public String getProviderId();
/**
- * Returns the credential that this provider uses to sign SAML authentication responses to requests, or
- * <code>null</code> if responses should not be signed.
+ * Returns the credential that this provider uses to sign SAML responses and assertions, or <code>null</code> if
+ * responses should not be signed.
*
* @return the credential or <code>null</code>
*/
- public Credential getAuthNResponseSigningCredential();
+ public Credential getSigningCredential();
- /**
- * Returns the credential that this provider uses to sign SAML authentication assertions, or <code>null</code> if
- * assertions should not be signed.
- *
- * @return the credential or <code>null</code>
- */
- public Credential getAuthNAssertionSigningCredential();
-
- /**
- * Returns the credential that this provider uses to sign SAML attribute responses to requests, or <code>null</code>
- * if responses should not be signed.
- *
- * @return the credential or <code>null</code>
- */
- public Credential getAttributeResponseSigningCredential();
-
- /**
- * Returns the credential that this provider uses to sign SAML attribute assertions, or <code>null</code> if
- * assertions should not be signed.
- *
- * @return the credential or <code>null</code>
- */
- public Credential getAttributeAssertionSigningCredential();
-
-}
+}
\ No newline at end of file
}
}
- // Load credentials for signing
- Credential authNCredential = null;
- Credential attrCredential = null;
-
- boolean signAuthResponses = new Boolean(((Element) partyConfig).getAttribute("signAuthResponses"))
- .booleanValue();
- boolean signAuthAssertions = new Boolean(((Element) partyConfig).getAttribute("signAuthAssertions"))
- .booleanValue();
- boolean signAttrResponses = new Boolean(((Element) partyConfig).getAttribute("signAttrResponses"))
- .booleanValue();
- boolean signAttrAssertions = new Boolean(((Element) partyConfig).getAttribute("signAttrAssertions"))
- .booleanValue();
-
+ // Load the credential for signing
String credentialName = ((Element) partyConfig).getAttribute("signingCredential");
-
- // Load the credential for AuthN signing
- if (signAuthResponses || signAuthAssertions) {
-
- authNCredential = credentials.getCredential(credentialName);
- if (authNCredential == null) {
- if (credentialName == null || credentialName.equals("")) {
- log.error("Relying Party credential not set. Add a (signingCredential) "
- + "attribute to <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration not specified.");
- } else {
- log.error("Relying Party credential invalid. Fix the (signingCredential) attribute "
- + "on <RelyingParty>.");
- throw new ServiceProviderMapperException("Required configuration is invalid.");
- }
- }
- }
-
- // Load the credential for Attribute signing
- if (signAttrAssertions || signAttrResponses) {
- String aaCredentialName = ((Element) partyConfig).getAttribute("AASigningCredential");
- attrCredential = credentials.getCredential(aaCredentialName);
- if (aaCredentialName == null || aaCredentialName.equals("")) {
- if (authNCredential != null) {
- attrCredential = authNCredential;
- } else {
- aaCredentialName = ((Element) partyConfig).getAttribute("signingCredential");
- attrCredential = credentials.getCredential(aaCredentialName);
- }
- } else {
- log.debug("Using (AASigningCredential) for AA signing.");
- }
- }
-
- if ((attrCredential == null) && (signAttrResponses || signAttrAssertions)) {
+ Credential signingCredential = credentials.getCredential(credentialName);
+ if (signingCredential == null) {
if (credentialName == null || credentialName.equals("")) {
- log.error("Relying Party credential not set. Add a (AASigningCredential) or (signingCredential) "
+ log.error("Relying Party credential not set. Add a (signingCredential) "
+ "attribute to <RelyingParty>.");
throw new ServiceProviderMapperException("Required configuration not specified.");
} else {
+ "on <RelyingParty>.");
throw new ServiceProviderMapperException("Required configuration is invalid.");
}
+
}
// Initialize and Identity Provider object for this use by this relying party
identityProvider = new RelyingPartyIdentityProvider(overridenOriginProviderId != null
? overridenOriginProviderId
- : configuration.getProviderId(), signAuthResponses ? authNCredential : null, signAuthAssertions
- ? authNCredential
- : null, signAttrResponses ? attrCredential : null, signAttrAssertions ? attrCredential : null);
+ : configuration.getProviderId(), signingCredential);
}
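Review bot: The unconditional lookup and throw around `Credential signingCredential = credentials.getCredential(credentialName);` makes `signingCredential` mandatory for every `<RelyingParty>`, whereas the `IdentityProvider` Javadoc rewritten in this same commit says the credential may be `null` when responses should not be signed, and the relying-party schema still declares the attribute `use="optional"`. Before this change the lookup only ran when one of the sign* flags was set, so a configuration that never signed now fails to load with "Required configuration not specified.". If unsigned relying parties are still meant to be supported, the empty-name branch should log at debug and leave `signingCredential` null instead of throwing, keeping the throw only for `else if (signingCredential == null)` (a name that was set but does not resolve); if signing is now intended to be mandatory, the schema's `use="optional"` and the interface Javadoc should say so instead. The enclosing method starts before this hunk.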
protected class RelyingPartyIdentityProvider implements IdentityProvider {
private String providerId;
- private Credential authNResponseSigningCredential;
- private Credential authNAssertionSigningCredential;
- private Credential attributeResponseSigningCredential;
- private Credential attributeAssertionSigningCredential;
+ private Credential credential;
- public RelyingPartyIdentityProvider(String providerId, Credential authNResponseSigningCredential,
- Credential authNAssertionSigningCredential, Credential attributeResponseSigningCredential,
- Credential attributeAssertionSigningCredential) {
+ public RelyingPartyIdentityProvider(String providerId, Credential credential) {
this.providerId = providerId;
- this.authNResponseSigningCredential = authNResponseSigningCredential;
- this.authNAssertionSigningCredential = authNAssertionSigningCredential;
- this.attributeResponseSigningCredential = attributeResponseSigningCredential;
- this.attributeAssertionSigningCredential = attributeAssertionSigningCredential;
+ this.credential = credential;
}
+ /*
+ * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getProviderId()
+ */
public String getProviderId() {
return providerId;
}
- public Credential getAuthNResponseSigningCredential() {
+ /*
+ * @see edu.internet2.middleware.shibboleth.common.IdentityProvider#getSigningCredential()
+ */
+ public Credential getSigningCredential() {
- return authNResponseSigningCredential;
+ return credential;
}
-
- public Credential getAuthNAssertionSigningCredential() {
-
- return authNAssertionSigningCredential;
- }
-
- public Credential getAttributeResponseSigningCredential() {
-
- return attributeResponseSigningCredential;
- }
-
- public Credential getAttributeAssertionSigningCredential() {
-
- return attributeAssertionSigningCredential;
- }
-
}
}
return ((RelyingParty) wrapped).getDefaultAuthMethod();
}
}
-}
+}
\ No newline at end of file
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
import java.util.Iterator;
import java.util.Vector;
import java.util.regex.Matcher;
import org.apache.log4j.Logger;
import org.apache.log4j.NDC;
import org.apache.xml.security.signature.XMLSignature;
-import org.opensaml.InvalidCryptoException;
import org.opensaml.NoSuchProviderException;
import org.opensaml.ReplayCache;
-import org.opensaml.SAMLAssertion;
-import org.opensaml.SAMLAudienceRestrictionCondition;
-import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLBrowserProfile;
import org.opensaml.SAMLBrowserProfileFactory;
-import org.opensaml.SAMLConfig;
import org.opensaml.SAMLException;
-import org.opensaml.SAMLNameIdentifier;
-import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSignedObject;
-import org.opensaml.SAMLSubject;
import org.opensaml.TrustException;
-import org.w3c.dom.Document;
import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
import edu.internet2.middleware.shibboleth.metadata.IDPProviderRole;
}
/**
- * Used by HS to generate a signed SAML response conforming to the POST profile
- * <P>
- *
- * @param recipient
- * URL of the assertion consumer
- * @param relyingParty
- * the intended recipient of the response
- * @param nameId
- * Name Identifier for the response
- * @param subjectIP
- * Client address of subject (optional)
- * @param authMethod
- * URI of authentication method being asserted
- * @param authInstant
- * Date and time of authentication being asserted
- * @param bindings
- * Set of SAML authorities the relying party may contact (optional)
- * @return SAML response to send to accepting site
- * @exception SAMLException
- * Base class of exceptions that may be thrown during processing
- */
- public SAMLResponse prepare(String recipient, RelyingParty relyingParty, SAMLNameIdentifier nameId,
- String subjectIP, String authMethod, Date authInstant, Collection bindings) throws SAMLException {
-
- Document doc = org.opensaml.XML.parserPool.newDocument();
-
- ArrayList audiences = new ArrayList();
- if (relyingParty.getProviderId() != null) {
- audiences.add(relyingParty.getProviderId());
- }
- if (relyingParty.getName() != null && !relyingParty.getName().equals(relyingParty.getProviderId())) {
- audiences.add(relyingParty.getName());
- }
-
- String issuer = null;
- if (relyingParty.isLegacyProvider()) {
-
- log.debug("Service Provider is running Shibboleth <= 1.1. Using old style issuer.");
- if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() == null
- || relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getX509Certificate() == null) {
- throw new SAMLException("Cannot serve legacy style assertions without an X509 certificate");
- }
- issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
- .getX509Certificate().getSubjectX500Principal());
- if (issuer == null || issuer.equals("")) {
- throw new SAMLException("Error parsing certificate DN while determining legacy issuer name.");
- }
-
- } else {
- issuer = relyingParty.getIdentityProvider().getProviderId();
- }
-
- // XXX: Inlined the old prepare method, this whole method should probably be pulled out into the IdP package.
- // At a minimum, artifact should be integrated in.
- SAMLResponse r = new SAMLResponse(
- null,
- recipient,
- Collections.singleton(
- new SAMLAssertion(
- issuer,
- new Date(),
- new Date(System.currentTimeMillis() + 1000 * SAMLConfig.instance().getIntProperty("org.opensaml.clock-skew")),
- Collections.singleton(
- new SAMLAudienceRestrictionCondition(audiences)
- ),
- null,
- Collections.singleton(
- new SAMLAuthenticationStatement(
- new SAMLSubject(
- nameId,
- Collections.singleton(SAMLSubject.CONF_BEARER),
- null,
- null
- ),
- authMethod,
- authInstant,
- subjectIP,
- null,
- bindings
- )
- )
- )
- ),
- null
- );
- r.toDOM(doc);
-
- //Sign the assertions, if appropriate
- if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
- && relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getPrivateKey() != null) {
-
- String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.RSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential().getCredentialType() == Credential.DSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
- }
-
- ((SAMLAssertion) r.getAssertions().next()).sign(assertionAlgorithm, relyingParty.getIdentityProvider()
- .getAuthNAssertionSigningCredential().getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
- .getAuthNAssertionSigningCredential().getX509CertificateChain()));
- }
-
- //Sign the response, if appropriate
- if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential() != null
- && relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey() != null) {
-
- String responseAlgorithm;
- if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.RSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getCredentialType() == Credential.DSA) {
- responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "ShibPOSTProfile.prepare() currently only supports signing with RSA and DSA keys.");
- }
-
- r.sign(responseAlgorithm,
- relyingParty.getIdentityProvider().getAuthNResponseSigningCredential().getPrivateKey(), Arrays
- .asList(relyingParty.getIdentityProvider().getAuthNResponseSigningCredential()
- .getX509CertificateChain()));
- }
-
- return r;
- }
-
- /**
* Given a key from Trust associated with a HS Role from a Metadata Entity Descriptor,
* verify the SAML Signature.
*
// TODO Maybe should rethink the inheritance here, since there is only one
// servlet
- // TODO signing is broken... it doesn't distinguish between authn and attr signing
private static Logger transactionLog = Logger.getLogger("Shibboleth-TRANSACTION");
private static Logger log = Logger.getLogger(IdPResponder.class.getName());
}
// If we have DEBUGing turned on, dump out the request to the log
- if (log.isDebugEnabled()) { // This takes some processing, so only do it if we need to
+ // This takes some processing, so only do it if we need to
+ if (log.isDebugEnabled()) {
try {
log.debug("Dumping generated SAML Request:"
+ System.getProperty("line.separator")
SAMLAssertion[] assertions = activeHandler.processHook(request, relyingParty, provider, nameId,
authenticationMethod, new Date(System.currentTimeMillis()));
+ //TODO do assertion signing here
+
// SAML Artifact profile
if (useArtifactProfile(provider, acceptanceURL)) {
log.debug("Responding with Artifact profile.");
request.setAttribute("target", activeHandler.getSAMLTargetParameter(request, relyingParty, provider));
SAMLResponse samlResponse = new SAMLResponse(null, acceptanceURL, Arrays.asList(assertions), null);
- addSignatures(samlResponse, relyingParty);
+ addSignatures(samlResponse, relyingParty, provider, true);
createPOSTForm(request, response, samlResponse.toBase64());
// Make transaction log entry
then, Collections.singleton(condition), null, Collections.singleton(statement));
samlResponse = new SAMLResponse(samlRequest.getId(), null, Collections.singleton(sAssertion), exception);
- addSignatures(samlResponse, relyingParty);
+ addSignatures(samlResponse, relyingParty, lookup(relyingParty.getProviderId()), false);
}
} catch (SAMLException se) {
ourSE = se;
}
}
- private static void addSignatures(SAMLResponse reponse, RelyingParty relyingParty) throws SAMLException {
+ private static void addSignatures(SAMLResponse response, RelyingParty relyingParty, Provider provider,
+ boolean signResponse) throws SAMLException {
- // TODO make sure this signing optionally happens according to origin.xml params
- // TODO this has to be made to work for both AuthN and Attr assertion types
+ if (provider != null) {
+ boolean signAssertions = false;
- // Sign the assertions, if appropriate
- if (relyingParty.getIdentityProvider().getAuthNAssertionSigningCredential() != null
- && relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey() != null) {
-
- String assertionAlgorithm;
- if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.RSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential().getCredentialType() == Credential.DSA) {
- assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
- } else {
- throw new InvalidCryptoException(SAMLException.RESPONDER,
- "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+ ProviderRole[] roles = provider.getRoles();
+ if (roles.length == 0) {
+ log.info("Inappropriate metadata for provider: " + provider.getId() + ". Expected SPSSODescriptor.");
}
+ for (int i = 0; roles.length > i; i++) {
+ if (roles[i] instanceof SPProviderRole) {
+ if (((SPProviderRole) roles[i]).wantAssertionsSigned()) {
+ signAssertions = true;
+ }
+ }
+ }
+
+ if (signAssertions && relyingParty.getIdentityProvider().getSigningCredential() != null
+ && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
+
+ Iterator assertions = response.getAssertions();
+
+ while (assertions.hasNext()) {
+ SAMLAssertion assertion = (SAMLAssertion) assertions.next();
+ String assertionAlgorithm;
+ if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
+ assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
+ } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
+ assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
+ } else {
+ throw new InvalidCryptoException(SAMLException.RESPONDER,
+ "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
+ }
- ((SAMLAssertion) reponse.getAssertions().next()).sign(assertionAlgorithm, relyingParty
- .getIdentityProvider().getAttributeAssertionSigningCredential().getPrivateKey(), Arrays
- .asList(relyingParty.getIdentityProvider().getAttributeAssertionSigningCredential()
+ assertion.sign(assertionAlgorithm, relyingParty.getIdentityProvider().getSigningCredential()
+ .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential()
.getX509CertificateChain()));
+ }
+ }
}
// Sign the response, if appropriate
- if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential() != null
- && relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getPrivateKey() != null) {
+ if (signResponse && relyingParty.getIdentityProvider().getSigningCredential() != null
+ && relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey() != null) {
String responseAlgorithm;
- if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.RSA) {
+ if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.RSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
- } else if (relyingParty.getIdentityProvider().getAttributeResponseSigningCredential().getCredentialType() == Credential.DSA) {
+ } else if (relyingParty.getIdentityProvider().getSigningCredential().getCredentialType() == Credential.DSA) {
responseAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
} else {
throw new InvalidCryptoException(SAMLException.RESPONDER,
"The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
}
- reponse.sign(responseAlgorithm, relyingParty.getIdentityProvider().getAttributeResponseSigningCredential()
- .getPrivateKey(), Arrays.asList(relyingParty.getIdentityProvider()
- .getAttributeResponseSigningCredential().getX509CertificateChain()));
+ response.sign(responseAlgorithm, relyingParty.getIdentityProvider().getSigningCredential().getPrivateKey(),
+ Arrays.asList(relyingParty.getIdentityProvider().getSigningCredential().getX509CertificateChain()));
}
}
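Review bot: When `provider` is null — which `lookup(relyingParty.getProviderId())` at the attribute-query call site can presumably return — the `if (provider != null)` guard skips assertion signing without any log line, so an SP whose metadata asked for signed assertions silently receives unsigned ones; an else branch with a debug entry would make that visible. The RSA/DSA algorithm selection inside the `while` loop depends only on the credential, not on the assertion, so it can be computed once above the loop, and `relyingParty.getIdentityProvider().getSigningCredential()` is re-fetched on nearly every line where a single local would do. `for (int i = 0; roles.length > i; i++)` is conventionally written `i < roles.length`. The rewrite below covers only the assertion-signing branch; the response-signing branch is unchanged.
```java
if (provider == null) {
    log.debug("No metadata available for relying party " + relyingParty.getProviderId()
            + "; assertions will not be signed.");
} else {
    boolean signAssertions = false;
    // … unchanged: role scan that sets signAssertions from wantAssertionsSigned() …

    Credential signingCredential = relyingParty.getIdentityProvider().getSigningCredential();
    if (signAssertions && signingCredential != null && signingCredential.getPrivateKey() != null) {
        // The algorithm depends only on the credential, so choose it once rather than per assertion.
        String assertionAlgorithm;
        if (signingCredential.getCredentialType() == Credential.RSA) {
            assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_RSA_SHA1;
        } else if (signingCredential.getCredentialType() == Credential.DSA) {
            assertionAlgorithm = XMLSignature.ALGO_ID_SIGNATURE_DSA;
        } else {
            throw new InvalidCryptoException(SAMLException.RESPONDER,
                    "The Shibboleth IdP currently only supports signing with RSA and DSA keys.");
        }

        Iterator assertions = response.getAssertions();
        while (assertions.hasNext()) {
            ((SAMLAssertion) assertions.next()).sign(assertionAlgorithm, signingCredential.getPrivateKey(),
                    Arrays.asList(signingCredential.getX509CertificateChain()));
        }
    }
}
// … unchanged: response signing guarded by signResponse …
```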
* The Shibboleth License, Version 1. Copyright (c) 2002 University Corporation for Advanced Internet Development, Inc.
* All rights reserved Redistribution and use in source and binary forms, with or without modification, are permitted
* provided that the following conditions are met: Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the
- * above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other
- * materials provided with the distribution, if any, must include the following acknowledgment: "This product includes
- * software developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu>Internet2
- * Project. Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
- * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2,
- * nor the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
- * products derived from this software without specific prior written permission. For written permission, please
- * contact shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2,
- * UCAID, or the University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name,
- * without prior written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS
- * PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND
- * NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS
- * WITH LICENSEE. IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED
- * INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
+ * notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials
+ * provided with the distribution, if any, must include the following acknowledgment: "This product includes software
+ * developed by the University Corporation for Advanced Internet Development <http://www.ucaid.edu>Internet2 Project.
+ * Alternately, this acknowledegement may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear. Neither the name of Shibboleth nor the names of its contributors, nor Internet2, nor
+ * the University Corporation for Advanced Internet Development, Inc., nor UCAID may be used to endorse or promote
+ * products derived from this software without specific prior written permission. For written permission, please contact
+ * shibboleth@shibboleth.org Products derived from this software may not be called Shibboleth, Internet2, UCAID, or the
+ * University Corporation for Advanced Internet Development, nor may Shibboleth appear in their name, without prior
+ * written permission of the University Corporation for Advanced Internet Development. THIS SOFTWARE IS PROVIDED BY THE
+ * COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE
+ * DISCLAIMED AND THE ENTIRE RISK OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE. IN NO
+ * EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC.
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package edu.internet2.middleware.shibboleth.metadata;
public boolean getAuthnRequestsSigned();
+ public boolean wantAssertionsSigned();
+
public Endpoint[] getAssertionConsumerServiceURLs();
-}
+}
\ No newline at end of file
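Review bot: `wantAssertionsSigned()` is added to the interface without Javadoc, and since it now decides whether the IdP signs assertions at all, the contract deserves a line: `/** Returns true if this service provider's metadata asks for the assertions issued to it to be signed (the SAML 2 metadata WantAssertionsSigned flag). */`. It would also help to state what implementations should return when the metadata does not carry the flag, so that the default is a documented choice rather than an accident of each implementation. The neighbouring `getAuthnRequestsSigned()` is equally undocumented, but it is outside this change.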
public KeyDescriptor[] getKeyDescriptors() {
return (KeyDescriptor[]) keyDescriptors.toArray(new KeyDescriptor[0]);
}
+
+ public boolean wantAssertionsSigned() {
+ return false;
+ }
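Review bot: The new `wantAssertionsSigned()` in the XML metadata implementation is a hardcoded `return false;`, and because this commit also removes the `signAuthAssertions`/`signAttrAssertions` configuration attributes, the SP's metadata is now the only switch that can turn assertion signing on — so with this stub no assertion is ever signed, whatever the metadata says. If the parsed SPSSODescriptor element is reachable from this class, the method should return the value of its `WantAssertionsSigned` attribute (false when absent); until then the stub should be marked so it is not mistaken for deliberate policy: `// TODO: read WantAssertionsSigned from the SPSSODescriptor; returning false here disables assertion signing entirely`. The enclosing class starts outside the hunk.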
class ShibEndpoint implements Endpoint {
return new KeyInfo[]{keyInfo};
}
}
-
}
class XMLContactPerson implements ContactPerson {
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="providerId" type="xs:anyURI" use="optional"/>
<xs:attribute name="signingCredential" type="xs:string" use="optional"/>
- <xs:attribute name="AASigningCredential" type="xs:string" use="optional"/>
- <xs:attribute name="signAuthResponses" type="xs:boolean" use="optional" default="true"/>
- <xs:attribute name="signAuthAssertions" type="xs:boolean" use="optional" default="false"/>
- <xs:attribute name="signAttrAssertions" type="xs:boolean" use="optional" default="false"/>
- <xs:attribute name="signAttrResponses" type="xs:boolean" use="optional" default="false"/>
<xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
<xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
<xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
import edu.internet2.middleware.shibboleth.common.ServiceProvider;
import edu.internet2.middleware.shibboleth.xml.Parser;
-
-
/**
* Validation suite for the <code>NameMapper</code>.
*
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
+ " id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
- + " <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
- + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + " <KeyStorePath>"
+ + file.toURL().toString() + "</KeyStorePath>" + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
- + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " </NameMapping>";
+ + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
+ " id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
- + " <KeyStorePath>"+ file.toURL().toString() + "</KeyStorePath>"
- + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + " <KeyStorePath>"
+ + file.toURL().toString() + "</KeyStorePath>" + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
+ " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " <Cipher>DESede/CBC/PKCS5Padding</Cipher>"
- + " <MAC>HmacSHA1</MAC>"
- + " <KeyStoreType>JCEKS</KeyStoreType>"
- + " </NameMapping>";
+ + " <Cipher>DESede/CBC/PKCS5Padding</Cipher>" + " <MAC>HmacSHA1</MAC>"
+ + " <KeyStoreType>JCEKS</KeyStoreType>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
}
}
-
+
public void testCryptoMappingBadQualifier() {
try {
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
+ " id=\"cryptotest\" format=\"urn:mace:shibboleth:1.0:nameIdentifier\" "
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
- + " <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
- + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + " <KeyStorePath>"
+ + file.toURL().toString() + "</KeyStorePath>" + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
- + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " </NameMapping>";
+ + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
new BasicIdentityProvider("urn-x:bad"));
-
+
fail("Expected failure for bad name qualifier.");
-
+
} catch (NameIdentifierMappingException e) {
//This exception should be generated by this test
-
+
} catch (MalformedURLException e) {
fail("Error in test specification: " + e.getMessage());
-
+
} catch (Exception e) {
fail("Error exercising NameMaper: " + e.getMessage());
}
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
+ " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
- + " <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
- + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + " <KeyStorePath>"
+ + file.toURL().toString() + "</KeyStorePath>" + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
- + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " </NameMapping>";
+ + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
+ " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
- + " <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
- + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">" + " <KeyStorePath>"
+ + file.toURL().toString() + "</KeyStorePath>" + " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
- + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " </NameMapping>";
+ + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
+ "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
- + " format=\"urn-x:testNameIdentifier\""
- + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
+ + " format=\"urn-x:testNameIdentifier\"" + " type=\"CryptoHandleGenerator\" handleTTL=\"1800\">"
+ " <KeyStorePath>" + file.toURL().toString() + "</KeyStorePath>"
+ " <KeyStorePassword>shibhs</KeyStorePassword>"
+ " <KeyStoreKeyAlias>handlekey</KeyStoreKeyAlias>"
- + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>"
- + " </NameMapping>";
+ + " <KeyStoreKeyPassword>shibhs</KeyStoreKeyPassword>" + " </NameMapping>";
parser.parse(new InputSource(new StringReader(rawConfig2)));
+ "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
- + " id=\"memorytest\" "
- + " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+ + " id=\"memorytest\" " + " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+ " type=\"SharedMemoryShibHandle\" handleTTL=\"1800\"/>";
parser.parse(new InputSource(new StringReader(rawConfig)));
fail("Error exercising NameMaper: " + e.getMessage());
}
}
-
+
public void testMemoryMappingBadQualifier() {
try {
+ "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
+ " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
- + " id=\"memorytest\" "
- + " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+ + " id=\"memorytest\" " + " format=\"urn:mace:shibboleth:1.0:nameIdentifier\""
+ " type=\"SharedMemoryShibHandle\" handleTTL=\"1800\"/>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
- SAMLNameIdentifier nameId = nameMapper.getNameIdentifierName("memory", new AuthNPrincipal(
- "testprincipal"), new BasicServiceProvider(), new BasicIdentityProvider("urn-x:good"));
+ SAMLNameIdentifier nameId = nameMapper.getNameIdentifierName("memory", new AuthNPrincipal("testprincipal"),
+ new BasicServiceProvider(), new BasicIdentityProvider("urn-x:good"));
AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
new BasicIdentityProvider("urn-x:bad"));
-
+
fail("Expected failure for bad name qualifier.");
-
+
} catch (NameIdentifierMappingException e) {
//This exception should be generated by this test
-
+
} catch (MalformedURLException e) {
fail("Error in test specification: " + e.getMessage());
-
+
} catch (Exception e) {
fail("Error exercising NameMaper: " + e.getMessage());
}
String rawConfig = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
- + " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
- + " format=\"" + format + "\"" + " type=\"Principal\"/>";
+ + " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " + " format=\""
+ + format + "\"" + " type=\"Principal\"/>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
}
}
-
+
public void testPrincipalMappingBadQualifier() {
try {
String rawConfig = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ "<NameMapping xmlns=\"urn:mace:shibboleth:namemapper:1.0\""
+ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
- + " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" "
- + " format=\"" + format + "\"" + " type=\"Principal\"/>";
+ + " xsi:schemaLocation=\"urn:mace:shibboleth:namemapper:1.0 namemapper.xsd\" " + " format=\""
+ + format + "\"" + " type=\"Principal\"/>";
parser.parse(new InputSource(new StringReader(rawConfig)));
nameMapper.addNameMapping(parser.getDocument().getDocumentElement());
AuthNPrincipal principal = nameMapper.getPrincipal(nameId, new BasicServiceProvider(),
new BasicIdentityProvider("urn-x:bad"));
-
+
fail("Expected failure for bad name qualifier.");
-
+
} catch (NameIdentifierMappingException e) {
//This exception should be generated by this test
-
+
} catch (MalformedURLException e) {
fail("Error in test specification: " + e.getMessage());
-
+
} catch (Exception e) {
fail("Error exercising NameMaper: " + e.getMessage());
}
return id;
}
-
- public Credential getAuthNResponseSigningCredential() {
+ public Credential getSigningCredential() {
return null;
}
- public Credential getAuthNAssertionSigningCredential() {
+ public boolean signAuthNAssertions() {
- return null;
+ return false;
}
- public Credential getAttributeResponseSigningCredential() {
+ public boolean signAuthNResponses() {
- return null;
+ return false;
}
- public Credential getAttributeAssertionSigningCredential() {
+ public boolean signAttributeAssertions() {
- return null;
+ return false;
+ }
+
+ public boolean signAttributeResponses() {
+
+ return false;
}
}
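Review bot: The four `signAuthNAssertions()`/`signAuthNResponses()`/`signAttributeAssertions()`/`signAttributeResponses()` methods added here do not correspond to anything on the `IdentityProvider` interface as rewritten in this commit, which now declares only `getProviderId()` and `getSigningCredential()`. Unless they implement another interface not shown in the diff, they are dead stubs and can be dropped along with the old per-type credential getters they replace; if they are meant to be the new per-message switches, the interface needs to declare them and `addSignatures` should consult them. Either way a one-line comment on each, or an `@see` reference like the ones the `RelyingPartyIdentityProvider` methods carry, would make the intent clear. The enclosing class starts before this hunk.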