Profile defaults for attribute push can now be overridden per Relying Party.
authorwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 18 Mar 2005 20:16:51 +0000 (20:16 +0000)
committerwassa <wassa@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Fri, 18 Mar 2005 20:16:51 +0000 (20:16 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@1316 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
src/schemas/shibboleth-idpconfig-1.0.xsd

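--- a/src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
+++ b/src/edu/internet2/middleware/shibboleth/common/RelyingParty.java
@@ -37,8 +37,8 @@ import java.net.URL;
 public interface RelyingParty extends ServiceProvider {
 
        /**
-        * Returns the name of the relying party. If the relying party is a Shibboleth SP (not a group), this
-        * function returns the same thing as {@link #getProviderId}.
+        * Returns the name of the relying party. If the relying party is a Shibboleth SP (not a group), this function
+        * returns the same thing as {@link #getProviderId}.
         * 
         * @return name of the relying party
         */
@@ -85,4 +85,16 @@ public interface RelyingParty extends ServiceProvider {
         * A boolean indication of whether internal errors should be transmitted to this {@link RelyingParty}
         */
        public boolean passThruErrors();
+
+       /**
+        * A boolean indication of whether attributes should be pushed without regard for the profile (POST vs. Artifact).
+        * This should be be mutually exclusive with forceAttributeNoPush().
+        */
+       public boolean forceAttributePush();
+
+       /**
+        * A boolean indication of whether attributes should be NOT pushed without regard for the profile (POST vs.
+        * Artifact).
+        */
+       public boolean forceAttributeNoPush();
 }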
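Review bot: The Javadoc on forceAttributePush() has a doubled word and the companion forceAttributeNoPush() does not state the same constraint, so the contract reads one-sided; `* This should be mutually exclusive with forceAttributeNoPush().` on the first and a matching sentence pointing back on the second would make it symmetric. Since the interface is the only place callers see the contract, each comment should also say what an implementation returns when the configuration sets both flags, which is otherwise left to whichever implementation the caller happens to get.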
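--- a/src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
+++ b/src/edu/internet2/middleware/shibboleth/common/ServiceProviderMapper.java
@@ -73,8 +73,9 @@ public class ServiceProviderMapper {
                verifyDefaultParty(configuration);
 
        }
-       
+
        public void setMetadata(Metadata metadata) {
+
                this.metaData = metadata;
        }
 
@@ -135,7 +136,7 @@ public class ServiceProviderMapper {
        private RelyingParty findRelyingPartyByGroup(String providerIdFromTarget) {
 
                if (metaData == null) { return null; }
-               
+
                EntityDescriptor provider = metaData.lookup(providerIdFromTarget);
                if (provider != null) {
                        EntitiesDescriptor parent = provider.getEntitiesDescriptor();
@@ -222,6 +223,8 @@ public class ServiceProviderMapper {
                private IdPConfig configuration;
                private boolean overridenPassThruErrors = false;
                private boolean passThruIsOverriden = false;
+               private boolean forceAttributePush = false;
+               private boolean forceAttributeNoPush = false;
 
                public RelyingPartyImpl(Element partyConfig, IdPConfig globalConfig, Credentials credentials,
                                NameMapper nameMapper) throws ServiceProviderMapperException {
@@ -272,6 +275,21 @@ public class ServiceProviderMapper {
                                passThruIsOverriden = true;
                        }
 
+                       // Determine whether or not we are forcing attribute push on or off
+                       String forcePush = ((Element) partyConfig).getAttribute("forceAttributePush");
+                       String forceNoPush = ((Element) partyConfig).getAttribute("forceAttributeNoPush");
+
+                       if (forcePush != null && Boolean.valueOf(forcePush).booleanValue() && forceNoPush != null
+                                       && Boolean.valueOf(forceNoPush).booleanValue()) {
+                               log.error("Invalid configuration:  Attribute push is forced to ON and OFF for this relying "
+                                               + "party.  Turning off forcing in favor of profile defaults.");
+                       } else {
+                               forceAttributePush = Boolean.valueOf(forcePush).booleanValue();
+                               forceAttributeNoPush = Boolean.valueOf(forceNoPush).booleanValue();
+                               log.debug("Attribute push forcing is set to (" + forceAttributePush + ").");
+                               log.debug("No attribute push forcing is set to (" + forceAttributeNoPush + ").");
+                       }
+
                        // Load and verify the name format that the HS should use in
                        // assertions for this RelyingParty
                        NodeList hsNameFormats = ((Element) partyConfig).getElementsByTagNameNS(IdPConfig.configNameSpace,
@@ -378,6 +396,16 @@ public class ServiceProviderMapper {
                        }
                }
 
+               public boolean forceAttributePush() {
+
+                       return forceAttributePush;
+               }
+
+               public boolean forceAttributeNoPush() {
+
+                       return forceAttributeNoPush;
+               }
+
                /**
                 * Default identity provider implementation.
                 * 
@@ -467,6 +495,16 @@ public class ServiceProviderMapper {
 
                        return wrapped.passThruErrors();
                }
+
+               public boolean forceAttributePush() {
+
+                       return wrapped.forceAttributePush();
+               }
+
+               public boolean forceAttributeNoPush() {
+
+                       return wrapped.forceAttributeNoPush();
+               }
        }
 
        /**
@@ -524,6 +562,16 @@ public class ServiceProviderMapper {
 
                        return wrapped.passThruErrors();
                }
+
+               public boolean forceAttributePush() {
+
+                       return false;
+               }
+
+               public boolean forceAttributeNoPush() {
+
+                       return false;
+               }
        }
 
        /**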
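Review bot: In the constructor hunk (@@ -272,6 +275,21 @@) a relying party that sets both forceAttributePush and forceAttributeNoPush is only logged at error level and then silently falls back to profile defaults, although the constructor already declares ServiceProviderMapperException for other configuration errors; failing fast with `throw new ServiceProviderMapperException("Invalid configuration: attribute push is forced to ON and OFF for this relying party.");` would keep a contradictory attribute-release setting from going unnoticed in a running deployment. The `!= null` guards in that condition are dead code, since org.w3c.dom.Element.getAttribute returns the empty string rather than null for an absent attribute, so `Boolean.valueOf(forcePush).booleanValue()` alone suffices (or Boolean.parseBoolean if the build targets Java 5 or later). The constructor body continues outside the hunk. The three accessor pairs added later in the section (@@ -378, @@ -467, @@ -524) carry no Javadoc even though the interface methods they implement do; a `/** @see RelyingParty#forceAttributePush() */` on each would match the documented methods around them.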
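--- a/src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
+++ b/src/edu/internet2/middleware/shibboleth/idp/provider/ShibbolethV1SSOHandler.java
@@ -76,6 +76,9 @@ import edu.internet2.middleware.shibboleth.metadata.EntityDescriptor;
 import edu.internet2.middleware.shibboleth.metadata.SPSSODescriptor;
 
 /**
+ * <code>ProtocolHandler</code> implementation that responds to SSO flows as specified in "Shibboleth Architecture:
+ * Protocols and Profiles". Includes a compatibility mode for dealing with Shibboleth v1.1 SPs.
+ * 
  * @author Walter Hoehn
  */
 public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHandler {
@@ -187,7 +190,7 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
 
                        // Package attributes for push, if necessary - don't attempt this for legacy providers (they don't support
                        // it)
-                       if (!relyingParty.isLegacyProvider() && pushAttributes(artifactProfile)) {
+                       if (!relyingParty.isLegacyProvider() && pushAttributes(artifactProfile, relyingParty)) {
                                log.info("Resolving attributes for push.");
                                SAMLAssertion attrAssertion = generateAttributeAssertion(support, principal, relyingParty, authNSubject);
                                if (attrAssertion != null) {
@@ -451,6 +454,9 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                rd.forward(req, res);
        }
 
+       /**
+        * Boolean indication of which browser profile is in effect. "true" indicates Artifact and "false" indicates POST.
+        */
        private static boolean useArtifactProfile(EntityDescriptor provider, String acceptanceURL) {
 
                // TODO this logic needs to be updated
@@ -475,13 +481,28 @@ public class ShibbolethV1SSOHandler extends BaseHandler implements IdPProtocolHa
                return false;
        }
 
-       private static boolean pushAttributes(boolean artifactProfile) {
+       /**
+        * Boolean indication of whether an assertion containing an attribute statement should be bundled in the response
+        * with the assertion containing the AuthN statement.
+        */
+       private static boolean pushAttributes(boolean artifactProfile, RelyingParty relyingParty) {
 
-               if (artifactProfile) { return true; }
-               // TODO implement overrides
-               return false;
+               // By default push for Artifact and don't push for POST
+               // This can be overriden at the level of the relying party
+               if (relyingParty.forceAttributePush()) {
+                       return true;
+               } else if (relyingParty.forceAttributeNoPush()) {
+                       return false;
+               } else if (artifactProfile) {
+                       return true;
+               } else {
+                       return false;
+               }
        }
 
+       /**
+        * Boolean indication of whethere or not a given assertion consumer URL is valid for a given SP.
+        */
        private static boolean isValidAssertionConsumerURL(EntityDescriptor provider, String shireURL)
                        throws InvalidClientDataException {
 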
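Review bot: In the pushAttributes hunk (@@ -475,13 +481,28 @@) the last two branches only echo the boolean, so `} else { return artifactProfile; }` after the forceAttributeNoPush check says the same thing in one line and keeps the override-then-default order readable. The new Javadoc on pushAttributes would be more useful if it named that order, for example `Relying-party overrides (forceAttributePush, forceAttributeNoPush) take precedence over the profile default of pushing only for Artifact.`, since a reader of the callers cannot otherwise tell which setting wins. The Javadoc added above isValidAssertionConsumerURL has a typo, `whethere` for `whether`.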
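--- a/src/schemas/shibboleth-idpconfig-1.0.xsd
+++ b/src/schemas/shibboleth-idpconfig-1.0.xsd
@@ -58,6 +58,8 @@
                                                        <xs:attribute name="signingCredential" type="xs:string" use="optional"/>
                                                        <xs:attribute name="AAUrl" type="xs:anyURI" use="optional"/>
                                                        <xs:attribute name="passThruErrors" type="xs:boolean" use="optional"/>
+                                                       <xs:attribute name="forceAttributePush" type="xs:boolean" use="optional"/>
+                                                       <xs:attribute name="forceAttributeNoPush" type="xs:boolean" use="optional"/>
                                                        <xs:attribute name="defaultAuthMethod" type="xs:string" use="optional"/>
                                                </xs:complexType>
                                        </xs:element>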
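Review bot: The two new attributes are meant to be mutually exclusive but nothing in the schema says so, and XML Schema 1.0 cannot express that constraint, so a deployer reading the xsd gets no hint that setting both is rejected elsewhere. An `<xs:annotation><xs:documentation>` on each attribute stating that it must not be combined with the other, and that the profile default applies when neither is set, would document the rule at the point where configurations are written.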