Code cleanup: removed some Shibboleth 1.1 compatibility code.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 24 May 2006 20:31:39 +0000 (20:31 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Wed, 24 May 2006 20:31:39 +0000 (20:31 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1946 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/idp/provider/SAMLv1_AttributeQueryHandler.java
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java

index def7739..3016def 100644 (file)
@@ -52,12 +52,6 @@ public interface RelyingParty extends ServiceProvider {
        public String[] getNameMapperIds();
 
        /**
        public String[] getNameMapperIds();
 
        /**
-        * Returns a boolean indication of whether this {@link RelyingParty}is running &lt;= Shibboleth v1.1. Used to
-        * ensure backward compatibility.
-        */
-       public boolean isLegacyProvider();
-
-       /**
         * Returns the location of the Shibboleth Attribute Authority that should answer requests for this
         * {@link RelyingParty}.
         * 
         * Returns the location of the Shibboleth Attribute Authority that should answer requests for this
         * {@link RelyingParty}.
         * 
index 50f55b4..bb0aed8 100644 (file)
@@ -138,8 +138,7 @@ public class ServiceProviderMapper {
                                        if (relyingParties.containsKey(parent.getName())) {
                                                log.info("Found matching Relying Party for group (" + parent.getName() + ").");
                                                return (RelyingParty) relyingParties.get(parent.getName());
                                        if (relyingParties.containsKey(parent.getName())) {
                                                log.info("Found matching Relying Party for group (" + parent.getName() + ").");
                                                return (RelyingParty) relyingParties.get(parent.getName());
-                                       }
-                                       else {
+                                       } else {
                                                log.debug("Provider is a member of group (" + parent.getName()
                                                                + "), but no matching Relying Party was found.");
                                        }
                                                log.debug("Provider is a member of group (" + parent.getName()
                                                                + "), but no matching Relying Party was found.");
                                        }
@@ -163,17 +162,6 @@ public class ServiceProviderMapper {
        }
 
        /**
        }
 
        /**
-        * Returns the relying party for a legacy provider(the default)
-        */
-       public RelyingParty getLegacyRelyingParty() {
-
-               RelyingParty relyingParty = getDefaultRelyingParty();
-               log.info("Request is from legacy shib SP.  Selecting default Relying Party: (" + relyingParty.getName() + ").");
-               return new LegacyWrapper((RelyingParty) relyingParty);
-
-       }
-
-       /**
         * Returns the appropriate relying party for the supplied service provider id.
         */
        public RelyingParty getRelyingParty(String providerIdFromSP) {
         * Returns the appropriate relying party for the supplied service provider id.
         */
        public RelyingParty getRelyingParty(String providerIdFromSP) {
@@ -296,7 +284,7 @@ public class ServiceProviderMapper {
                        } else {
                                log.debug("Relying party defaults to multiple assertions when pushing attributes.");
                        }
                        } else {
                                log.debug("Relying party defaults to multiple assertions when pushing attributes.");
                        }
-                       
+
                        // Relying Party wants assertions signed?
                        attribute = ((Element) partyConfig).getAttribute("signAssertions");
                        if (attribute != null && !attribute.equals("")) {
                        // Relying Party wants assertions signed?
                        attribute = ((Element) partyConfig).getAttribute("signAssertions");
                        if (attribute != null && !attribute.equals("")) {
@@ -418,11 +406,6 @@ public class ServiceProviderMapper {
                        return identityProvider;
                }
 
                        return identityProvider;
                }
 
-               public boolean isLegacyProvider() {
-
-                       return false;
-               }
-
                public String[] getNameMapperIds() {
 
                        return (String[]) mappingIds.toArray(new String[0]);
                public String[] getNameMapperIds() {
 
                        return (String[]) mappingIds.toArray(new String[0]);
@@ -466,9 +449,10 @@ public class ServiceProviderMapper {
                }
 
                public boolean singleAssertion() {
                }
 
                public boolean singleAssertion() {
+
                        return singleAssertion;
                }
                        return singleAssertion;
                }
-               
+
                public boolean defaultToPOSTProfile() {
 
                        return defaultToPOST;
                public boolean defaultToPOSTProfile() {
 
                        return defaultToPOST;
@@ -549,11 +533,6 @@ public class ServiceProviderMapper {
                        return wrapped.getName();
                }
 
                        return wrapped.getName();
                }
 
-               public boolean isLegacyProvider() {
-
-                       return false;
-               }
-
                public IdentityProvider getIdentityProvider() {
 
                        return wrapped.getIdentityProvider();
                public IdentityProvider getIdentityProvider() {
 
                        return wrapped.getIdentityProvider();
@@ -595,10 +574,10 @@ public class ServiceProviderMapper {
                }
 
                public boolean singleAssertion() {
                }
 
                public boolean singleAssertion() {
-                       
+
                        return wrapped.singleAssertion();
                }
                        return wrapped.singleAssertion();
                }
-               
+
                public boolean defaultToPOSTProfile() {
 
                        return wrapped.defaultToPOSTProfile();
                public boolean defaultToPOSTProfile() {
 
                        return wrapped.defaultToPOSTProfile();
@@ -661,11 +640,6 @@ public class ServiceProviderMapper {
                        return wrapped.getNameMapperIds();
                }
 
                        return wrapped.getNameMapperIds();
                }
 
-               public boolean isLegacyProvider() {
-
-                       return wrapped.isLegacyProvider();
-               }
-
                public URL getAAUrl() {
 
                        return wrapped.getAAUrl();
                public URL getAAUrl() {
 
                        return wrapped.getAAUrl();
@@ -692,10 +666,10 @@ public class ServiceProviderMapper {
                }
 
                public boolean singleAssertion() {
                }
 
                public boolean singleAssertion() {
-                       
+
                        return false;
                }
                        return false;
                }
-               
+
                public boolean defaultToPOSTProfile() {
 
                        return true;
                public boolean defaultToPOSTProfile() {
 
                        return true;
@@ -723,39 +697,6 @@ public class ServiceProviderMapper {
        }
 
        /**
        }
 
        /**
-        * Relying party wrapper for Shibboleth &lt;=1.1 service providers.
-        * 
-        * @author Walter Hoehn
-        */
-       class LegacyWrapper extends UnknownProviderWrapper implements RelyingParty {
-
-               LegacyWrapper(RelyingParty wrapped) {
-
-                       super(wrapped, null);
-               }
-
-               public boolean isLegacyProvider() {
-
-                       return true;
-               }
-
-               public String[] getNameMapperIds() {
-
-                       return ((RelyingParty) wrapped).getNameMapperIds();
-               }
-
-               public URL getAAUrl() {
-
-                       return ((RelyingParty) wrapped).getAAUrl();
-               }
-
-               public URI getDefaultAuthMethod() {
-
-                       return ((RelyingParty) wrapped).getDefaultAuthMethod();
-               }
-       }
-
-       /**
         * Relying party wrapper for providers for which we have no metadata
         * 
         * @author Walter Hoehn
         * Relying party wrapper for providers for which we have no metadata
         * 
         * @author Walter Hoehn
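Review bot: With `getLegacyRelyingParty()` deleted in this section, `getRelyingParty(String providerIdFromSP)` (the signature visible at the end of that hunk) is the only selection path left, and the SSO handler in the same commit calls it with a null argument when no metadata exists for a provider, yet its Javadoc only says it returns the party for "the supplied service provider id". I would state the contract explicitly, along the lines of `/** Returns the relying party configured for the supplied provider id. A null or unrecognised id is expected to fall back to the default relying party, presumably through the no-metadata wrapper below — confirm against the body. */`, adjusted to what the body actually does, since the body lies outside this hunk. The unknown-id case matters for review because the wrapper chosen there fixes profile defaults such as `singleAssertion()` and `defaultToPOSTProfile()` for SPs the IdP has never seen.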
index eaeb2cd..2d73577 100644 (file)
@@ -182,17 +182,14 @@ public class SAMLv1_AttributeQueryHandler extends BaseServiceHandler implements
 
                // Fail if we can't honor SAML Subject Confirmation unless the only one supplied is
                // bearer, in which case this is probably a Shib 1.1 query, and we'll let it slide for now.
 
                // Fail if we can't honor SAML Subject Confirmation unless the only one supplied is
                // bearer, in which case this is probably a Shib 1.1 query, and we'll let it slide for now.
-               // TODO: remove the compatibility with 1.1 and be strict about this?
                boolean hasConfirmationMethod = false;
                boolean hasConfirmationMethod = false;
-               boolean hasOnlyBearer = true;
                Iterator iterator = attributeQuery.getSubject().getConfirmationMethods();
                while (iterator.hasNext()) {
                        String method = (String) iterator.next();
                        log.info("Request contains SAML Subject Confirmation method: (" + method + ").");
                        hasConfirmationMethod = true;
                Iterator iterator = attributeQuery.getSubject().getConfirmationMethods();
                while (iterator.hasNext()) {
                        String method = (String) iterator.next();
                        log.info("Request contains SAML Subject Confirmation method: (" + method + ").");
                        hasConfirmationMethod = true;
-                       if (!method.equals(SAMLSubject.CONF_BEARER)) hasOnlyBearer = false;
                }
                }
-               if (hasConfirmationMethod && !hasOnlyBearer) { throw new SAMLException(SAMLException.REQUESTER,
+               if (hasConfirmationMethod) { throw new SAMLException(SAMLException.REQUESTER,
                                "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s)."); }
 
                // Map Subject to local principal
                                "This SAML authority cannot honor requests containing the supplied SAML Subject Confirmation Method(s)."); }
 
                // Map Subject to local principal
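Review bot: The comment directly above the loop still says a query whose only confirmation method is bearer is "let slide" as a probable Shib 1.1 query, but the rewritten condition `if (hasConfirmationMethod) { throw ...` rejects the query as soon as any method is present, so the comment now documents the opposite of the code. Replace those two comment lines with `// Reject any query whose Subject carries a SubjectConfirmation: this authority honors none of the methods, and the former bearer-only exemption for Shib 1.1 queries has been removed.` so an operator debugging a newly failing 1.1 SP finds the reason here. The loop can then shrink to `if (attributeQuery.getSubject().getConfirmationMethods().hasNext())` if the per-method log line is not needed; if it is kept, bear in mind the logged method string is request-controlled and written unescaped at INFO. The enclosing method begins before this hunk.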
index c9d0a4e..4b5b0c0 100644 (file)
@@ -31,7 +31,6 @@ import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.xml.namespace.QName;
 
 import org.apache.log4j.Logger;
 import org.bouncycastle.util.encoders.Base64;
 
 import org.apache.log4j.Logger;
 import org.bouncycastle.util.encoders.Base64;
@@ -41,7 +40,6 @@ import org.opensaml.SAMLAttributeStatement;
 import org.opensaml.SAMLAudienceRestrictionCondition;
 import org.opensaml.SAMLAuthenticationStatement;
 import org.opensaml.SAMLAuthorityBinding;
 import org.opensaml.SAMLAudienceRestrictionCondition;
 import org.opensaml.SAMLAuthenticationStatement;
 import org.opensaml.SAMLAuthorityBinding;
-import org.opensaml.SAMLBinding;
 import org.opensaml.SAMLBrowserProfile;
 import org.opensaml.SAMLCondition;
 import org.opensaml.SAMLException;
 import org.opensaml.SAMLBrowserProfile;
 import org.opensaml.SAMLCondition;
 import org.opensaml.SAMLException;
@@ -68,7 +66,7 @@ import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
  * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
 
 /**
  * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
- * Protocols and Profiles". Includes a compatibility mode for dealing with Shibboleth v1.1 SPs.
+ * Protocols and Profiles".
  * 
  * @author Walter Hoehn
  */
  * 
  * @author Walter Hoehn
  */
@@ -118,10 +116,8 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        String remoteProviderId = request.getParameter("providerId");
                        // If the SP did not send a Provider Id, then assume it is a Shib
                        // 1.1 or older SP
                        String remoteProviderId = request.getParameter("providerId");
                        // If the SP did not send a Provider Id, then assume it is a Shib
                        // 1.1 or older SP
-                       if (remoteProviderId == null) {
-                               relyingParty = support.getServiceProviderMapper().getLegacyRelyingParty();
-                       } else if (remoteProviderId.equals("")) {
-                               throw new InvalidClientDataException("Invalid service provider id.");
+                       if (remoteProviderId == null || remoteProviderId.equals("")) {
+                               throw new InvalidClientDataException("Invalid or missing service provider id.");
                        } else {
                                log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
                                relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
                        } else {
                                log.debug("Remote provider has identified itself as: (" + remoteProviderId + ").");
                                relyingParty = support.getServiceProviderMapper().getRelyingParty(remoteProviderId);
@@ -133,20 +129,18 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        // Make sure that the selected relying party configuration is appropriate for this
                        // acceptance URL
                        String acceptanceURL = request.getParameter("shire");
                        // Make sure that the selected relying party configuration is appropriate for this
                        // acceptance URL
                        String acceptanceURL = request.getParameter("shire");
-                       if (!relyingParty.isLegacyProvider()) {
 
 
-                               if (descriptor == null) {
-                                       log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
-                                       relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
+                       if (descriptor == null) {
+                               log.info("No metadata found for provider: (" + relyingParty.getProviderId() + ").");
+                               relyingParty = support.getServiceProviderMapper().getRelyingParty(null);
 
 
+                       } else {
+                               if (isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
+                                       log.info("Supplied consumer URL validated for this provider.");
                                } else {
                                } else {
-                                       if (isValidAssertionConsumerURL(descriptor, acceptanceURL)) {
-                                               log.info("Supplied consumer URL validated for this provider.");
-                                       } else {
-                                               log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
-                                                               + relyingParty.getProviderId() + ").");
-                                               throw new InvalidClientDataException("Invalid assertion consumer service URL.");
-                                       }
+                                       log.error("Assertion consumer service URL (" + acceptanceURL + ") is NOT valid for provider ("
+                                                       + relyingParty.getProviderId() + ").");
+                                       throw new InvalidClientDataException("Invalid assertion consumer service URL.");
                                }
                        }
 
                                }
                        }
 
@@ -174,7 +168,7 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                        boolean artifactProfile = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
 
                        // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
                        boolean artifactProfile = useArtifactProfile(descriptor, acceptanceURL, relyingParty);
 
                        // SAML Artifact profile - don't even attempt this for legacy providers (they don't support it)
-                       if (!relyingParty.isLegacyProvider() && artifactProfile) {
+                       if (artifactProfile) {
                                respondWithArtifact(request, response, support, principal, relyingParty, descriptor, acceptanceURL,
                                                nameId, authenticationMethod, authNSubject);
 
                                respondWithArtifact(request, response, support, principal, relyingParty, descriptor, acceptanceURL,
                                                nameId, authenticationMethod, authNSubject);
 
@@ -202,7 +196,7 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                                getAuthNTime(request), authNSubject));
 
                // Package attributes for push, if necessary.
                                getAuthNTime(request), authNSubject));
 
                // Package attributes for push, if necessary.
-               if (!relyingParty.isLegacyProvider() && pushAttributes(true, relyingParty)) {
+               if (pushAttributes(true, relyingParty)) {
                        log.info("Resolving attributes for push.");
                        generateAttributes(support, principal, relyingParty, assertions, request);
                }
                        log.info("Resolving attributes for push.");
                        generateAttributes(support, principal, relyingParty, assertions, request);
                }
@@ -286,7 +280,7 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                                getAuthNTime(request), authNSubject));
 
                // Package attributes for push, if necessary.
                                getAuthNTime(request), authNSubject));
 
                // Package attributes for push, if necessary.
-               if (!relyingParty.isLegacyProvider() && pushAttributes(pushAttributeDefault, relyingParty)) {
+               if (pushAttributes(pushAttributeDefault, relyingParty)) {
                        log.info("Resolving attributes for push.");
                        generateAttributes(support, principal, relyingParty, assertions, request);
                }
                        log.info("Resolving attributes for push.");
                        generateAttributes(support, principal, relyingParty, assertions, request);
                }
@@ -316,19 +310,11 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                createPOSTForm(request, response, samlResponse.toBase64());
 
                // Make transaction log entry
                createPOSTForm(request, response, samlResponse.toBase64());
 
                // Make transaction log entry
-               if (relyingParty.isLegacyProvider()) {
-                       support.getTransactionLog().info(
-                                       "Authentication assertion issued to legacy provider (SHIRE: " + request.getParameter("shire")
-                                                       + ") on behalf of principal (" + principal.getName() + ") for resource ("
-                                                       + request.getParameter("target") + "). Name Identifier: (" + nameId.getName()
-                                                       + "). Name Identifier Format: (" + nameId.getFormat() + ").");
+               support.getTransactionLog().info(
+                               "Authentication assertion issued to provider (" + relyingParty.getProviderId()
+                                               + ") on behalf of principal (" + principal.getName() + "). Name Identifier: ("
+                                               + nameId.getName() + "). Name Identifier Format: (" + nameId.getFormat() + ").");
 
 
-               } else {
-                       support.getTransactionLog().info(
-                                       "Authentication assertion issued to provider (" + relyingParty.getProviderId()
-                                                       + ") on behalf of principal (" + principal.getName() + "). Name Identifier: ("
-                                                       + nameId.getName() + "). Name Identifier Format: (" + nameId.getFormat() + ").");
-               }
        }
 
        private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
        }
 
        private void generateAttributes(IdPProtocolSupport support, LocalPrincipal principal, RelyingParty relyingParty,
@@ -424,30 +410,9 @@ public class ShibbolethV1SSOHandler extends SSOHandler implements IdPProtocolHan
                }
 
                // Determine the correct issuer
                }
 
                // Determine the correct issuer
-               String issuer = null;
-               if (relyingParty.isLegacyProvider()) {
-
-                       log.debug("Service Provider is running Shibboleth <= 1.1. Using old style issuer.");
-                       if (relyingParty.getIdentityProvider().getSigningCredential() == null
-                                       || relyingParty.getIdentityProvider().getSigningCredential().getX509Certificate() == null) { throw new SAMLException(
-                                       "Cannot serve legacy style assertions without an X509 certificate"); }
-                       issuer = getHostNameFromDN(relyingParty.getIdentityProvider().getSigningCredential().getX509Certificate()
-                                       .getSubjectX500Principal());
-                       if (issuer == null || issuer.equals("")) { throw new SAMLException(
-                                       "Error parsing certificate DN while determining legacy issuer name."); }
+               String issuer = relyingParty.getIdentityProvider().getProviderId();
 
 
-               } else {
-                       issuer = relyingParty.getIdentityProvider().getProviderId();
-               }
-
-               // For compatibility with pre-1.2 shibboleth targets, include a pointer to the AA
                ArrayList<SAMLAuthorityBinding> bindings = new ArrayList<SAMLAuthorityBinding>();
                ArrayList<SAMLAuthorityBinding> bindings = new ArrayList<SAMLAuthorityBinding>();
-               if (relyingParty.isLegacyProvider()) {
-
-                       SAMLAuthorityBinding binding = new SAMLAuthorityBinding(SAMLBinding.SOAP, relyingParty.getAAUrl()
-                                       .toString(), new QName(org.opensaml.XML.SAMLP_NS, "AttributeQuery"));
-                       bindings.add(binding);
-               }
 
                // Create the assertion
                Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
 
                // Create the assertion
                Vector<SAMLCondition> conditions = new Vector<SAMLCondition>(1);
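Review bot: In the acceptance-URL hunk, when `descriptor == null` the handler swaps in `getRelyingParty(null)` and carries on, while `isValidAssertionConsumerURL` runs only in the else branch — so for an SP with no metadata the request-supplied `shire` is never checked and the assertion built later is posted to whatever endpoint the requester named. That was already the non-legacy behaviour before this commit, but now that the legacy branch is gone it is the sole path for unknown SPs, and the choice should be explicit: either fail closed with `throw new InvalidClientDataException("No metadata for provider; cannot validate assertion consumer service URL.");` or, if unknown providers are intentionally supported, mark the branch with `// NOTE: no metadata, so the caller-supplied shire cannot be validated; the assertion is delivered to an unverified URL`. Two comments left behind are also stale: the one above the providerId check still says a missing id means a Shib 1.1-or-older SP although the new code rejects it, and the artifact-profile comment still talks about skipping legacy providers. The enclosing method and the assignment of `descriptor` lie outside the hunk, as does whatever consumes the now always-empty `bindings` list in the last hunk, which looks like it can be removed once that consumer is checked.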