</filterset>
</copy>
- <symlink link="${idp.home}/bin/aacli.sh" resource="shib-tools.sh" />
+ <symlink link="${idp.home}/bin/aacli.sh" resource="shib-tools.sh" overwrite="true"/>
<chmod file="${idp.home}/bin/*.sh" perm="+x" />
<copy todir="${idp.home}/war" file="${dist.dir}/${war.name}" preservelastmodified="true" />
<xsd:extension base="RequestURIMappedProfileHandlerType" />
</xsd:complexContent>
</xsd:complexType>
-
+
<xsd:complexType name="SAML2SSO">
<xsd:annotation>
- <xsd:documentation>Configuration type for SAML 2 Attribute Query profile handlers.</xsd:documentation>
+ <xsd:documentation>Configuration type for SAML 2 SSO profile handlers.</xsd:documentation>
</xsd:annotation>
<xsd:complexContent>
<xsd:extension base="SAML2ProfileHandler">
</xsd:complexContent>
</xsd:complexType>
+ <xsd:complexType name="ShibbolethSSO">
+ <xsd:annotation>
+ <xsd:documentation>Configuration type for Shibboleth 1 SSO profile handlers.</xsd:documentation>
+ </xsd:annotation>
+ <xsd:complexContent>
+ <xsd:extension base="SAML1ProfileHandler">
+ <xsd:attribute name="authenticationManagerPath" type="xsd:string" default="/AuthnEngine">
+ <xsd:annotation>
+ <xsd:documentation>
+ The context relative path to the authentication manager used by this profile handler. This
+ should match the URL pattern given in the web.xml
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ </xsd:extension>
+ </xsd:complexContent>
+ </xsd:complexType>
+
<xsd:complexType name="SAML1AttributeQuery">
<xsd:annotation>
<xsd:documentation>Configuration type for SAML 1 Attribute Query profile handlers.</xsd:documentation>
</xsd:annotation>
<xsd:complexContent>
- <xsd:extension base="SAML1ProfileHandler" />
+ <xsd:extension base="SAML1ProfileHandler">
+ <xsd:attribute name="securityPolicyFactoryId" type="xsd:string"
+ default="shibboleth.SAML1AttributeQueryMessageSecurityPolicyFactory">
+ <xsd:annotation>
+ <xsd:documentation>
+ The component ID of the security policy factory to use with the profile handler.
+
+ This setting should not be changed from its default unless the deployer fully understands
+ the inter-relationship between IdP components.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ </xsd:extension>
</xsd:complexContent>
</xsd:complexType>
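Review bot: The new `ShibbolethSSO` type (L21-L37) gets an `authenticationManagerPath` attribute but no `securityPolicyFactoryId`, while `SAML1AttributeQuery` in the same hunk gains one with a documented default; unless the `SAML1ProfileHandler` base type (not visible here) already supplies it, Shibboleth 1 SSO handlers end up with no configurable message security policy, which is the component that decides whether an unauthenticated or stale request is accepted. I would add the same attribute with a profile-specific default and the same "do not change unless you understand the component relationships" warning, so both SAML 1 handler types are configured the same way. Separately, the context line `<xsd:extension base="SAML2ProfileHandler">` at L18 is not closed as displayed, whereas every sibling uses `<xsd:extension base="..." />` — it is pre-existing, but worth confirming it is a rendering artifact and not a schema that fails to parse.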
<RequestPath>/status</RequestPath>
</ProfileHandler>
- <ProfileHandler xsi:type="SAML2AttributeQuery">
- <RequestPath>/saml2/SOAP/AttributeQuery</RequestPath>
+ <ProfileHandler xsi:type="ShibbolethSSO">
+ <RequestPath>/shibboleth/SSO</RequestPath>
+ </ProfileHandler>
+
+ <ProfileHandler xsi:type="SAML1AttributeQuery">
+ <RequestPath>/saml1/SSO</RequestPath>
</ProfileHandler>
<ProfileHandler xsi:type="SAML2SSO">
<RequestPath>/saml2/SSO</RequestPath>
</ProfileHandler>
+ <ProfileHandler xsi:type="SAML2AttributeQuery">
+ <RequestPath>/saml2/SOAP/AttributeQuery</RequestPath>
+ </ProfileHandler>
+
<AuthenticationHandler xsi:type="RemoteUser">
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
<AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</AuthenticationMethod>
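Review bot: The `SAML1AttributeQuery` handler is bound to `<RequestPath>/saml1/SSO</RequestPath>`, a path that names the SSO profile, while the SAML 2 equivalent in the same file is at `/saml2/SOAP/AttributeQuery` and the Shibboleth 1 SSO handler just above sits at `/shibboleth/SSO`. A SOAP attribute-query endpoint advertised under an "SSO" path is confusing to deployers writing metadata and makes it easy to point an `AttributeService` or SSO endpoint at the wrong handler; unless something outside this diff depends on the name, I would use `<RequestPath>/saml1/SOAP/AttributeQuery</RequestPath>` to parallel the SAML 2 entry. If the path was chosen deliberately, a comment above the handler saying why would save the next reader the same question.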
<property name="requiredAuthenticatedIssuer" value="false" />
</bean>
+ <bean id="shibboleth.SAML1AttributeQueryMessageSecurityPolicyFactory"
+ parent="shibboleth.BaseSAML1SecurityPolicyFactory">
+ <property name="issuerRole">
+ <bean id="shibboleth.SAML1AttributeQueryRole" class="javax.xml.namespace.QName">
+ <constructor-arg value="urn:oasis:names:tc:SAML:2.0:metadata" />
+ <constructor-arg value="SPSSODescriptor" />
+ </bean>
+ </property>
+ </bean>
+
+ <bean id="shibboleth.BaseSAML1SecurityPolicyFactory" abstract="true" class="org.opensaml.common.binding.security.SAMLSecurityPolicyFactory">
+ <property name="issuerProtocol" value="urn:oasis:names:tc:SAML:1.0:protocol" />
+ <property name="policyRuleFactories">
+ <list>
+ <ref bean="shibboleth.SAML1ProtocolMessageRuleFactory" />
+ <!-- Removed for testing -->
+ <!-- ref bean="shibboleth.MessageIssueInstantRuleFactory" /-->
+ </list>
+ </property>
+ <!-- Turn off for testing -->
+ <property name="requiredAuthenticatedIssuer" value="false" />
+ </bean>
+
<bean id="shibboleth.SAML2ProtocolMessageRuleFactory" class="org.opensaml.saml2.binding.security.SAML2ProtocolMessageRuleFactory" />
+ <bean id="shibboleth.SAML1ProtocolMessageRuleFactory" class="org.opensaml.saml1.binding.security.SAML1ProtocolMessageRuleFactory" />
+
<bean id="shibboleth.MessageIssueInstantRuleFactory" class="org.opensaml.common.binding.security.IssueInstantRuleFactory">
<property name="clockSkew" value="5" />
<property name="expires" value="10" />
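Review bot: `shibboleth.BaseSAML1SecurityPolicyFactory` ships with the issue-instant rule commented out ("Removed for testing") and `requiredAuthenticatedIssuer` set to `false` ("Turn off for testing"), and the new attribute-query policy factory inherits both; as written, a SAML 1 attribute query from an SP whose identity was never authenticated is accepted, and a captured query can be replayed indefinitely because nothing checks message freshness. Test-only relaxations belong in a test configuration, not in the base factory the default `securityPolicyFactoryId` resolves to; before this is merged I would restore `<ref bean="shibboleth.MessageIssueInstantRuleFactory" />` in the rule list and set `<property name="requiredAuthenticatedIssuer" value="true" />`. The SAML 2 bean in the context above (L81) carries the same `false` value, so the pre-existing configuration may need the same review. If the relaxed values must stay for now, the two comments should at least say which ticket will turn the checks back on.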
+<%@page import="edu.internet2.middleware.shibboleth.common.profile.AbstractErrorHandler"%>
+
+<%
+ Throwable error = (Throwable) request.getAttribute(AbstractErrorHandler.ERROR_KEY);
+%>
+
<html>
<body>
<h1>ERROR</h1>
- <%= request.getAttribute("requestError") %>
+ Error Message: <%= error.getMessage() %>
+
</body>
</html>
\ No newline at end of file
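Review bot: `error.getMessage()` at L122 is dereferenced without a null check and written into the page unescaped; if the request reaches this error page without `AbstractErrorHandler.ERROR_KEY` set, the page itself throws, and a message that echoes request-derived text (a relying party ID, an unparseable parameter) lands in the HTML verbatim. A null-safe, escaped form is `String msg = (error == null || error.getMessage() == null) ? "Unknown error" : error.getMessage();` followed by `Error Message: <%= msg.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;") %>`. Whether the raw exception message should be shown to end users at all, rather than logged with a generic message on the page, is a separate question for the deployer, but it deserves a comment either way.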
registerBeanDefinitionParser(new QName(NAMESPACE, VelocityErrorHandlerBeanDefinitionParser.ELEMENT_NAME),
new VelocityErrorHandlerBeanDefinitionParser());
+ registerBeanDefinitionParser(ShibbolethSSOProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+ new ShibbolethSSOProfileHandlerBeanDefinitionParser());
+
+ registerBeanDefinitionParser(SAML1AttributeQueryProfileHandlerBeanDefinitionParser.SCHEMA_TYPE,
+ new SAML1AttributeQueryProfileHandlerBeanDefinitionParser());
+
registerBeanDefinitionParser(StatusHandlerBeanDefinitionParser.SCHEMA_TYPE,
new StatusHandlerBeanDefinitionParser());
--- /dev/null
+/*
+ * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.idp.profile.saml1.AttributeQueryProfileHandler;
+
+/**
+ * Spring bean definition parser for {@link HTTPSOAPAttributeQuery} profile handlers.
+ */
+public class SAML1AttributeQueryProfileHandlerBeanDefinitionParser extends
+ AbstractSAML2ProfileHandlerBeanDefinitionParser {
+
+ /** Schema type. */
+ public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "SAML1AttributeQuery");
+
+ /** {@inheritDoc} */
+ protected Class getBeanClass(Element arg0) {
+ return AttributeQueryProfileHandler.class;
+ }
+
+ /** {@inheritDoc} */
+ protected void doParse(Element config, BeanDefinitionBuilder builder) {
+ super.doParse(config, builder);
+
+ builder.addPropertyReference("securityPolicyFactory", DatatypeHelper.safeTrimOrNullString(config
+ .getAttributeNS(null, "securityPolicyFactoryId")));
+ }
+}
\ No newline at end of file
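Review bot: `SAML1AttributeQueryProfileHandlerBeanDefinitionParser` extends `AbstractSAML2ProfileHandlerBeanDefinitionParser` (L167-L168) although it parses a SAML 1 handler, and the sibling `ShibbolethSSOProfileHandlerBeanDefinitionParser` in this same commit extends `AbstractSAML1ProfileHandlerBeanDefinitionParser`; unless the SAML 2 base is deliberately reused, this looks like a copy-paste slip that will apply SAML 2 parsing to a SAML 1 profile. The class javadoc also links `{@link HTTPSOAPAttributeQuery}`, a type that is neither imported nor used here, and should read `{@link AttributeQueryProfileHandler}`. In `doParse`, `safeTrimOrNullString` yields `null` when the attribute is absent or blank, and a `null` reference handed to `addPropertyReference` will presumably fail at bean creation; if the schema default is not guaranteed to be applied by the DOM, I would fall back in code: `String factoryId = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "securityPolicyFactoryId"));` then `if (factoryId == null) { factoryId = "shibboleth.SAML1AttributeQueryMessageSecurityPolicyFactory"; }` and `builder.addPropertyReference("securityPolicyFactory", factoryId);`.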
--- /dev/null
+/*
+ * Copyright [2007] [University Corporation for Advanced Internet Development, Inc.]
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package edu.internet2.middleware.shibboleth.idp.config.profile;
+
+import javax.xml.namespace.QName;
+
+import org.opensaml.xml.util.DatatypeHelper;
+import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.w3c.dom.Element;
+
+import edu.internet2.middleware.shibboleth.idp.profile.saml1.ShibbolethSSOProfileHandler;
+
+/**
+ * Spring bean configuration parser for {@link ShibbolethSSOProfileHandler}s.
+ */
+public class ShibbolethSSOProfileHandlerBeanDefinitionParser extends AbstractSAML1ProfileHandlerBeanDefinitionParser {
+
+ /** Schema type. */
+ public static final QName SCHEMA_TYPE = new QName(ProfileHandlerNamespaceHandler.NAMESPACE, "ShibbolethSSO");
+
+ /** {@inheritDoc} */
+ protected Class getBeanClass(Element arg0) {
+ return ShibbolethSSOProfileHandler.class;
+ }
+
+ /** {@inheritDoc} */
+ protected void doParse(Element config, BeanDefinitionBuilder builder) {
+ super.doParse(config, builder);
+
+ builder.addConstructorArg(DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null,
+ "authenticationManagerPath")));
+ }
+
+}
\ No newline at end of file
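Review bot: `getBeanClass(Element arg0)` keeps an IDE-generated parameter name; the same method in the sibling parser in this commit does too, so renaming both to `getBeanClass(Element element)` would make the `{@inheritDoc}` javadoc actually describe something readable. The `authenticationManagerPath` constructor argument is passed through `safeTrimOrNullString`, so a blank attribute becomes `null` and is rejected by `ShibbolethSSOProfileHandler`'s constructor with a generic message; a comment on the `addConstructorArg` line noting that the handler constructor enforces non-emptiness would tell the next reader where the validation lives.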
/** URL of the authentication manager servlet. */
private String authenticationManagerPath;
- /** Message encoder binding URI. */
- private String encodingBinding;
-
/**
* Constructor.
*
* @throws IllegalArgumentException thrown if either the authentication manager path or encoding binding URI are
* null or empty
*/
- public ShibbolethSSOProfileHandler(String authnManagerPath, String encoder) {
- if (DatatypeHelper.isEmpty(authnManagerPath) || DatatypeHelper.isEmpty(encoder)) {
- throw new IllegalArgumentException("Authentication manager path and encoder binding URI may not be null");
+ public ShibbolethSSOProfileHandler(String authnManagerPath) {
+ if (DatatypeHelper.isEmpty(authnManagerPath)) {
+ throw new IllegalArgumentException("Authentication manager path may not be null");
}
authenticationManagerPath = authnManagerPath;
- encodingBinding = encoder;
authnStatementBuilder = (SAMLObjectBuilder<AuthenticationStatement>) getBuilderFactory().getBuilder(
AuthenticationStatement.DEFAULT_ELEMENT_NAME);
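Review bot: The constructor javadoc at L245-L246 still says the exception is thrown "if either the authentication manager path or encoding binding URI are null or empty", but the encoding binding parameter and field are removed in this hunk; it should read `@throws IllegalArgumentException thrown if the authentication manager path is null or empty`, and the `@param authnManagerPath` line the old doc never had would be welcome. Dropping `encodingBinding` also means the response encoder must now be chosen elsewhere; the following hunk, which runs past the end of this excerpt, appears to leave that as a TODO, so the constructor doc should say where the binding is expected to come from once endpoint selection exists.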
if (log.isDebugEnabled()) {
log.debug("Encoding response to SAML request from relying party " + requestContext.getRelyingPartyId());
}
- MessageEncoder<ServletResponse> encoder = getMessageEncoderFactory().getMessageEncoder(encodingBinding);
- if (encoder == null) {
- throw new ProfileException("No response encoder was registered for binding type: " + encodingBinding);
- }
+
+
+ //TODO endpoint selection
+ MessageEncoder<ServletResponse> encoder = null;
super.populateMessageEncoder(encoder);
ProfileResponse<ServletResponse> profileResponse = requestContext.getProfileResponse();