--- /dev/null
+/*
+ * The OpenSAML License, Version 1.
+ * Copyright (c) 2002
+ * University Corporation for Advanced Internet Development, Inc.
+ * All rights reserved
+ *
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution, if any, must include
+ * the following acknowledgment: "This product includes software developed by
+ * the University Corporation for Advanced Internet Development
+ * <http://www.ucaid.edu>Internet2 Project. Alternately, this acknowledegement
+ * may appear in the software itself, if and wherever such third-party
+ * acknowledgments normally appear.
+ *
+ * Neither the name of OpenSAML nor the names of its contributors, nor
+ * Internet2, nor the University Corporation for Advanced Internet Development,
+ * Inc., nor UCAID may be used to endorse or promote products derived from this
+ * software without specific prior written permission. For written permission,
+ * please contact opensaml@opensaml.org
+ *
+ * Products derived from this software may not be called OpenSAML, Internet2,
+ * UCAID, or the University Corporation for Advanced Internet Development, nor
+ * may OpenSAML appear in their name, without prior written permission of the
+ * University Corporation for Advanced Internet Development.
+ *
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND WITH ALL FAULTS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+ * PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND THE ENTIRE RISK
+ * OF SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH LICENSEE.
+ * IN NO EVENT SHALL THE COPYRIGHT OWNER, CONTRIBUTORS OR THE UNIVERSITY
+ * CORPORATION FOR ADVANCED INTERNET DEVELOPMENT, INC. BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ package edu.internet2.middleware.shibboleth.common;
+
+/**
+ * Signals that an error occurred while creating or using an <code>OriginSiteMapper</code>
+ *
+ * @author Walter Hoehn wassa@columbia.edu
+ *
+ */
+public class OriginSiteMapperException extends Exception {
+
+ public OriginSiteMapperException(String message) {
+ super(message);
+ }
+
+}
+
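Review bot: OriginSiteMapperException only offers a `(String message)` constructor, so the callers this commit adds in XMLOriginSiteMapper can only fold the underlying exception into the message text (`+ sigE`, `+ e.getMessage()`) and the original stack trace is lost. If the target JDK is 1.4 or later, add `public OriginSiteMapperException(String message, Throwable cause) { super(message, cause); }` so the SAXException, IOException or signature failure can be passed through as the cause and logged in full by the servlet. The class Javadoc sentence is also missing its terminating period.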
package edu.internet2.middleware.shibboleth.shire;
-import edu.internet2.middleware.shibboleth.common.*;
-
-import java.io.*;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.io.PrintWriter;
import java.security.Key;
import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
-import java.text.*;
-import javax.servlet.*;
-import javax.servlet.http.*;
-import org.doomdark.uuid.*;
-import org.opensaml.*;
+import java.security.cert.CertificateException;
+
+import javax.servlet.ServletException;
+import javax.servlet.UnavailableException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpUtils;
+
+import org.apache.log4j.Logger;
+import org.doomdark.uuid.UUIDGenerator;
+import org.opensaml.SAMLAuthenticationStatement;
+import org.opensaml.SAMLAuthorityBinding;
+import org.opensaml.SAMLException;
+import org.opensaml.SAMLResponse;
+
+import edu.internet2.middleware.shibboleth.common.Constants;
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapperException;
+import edu.internet2.middleware.shibboleth.common.ShibPOSTProfile;
+import edu.internet2.middleware.shibboleth.common.ShibPOSTProfileFactory;
/**
* Implements a SAML POST profile consumer
*/
public class ShireServlet extends HttpServlet
{
- private String shireLocation = null;
- private String cookieName = null;
- private String cookieDomain = null;
- private String sessionDir = null;
+
+ private String shireLocation;
+ private String cookieName;
+ private String cookieDomain;
+ private String sessionDir;
+ private String keyStorePath;
+ private String keyStorePasswd;
+ private String keyStoreAlias;
+ private String registryURI;
private boolean sslOnly = true;
private boolean checkAddress = true;
private boolean verbose = false;
+
+
private XMLOriginSiteMapper mapper = null;
+ private static Logger log = Logger.getLogger(ShireServlet.class.getName());
+
private static void HTMLFormat(PrintWriter pw, String buf)
{
* <DD> Verbosity of redirection response</DD>
* </DL>
*
- *
- * @exception ServletException Raised if the servlet cannot be initialized
*/
public void init()
throws ServletException
{
+ super.init();
+ log.info("Initializing SHIRE.");
+
edu.internet2.middleware.shibboleth.common.Init.init();
- ServletConfig conf = getServletConfig();
-
- shireLocation = conf.getInitParameter("shire-location");
- cookieDomain = conf.getInitParameter("cookie-domain");
-
- cookieName = conf.getInitParameter("cookie-name");
- if (cookieName == null)
- throw new ServletException("ShireServlet.init() missing init parameter: cookie-name");
-
- sessionDir = conf.getInitParameter("session-dir");
- if (sessionDir == null)
- sessionDir = "/tmp";
-
- String temp = conf.getInitParameter("ssl-only");
- if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
- sslOnly = false;
+ loadInitParams();
+ verifyConfig();
- temp = conf.getInitParameter("check-address");
- if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
- checkAddress = false;
-
- temp = conf.getInitParameter("verbose");
- if (temp != null && (temp.equalsIgnoreCase("true") || temp.equals("1")))
- verbose = true;
-
- try
- {
+ log.info("Loading keystore.");
+ try {
Key k = null;
KeyStore ks = KeyStore.getInstance("JKS");
- ks.load(conf.getServletContext().getResourceAsStream(conf.getInitParameter("keystore-path")),
- conf.getInitParameter("keystore-password").toCharArray());
- if (conf.getInitParameter("keystore-alias") != null)
+ ks.load(getServletContext().getResourceAsStream(keyStorePath), keyStorePasswd.toCharArray());
+
+ if (keyStoreAlias != null)
{
- Certificate cert = ks.getCertificate(conf.getInitParameter("keystore-alias"));
- if (cert == null || (k = cert.getPublicKey()) == null)
- throw new ServletException("ShireServlet.init() unable to find registry verification certificate/key");
+ Certificate cert;
+ cert = ks.getCertificate(keyStoreAlias);
+
+ if (cert == null || (k = cert.getPublicKey()) == null) {
+ log.fatal("Unable to load registry verification certificate (" +keyStoreAlias +") from keystore");
+ throw new UnavailableException("Unable to load registry verification certificate (" +keyStoreAlias +") from keystore");
+ }
}
- mapper = new XMLOriginSiteMapper(conf.getInitParameter("registry-uri"), k, ks);
- }
- catch (java.security.KeyStoreException e)
- {
- throw new ServletException("ShireServlet.init() unable to load Java keystore");
- }
- catch (java.security.NoSuchAlgorithmException e)
- {
- throw new ServletException("ShireServlet.init() unable to load Java keystore");
- }
- catch (java.security.cert.CertificateException e)
- {
- throw new ServletException("ShireServlet.init() unable to load Java keystore");
- }
- catch (FileNotFoundException e)
- {
- throw new ServletException("ShireServlet.init() unable to locate Java keystore");
- }
- catch (IOException e)
- {
- throw new ServletException("ShireServlet.init() unable to load Java keystore");
- }
- catch (Exception e)
- {
- throw new ServletException("ShireServlet.init() unable to load origin site registry: " + e.getMessage());
- }
+
+ log.info("Loading shibboleth site information.");
+ mapper = new XMLOriginSiteMapper(registryURI, k, ks);
+
+ } catch (OriginSiteMapperException e) {
+ log.fatal("Unable load shibboleth site information." + e.getMessage());
+ throw new UnavailableException("Unable load shibboleth site information." + e.getMessage());
+ } catch (KeyStoreException e) {
+ log.fatal("Unable supplied keystore." + e.getMessage());
+ throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+ } catch (NoSuchAlgorithmException e) {
+ log.fatal("Unable supplied keystore." + e.getMessage());
+ throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+ } catch (CertificateException e) {
+ log.fatal("Unable supplied keystore." + e.getMessage());
+ throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+ } catch (IOException e) {
+ log.fatal("Unable supplied keystore." + e.getMessage());
+ throw new UnavailableException("Unable load supplied keystore." + e.getMessage());
+ }
+
}
+ /**
+ * Method verifyConfig.
+ */
+ private void verifyConfig() throws UnavailableException {
+
+ if (cookieName == null) {
+ log.fatal("Init parameter (cookie-name) is required in deployment descriptor.");
+ throw new UnavailableException("Init parameter (cookie-name) is required in deployment descriptor.");
+ }
+
+ if (registryURI == null) {
+ log.fatal("Init parameter (registry-uri) is required in deployment descriptor.");
+ throw new UnavailableException("Init parameter (registry-uri) is required in deployment descriptor.");
+ }
+
+ if (keyStorePath == null) {
+ log.fatal("Init parameter (keystore-path) is required in deployment descriptor.");
+ throw new UnavailableException("Init parameter (keystore-path) is required in deployment descriptor.");
+ }
+
+ if (keyStorePasswd == null) {
+ log.fatal("Init parameter (keystore-password) is required in deployment descriptor.");
+ throw new UnavailableException("Init parameter (keystore-password) is required in deployment descriptor.");
+ }
+
+ }
+
+
+ private void loadInitParams() {
+
+ log.info("Loading configuration from deployment descriptor (web.xml).");
+
+ shireLocation = getServletConfig().getInitParameter("shire-location");
+ cookieDomain = getServletConfig().getInitParameter("cookie-domain");
+ cookieName = getServletConfig().getInitParameter("cookie-name");
+ keyStorePath = getServletConfig().getInitParameter("keystore-path");
+ keyStorePasswd = getServletConfig().getInitParameter("keystore-password");
+ keyStoreAlias = getServletConfig().getInitParameter("keystore-alias");
+ registryURI = getServletConfig().getInitParameter("registry-uri");
+
+ sessionDir = getServletConfig().getInitParameter("session-dir");
+ if (sessionDir == null) {
+ sessionDir = "/tmp";
+ log.warn("No session-dir parameter found... using default location: (" + sessionDir +").");
+ }
+
+ String temp = getServletConfig().getInitParameter("ssl-only");
+ if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
+ sslOnly = false;
+
+ temp = getServletConfig().getInitParameter("check-address");
+ if (temp != null && (temp.equalsIgnoreCase("false") || temp.equals("0")))
+ checkAddress = false;
+
+ temp = getServletConfig().getInitParameter("verbose");
+ if (temp != null && (temp.equalsIgnoreCase("true") || temp.equals("1")))
+ verbose = true;
+
+ }
+
/**
* Processes a sign-on submission<P>
*
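Review bot: In init(), `getServletContext().getResourceAsStream(keyStorePath)` returns null when the configured path does not resolve, and `KeyStore.load(null, password)` then initializes an empty keystore instead of failing; when `keystore-alias` is unset, `k` stays null, the mapper is built with no verification key (which makes XMLOriginSiteMapper skip signature checking) and an empty trust store, so a mistyped path silently disables verification. Check the stream for null before the load and close it afterwards, since it is never closed on any path today. The catch blocks also log only `e.getMessage()`; log4j's `log.fatal(String, Throwable)` keeps the stack trace, and the messages read "Unable supplied keystore." / "Unable load ..." rather than "Unable to load ...".
```java
            log.info("Loading keystore.");
            try {
                Key k = null;
                KeyStore ks = KeyStore.getInstance("JKS");
                // getResourceAsStream() yields null for an unknown path, and
                // KeyStore.load(null, ...) would then silently create an EMPTY keystore.
                java.io.InputStream ksIn = getServletContext().getResourceAsStream(keyStorePath);
                if (ksIn == null) {
                    log.fatal("Unable to locate keystore (" + keyStorePath + ").");
                    throw new UnavailableException("Unable to locate keystore (" + keyStorePath + ").");
                }
                try {
                    ks.load(ksIn, keyStorePasswd.toCharArray());
                } finally {
                    ksIn.close();
                }
                // … unchanged: alias lookup, mapper construction, catch blocks …
```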
package edu.internet2.middleware.shibboleth.shire;
-import edu.internet2.middleware.shibboleth.common.*;
+import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
-import javax.xml.parsers.*;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.ParserConfigurationException;
+
import org.apache.xml.security.c14n.Canonicalizer;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
-import org.apache.xml.security.signature.*;
-import org.apache.xml.security.transforms.Transform;
+import org.apache.xml.security.signature.Reference;
+import org.apache.xml.security.signature.SignedInfo;
+import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.transforms.Transforms;
-import org.w3c.dom.*;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapper;
+import edu.internet2.middleware.shibboleth.common.OriginSiteMapperException;
+import edu.internet2.middleware.shibboleth.common.XML;
/**
* OriginSiteMapper implementation using an XML file to populate an in-memory
* @author Scott Cantor
* @created June 8, 2002
*/
-public class XMLOriginSiteMapper implements OriginSiteMapper
-{
+public class XMLOriginSiteMapper implements OriginSiteMapper {
- private HashMap originSites = null;
- private HashMap hsKeys = null;
- private KeyStore ks = null;
+ private HashMap originSites = null;
+ private HashMap hsKeys = null;
+ private KeyStore ks = null;
- /**
- * Constructor for the XMLOriginSiteMapper object
- *
- * @param registryURI Tells where to find/download origin
- * site registry file
- * @param verifyKey Optional key to verify signature with
- * @param ks Key store containing the trusted roots
- * to be used by SHIRE
- * @exception Exception Raised if the registry file cannot be
- * parsed and loaded
- */
- public XMLOriginSiteMapper(String registryURI, Key verifyKey, KeyStore ks)
- throws Exception
- {
- this.ks = ks;
- originSites = new HashMap();
- hsKeys = new HashMap();
+ /**
+ * Constructor for the XMLOriginSiteMapper object
+ *
+ * @param registryURI Tells where to find/download origin
+ * site registry file
+ * @param verifyKey Optional key to verify signature with
+ * @param ks Key store containing the trusted roots
+ * to be used by SHIRE
+ * @exception Exception Raised if the registry file cannot be
+ * parsed and loaded
+ */
- DocumentBuilder builder = null;
- try
- {
- builder = org.opensaml.XML.parserPool.get();
- Document doc = builder.parse(registryURI);
- Element e = doc.getDocumentElement();
- if (!XML.SHIB_NS.equals(e.getNamespaceURI()) || !"Sites".equals(e.getLocalName()))
- throw new Exception("XMLOriginSiteMapper() requires shib:Sites as root element");
+ public XMLOriginSiteMapper(String registryURI, Key verifyKey, KeyStore ks)
+ throws OriginSiteMapperException {
+ this.ks = ks;
+ originSites = new HashMap();
+ hsKeys = new HashMap();
- // Loop over the OriginSite elements.
- NodeList nlist = e.getElementsByTagNameNS(XML.SHIB_NS,"OriginSite");
- for (int i=0; nlist!=null && i<nlist.getLength(); i++)
- {
- String os_name = ((Element)nlist.item(i)).getAttributeNS(null, "Name").trim();
- if (os_name.length() == 0)
- continue;
+ DocumentBuilder builder = null;
+ try {
+ builder = org.opensaml.XML.parserPool.get();
+ Document doc;
+ doc = builder.parse(registryURI);
+ Element e = doc.getDocumentElement();
+ if (!XML.SHIB_NS.equals(e.getNamespaceURI()) || !"Sites".equals(e.getLocalName()))
+ throw new OriginSiteMapperException("XMLOriginSiteMapper() requires shib:Sites as root element");
- OriginSite os_obj = new OriginSite(os_name);
- originSites.put(os_name, os_obj);
+ // Loop over the OriginSite elements.
+ NodeList nlist = e.getElementsByTagNameNS(XML.SHIB_NS, "OriginSite");
+ for (int i = 0; nlist != null && i < nlist.getLength(); i++) {
+ String os_name = ((Element) nlist.item(i)).getAttributeNS(null, "Name").trim();
+ if (os_name.length() == 0)
+ continue;
- Node os_child = nlist.item(i).getFirstChild();
- while (os_child != null)
- {
- if (os_child.getNodeType() != Node.ELEMENT_NODE)
- {
- os_child = os_child.getNextSibling();
- continue;
- }
+ OriginSite os_obj = new OriginSite(os_name);
+ originSites.put(os_name, os_obj);
- // Process the various kinds of OriginSite children that we care about...
- if (XML.SHIB_NS.equals(os_child.getNamespaceURI()) && "HandleService".equals(os_child.getLocalName()))
- {
- String hs_name = ((Element)os_child).getAttributeNS(null, "Name").trim();
- if (hs_name.length() > 0)
- {
- os_obj.handleServices.add(hs_name);
+ Node os_child = nlist.item(i).getFirstChild();
+ while (os_child != null) {
+ if (os_child.getNodeType() != Node.ELEMENT_NODE) {
+ os_child = os_child.getNextSibling();
+ continue;
+ }
- // Check for KeyInfo.
- Node ki = os_child.getFirstChild();
- while (ki != null && ki.getNodeType() != Node.ELEMENT_NODE)
- ki = ki.getNextSibling();
- if (ki != null && org.opensaml.XML.XMLSIG_NS.equals(ki.getNamespaceURI()) &&
- "KeyInfo".equals(ki.getLocalName()))
- {
- try
- {
- KeyInfo kinfo = new KeyInfo((Element)ki, null);
- PublicKey pubkey = kinfo.getPublicKey();
- if (pubkey != null)
- hsKeys.put(hs_name, pubkey);
- }
- catch (XMLSecurityException exc)
- {
- }
- }
- }
- }
- else if (XML.SHIB_NS.equals(os_child.getNamespaceURI()) && "Domain".equals(os_child.getLocalName()))
- {
- String dom = os_child.getFirstChild().getNodeValue().trim();
- if (dom.length() > 0)
- os_obj.domains.add(dom);
- }
- os_child = os_child.getNextSibling();
- }
- }
+ // Process the various kinds of OriginSite children that we care about...
+ if (XML.SHIB_NS.equals(os_child.getNamespaceURI())
+ && "HandleService".equals(os_child.getLocalName())) {
+ String hs_name = ((Element) os_child).getAttributeNS(null, "Name").trim();
+ if (hs_name.length() > 0) {
+ os_obj.handleServices.add(hs_name);
- if (verifyKey == null)
- return;
+ // Check for KeyInfo.
+ Node ki = os_child.getFirstChild();
+ while (ki != null && ki.getNodeType() != Node.ELEMENT_NODE)
+ ki = ki.getNextSibling();
+ if (ki != null
+ && org.opensaml.XML.XMLSIG_NS.equals(ki.getNamespaceURI())
+ && "KeyInfo".equals(ki.getLocalName())) {
+ try {
+ KeyInfo kinfo = new KeyInfo((Element) ki, null);
+ PublicKey pubkey = kinfo.getPublicKey();
+ if (pubkey != null)
+ hsKeys.put(hs_name, pubkey);
+ } catch (XMLSecurityException exc) {
+ }
+ }
+ }
+ } else if (
+ XML.SHIB_NS.equals(os_child.getNamespaceURI())
+ && "Domain".equals(os_child.getLocalName())) {
+ String dom = os_child.getFirstChild().getNodeValue().trim();
+ if (dom.length() > 0)
+ os_obj.domains.add(dom);
+ }
+ os_child = os_child.getNextSibling();
+ }
+ }
- Node n=e.getLastChild();
- while (n!=null && n.getNodeType()!=Node.ELEMENT_NODE)
- n=n.getPreviousSibling();
+ if (verifyKey == null)
+ return;
- if (n!=null && org.opensaml.XML.XMLSIG_NS.equals(n.getNamespaceURI()) && "Signature".equals(n.getLocalName()))
- {
- XMLSignature sig = new XMLSignature((Element)n, null);
- if (sig.checkSignatureValue(verifyKey))
- {
- // Now we verify that what is signed is what we expect.
- SignedInfo sinfo = sig.getSignedInfo();
- if (sinfo.getLength()==1 && (
- sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS) ||
- sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS)))
-// sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
-// sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS))
- {
- Reference ref = sinfo.item(0);
- if (ref.getURI() == null || ref.getURI().equals(""))
- {
- Transforms trans = ref.getTransforms();
- if (trans.getLength() == 1 && trans.item(0).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE))
- return;
- }
- }
- }
- }
- throw new Exception("XMLOriginSiteMapper() unable to verify signature on registry file");
- }
- catch (ParserConfigurationException pce)
- {
- throw new Exception("XMLOriginSiteMapper() parser configuration error");
- }
- finally
- {
- if (builder != null)
- org.opensaml.XML.parserPool.put(builder);
- }
- }
+ Node n = e.getLastChild();
+ while (n != null && n.getNodeType() != Node.ELEMENT_NODE)
+ n = n.getPreviousSibling();
- /**
- * Provides an iterator over the trusted Handle Services for the specified
- * origin site
- *
- * @param originSite The DNS name of the origin site to query
- * @return An iterator over the Handle Service DNS names
- */
- public Iterator getHandleServiceNames(String originSite)
- {
- OriginSite o = (OriginSite)originSites.get(originSite);
- if (o != null)
- return o.handleServices.iterator();
- return null;
- }
+ if (n != null
+ && org.opensaml.XML.XMLSIG_NS.equals(n.getNamespaceURI())
+ && "Signature".equals(n.getLocalName())) {
+ try {
+ XMLSignature sig = new XMLSignature((Element) n, null);
+ if (sig.checkSignatureValue(verifyKey)) {
+ // Now we verify that what is signed is what we expect.
+ SignedInfo sinfo = sig.getSignedInfo();
+ if (sinfo.getLength() == 1
+ && (sinfo
+ .getCanonicalizationMethodURI()
+ .equals(Canonicalizer.ALGO_ID_C14N_WITH_COMMENTS)
+ || sinfo.getCanonicalizationMethodURI().equals(
+ Canonicalizer.ALGO_ID_C14N_OMIT_COMMENTS)))
+ // sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_WITH_COMMENTS) ||
+ // sinfo.getCanonicalizationMethodURI().equals(Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS))
+ {
+ Reference ref = sinfo.item(0);
+ if (ref.getURI() == null || ref.getURI().equals("")) {
+ Transforms trans = ref.getTransforms();
+ if (trans.getLength() == 1
+ && trans.item(0).getURI().equals(Transforms.TRANSFORM_ENVELOPED_SIGNATURE))
+ return;
+ }
+ }
+ }
+ } catch (Exception sigE) {
+ throw new OriginSiteMapperException(
+ "Unable to verify signature on registry file: Site file not signed correctly with specified key:"
+ + sigE);
+ }
+ }
+ throw new OriginSiteMapperException("Unable to verify signature on registry file: no signature found.");
+ } catch (SAXException e) {
+ throw new OriginSiteMapperException("Problem parsing site configuration" + e.getMessage());
+ } catch (IOException e) {
+ throw new OriginSiteMapperException("Problem accessing site configuration" + e.getMessage());
+ } catch (ParserConfigurationException pce) {
+ throw new OriginSiteMapperException("Parser configuration error" + pce.getMessage());
+ } finally {
+ if (builder != null)
+ org.opensaml.XML.parserPool.put(builder);
+ }
+ }
- /**
- * Returns a preconfigured key to use in verifying a signature created by
- * the specified HS<P>
- *
- * Any key returned is implicitly trusted and a certificate signed by
- * another trusted entity is not sought or required
- *
- * @param handleService Description of Parameter
- * @return A trusted key (probably public but could be
- * secret) or null
- */
- public Key getHandleServiceKey(String handleService)
- {
- return (Key)hsKeys.get(handleService);
- }
+ /**
+ * Provides an iterator over the trusted Handle Services for the specified
+ * origin site
+ *
+ * @param originSite The DNS name of the origin site to query
+ * @return An iterator over the Handle Service DNS names
+ */
+ public Iterator getHandleServiceNames(String originSite) {
+ OriginSite o = (OriginSite) originSites.get(originSite);
+ if (o != null)
+ return o.handleServices.iterator();
+ return null;
+ }
- /**
- * Provides an iterator over the security domain expressions for which the
- * specified origin site is considered to be authoritative
- *
- * @param originSite The DNS name of the origin site to query
- * @return An iterator over a set of regular expression strings
- */
- public Iterator getSecurityDomains(String originSite)
- {
- OriginSite o = (OriginSite)originSites.get(originSite);
- if (o != null)
- return o.domains.iterator();
- return null;
- }
+ /**
+ * Returns a preconfigured key to use in verifying a signature created by
+ * the specified HS<P>
+ *
+ * Any key returned is implicitly trusted and a certificate signed by
+ * another trusted entity is not sought or required
+ *
+ * @param handleService Description of Parameter
+ * @return A trusted key (probably public but could be
+ * secret) or null
+ */
+ public Key getHandleServiceKey(String handleService) {
+ return (Key) hsKeys.get(handleService);
+ }
- /**
- * Gets a key store containing certificate entries that are trusted to sign
- * Handle Service certificates that are encountered during processing<P>
- *
- *
- *
- * @return A key store containing trusted certificate issuers
- */
- public KeyStore getTrustedRoots()
- {
- return ks;
- }
+ /**
+ * Provides an iterator over the security domain expressions for which the
+ * specified origin site is considered to be authoritative
+ *
+ * @param originSite The DNS name of the origin site to query
+ * @return An iterator over a set of regular expression strings
+ */
+ public Iterator getSecurityDomains(String originSite) {
+ OriginSite o = (OriginSite) originSites.get(originSite);
+ if (o != null)
+ return o.domains.iterator();
+ return null;
+ }
- private class OriginSite
- {
+ /**
+ * Gets a key store containing certificate entries that are trusted to sign
+ * Handle Service certificates that are encountered during processing<P>
+ *
+ *
+ *
+ * @return A key store containing trusted certificate issuers
+ */
+ public KeyStore getTrustedRoots() {
+ return ks;
+ }
- private Vector domains = null;
- private Vector handleServices = null;
+ private class OriginSite {
- private OriginSite(String name)
- {
- domains = new Vector();
- domains.add(name);
- handleServices = new Vector();
- }
- }
-}
+ private Vector domains = null;
+ private Vector handleServices = null;
+ private OriginSite(String name) {
+ domains = new Vector();
+ domains.add(name);
+ handleServices = new Vector();
+ }
+ }
+}
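Review bot: The `Domain` branch calls `os_child.getFirstChild().getNodeValue().trim()`, so an empty `<Domain/>` element (or one whose first child is not a text node) throws a NullPointerException that escapes the constructor unchecked instead of as an OriginSiteMapperException; guard it with `Node domText = os_child.getFirstChild();` and `String dom = (domText == null || domText.getNodeValue() == null) ? "" : domText.getNodeValue().trim();`, after which the existing length check skips it. The constructor Javadoc still says `@exception Exception Raised if the registry file cannot be parsed and loaded` although the signature now throws OriginSiteMapperException; change it to `@exception OriginSiteMapperException Raised if the registry file cannot be parsed, loaded or verified`. The empty `catch (XMLSecurityException exc) {}` on the HandleService KeyInfo silently leaves that handle service without a key, which surfaces later only as a null from getHandleServiceKey(); if that is intentional, say so with a comment such as `// unparseable KeyInfo: this HandleService gets no preconfigured key` or rethrow as OriginSiteMapperException. The SAX/IO/parser-configuration catch messages also lack a separator before the cause text, e.g. `"Problem parsing site configuration: " + e.getMessage()`.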