
+                if (cb instanceof NameCallback) {
+                    NameCallback ncb = (NameCallback) cb;
+                    ncb.setName(uname);
+                } else if (cb instanceof PasswordCallback) {
+                    PasswordCallback pcb = (PasswordCallback) cb;
+                    pcb.setPassword(pass.toCharArray());
+                }
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/AbstractSAMLProfileHandlerBeanDefinitionParser.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/AbstractSAMLProfileHandlerBeanDefinitionParser.java
new file mode 100644 (file)
index 0000000..7bcbebd
--- /dev/null
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.opensaml.xml.util.XMLHelper;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.common.config.profile.AbstractShibbolethProfileHandlerBeanDefinitionParser;
+
+/**
+ * Base class for SAML profile handler configuration parsers.
+ */
+public abstract class AbstractSAMLProfileHandlerBeanDefinitionParser extends
+        AbstractShibbolethProfileHandlerBeanDefinitionParser {
+
+    /** {@inheritDoc} */
+    protected void doParse(Element config, BeanDefinitionBuilder builder) {
+        super.doParse(config, builder);
+
+        builder.addPropertyReference("idGenerator", config.getAttributeNS(null, "idGeneratorId"));
+
+        builder.addPropertyReference("messageDecoders", "shibboleth.MessageDecoders");
+
+        builder.addPropertyReference("messageEncoders", "shibboleth.MessageEncoders");
+
+        builder.addPropertyValue("inboundBinding", DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null,
+                "inboundBinding")));
+
+        builder.addPropertyValue("supportedOutboundBindings", XMLHelper.getAttributeValueAsList(config
+                .getAttributeNodeNS(null, "outboundBindingEnumeration")));
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/IdPProfileHandlerManagerBeanDefinitionParser.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/IdPProfileHandlerManagerBeanDefinitionParser.java
new file mode 100644 (file)
index 0000000..4836892
--- /dev/null
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import javax.xml.namespace.QName;
+
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.common.config.service.AbstractReloadableServiceBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager;
+
+/**
+ * Spring bean definition parser for {@link IdPProfileHandlerManager}s.
+ */
+public class IdPProfileHandlerManagerBeanDefinitionParser extends AbstractReloadableServiceBeanDefinitionParser {
+
+    /** Schema type. */
+    public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE,
+            "IdPProfileHandlerManager");
+
+    /** {@inheritDoc} */
+    protected Class getBeanClass(Element arg0) {
+        return IdPProfileHandlerManager.class;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerGroupBeanDefinitionParser.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerGroupBeanDefinitionParser.java
new file mode 100644 (file)
index 0000000..e541ca3
--- /dev/null
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.xml.util.XMLHelper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.config.BeanDefinition;
+import org.springframework.beans.factory.xml.BeanDefinitionParser;
+import org.springframework.beans.factory.xml.ParserContext;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.common.config.SpringConfigurationUtils;
+
+/** Spring bean definition parser for profile handler root element. */
+public class ProfileHandlerGroupBeanDefinitionParser implements BeanDefinitionParser {
+
+    /** Schema type name. */
+    public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "ProfileHandlerGroup");
+
+    /** Class logger. */
+    private static Logger log = LoggerFactory.getLogger(ProfileHandlerGroupBeanDefinitionParser.class);
+
+    /** {@inheritDoc} */
+    public BeanDefinition parse(Element config, ParserContext context) {
+        Map<QName, List<Element>> configChildren = XMLHelper.getChildElements(config);
+        List<Element> children;
+
+        children = configChildren.get(new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "ErrorHandler"));
+        log.debug("{} error handler definitions found", children.size());
+        SpringConfigurationUtils.parseInnerCustomElement(children.get(0), context);
+
+        children = configChildren.get(new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "ProfileHandler"));
+        log.debug("{} profile handler definitions found", children.size());
+        SpringConfigurationUtils.parseInnerCustomElements(children, context);
+
+        children = configChildren.get(new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "LoginHandler"));
+        log.debug("{} login handler definitions found", children.size());
+        SpringConfigurationUtils.parseInnerCustomElements(children, context);
+
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerNamespaceHandler.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/ProfileHandlerNamespaceHandler.java
new file mode 100644 (file)
index 0000000..fb5a9e2
--- /dev/null
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import javax.xml.namespace.QName;
+
+import edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler;
+import edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.common.config.profile.VelocityErrorHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.ExternalAuthnSystemLoginHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.IPAddressLoginHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.PreviousSessionLoginHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.RemoteUserLoginHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.authn.UsernamePasswordLoginHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml1.SAML1ArtifactResolutionProfileHanderBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml1.SAML1AttributeQueryProfileHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml1.ShibbolethSSOProfileHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml2.SAML2ArtifactResolutionProfileHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml2.SAML2AttributeQueryProfileHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml2.SAML2ECPProfileHandlerBeanDefinitionParser;
+import edu.internet2.middleware.shibboleth.idp.config.profile.saml2.SAML2SSOProfileHandlerBeanDefinitionParser;
+
+/**
+ * Spring namespace handler for profile handler configurations.
+ */
+public class ProfileHandlerNamespaceHandler extends BaseSpringNamespaceHandler {
+
+    /** Namespace URI. */
+    public static final String NAMESPACE = "urn:mace:shibboleth:2.0:idp:profile-handler";
+
+    /** {@inheritDoc} */
+    public void init() {
+        registerBeanDefinitionParser(IdPProfileHandlerManagerBeanDefinitionParser.SCHEMA_TYPE,
+                new IdPProfileHandlerManagerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(ProfileHandlerGroupBeanDefinitionParser.SCHEMA_TYPE,
+                new ProfileHandlerGroupBeanDefinitionParser());
+
+        registerBeanDefinitionParser(StatusHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new StatusHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(new QName(NAMESPACE, JSPErrorHandlerBeanDefinitionParser.ELEMENT_NAME),
+                new JSPErrorHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(new QName(NAMESPACE, VelocityErrorHandlerBeanDefinitionParser.ELEMENT_NAME),
+                new VelocityErrorHandlerBeanDefinitionParser());
+        
+        registerBeanDefinitionParser(SAMLMetadataHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAMLMetadataHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(ShibbolethSSOProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new ShibbolethSSOProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML1AttributeQueryProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML1AttributeQueryProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML1ArtifactResolutionProfileHanderBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML1ArtifactResolutionProfileHanderBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML2SSOProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML2SSOProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML2ECPProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML2ECPProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML2AttributeQueryProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML2AttributeQueryProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(SAML2ArtifactResolutionProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new SAML2ArtifactResolutionProfileHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(PreviousSessionLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new PreviousSessionLoginHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(RemoteUserLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new RemoteUserLoginHandlerBeanDefinitionParser());
+        
+        registerBeanDefinitionParser(ExternalAuthnSystemLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new ExternalAuthnSystemLoginHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(UsernamePasswordLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new UsernamePasswordLoginHandlerBeanDefinitionParser());
+
+        registerBeanDefinitionParser(IPAddressLoginHandlerBeanDefinitionParser.SCHEMA_TYPE,
+                new IPAddressLoginHandlerBeanDefinitionParser());
+    }
+}
\ No newline at end of file
diff --git a/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/SAMLMetadataHandlerBeanDefinitionParser.java b/REL_2/src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/SAMLMetadataHandlerBeanDefinitionParser.java
new file mode 100644 (file)
index 0000000..ca7e9bc
--- /dev/null
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the University Corporation for Advanced Internet Development, 
+ * Inc. (UCAID) under one or more contributor license agreements.  See the 
+ * NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The UCAID licenses this file to You under the Apache 
+ * License, Version 2.0 (the "License"); you may not use this file except in 
+ * compliance with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed&nbs